Training Program Agenda
The agenda is subject to change. The agenda times are reflected in local time in Copenhagen — Central European Summer Time (UTC +2).
About TLP Designations
If you are unfamiliar with the Traffic Light Protocol ("TLP"), please visit https://www.first.org/tlp/ for details. In the use case for FIRST events, TLP levels specifically indicate whether press, social media, and photography/videography may occur. You do not need to be "invited" to attend a TLP:RED session as a confirmed, registered delegate. Please see the Registration Terms & Conditions: Photography or Recording Usage by Attendees.
Meetings notated with "invite-only" or "invitation only" are private meetings.
Registration & Fees
Training is a separate activity from the annual conference and requires a standalone registration. You do not need to attend the annual conference to register for training. Training registration includes:
- Welcome Coffee
- Two coffee breaks
- Buffet lunch
- Entry to the Sunday evening Conference Welcome Reception
- Applicable training materials
Training is not available as a virtual option.
Fees:
- Member: €300.00 + 25% VAT
- Non-member and Liaison: €500.00 + 25% VAT
Sunday, June 22nd
Time | Track 1 | Track 2 | Track 3 | Track 4 |
---|---|---|---|---|
08:30 – 10:00 | [PH] On-Site Incident Response: Collaboration of teams for Complex Cyber Incidents; Alwell Mulsid (Philippine National Computer Emergency Response Team (CERT-PH), DICT, PH); TLP:AMBER | [CH] Ransomware Empowerment (Full Day); Nadia Meichtry (Oneconsult AG, CH); TLP:CLEAR | [AU] Fortifying AI: Hands-On Training in Adversarial Attacks and Defense of AI Systems (Full Day); John Lopes, Vishal Thakur (TikTok USDS, AU); TLP:CLEAR | [US] Level Up Your Analytics; Mike Cunningham (MITRE Center for Threat-Informed Defense, US), Suneel Sundar (MITRE Center for Threat-Informed Defense); TLP:CLEAR |
10:00 – 10:15 | Coffee Break | | | |
10:15 – 12:30 | [PH] On-Site Incident Response: Collaboration of teams for Complex Cyber Incidents; Alwell Mulsid (Philippine National Computer Emergency Response Team (CERT-PH), DICT, PH); TLP:AMBER | [CH] Ransomware Empowerment (Full Day); Nadia Meichtry (Oneconsult AG, CH); TLP:CLEAR | [AU] Fortifying AI: Hands-On Training in Adversarial Attacks and Defense of AI Systems (Full Day); John Lopes, Vishal Thakur (TikTok USDS, AU); TLP:CLEAR | [US] Level Up Your Analytics; Mike Cunningham (MITRE Center for Threat-Informed Defense, US), Suneel Sundar (MITRE Center for Threat-Informed Defense); TLP:CLEAR |
12:30 – 13:30 | Lunch Break | | | |
13:30 – 15:30 | [IN] It all starts with a phish! - Building a phishing detection pipeline using open source software and custom tooling; Swapneel Patnekar (Shreshta IT Technologies Pvt. Ltd., IN); TLP:CLEAR | [CH] Ransomware Empowerment (Full Day); Nadia Meichtry (Oneconsult AG, CH); TLP:CLEAR | [AU] Fortifying AI: Hands-On Training in Adversarial Attacks and Defense of AI Systems (Full Day); John Lopes, Vishal Thakur (TikTok USDS, AU); TLP:CLEAR | [US] Measure, Inform, and Mature your Enterprise Defense; Mike Cunningham (MITRE Center for Threat-Informed Defense, US), Suneel Sundar (MITRE Center for Threat-Informed Defense); TLP:CLEAR |
15:30 – 15:45 | Coffee Break | | | |
15:45 – 17:30 | [IN] It all starts with a phish! - Building a phishing detection pipeline using open source software and custom tooling; Swapneel Patnekar (Shreshta IT Technologies Pvt. Ltd., IN); TLP:CLEAR | [CH] Ransomware Empowerment (Full Day); Nadia Meichtry (Oneconsult AG, CH); TLP:CLEAR | [AU] Fortifying AI: Hands-On Training in Adversarial Attacks and Defense of AI Systems (Full Day); John Lopes, Vishal Thakur (TikTok USDS, AU); TLP:CLEAR | [US] Measure, Inform, and Mature your Enterprise Defense; Mike Cunningham (MITRE Center for Threat-Informed Defense, US), Suneel Sundar (MITRE Center for Threat-Informed Defense); TLP:CLEAR |
[AU] TLP:CLEAR
Fortifying AI: Hands-On Training in Adversarial Attacks and Defense of AI Systems (Full Day)
John Lopes (TikTok USDS, AU), Vishal Thakur (TikTok USDS, AU)
Vishal Thakur is a seasoned expert in the information security industry, with extensive experience in hands-on technical roles specializing in Incident Response, Emerging Threats, Malware Analysis, and Research. Over the years, Vishal has developed a strong reputation for his deep technical expertise and ability to address complex security challenges. He has shared his research and insights at prominent international conferences, including BlackHat, DEFCON, FIRST, and the SANS DFIR Summit, where his sessions have been highly regarded for their depth and practical relevance. Additionally, Vishal has delivered training and workshops at BlackHat and the FIRST Conference, equipping participants with cutting-edge skills and techniques. Currently, Vishal leads as Head of Security Operations AU, Cyber Fusion Center at TikTok USDS, where he oversees advanced security operations and incident response strategies. Previously, he worked as a Senior Researcher at Salesforce, where he contributed to
As AI becomes integral to critical systems, its vulnerabilities to adversarial attacks and data-related weaknesses pose serious risks. This interactive, one-day training is designed for researchers and security professionals who want to understand and mitigate these challenges and get ready for the future of AI security. Participants will gain a comprehensive foundation in AI security, exploring adversarial attack techniques, defense mechanisms, and best practices for building robust datasets.
The training combines engaging lectures, live demonstrations, and four hands-on labs focused on real-world adversarial attack scenarios, including CIFAR-10, IMDB, Fashion-MNIST, and SVHN datasets. Participants will learn to craft adversarial examples, test model vulnerabilities, and implement practical defenses like adversarial training, input transformations, and feature squeezing. All code required for the labs will be provided during the sessions, and attendees will receive pre-configured Google Colab notebooks after the training to continue their learning independently.
A group exercise will simulate securing a facial recognition system, challenging attendees to collaboratively identify threats and apply defenses in a realistic context. By the end of the session, participants will leave with actionable skills, ready-to-use tools, and strategies to enhance the security and resilience of their AI models. This training is ideal for professionals looking to stay ahead in the rapidly evolving field of AI security and robustness.
Learning Outcomes
By the end of the training, participants will:
- Understand key concepts like adversarial attacks, perturbations, and dataset vulnerabilities.
- Learn practical methods for generating adversarial examples using real-world datasets.
- Gain knowledge of defense mechanisms, including adversarial training, feature squeezing, and input preprocessing.
- Apply their knowledge in a collaborative group exercise to secure an AI system in a simulated scenario.
- Leave with actionable skills and pre-configured tools to continue learning and apply defenses in their own projects.
June 22, 2025 08:30-10:00, June 22, 2025 10:15-12:30, June 22, 2025 13:30-15:30, June 22, 2025 15:45-17:30
[IN] TLP:CLEAR
It all starts with a phish! - Building a phishing detection pipeline using open source software and custom tooling
Swapneel Patnekar (Shreshta IT Technologies Pvt. Ltd., IN)
Swapneel is the Chief Security Researcher and CEO of Shreshta IT Technologies Pvt. Ltd., a DNS security and threat intelligence company based in India.
He has 15 years of experience in information security. Swapneel is a Liaison Member of the Forum of Incident Responders (FIRST) and the co-chair of the DNS Abuse SIG at FIRST. He has also been on the board of the India Internet Engineering Society (IIESoc).
He also volunteers as a FIRST trainer and has most recently delivered a workshop on Fundamentals of Cyber Threat Intelligence in Kazakhstan.
He is a prolific speaker and has recently presented at numerous international cyber crime conferences in Latvia, France and Singapore.
Since 2019, he has been an APNIC Community Trainer and has delivered technical workshops in Bhutan, Myanmar, Papua New Guinea, Bangladesh, Nepal and Sri Lanka.
He has also delivered technical workshops to law enforcement agencies on countering cyber crime.
This hands-on workshop uses the concept of persistent monitoring to build a phishing detection pipeline from open source software (Lookyloo [1] and MISP [2]) and custom tooling.
The workshop uses OSINT feeds (newly registered domain names and other sources) and builds a pipeline for ingesting domain names/websites into Lookyloo. The custom tooling enriches the data and exports key attributes of the domain names/websites into MISP.
The workshop starts by guiding participants in building ad-hoc flows: ingesting campaign-specific domain names into Lookyloo and MISP, and using custom tooling to enrich the data.
The workshop then dives into building an automated pipeline by putting the building blocks together.
[1] Lookyloo: a web interface that allows users to capture a website page and then display a tree of the domains that call each other.
[2] MISP: MISP Threat Sharing (Malware Information Sharing Platform) is an open source threat intelligence platform.
Key takeaways (how participants will benefit from the workshop). At the end of the workshop, participants will have:
- An introduction to MISP and Lookyloo.
- Confidence in leveraging Lookyloo, MISP, and other tools for phishing threat detection and analysis.
- Strategies to automate phishing detection workflows.
- A functioning phishing detection pipeline and the skills to implement and expand it within their organizations.
Important prerequisites for participants attending the workshop:
- Ability to navigate and use Linux/Unix command-line tools. Open-source tools like Lookyloo, MISP and the custom tools/scripts require terminal interaction.
- Knowledge of Python or similar scripting languages will be helpful for the tooling customization.
Who should attend this workshop:
- Threat intelligence researchers/CTI folks
- Detection engineers
- Existing users of MISP, Lookyloo, or similar open-source tools who wish to integrate them into a phishing detection pipeline.
Technical requirements for the workshop: Participants should bring a laptop with the following:
- VirtualBox or VMware Player (the VM will be made available at least one week before the workshop)
- At least 8 GB RAM and sufficient storage (at least 100 GB) for the VM installation.
- Admin/root access for installation and configuration
- Access to a private GitHub/GitLab repository containing all scripts/code demonstrated in the workshop will be provided during the workshop
June 22, 2025 13:30-15:30, June 22, 2025 15:45-17:30
[US] TLP:CLEAR
Level Up Your Analytics
Mike Cunningham (MITRE Center for Threat-Informed Defense, US), Suneel Sundar (MITRE Center for Threat-Informed Defense)
Mike Cunningham is the R&D Program Manager in MITRE’s Center for Threat-Informed Defense. He continuously advances the state of the art and the state of practice in threat-informed defense through cutting-edge research and innovation. Before joining MITRE, Mike was an Interactive On-Net Operator in Tailored Access Operations at the NSA. In his spare time, Mike cherishes quality time with his wife and three daughters. He also enjoys playing music, staying fit, and basking in the San Diego sun.
In this workshop, participants will explore the relationships between sensors and advanced detection strategies. This session is designed for cybersecurity professionals seeking to enhance their technical acumen in building robust, adaptable detection capabilities.
The workshop begins with a detailed exploration of sensors, event IDs, and data sources, focusing on how to leverage them to align organizational telemetry with adversary techniques as outlined in MITRE ATT&CK. Participants will learn to assess sensor coverage, identify telemetry gaps, and prioritize sensor deployment for maximum visibility.
Building on this foundation, the session transitions to a methodology for developing resilient detection analytics that withstand adversary evasion. Attendees will gain hands-on experience in creating detection logic that spans from basic event-level indicators to high-fidelity, behavior-based detections at the top of the Pyramid of Pain.
Through guided exercises, participants will apply these principles to map real-world sensor data to ATT&CK techniques and develop analytics that are robust against adversary change. The workshop concludes with a demonstration of how these concepts come together to detect and respond to adversary behaviors, validating the effectiveness of the strategies discussed.
Key Takeaways:
- Learn to identify and address telemetry gaps to optimize threat detection coverage.
- Gain practical skills in creating resilient detection logic that withstands adversary evasion techniques.
- Develop a systematic approach to aligning detection engineering efforts with real-world adversary behaviors for enhanced security outcomes.
June 22, 2025 08:30-10:00, June 22, 2025 10:15-12:30
[US] TLP:CLEAR
Measure, Inform, and Mature your Enterprise Defense
Mike Cunningham (MITRE Center for Threat-Informed Defense, US), Suneel Sundar (MITRE Center for Threat-Informed Defense)
Mike Cunningham is the R&D Program Manager in MITRE’s Center for Threat-Informed Defense. He continuously advances the state of the art and the state of practice in threat-informed defense through cutting-edge research and innovation. Before joining MITRE, Mike was an Interactive On-Net Operator in Tailored Access Operations at the NSA. In his spare time, Mike cherishes quality time with his wife and three daughters. He also enjoys playing music, staying fit, and basking in the San Diego sun.
Threat-Informed Defense (TID) is the systematic application of a deep understanding of adversary tradecraft and technology to improve defenses. This workshop equips participants with the skills and tools needed to evaluate and enhance their team’s TID maturity. This workshop is specifically designed for team leads, managers, and decision-makers responsible for shaping and driving their organization’s security practices.
The session begins with an exploration of what TID is—and what it is not. Through interactive exercises, participants will identify practical examples of TID and assess how these align with their organization’s SOPs.
The workshop then dives into the three dimensions of TID:
- Cyber Threat Intelligence (CTI)
- Defensive Measures
- Testing & Evaluation
Attendees will evaluate their team’s application of each dimension and measure their maturity level using a structured approach. Practical, open-source tools and hands-on challenges for each dimension will provide insights for improvement.
Finally, the session introduces the Inform model, a framework designed to represent TID markers as a score. This score allows team leads and managers to track progress over time, prioritize resources effectively, and communicate improvements to stakeholders.
Key Takeaways:
- A clear framework for understanding and articulating TID principles.
- Tools to measure and assess team performance across TID dimensions.
- Practical strategies for implementing improvements using open-source resources.
This workshop provides the strategic and technical foundations that leaders need to operationalize TID, build stronger teams, and drive measurable security outcomes.
June 22, 2025 13:30-15:30, June 22, 2025 15:45-17:30
[PH] TLP:AMBER
On-Site Incident Response: Collaboration of teams for Complex Cyber Incidents
Alwell Mulsid (Philippine National Computer Emergency Response Team (CERT-PH), DICT, PH)
Led the CERT-PH incident response section and managed a dynamic team of 15 DFIR professionals and analysts with diverse skill sets, providing critical incident response and support to government agencies across the Philippines. Successfully handled 34 high-priority incidents to date, spanning categories such as ransomware attacks, compromised infrastructures, and advanced persistent threats (APTs). Demonstrated expertise in coordinating complex investigations, ensuring rapid containment, and delivering actionable recommendations for organizations' assets.
- In 2024, conducted 25 hands-on training sessions in incident response operations (artifact gathering, cyber range, tabletop exercises)
- Holder of SANS Lethal Forensicator Coins earned during the 508 Advanced Incident Response, Threat Hunting, and Digital Forensics training.
- On-going exam preparations for SANS 508 and ISACA CISA.
- SEC+, ECIH, CC
When faced with a complex cyber incident, an effective incident response requires collaboration beyond internal teams. The integration of internal IT and security teams with external units such as third-party vendors and CERTs is crucial for addressing complex cyber incidents. This training session will focus on strategies for fostering communication and collaboration during on-site response to mitigate risks, restore operations, and preserve evidence. Attendees will gain hands-on knowledge of common tools, techniques, and best practices for managing cybersecurity incidents with a collective approach, ensuring a thorough and coordinated response.
Training Objectives
- To equip participants with practical knowledge and actionable steps for conducting onsite incident response, ensuring effective measures are taken to minimize the impact of cyber incidents on the organization.
- To simulate the basic process of acquiring and analyzing traces of cyberattacks from compromised machines, enabling participants to practice evidence collection and forensic techniques.
Training Session Applicability
This is highly applicable for National CERTs and organizational CSIRTs tasked with providing assistance not only within their own organizational environments but also to sub-units located across diverse locations and operating in varying environments. Insights from CERT operations will also explain how the IR team collaborates with SOC, VAPT and threat intelligence monitoring teams.
June 22, 2025 08:30-10:00, June 22, 2025 10:15-12:30
[CH] TLP:CLEAR
Ransomware Empowerment (Full Day)
Nadia Meichtry (Oneconsult AG, CH)
Nadia Meichtry has been working as a DFIR specialist at Oneconsult AG for the last 4.5 years, where she regularly deals with cyber incidents, including ransomware. She holds a Masters in Digital Forensics and several SANS certifications. She joined the FIRST Multi-Stakeholder Ransomware SIG in 2022 and became one of the co-chairs of the MSR-SIG in June 2024. She co-developed and delivered this training at FIRSTCON24 in Fukuoka.
If you missed out on our full-day introductory ransomware training in Fukuoka, you’re in luck!
This improved version, based on last year’s feedback, will cover:
- Introduction into the world of ransomware attacks:
  - What is ransomware?
  - How bad is it?
  - What do current attacks look like?
  - What are the risks to keep an eye on?
- Preparing for ransomware attacks:
  - Who should be involved?
  - Measures and recommendations
- Darknet & ransomware groups:
  - How TOR works
  - Data leak sites
- Handling and responding to ransomware attacks:
  - Incident response process
  - Analysis steps
- Key points on recovery
- Negotiation takeaways
You’ll get valuable insights from the co-chairs and members of the FIRST Multi-Stakeholder Ransomware SIG, who’ll share their experience with real ransomware cases.
June 22, 2025 08:30-10:00, June 22, 2025 10:15-12:30, June 22, 2025 13:30-15:30, June 22, 2025 15:45-17:30