Program Agenda

David Bizeul is a 20+ years cybersecurity expert. As main achievements, David wrote several major whitepapers on cybersecurity threats or evolution, he initiated 3 CSIRT teams in France (Societe Generale, Airbus Cyber and Sekoia), he founded the first threat intel company in France now part of Sekoia.io. He now works as Chief Scientific Officer in Sekoia.io, making sure the platform use the latest interesting standards or approaches and sharing this approach with the community.

After several years in information systems consulting and CSR policy coordination, Fabien Gainier joined a Master's degree in Strategic Management of Sustainable Development. With this experience, he specialised in supporting organisation transformation through cultural shift and innovation. Subsequently, he set up various entrepreneurial projects. In 2020, he joined the ANSSI teams to help set up the Cyber Campus project where he became head of the Commons Studio and CSR Studio. Its mission is to develop the innovation capacity of Campus Cyber ecosystem by developing cyber commons.

Alias title: “One CTI doctrine to rule them all”

Optimizing CTI analyst time is critical. When you have major cybersecurity entities working together in the same place, you need to define rules to create and manage your threat intelligence smartly. This is exactly what CampusCyber had to deal with when trying to federate companies with different size, sector, maturity, culture working all together. This national retex explains what has been done and why.

Reminder, slides for download are TLP:CLEAR

Sergey Polzunov is a Senior Software Engineer with more than 15 years of experience, focused for the last seven years on building solutions for cyber security. Sergey was a core developer of a threat intelligence platform, participated in designing STIX2 / TAXII2 standards as a member of the OASIS CTI technical committee, released the opensource library Stixview for STIX2 graphs, and developed multiple tools for threat detection, digital forensics, and security telemetry processing.

Presenting Fabric -- a content generation system that aims to automate the prosaic and tedious parts of cyber-security reporting. Automatically creating overviews, timelines, and briefings from structured cyber security data (SIEM alerts, CTI bundles, detection rules, CVE lists) saves the security team time for creative work. Flexible schema-style document generation with a tunable level of details and integrated data enrichment allows the Fabric to generate writing prompts, summaries, and complete documents ready for dissemination.

Brian Mohr helps intelligence teams of all sizes and industries provide excellent service to their decision-makers using intelligence requirements. Brian believes that intelligence work comes down to two core tenets: the purpose of intelligence is providing decision support to leadership and providing intelligence is a customer service. To support these tenets within intelligence teams, Brian co-founded the SaaS company 'ReqFast' providing intelligence requirements and workflow management for intelligence teams. Improving the efficiency & efficacy of teams and enabling them to demonstrate value with actual metrics. Previously, Brian worked in both the private and public intelligence community for over twenty years.

Roman Sannikov supports companies building out and expanding their cyber threat intelligence teams, content, and operations. Roman currently applies this expertise as an advisor to Venation Digital and various other start-ups. Working in cyber-threat intelligence for over 20 years, Roman previously covered both the public and private sector. As a contractor for the US DOJ, he spent years doing undercover work on Russian and Eastern European dark web forums and markets. Subsequently, heading cyber-threat intelligence teams at leading private sector intelligence providers. His teams covered various topics such as dark web and cybercrime, disinformation and hacktivism, and nation-state and geopolitical threats.

Bob Ross once said, “I think there’s an artist hidden at the bottom of every single one of us”. When you are ‘painting’ a company’s threat landscape, you convey answers to intelligence requirements as effective way as possible. Channel your inner artist. For example, building periodic briefings or yearly write-ups. Still, what makes a good threat landscape? What essential information should it contain?

This workshop follows a walkthrough in producing such a deliverable. Combining hands-on examples and audience interaction. Several formats will be discussed, and templates made available. In addition, special attention will be given to the machine learning and AI trends. Finally, the facilitators will share practical tips, tricks, and happy accidents after years of creating threat landscape deliverables.

After following this workshop, participants have built a first version of your team’s threat landscape deliverable or understand where you should adjust your existing deliverable. This workshop also recognises the sensitivity of threat landscape contents.

This workshop is meant to provide cyber threat intelligence teams the canvas, paint, brushes, and techniques needed to successfully create (recurring) threat landscape deliverables. Enabling them to create a larger narrative around cyber threats to support stakeholder decision making and drive security investment

Catalin is a security professional specialised into Infrastructure and Product Security areas with a strong knowledge of Security Operations.

He works at Visma as a Security Operations Manager, enjoying his time in the Security Operations team providing technical leadership in various security areas, having a true desire to drive the Cyber Threat Intelligence (CTI) field and building an Infrastructure Security Program through the Visma Security Program - VSP.

Catalin is the OWASP Timisoara Chapter Leader where he aims to create a strong local security community focused on improving the application security world and creating security awareness. He also has several recognized certifications in the security field and in his spare time he enjoys reading lots of cool stuff, playing football, biking and hiking.

Espen Johansen works at Visma as the Chief Security Officer and is globally accountable for security. He enjoys his time in the Security Operations team providing technical leadership in various security areas, like Cyber Threat Intelligence (CTI) and building an Infrastructure Security Program through the Visma Security Program - VSP.

In today's dynamic business landscape, mergers and acquisitions (M&A) have become crucial strategic initiatives for organizations seeking growth, market expansion, and competitive advantages. However, M&A activities also introduce various security challenges, making it essential to incorporate robust cybersecurity measures throughout the process. This presentation will focus on the significance of Cyber Threat Intelligence (CTI) as a key component in the M&A process.

CTI encompasses the collection, analysis, and dissemination of actionable intelligence about potential cyber threats and adversaries. By harnessing the power of CTI, organizations involved in M&A can significantly enhance their ability to identify and mitigate cyber risks, protect sensitive data, and ensure a successful integration of systems and infrastructure.

During this presentation, we will delve into the various stages of the M&A process and highlight how CTI can add value at each step. Starting from the due diligence phase, we will explore how CTI can be leveraged to evaluate the cybersecurity posture of the target company, identify hidden risks, and validate the effectiveness of existing security controls. We will then discuss the importance of incorporating CTI into the negotiation and agreement stages to address cybersecurity concerns, evaluate potential liabilities, and establish clear security requirements.

Furthermore, we will delve into the post-merger integration phase, where CTI plays a critical role in developing a comprehensive cybersecurity strategy. We will examine how CTI can help organizations identify and prioritize security gaps, facilitate the integration of disparate security systems, and proactively detect and respond to emerging threats. Additionally, we will discuss the importance of ongoing CTI efforts to ensure continued visibility into potential risks and the necessity of adapting security measures to the evolving threat landscape.

By the end of this presentation, attendees will have a clear understanding of how CTI serves as a fundamental enabler for ensuring the security and success of M&A activities. They will gain insights into practical strategies for incorporating CTI into the various stages of the M&A process and learn about the benefits of a proactive and intelligence-driven approach to cybersecurity in mergers and acquisitions.

Freddy Murstad is the senior threat intelligence analyst at the Nordic Financial CERT (NFCERT) in Norway and works serving 200+ financial institutions in the Nordics with threat intelligence, reports, and analysis on threat actors. He shares his knowledge on intelligence analysis and intelligence processes and focus on bridging the gap between Strategic and Tactical analysis for his stakeholders. Currently, Freddy is doing basic research in preparation for a PhD in the cross-section of intelligence analysis and cybersecurity.

Enhancing the foresight capabilities of CTI analysts is vital for staying ahead of future threats. However, this remains a daunting challenge, especially for data-driven and reactive analysts.

Drawing from my experience conducting foresight analysis workshops for the Nordic cybersecurity community, I'll showcase the success of these sessions. We'll explore how bias detection, structured analytical techniques (SATs), and improved critical thinking have empowered participants, enabling them to apply foresight analysis effectively within their teams.

Reminder, slides for download are TLP:CLEAR

Natalie Kilber is a Quantum Physicist, who has ventured into the cyber realm. Initially securing Quantum Computers and assessing their initial threat to infrastructure, as an independent voice on emergent technology cybersecurity, she established Nabla Co - A Natalie Kilber Advisory and resides as a senior researcher at the Institute of Software Engineering, University of Stuttgart. She has worked in the cloud, venture capital industry, as well as AI and secure software development as a technical expert and strategist. Currently, she is the Senior Director for Product Security at Harman International.

Shifts in the IT and cyber security landscape over the past decade have occurred more frequently by orders of magnitude than in traditional science and technology fields. To properly anticipate organizational impact of emergent technologies, organizations need to develop and employ a methodology to evaluate on-the-horizon technologies, understanding the multi-dimensional risks and benefits each may provide.

For each technology there are early stage indicators on how adversaries can capitalize on such technology to improve operational effectiveness. Devising a strategy to approach evaluating emerging technologies—irrespective of whether that is framework or series of templates—provides immense benefits to C-suite stakeholders and risk management and is a function that threat intelligence teams can serve.

In this talk, we take a multi-dimensional approach to examining the problem to aid organizations in understanding prioritization and timelines for potential disruption from emerging technologies. We use quantum technology as an example for how organizations can create an effective strategy to forecast and discern business impact analysis of on-the-horizon disruptive technology threats. We adapt existing cyber threat intelligence frameworks like MITRE ATT&CK and the diamond model to help existing threat intelligence teams accurately translate and communicate emerging threats while determining an effective risk management strategy.

Reminder, slides for download are TLP:CLEAR

Markus Ludwig, (ticura GmbH, CEO) is working in the Cybersecurity space since more than 17 years in multiple global roles (eg. for IBMs X-Force Threat Intel team, Internet Security Systems) and owns several patents around CTI. His mission is to create simple solutions for complex CTI problems and make life easier instead of adding another layer of complexity. e in Cybersecurity.

In times when we face a gap of 2.5+ million cybersecurity professionals, security operation teams are overloaded by alerts and incidents. 80% of the cybersecurity professionals state they feel some level of burnout. It's time to look deeper into the reasons behind alert fatigue and talk about root causes. The maturity of a Threat Intelligence program is one of those worth talking about.

Reminder, slides for download are TLP:CLEAR

Dr Jamie Collier is a Senior Threat Intelligence Advisor at Mandiant and an Associate Fellow at the Royal United Services Institute. Jamie previously was the CTI Team Lead at Digital Shadows, completed a PhD in Cyber Security at Oxford University, and attended MIT as a Cyber Security Fulbright Scholar.

Grace Chi is a Cofounder of Pulsedive, where she is focused on creating frictionless threat intelligence solutions for growing teams. Leveraging insights working with CTI-related practitioners around the world, Grace is passionate about demystifying the requirements and diverse traits enabling CTI success for individuals, teams, and organizations. On the weekend, she’s also a hyper-serious cooperative board gamer and watercolorist.

John Doyle is a Mandiant intelligence enablement consultant and SANS cyber threat intelligence (CTI) instructor. He helps clients evaluate their CTI programs, builds roadmaps, and upskill team capability and organizational reach. John has over 15 years experience most of which at the CIA tracking cyber threat actor groups.

Cyber Threat Intelligence (CTI) and Risk Management are two traditionally separate areas yet over the past few years, there has been a growing recognition of benefits from coordinating workflows and sharing knowledge between CTI and Risk Management. Transcending cyber risk-intelligence silos creates synchronized cyber defense organizations, enabling larger strategic initiatives. There is just one thing, aligning the two is not always an easy task.

This workshop demystifies misconceptions about each team, identifying elements unique to each, highlighting cultural differences that may lead to potential friction points that would inhibit collaboration. We will jointly identify collaboration opportunities unique to participants’ organizational culture and develop key building blocks across products and processes to improve team collaboration, organizational effectiveness, and resilience.

After the workshop, participants will be equipped to have open conversations with their partner team(s) about how to improve collaboration between the functions. Participants will have developed a baseline understanding of the unique terminology each uses and frame of reference that aligns with role and responsibility within the organization to assist in these discussions. Similarly, participants will have created products or processes in which they can use to jumpstart the conversation about creating collaborative workflows.

Alexandre Dulaunoy encountered his first computer in the eighties, and he disassembled it to know how the thing works. While pursuing his logical path towards information security and free software, he worked as senior security network consultant at different places (e.g. Ubizen, now Cybertrust). He co-founded a startup called Conostix, which specialised in information security management. For the past 6 years, he was the manager of global information security at SES, a leading international satellite operator. He is now working at CIRCL in the research and operational fields. He is also a lecturer in information security at Paul-Verlaine University in Metz and the University of Luxembourg. He is also the lead developer of various open source tools including cve-search and member of the MISP core team.

AIL is an invaluable resource for enhancing your threat intelligence processes, with a particular emphasis on improving the quality of your intelligence. By leveraging AIL's advanced capabilities for collecting, crawling, and analyzing unstructured data, you can gain valuable insights that might otherwise go unnoticed. With AIL, you can stay ahead of potential threats by quickly identifying and analyzing suspicious patterns and behaviors, enabling you to take proactive measures to mitigate risks. Whether you're a cybersecurity professional, a law enforcement agency, or an intelligence analyst, AIL provides a powerful set of tools to help you stay one step ahead of emerging threats.

Reminder, slides for download are TLP:CLEAR

Ingrid Grimstad is a SOC analyst in Sopra Steria Scandinavia responsible for handling security incidents for our MSSP customers. In addition to the day-to-day monitoring of the customers' infrastructure, alarm handling and log analysis, she has been a key resource in the SOC's automation efforts and data analysis projects and is a MISP champion.

In this presentation, we'll tackle the question, "If MISP is so great, why isn't everyone using it?" We'll also delve into our experience as a medium-sized MSSP in the Nordics and our journey with MISP.

Our presentation will revolve around two interconnected timelines: the technical milestones and the people/process milestone. The latter timeline mostly takes part in 2023 when one of our analysts (the presenter) became an internal MISP champion. We aim to show the challenges we faced when starting up MISP and transitioning from being a consumer to a producer of threat intelligence.

Bartek Jerzman is currently working as Head of Cyber Intelligence Centre at Standard Chartered Bank. Prior to this role, Bartosz was Head of Cyber Threat Intelligence department at Polish National Cyber Security Centre where he focused on hunting cyberespionage threats. He started his career in the Polish Navy but instead of commanding the ships, he took various positions in cybersecurity for the Navy: sysadmin, pentester, security architect and monitoring, incident responder. Bartek is also a lecturer at Polish Naval Academy and Lazarski University where he teaches his students how to analyse intrusions and respond to cyberthreats. Fan of gliding sailplanes, sailing yachts and kendo fencing.

During the adversary hunting workshop participants will be able to familiarise with threat intelligence investigations. Starting from real life incidents, we will conduct enrichments and data pivoting to better understand and cluster threat actors activities and finally track threats proactively. The workshop will start with some intelligence analysis primers first, and then an introduction to the main platform that we will be using, Synapse, and its powerful language, Storm.

We will then deep dive into some real life cases, where participants will have the opportunity to conduct an investigation using hypergraph-based intelligence platform - Synapse. Workshop will all be based on real world data from threat actors activities and will give participants a sense of cyber threat intelligence work.

Brian Mohr helps intelligence teams of all sizes and industries provide excellent service to their decision-makers using intelligence requirements. Brian believes that intelligence work comes down to two core tenets: the purpose of intelligence is providing decision support to leadership and providing intelligence is a customer service. To support these tenets within intelligence teams, Brian co-founded the SaaS company 'ReqFast' providing intelligence requirements and workflow management for intelligence teams. Improving the efficiency & efficacy of teams and enabling them to demonstrate value with actual metrics. Previously, Brian worked in both the private and public intelligence community for over twenty years.

This may sound like a Zen koan, but an intelligence requirement without context is no better than one hand clapping. In this talk, I will briefly discuss the importance of intelligence requirements and how they are used in the government. I will then discuss why requirements management usually fails in the private sector, not because they are impossible to utilize effectively but because most organizations make the process too complicated. You first need to understand stakeholders' decisions and the available actions they can take.

Following this introduction, I will discuss several techniques to establish the context intelligence teams need to support their decision-makers. These techniques are not prescriptive - there is no “RIGHT” way to do this; there is only a right way for your organization - but I hope this talk will give you ideas on establishing functional requirements for your intelligence program.

Reminder, slides for download are TLP:CLEAR

Clemens Sauerwein is Assistant Professor at the Department of Computer Science at the University of Innsbruck, Austria. His research interests include information security risk management, cyber threat intelligence sharing, empirical studies in the field of information security risk management and information systems. He works in close collaboration with industry and transfers his results into practice as a consultant and a member of various security interest groups.

Dr. Daniel Fischer conducts research and teaches at the Institute of Business Information Systems Engineering at the Technische Universität Ilmenau in Germany. As a senior researcher in the Group for Information and Knowledge Management, his research and teaching interests are focused on the integration management of inter-organizational information systems and IT security management.“

Threat intelligence sharing is a promising solution for developing situational awareness of the rapidly growing number of new cyber threats. Accordingly, there are a variety of platforms on the security solutions market that enable the efficient and targeted sharing of threat intelligence between organizations. Unfortunately, very little is known so far about the diffusion and use of these platforms from the end-user's point of view. To address this issue, we conducted an empirical study on the spread and use if threat intelligence sharing platforms. For this purpose, we surveyed security experts from enterprises, federal authorities, and public educational institutions. Our findings show, among other things, a growing interest in threat intelligence sharing platforms and their value to information security processes.

As Chief Intelligence Officer, Michael DeBolt provides strategic and operational leadership across Intel 471's globally diverse team of HUMINT and technical researchers, linguists, analysts, and intelligence consultants. Before Intel 471, Michael developed strategy and led operations as the US representative and Head of Cybercrime Intelligence at INTERPOL. As a Special Agent at the US Naval Criminal Investigative Service (NCIS), he specialized in national security cyber operations and cybercriminal investigations. Michael is a proud US Marine Corps infantry veteran.

Freddy Murstad is the senior threat intelligence analyst at the Nordic Financial CERT (NFCERT) in Norway and works serving 200+ financial institutions in the Nordics with threat intelligence, reports, and analysis on threat actors. He shares his knowledge on intelligence analysis and intelligence processes and focus on bridging the gap between Strategic and Tactical analysis for his stakeholders. Currently, Freddy is doing basic research in preparation for a PhD in the cross-section of intelligence analysis and cybersecurity.

Join industry leaders for an engaging half-day workshop that introduces the core fundamentals of building an intelligence plan that aligns to stakeholder needs - individually and at scale - and creates a foundation for measuring success of your CTI team using Intel 471's open source General Intelligence Requirements framework and lessons learnt from it's global intelligence team.

Participants will gain hands-on experience building their own plan from scratch using a scenario-based practical exercise, non-proprietary tools, and a catalog of "take home" resources including training videos, fillable templates and worksheets that are provided free of charge for use in their own environments.

Andras Iklody works at the Luxembourgian Computer Security Incident Response Team (CSIRT) CIRCL as a software developer and has been developing the MISP core since early 2013. He is a firm believer that there are no problems that cannot be tackled by building the right tool.

Sami Mokaddem is a software developer who has been contributing to the open-source community since 2016 in the fields of information sharing and leak detection. He is working for CIRCL and is part of the MISP core team where he develops and maintains the software as well as its related tools.

MISP, the open source threat information sharing platform, has been around for over a decade and whilst the platform has been rapidly growing along with the practices of the organisations using it, a major rework of the fundamentals has been long overdue.

This session aims at introducing what is coming in MISP 3 along with the new possibilities it brings to the FIRST community as well as the threat sharing community at large.

Besides the new features, we'll also explore some of our lessons learnt over the past decade of building MISP and related tooling.

Reminder, slides for download are TLP:CLEAR

Alexandre Dulaunoy encountered his first computer in the eighties, and he disassembled it to know how the thing works. While pursuing his logical path towards information security and free software, he worked as senior security network consultant at different places (e.g. Ubizen, now Cybertrust). He co-founded a startup called Conostix, which specialised in information security management. For the past 6 years, he was the manager of global information security at SES, a leading international satellite operator. He is now working at CIRCL in the research and operational fields. He is also a lecturer in information security at Paul-Verlaine University in Metz and the University of Luxembourg. He is also the lead developer of various open source tools including cve-search and member of the MISP core team.

Andras Iklody works at the Luxembourgian Computer Security Incident Response Team (CSIRT) CIRCL as a software developer and has been developing the MISP core since early 2013. He is a firm believer that there are no problems that cannot be tackled by building the right tool.

MISP is an open source Threat Information Sharing Platform (TISP), aiming to provide a broad spectrum of sharing with machines and humans alike. CIRCL has been giving trainings on MISP and threat intelligence sharing in general as part of a continuous effort since 2016.

The training is meant as both an introductiory workshop into threat information creation as well as an advanced techniques workshop for MISP in particular. Participants will learn how to create proper threat reports as well as how to encode rich and well structured MISP events using all of the modern tooling the platform offers.

Topics explored will include:

• best practices
• considerations of the needs of the community
• contextualisation
• creating graph based data
• enrichment
• writing supporting reports
• false positive handling
• building workflows to assist your CTI processes

We expect MISP newcomers as well as veterans that may not be up to date with the latest feature-set of MISP to come away with new ideas and tools in their toolbelts.

Kamil Bojarski works as a Principal Cyber Threat Intelligence Analyst at Quointelligence where he provides tailored intelligence products to customers, informing their decision making and thus reducing risks to organisations. Kamil is also a teaching assistant at SANS Institute where he supports students during FOR578 Cyber Threat Intelligence course, and a member of GIAC Advisory Board. You can read his musings on threat intelligence, OSINT and national security at counterintelligence.pl. His research interests are focused on counterintelligence aspects of information security, activity of eastern APT groups and cross-section of technical and political aspects of cyber operations.

The presentation addresses the challenges of "hard targets" in open-source intelligence (OSINT) collection for cyber threat intelligence operations. Focusing on collection from China-centric sources and criminal groups, we explore technical, legal, and operational obstacles that can impact OSINT collection.

Further, the session will discuss technical and organizational measures to tackle these challenges, such as employing technology to complement the analysts' skillset and promoting specialization and cross-disciplinary collaboration within teams. The goal is to support threat intelligence analyst with effective management of intelligence requirements related to collection from open sources.

Ondra Rojcik is a Senior Cyber Threat Intelligence Analyst at Red Hat CTI team. He is responsible for providing intelligence analysis and strategic perspective to the Red Hat’s CTI program and its analytical production. Previously he worked for the Czech National Cyber and Information Security Agency (NUKIB) as a Deputy-Director of Department and Head of Strategic Analysis Unit which he co-founded.

Vladimir Janout is a Cyber Threat Intelligence Analyst at Red Hat, currently specializing in the Collection&Processing phases of the Intelligence Cycle with a focus on process automation and streamlining. He holds a Master's degree in Information Security from Brno University of Technology.

Priority Intelligence Requirements (PIRs) Workshop aims to assist attendees in developing a mindset for establishing intelligence requirements for their organizations. PIRs are a tool that help to prioritize relevant topics of CTI team activities, such as data collection, analysis production, threat hunting, and detection.

To achieve this, participants will have access to a template (link below) that they can customize to meet their organization's specific requirements. We will work with a mock-up company annual report provided by the workshop facilitators which you can optionally go through prior to the workshop. During the workshop, the participants will undergo series of steps for setting the PIRs, including finding elements of an organization and their function, finding supporting assets of the elements, mapping most impactful adversarial operations and conducting a risk assessment, which includes assessing the likelihood and impact of a potential attack on the organization and supporting assets.

The workshop will also cover the customization of the results of the exercise into actual PIRs and how to operationalize them in CTI team activities.

Stellar Electric 2022 Annual Report: https://drive.google.com/file/d/1bzWfeR-Gw1z9MsDfshh3fGYHgRUkqWoF/view?usp=drive_link

Reminder, slides for download are TLP:CLEAR

Joel Doenne is a Cyber Security Analyst at ATRUVIA AG with preferences for CTI, Reverse Engineering and Digital Forensics. Besides researching in his free time he is currently writing his Master Thesis at Ruhr-Universität Bochum (Appl. IT Security).

Post Exploitation Frameworks are not only the swiss army knife for Red Teamers, but also in heavy use by cybercriminals and even state actors. Well known representatives are Cobalt Strike and Brute Ratel. Many artifacts, like Beacons/Badgers or Stage Loaders end up on platforms like VirusTotal. Tired of the many manual process steps needed to get decent insights about these hunted artifacts the PXF-X framework was born. PXF-X should fully automate all the required analysis steps. In essence, this means: 1) artifacts are hunted with VirusTotal Livehunting YARA rules, 2) the samples are then obtained and analyzed in several ways, 3) the extracted information is then enriched by different intelligence sources and reconnaissance methods. PXF-X is designed in a modular way. The intention is that various modules can be integrated sucessively. Currently three different Frameworks are supported: Meterpreter, Cobalt Strike and Brute Ratel C4. A bunch of others are in the makings.

Dr Jamie Collier is a Senior Threat Intelligence Advisor at Mandiant and an Associate Fellow at the Royal United Services Institute. Jamie previously was the CTI Team Lead at Digital Shadows, completed a PhD in Cyber Security at Oxford University, and attended MIT as a Cyber Security Fulbright Scholar.

John Doyle has over fifteen years of experience working in Cyber Threat Intelligence, Digital Forensics, Cyber Policy, and Security Awareness and Education. He has spent over a decade tracking multiple state-sponsored cyber actors (APTs) to support strategic, operational, and tactical intelligence requirements.

Cyber Threat Intelligence (CTI) and Risk Management have emerged as two traditionally separate areas, both designed to help organizations understand their risk realities and inform decision making on cyber security prioritization and investment. Over the past few years, there has been a growing recognition of benefits from coordinating workflows and sharing knowledge between CTI and Risk Management. Specifically, transcending cyber risk-intelligence silos not only creates a more synchronized cyber defense organization, but also enables both teams to support larger strategic organizational initiatives. However, collaboration challenges between the two elements are plentiful.

This talk will demystify misconceptions about the role each team serves, identify elements unique to each team’s lexicon and frame of reference, as well as highlight how to overcome cultural differences that may lead to potential friction points that could inhibit collaboration from the onset. CTI and Risk Management professionals will receive practical guidance on areas for integration and collaboration in each other’s workflows. These include tips on jointly developing an organization’s cyber threat profile, leveraging external cyber threat landscape publications, improving organizational threat modeling efforts, feeding CTI into risk matrices, and using CTI to prioritize patching management focus.

Reminder, slides for download are TLP:CLEAR

Andreas Sfakianakis is a Cyber Threat Intelligence professional with over fifteen years of experience in cyber security. He focuses on applying threat intelligence and helping organizations manage threats mostly within the Energy, Technology, and Financial sectors as well as in European Union’s Agencies and Institutions. Andreas has been contributing to the CTI community since 2012 via public reports and presentations, his blog, newsletter, and instructing. His utmost goals are the maturing of threat management programs within organizations as well as the embedding CTI in policy making. Andreas Twitter handle is @asfakian and his website is threatintel.eu.

Is your CTI team struggling to operationalize the CTI process? Don't worry, your team is not the only one! During the "CTI journey", CTI teams try out approaches and tools, hoping to give value to their organization. This is usually a trial and error process, and when not successful, it costs money and time for organizations and also demotivates CTI analysts.

This presentation will discuss some of the basic "baby" steps that CTI teams often neglect. We will be focusing on case management and intelligence workflows. Moreover, we will elaborate on how you can take advantage of the knowledge produced by the CTI team and provide meaningful metrics to the CTI team and the management. Finally, we elaborate on the essential ingredients for CTI teams in the early phases of their "CTI journey".

The key takeaway for the audience is the realization of some basic steps that a CTI team has to take to coordinate its workload better, build workflows, and better manage the CTI knowledge it produces. The audience will also be presented with real-world examples and implementations within corporate environments of such approaches. Ideally, we will give you some hints to spin your CTI process round!

Reminder, slides for download are TLP:CLEAR

Ross Rustici is a Principal Cyber Threat Intelligence Analyst in the MITRE Corporation’s Cyber Operations & Effects Innovation Center. In his role he leads and executes research with teams from MITRE, private sector partners, and U.S. government organizations to enhance analytic capabilities and disrupt cyber adversaries. Ross previously built intelligence products and services for multiple cyber security companies and helped build the U.S. DoD’s all-source capabilities.

CTI programs live and die by their own tribal knowledge. There is a large capability gap between new programs with small teams and junior analysts, and mature programs with a large team of senior analysts. Ascending the capabilities ladder is arduous and derailed by one or two key departures. We can bridge this gap.

For CTI products to provide value and sustain analyst attrition, the Center and its partners created a new standard for CTI reports. We share a set of templates with prescriptive instructions on what to include and to whom the report should be focused. This talk will also introduce a publicly available suite of tools that will support best practices, automation, and enable dissemination of human and machine-readable reports. These capabilities will accelerate production for teams and analysts embarking on building new programs and careers. In this session, we will:

• Share problems with current CTI production and dissemination identified through stakeholder interviews
• Describe how our standard and the derived templates address these problems
• Demonstrate how you can use the tool suite to create actionable reports.

Scott Small is a security & intelligence practitioner and expert in cyber threat intelligence & threat modeling, open source research & investigations, and data analysis & automation. He currently serves as Director of Cyber Threat Intelligence at Tidal Cyber. Scott has advised enterprise and public sector security teams across maturity levels on technical and strategic applications of intelligence and on using technology to help identify and mitigate organizational risk. Throughout his career, he has briefed and trained large and small audiences and has presented original content at major security conferences, including DEFCON, FIRSTCON, MITRE ATT&CKcon, & BSides, and ISAC & other industry events.

Scott is an active member of the professional security and intelligence communities and a proponent of open-source information for upskilling and strengthening our collective security. In addition to contributing to community projects, he has published independent projects that aggregate and streamline publicly accessible security resources, as well as his own original tools & resources.

Simone Kraus has worked since 2001 in IT-Security. After my apprenticeship I studied computer science, was a specialized SAP consultant for many years and left the IT 2013. After some years as triathlete, a-licence fitness coach, life-guard and civilian on the battlefield for the US Army and Bundeswehr I had made the decision to start again in the IT as a cyber security analyst. Since June 2022 I work as a security analyst for Orange Cyberdefense in the incident response (OT/IT environment). Within the Analyst as a Service consulting I do "MITRE Detection Engineering" and threat modeling besides incident response and threat hunting. https://www.orangecyberdefense.com/be/about-us/international-womens-day/simone-kraus

Which threats matter most to my organization? A common question from security leadership, but not an easy one to answer, especially quickly. This session gives participants the foundation to confidently answer this question by providing practical, immediately-applicable guidance on building, refining, and maintaining cyber threat profiles tailored to their organizations, helping drive defensive prioritization. Using examples based on key regional industries, we’ll peel back the cover on a discipline once reserved for highly-resourced teams and show how members of virtually any security function (not just dedicated CTI or risk analysts) can build accurate threat profiles based on publicly-accessible resources.

Often considered a buzzword, threat profiling is in fact a powerful capability that allows security teams to proactively address threats with confidence, while de-escalating would-be “fires” that may in fact not pose major risks, providing teams clearer focus and giving them back (at least a little) control over their priorities. However, adoption of this discipline has been limited by misconceptions and a lack of awareness on where to start, where to find reliable sources, and how to apply the end-product. Drawing on the presenter's experience advising security programs across the maturity spectrum, attendees will take away various resources & repeatable processes that enable them to turn a buzzword into an achievable goal and start realizing the value of threat profiling for security prioritization. These include:

• A simplified approach to building a tailored yet repeatable threat profile
• Reliable, publicly available sources for informing a cyber threat profile
• Tips on real-world applications of community resources (e.g. Atomic Red Team & Sigma rules) that enable taking action based on a threat profile
• Guidance on quantification and potential automation opportunities

Review/download of all resources is optional! Our workshop focuses mainly on methodologies & workflow guidance, but we also want to arm participants with a variety of representative resources relevant to the workflows, to jumpstart their threat profiling journey more quickly.

No tools or materials are required for the workshop. A laptop with internet connection is helpful for following along/browsing to resources of interest live alongside the presenters.

Threat Quantification & Profiling Resources:

Threat Quantification – Top Resources

• Quantifying Threat Actors with Threat Box https://klrgrz.medium.com/quantifying-threat-actors-with-threat-box-e6b641109b11

• Using Threat Intelligence to Focus ATT&CK Activities https://www.youtube.com/watch?v=V--wxuSEMD0

• Sophisticuffs: The Rumble Over Adversary Sophistication https://www.slideshare.net/PalJaramillo/bsides-chicago2017

• NIST SP 800-30 Rev. 1, Guide for Conducting Risk Assessments https://nvlpubs.nist.gov/nistpubs/legacy/sp/nistspecialpublication800-30r1.pdf (See especially Appendix D: Threat Sources)

• Threat Agent Library Helps Identify Information Security Risks https://www.oasis-open.org/committees/download.php/66239/Intel%20Corp_Threat%20Agent%20Library_07-2202w.pdf

• The next 50 years of cyber security. https://magoo.medium.com/next50-ea33c5db5930

• These and many more resources listed here (repo authored by the presenter): https://github.com/tidalcyber/cyber-threat-profiling

Resources for Taking Action on Your Threat Profile:

If you want to test tools like Atomic Red Team, we recommend using a VM for additional safety.

• Tools (Install required) Browser Chrome https://www.google.com/chrome/

• ATT&CK POWERED SUIT – Chrome Extension https://chrome.google.com/webstore/detail/attck-powered-suit/gfhomppaadldngjnmbefmmiokgefjddd

• Atomic Red Team – Invoke Atomic https://github.com/redcanaryco/invoke-atomicredteam/wiki/Installing-Invoke-AtomicRedTeam Sysmon https://learn.microsoft.com/de-de/sysinternals/downloads/sysmon

Additional Tools:

• D3FEND ATT&CK Extractor https://d3fend.mitre.org/tools/attack-extractor
• Extracting TTPs directly with a Python tool from the website https://github.com/tropChaud/webpage2attack
• ATT&CK FLOW Center for threat informed defense https://center-for-threat-informed-defense.github.io/attack-flow/ui/

Free-Registration Platforms:

• Cyborg Security HUNTER Community Edition https://www.cyborgsecurity.com/user-account-creation/
• Tidal Community Edition https://app.tidalcyber.com/

Reminder, slides for download are TLP:CLEAR

David Greenwood helps early stage cyber-security companies to build products that make users go; ""Wow! That's what I need!"".

During his career he has worked with great minds at Splunk and Anomali. David currently works at EclecticIQ building world-class threat intelligence solutions."

ChatGPT 3.0 made waves across almost every industry when it hit the market in late November last year.

Far from a silver bullet for the cyber-security industry, ChatGPT, and more specifically the GPT-3 model, do have many practical uses, namely the automation of highly repetitive tasks. Ask any threat intelligence analyst and they will concur; extraction and dissemination of threat intelligence often requires many hours of ctrl+c, ctrl+v.

Earlier this year I set out to use ChatGPT to create structured knowledge graphs from a variety of intelligence reports in my inbox.

In this session I will explain the trial and error that went into generating prompts that accurately extract artefacts and their relationships from unstructured intelligence reports (including: PDFs, emails, and Slack messages).

Taking it a step further, I will also talk you through my attempts at using Chat-GPT to model the intelligence as rich STIX 2.1 Objects for easy dissemination into existing security tooling.

Rest easy, the content covered in this talk will not replace your job.

Reminder, slides for download are TLP:CLEAR

Alexis Dorais-Joncas is the Senior Manager of Proofpoint’s APT research team, where he and his team of threat researchers and intelligence analysts focus on tracking the most elusive state-sponsored threat actors and ensuring Proofpoint customers are protected against these persistent attackers.Prior to joining Proofpoint, Alexis led ESET’s Montreal-based R&D branch office for about 10 years, where his team focused on malware research, network security and targeted attacks tracking.

Joshua Miller is a Senior Threat Researcher on Proofpoint’s Threat Research team, where he tracks and investigates state-aligned cyber espionage threats across the globe, with a focus in actors originating from the Middle East & North Africa. Previously, Joshua has held threat intelligence positions across both private industry and the intelligence community, including time as an cyber analyst with the Federal Bureau of Investigation. He’s also a Military Intelligence officer in the US Army Reserve, an international conference speaker and currently holds a M.S. in Information Security (Lewis University), BA in Political Science (Wheaton College), CISSP, and GCTI.

Does attribution of cyber operations actually matter? It depends on who’s asking. Using real world APT examples from threats attributed to Iran, Turkey, China, and Vietnam, we’ll demonstrate what details go into attribution work, why attribution can be useful for defenders and how Blue Teams can use it to better inform threat modeling and risk. We'll define attribution, compare the concepts of attribution and Attribution, discuss how softer attribution should be paired with harder, more technical attribution and then close by discussing potential pitfalls we’ve seen with attribution working for the government, private corporations and at a security vendor.