Program Agenda

As part of the Cyber Threat Intelligence – Special Interest Group, we have formulated / articulated three phases of CTI maturity. For our discussion we are going to dive into the actions, processes and approaches for the teams which are advanced to the level 3 of maturity.

We will cover variety of topics related to advanced chapters of Cyber Threat Intelligence and share the lessons learned during our over decade long journey into CTI.

Erick Thek is a Cyber Threat Intelligence Manager at Trend Micro. He is responsible for analyzing emerging threats facing public and private sectors. Assisting organisations along their security journey to a point where they feel secure in knowing they are doing their best. Assisting and initiating public and private sector collaborations.

Vladimir Kropotov is a researcher with Trend Micro FTR team. Active for over 15 years in information security projects and research, he previously built and led incident response teams at Fortune 500 companies and was head of the Incident Response Team at Positive Technologies. He holds a masters degree in applied mathematics and information security. He also participates in various projects for leading financial, industrial, and telecom companies. His main interests lie in network traffic analysis, incident response, and botnet and cybercrime investigations. Vladimir regularly appears at high-profile international conferences such as FIRST, CARO, HITB, Hack.lu, PHDays, ZeroNights, POC, Hitcon, BHEU and many others.

This presentation advocates for a paradigm shift by spotlighting a spectrum of often overlooked artifacts and metadata. Beyond the conventional elements, these nuanced digital footprints harbor the potential to substantially enhance the attribution process.From delving into file metadata and linguistic analysis to scrutinizing social engineering tactics and cryptocurrency transactions, each artifact offers a unique lens through which to decipher the identity and motivations of cyber threat actors.

Pratik is a seasoned Information Security professional, with expertise in Threat Intelligence, Malware analysis and Incident Response. Throughout notable positions at industry giants like Apple and Amazon, Pratik has consistently showcased his proficiency by spearheading extensive Malware analysis, digital forensic investigations, conceptualising detection methodologies, and engineering automation solutions to streamline security analyses.

Currently, working in the Threat Analysis Group at Google, Pratik focuses on understanding and counter government-backed threats against Google and it's users.

Working in various intelligence organizations has allowed me to understand the multitude of factors that influence the final production of intelligence satisfying customer needs. However, are all of them equally important? Which ones should we select and focus on when starting our Cyber Threat Intelligence (CTI) program from scratch? Given the abundance of factors, how can we structure them into an achievable action plan that will enable us to build intelligence optimally aligned with our stakeholders' needs?

For the last 15 years, I’ve worked in the world of intelligence. Thanks to being in different roles as an intelligence collector, intelligence analyst, and program or team leader, I’ve had a chance to understand different aspects of CTI. Being responsible for the design and delivery of intelligence products for various kinds of customers (from governmental to corporate), gave me a unique chance to integrate cyber threat intelligence efforts with customers’ needs in different organizations and cultures.

Bob Ross once said, “I think there’s an artist hidden at the bottom of every single one of us”. When you are ‘painting’ a company’s threat landscape, you convey answers to intelligence requirements as effective way as possible. Channel your inner artist. For example, building periodic briefings or yearly write-ups. Still, what makes a good threat landscape? What essential information should it contain?

This workshop follows a walkthrough in producing such a deliverable. Combining hands-on examples and audience interaction. Several formats will be discussed, and templates made available. In addition, special attention will be given to the machine learning and AI trends. Finally, the facilitators will share practical tips, tricks, and happy accidents after years of creating threat landscape deliverables.

After following this workshop, participants have built a first version of your team’s threat landscape deliverable or understand where you should adjust your existing deliverable. This workshop also recognises the sensitivity of threat landscape contents.

This workshop is meant to provide cyber threat intelligence teams the canvas, paint, brushes, and techniques needed to successfully create (recurring) threat landscape deliverables. Enabling them to create a larger narrative around cyber threats to support stakeholder decision making and drive security investment.

Gert-Jan Bruggink specializes in helping leaders make informed decisions on risk to prioritise security investment. He supports teams all over the world in understanding adversary tradecraft through threat-informed security programs and providing leaders actionable threat intelligence products. Gert-Jan founded boutique firm ‘Venation’ to pioneer the field of structured threat content through cyber threat intelligence subscription and advisory services. Previously, Gert-Jan co-founded innovative start-ups, fulfilled a cyber threat intelligence leadership role at a Big Four accounting firm, and held security engineering roles at a security integrator.

This workshop offers a practical understanding of Blockchain, Smart Contracts, DApps, and NFTs. Participants will learn the basics of Web3 OSINT, including extracting and analyzing on-chain and off-chain data. The workshop also provides a guide to important websites and tools, with a focus on the process of linking and verifying information. It's an opportunity to enhance your skills within the realm of cryptocurrency and Web3.

Patrick Ventuzelo is a senior security researcher, CEO & founder of Fuzzinglabs. After working for the French Ministry of Defense, he specialized in fuzzing, vulnerability research, and reverse engineering. Over the years, Patrick has created multiple fuzzers, found hundreds of bugs, and published various blog posts/videos/tools on topics like Rust, Go, Blockchain, WebAssembly, and Browser security. Patrick is a regular speaker and trainer at various security conferences around the globe, including BlackHat USA, OffensiveCon, REcon, RingZer0, PoC, ToorCon, hack.lu, NorthSec, SSTIC, and others.

Tanguy is a security engineer currently working as a Blockchain/OSINT expert at FuzzingLabs. He has four years of hands-on experience in blockchain technology, gained through multiple projects at leading tech companies and French research institutions. In addition to his expertise in blockchain, Tanguy possesses a deep knowledge of OSINT. At FuzzingLabs, he focuses on developing tools to facilitate investigations, profiling, and de-anonymization related to blockchains. Tanguy is also exploring the use of new Web3 protocols such as IPFS, with the aim of deepening our understanding of these emerging technologies.

Acknowledging a systematic and time-tested methodology dating back to 1982, this session explores the intricate method of "Attack Trees". To this day it still offers a powerful holistic approach to modeling security threats and their sequential actions against assets but is regularly forgotten in favor of more contemporary methodologies. This methodology still remains a powerful tool both for visualizing complex attack sequences to business leaders and effective stakeholder engagement.

Navigating the fundamental concepts of Attack Trees, emphasizing their relevance in contemporary cyber threat intelligence. Attendees gain insights into how Attack Trees provide a comprehensive framework for analyzing real-life threat activity threads. By combining elements from MITRE ATT&CK, the Diamond Model of Intrusion, and the attack tree methodology, the presenters demonstrate how even to this day the methodology can enable cybersecurity professionals to collate threat actor activities and assess realistic defensive measures. From identifying sequential stages and nuanced tactics to visualizing attack chains, this exploration promises practical applications for daily use.

After the session, attendees will have a clear understanding of how they can apply the Attack Tree’s method and leverage their own knowledge of the threat landscape, their organization’s threat surface, and their defender’s capability and resources to derive feasible defensive measures to detect and stop threat actors from reaching their goals.

Gert-Jan Bruggink specializes in helping leaders make informed decisions on risk to prioritise security investment. He supports teams all over the world in understanding adversary tradecraft through threat-informed security programs and providing leaders actionable threat intelligence products. Gert-Jan founded boutique firm ‘Venation’ to pioneer the field of structured threat content through cyber threat intelligence subscription and advisory services. Previously, Gert-Jan co-founded innovative start-ups, fulfilled a cyber threat intelligence leadership role at a Big Four accounting firm, and held security engineering roles at a security integrator.

Sherman is a Manager at Deloitte, focusing on helping clients build threat intelligence and detection capabilities. He specializes in threat intelligence, incident response, threat hunting, and detection engineering. A US Army veteran, Sherman previously led the technical threat intelligence team at New York City Cyber Command.

Our research introduces a practical approach to malware analysis, focusing on the detection of code similarities in malware samples using vector search. Instead of traditional machine learning methods for vectorization, we use Trend Micro’s Locality Sensitive Hash (TLSH). This technique involves disassembling incoming binary files into their basic components and then computing TLSH values for these parts. The resulting hashes are compact and effectively reflect the structure and content of the binaries.

An important aspect of our method is the use of an Intermediate Language (IL) for consistent binary function representation, which helps identify similarities in malware compiled with different settings or platforms. This approach enables us to more effectively find similar code segments across various malware samples. Our work demonstrates a reliable and efficient way to analyze malware, offering valuable insights for cybersecurity efforts.

Remco is a Senior Security Researcher at Elastic's Security Labs, specializing in reversing and analyzing malware, particularly in the Linux domain. With a rich background as a forensic investigator for the Dutch Police, he brings a unique blend of law enforcement and cybersecurity expertise. At Elastic, Remco focuses on dissecting malware families, contributing to the development of innovative security strategies. His work is integral in understanding and mitigating emerging cyber threats, leveraging his extensive experience in digital forensics and threat analysis.

Cyber Threat Intelligence (CTI) professionals are increasingly confronted with pressure to deliver more intelligence services and products with fewer resources. Balancing escalating threats against budget cuts and limited tools stretches CTI teams thin, leading to burnout and high turnover. To provide clarity on priorities, the CTI community adopted Priority Intelligence Requirements (PIRs). PIRs are a pivotal method for refocusing efforts and resources, building relationships between CTI and stakeholders, and enabling greater efficiency. But how does one begin collecting PIRs when there is minimal budget in the first place? How do you approach the first 90 days to ensure you implement PIRs without incurring high costs?

This session takes a pragmatic approach to developing PIRs, complementing previous workshops on PIRs (including at this conference) by focusing on the earlier stages and working with a limited budget.

Josh is a Cyber Threat Intelligence (CTI) professional with experience in the financial, tech, and cybersecurity sectors in North America and Europe. He originally started out in physical threat intelligence and has worked in geopolitical risk, protective intelligence, and risk management before pivoting to the CTI. Josh's current job focuses on using Machine Learning Models to collect cyber threat intelligence.

Josh enjoys contributing to the threat intelligence community and mentoring others in the industry. He sits on the Board of Director for TIER (Threat Intelligence Exchange Roundtable) and on the committee for CyberToronto Conference, previously holding directorships with (ISC)2 Toronto Chapter and ASIS.

AI for CTI is getting a lot of attention and traction. Natural Language Processing (NLP) is starting to be used a lot for the analyst's workload. Turns out, there seems to be no single accepted CTI NLP benchmark dataset. In other words: we can't compare solutions.

Benchmark datasets are extremely relevant for comparing the quality of systems as well as for improving their accuracy in training and re-training runs. The AI SIG at FIRST.org created a sub-group of volunteers to address this hard problem. This talk will cover how we thought about the benchmark dataset, an analysis of similar benchmarks and how people created them, what goes into a balanced and good dataset, analysis of sources of data (ORKL.eu, etc.) and what use-cases we wanted to cover with the benchmark dataset. Finally, we will show how the benchmark is being used for evaluating a few CTI AI tools and how to use it for LoRA training of your own, custom LLM.

Currently working for EC-DIGIT-CSIRC where he focuses on how to leverage the power of Large Language Models (LLMs) for CTI purposes. Prior to joining EC-DIGIT-CSIRC, Aaron was employee #4 of CERT.at, the national CERT of Austria. He was member of the board of directors FIRST.org between 2014-2018. He co-founded intelmq.org, a tool for automating incident handling workflows. He is a frequent speaker at (IT security) conferences such as hack.lu, black hat, amongst others.

He is co-chair of the AI Security SIG at FIRST.org. Aaron likes to come up with ideas which have a strong benefit for (digital) society as a whole and which scale up. He loves sharing knowledge and open source tools to automate stuff.

Jay is the Chief Data Scientist at Cyentia Institute, the lead data scientist for the Exploit Prediction Scoring System (EPSS) and is co-chair of the EPSS special interest group at FIRST.

Phd. Paolo Di Prodi was a senior data scientist at Microsoft and Fortinet. He has now founded a company called Priam Cyber AI ltd that uses virtual agents to automate security operations. He contributes regularly to open source projects from OASIS like STIX2.1,DISARM,IOB and various LLM projects such as OLLAMA and LiteLLM. He also a member of the Automation AI SIG in FIRST ORG and contributed to developing EPSS at the RAND ORG.

Syra Marshall is the CTO at Elemendar, with a background in Mathematics and Computer Science. After getting bored of being a cog in a machine she has been the technical founder of start-ups in search, blockchain and, for the past seven years, has led product development at Elemendar, where her focus has been the applications of NLP within Cyber. A self-confessed nerd she will happily take any board game challenge you might want to throw at her.

Join industry leaders for an engaging half-day workshop that introduces the core fundamentals of building an intelligence plan that aligns to stakeholder needs - individually and at scale - and creates a foundation for measuring success of your CTI team.

Participants will gain hands-on experience building their own plan from scratch using a scenario-based practical exercise, non-proprietary tools, and a catalog of "take home" resources including training videos, fillable templates and worksheets that are provided free of charge for use in their own environments.

As Chief Intelligence Officer, Michael DeBolt provides strategic and operational leadership across Intel 471's globally diverse team of HUMINT and technical researchers, linguists, analysts, and intelligence consultants. Before Intel 471, Michael developed strategy and led operations as the US representative and Head of Cybercrime Intelligence at INTERPOL. As a Special Agent at the US Naval Criminal Investigative Service (NCIS), he specialized in national security cyber operations and cybercriminal investigations. Michael is a proud US Marine Corps infantry veteran.

Freddy is currently doing his PhD on the cross-section of intelligence and Cyber Threat Intelligence (CTI) and will research how the intelligence field can help mature the CTI field in the private sector. While researching for his PhD, Freddy also works as the senior threat intelligence analyst at Nordic Financial CERT (NFCERT) in Norway where he supports the financial sector with strategic intelligence. Freddy uses his education and experience with intelligence to bring a multifaceted approach to CTI and provide value to stakeholders.

Discovery and tracking of adversarial infrastructure are one of the most common tasks of threat intelligence teams and can yield significant insights into adversary operations. However, increasing adoption of cloud services and use of privacy protection have enabled threat actors to blend command-and-control nodes with legitimate hosts that present similar features and profile. The talk aims to discuss challenges related to infrastructure analysis and propose a robust methodology leading to resilient tracking techniques. Using Joe Slowik's concept of treating indicators as composite objects, we will focus on profiling network artifacts like TLS certificates, exposed host services, and domains. By observing and combining multiple characteristics, analysts can establish patterns and signatures representing how an activity group creates their infrastructure, and as such gain more confidence in early detection and attribution.

The presentation will include use cases of tracking post-exploitation frameworks servers and role of infrastructure analysis in activity group clustering. The examples will aim to demonstrate how to fully exploit data that can be derived from an indicator utilizing the author's guide (available at https://bit.ly/infrastructure-exploitation) and data collected from widely accessible services such as Shodan or Censys.

Kamil Bojarski works as a Senior Analyst at Standard Chartered Bank's Client and Third-Party Intelligence team where he tracks down adversarial activity affecting the Bank's supply chain and supports outreach efforts. Kamil is also a teaching assistant at SANS Institute supporting students during FOR578 Cyber Threat Intelligence course, and a member of GIAC Advisory Board. You can read his musings on threat intelligence, OSINT and national security at counterintelligence.pl. His research interests are focused on counterintelligence aspects of information security, activity of eastern APT groups and cross-section of technical and political aspects of cyber operations.

This workshop offers a unique opportunity for participants to master the setup and operation of a Malware Lab, an indispensable asset in the field of cybersecurity. Expert-led sessions will guide attendees through the creation and management of environments for secure malware analysis. The program emphasizes the use of specially prepared virtual machines, enabling the safe examination and detonation of malware samples in a controlled setting.

A significant focus of the workshop is on Malware Analysis, particularly the use of Sandbox Techniques to observe and understand malware behavior in a granular way. A key aspect of this training involves the advanced skill of filtering events in large datasets. Participants will engage in hands-on exercises to execute malware in these environments, followed by thorough training in sophisticated event collection and analysis methods. These skills are vital for professionals tasked with sifting through extensive data to identify critical security threats. This workshop is designed to equip attendees with the necessary tools and insights to navigate and analyze complex cybersecurity environments effectively

A central feature of the workshop is advanced Malware Analysis, focusing on the utilization of Sandbox Techniques for detailed malware behavior observation. Participants will gain practical experience in sifting through large datasets, honing their skills in filtering and analyzing significant events from security data. This hands-on approach will equip them with the critical ability to identify and address sophisticated cyber threats effectively in today's complex security landscapes.

Remco is a Senior Security Researcher at Elastic's Security Labs, specializing in reversing and analyzing malware, particularly in the Linux domain. With a rich background as a forensic investigator for the Dutch Police, he brings a unique blend of law enforcement and cybersecurity expertise. At Elastic, Remco focuses on dissecting malware families, contributing to the development of innovative security strategies. His work is integral in understanding and mitigating emerging cyber threats, leveraging his extensive experience in digital forensics and threat analysis.

Ruben Groenewoud is a dynamic Threat Detection Engineer at Elastic, known for his innovative approach in cybersecurity. With a solid background in managing SOC operations and a Master's degree in Applied Machine Learning for Cybersecurity, Ruben brings a unique blend of practical experience and advanced academic knowledge. At Elastic, he plays a key role in enhancing threat detection systems, applying his expertise to develop smarter, data-centric security solutions. His contributions are characterized by a keen understanding of modern cyber threats and a commitment to evolving security technologies, making him a rising talent in the cybersecurity arena.

This workshop will introduce participants into some of the more intricate uses of MISP, especially in regards to automation and the use of the API. There will be a heavy focus on building efficient and accurate search queries, best practices for bucketing relevant information as well as integration with custom tools and formats.

Finding the right subset of information shared in a broad community such as FIRST can be challenging, but luckily we have a large toolbox at our disposal. We will cover a wide range of techniques to achieve this and participants will get to try out their newly acquired skills via a set of hands-on exercises.

Alexandre Dulaunoy encountered his first computer in the eighties, and he disassembled it to know how the thing works. While pursuing his logical path towards information security and free software, he worked as senior security network consultant at different places (e.g. Ubizen, now Cybertrust). He co-founded a startup called Conostix, which specialised in information security management. For the past 6 years, he was the manager of global information security at SES, a leading international satellite operator. He is now working at CIRCL in the research and operational fields. He is also a lecturer in information security at Paul-Verlaine University in Metz and the University of Luxembourg. He is also the lead developer of various open source tools including cve-search and member of the MISP core team. Besides his activities in cyber-security, he's also fond of generally fixing anything that's broken around the office.

Christian Studer joined CIRCL in 2017 after he graduated with a Master in Computer Science. During his master thesis at CIRCL he showed his capacity to lead existing CIRCL software such as the Potiron framework, a tool to normalize, index and visualize network captures. He is mainly working on MISP, contributing to the core development and several integrations with other tools and formats, most notable, he leads the STIX implementation of the project. He is also the co-chair of the OASIS CTI STIX Subcommittee.

Once upon a time, a central Threat Intelligence Platform (TIP) started to show the first signs of aging. A group of experts assembled and decided to replace it with a new and exciting one called MISP.

The team designed a majestic architecture with a dozen interconnected new instances of MISP puppies, each one dedicated to specific tasks. The litter enjoyed the new kingdom and all the puppies happily played along with each other, exchanging data using MISP native synchronization and filtering capabilities. Every issue that the old platform suffered from was taken care of. Therefore, on paper, everything was perfect.

But was it? What happened when the puppies grew up?

Join us for the fascinating tale of one of the most complex MISP ecosystems ever built - where the joy of raising feature-packed MISP puppies clashed with the tricky challenges of taming a technological beast - and we will share the valuable lessons that we learned in the vibrant chaos of our overengineered MISP zoo.

Enrico Lovat received his PhD from the Technical University of Munich for his research on the topics of usage control and information flow tracking. He joined Siemens CERT in 2016 in the dual role of Incident Handler and Cyber Threat Intelligence Team Lead. In 2022 he moved to Siemens Technology as Principal Key Expert, supervising the research in technologies and innovations for cybersecurity services.

Tobias Mainka serves as the Technical Lead for Cyber Threat Intelligence at Infineon AG, actively involved in building and coordinating the Cyber Threat Intelligence process. Before his current role, he was part of Siemens CERT specializing as a major incident responder, particularly drawn to special vulnerability handling.

In the realm of cybersecurity, staying ahead of emerging threats is paramount. Our presentation introduces an innovative system that revolutionizes how Cyber Threat Intelligence (CTI) is analyzed and utilized. By harnessing the power of advanced multimodal techniques, combining both textual and visual data, we offer a transformative approach for security analysts to convert an overwhelming influx of intelligence into structured data. The core of our system is a Natural Language-to-SQL (NL2SQL) technology, allowing analysts to navigate and extract critical information from the CTI database with ease. Our method extends beyond traditional search capabilities, presenting a conversational assistant that guides users through a question-answering interface, making the retrieval of complex intelligence both intuitive and efficient. This talk will unveil the intricacies of constructing such a system and demonstrate its ability to enhance the performance of security analysts.

Dr. Cheng-Lin Yang, currently a data science director at CyCraft Technology, where he is responsible for organizing and leading the machine learning team. He received his PhD in Artificial Intelligence from the University of Edinburgh and his research focuses on constructing efficient and effective machine learning workflows and utilizing machine learning techniques to automate detection and response along each phase of the cyberattack kill chain. He was a speaker at Black Hat USA, CyberSec, SECCON, PyCon Taiwan, PyCon Japan and AWS Summit Taiwan.

Kuan-Lun Liao is a data scientist at CyCraft Technology, where he is primarily responsible for designing human-compatible neural networks, including part-whole hierarchies learning and additive neural networks. He also applies various NLP techniques to solve cybersecurity issues, such as automatic AD security analysis and massive user behavior retrieval. Liao is passionate about exploring opportunities to use cutting-edge machine learning approaches in the field of cybersecurity. His work has been published in ICML, ICLR, and AAAI, three of the world's leading machine learning conferences.

This workshop introduces Early Warning Intelligence (EWI), a predictive approach that orchestrates cyber defense by anticipating threats before they materialize. Incorporating structured analytical techniques, we will explore two distinct methodologies for constructing an EWI system: profile-driven and correlation-guided research approaches, drawing from practical examples and previously published works.

This workshop will not only dissect these methods but will also argue for the integration of temporary countermeasures—a concept introduced to adjust cyber defense dynamically in response to elevated threat levels. Examples include tweaking rate limits and bot scores, configuring increased resources, and temporarily disabling features to mitigate impact, showcasing a shift from static to adaptive security postures.

Robin Dimyanoglu is the Red Team Lead at HelloFresh Global, with extensive experience in Cyber Threat Intelligence and Threat-Informed Defense. Robin is inspired to bring in concepts from war and intelligence studies to the field of cybersecurity. With a passion for staying ahead of the curve, he is committed to developing novel solutions to security problems.

The Private Search Set (PSS) is an extension to the standard Bloom filter or a standalone hash file to describe and share private set. It provides features such as fast lookup of values without disclosing the values, easy distribution of private sets to a group of users or organizations, watermarking and tracking down potential leak of a private search set (PSS), offline private search, and flexible meta-format to describe and extend the private search set (PSS). We will present the benefits for sharing communities using PSS and how it can improve the distribution of IoC, threat intelligence or leaked information.

Alexandre Dulaunoy encountered his first computer in the eighties, and he disassembled it to know how the thing works. While pursuing his logical path towards information security and free software, he worked as senior security network consultant at different places (e.g. Ubizen, now Cybertrust). He co-founded a startup called Conostix, which specialised in information security management. For the past 6 years, he was the manager of global information security at SES, a leading international satellite operator. He is now working at CIRCL in the research and operational fields. He is also a lecturer in information security at Paul-Verlaine University in Metz and the University of Luxembourg. He is also the lead developer of various open source tools including cve-search and member of the MISP core team. Besides his activities in cyber-security, he's also fond of generally fixing anything that's broken around the office.

Jean-Louis Huynen is a security researcher at CIRCL. He works on threat detection/intel and the development of tools to support incident response, Previously he collaborated with LIST-- Luxembourg Institute of Science and Technology (LU)--to the development of a Mixed Reality platform for the training for Security Critical Agents (mainly on firearms events and CBRN incidents). Previous research works (and his PhD) at SnT--Interdisciplinary Centre for Security, Reliability and Trust (LU)--focused on the usability of security systems and root cause analysis techniques for investigating security incidents.

A core dilemma within intelligence work is the act of disclosure: acting on information will, to some degree, expose to an entity that such information was collected. Furthermore, exposure of a single instance can lead to identification of far broader penetration, endangering subsequent collection of intelligence and thus further action. Yet, intelligence absent action can be deemed irrelevant and superfluous—leaving analysts and decision makers in a difficult position.

In this discussion, we will explore examples of intelligence disclosure in the cyber realm leading to adversary adaptation, and its consequence for defenders. As a result of this analysis, we will arrive at an understanding of the gain-loss dilemma underpinning cyber threat intelligence work. We will conclude the discussion with an assessment of how intelligence analysts can seek to balance continued collection with defender support, and what factors are most critical in deciding such issues.

Joe Slowik has over 15 years of experience across multiple security disciplines. Joe has previously built and led cyber threat intelligence operations at multiple organizations including Dragos, DomainTools, Gigamon, and Huntress, as well as performed significant operational roles in incident response and security management within the US government. Joe is primarily interested in intelligence applications to tactical security outcomes, and ensuring the relevance and efficacy of cyber threat intelligence in modern defensive environments.

Images are a common feature of documents, but they can also be a valuable source of intelligence for security analysts. By tracking the images that threat actors use in their documents, analysts can gain insights into their procedures, as well as their potential targets and impersonated companies.

This type of approach has helped us find and track the Russian cyber espionage group Gamaredon and others such as the group known as Blind Eagle that is suspected to be from Latin America and other APTs/Crime groups. It will also discuss the challenges and limitations of the approach.

Joseliyo Sanchez is a security engineer at VirusTotal - Google. Member of the ENISA Working Group on Cyber Threat Landscapes. Previously worked at McAfee and BlackBerry as a threat researcher. His main objectives are threat hunting that leads to detection engineering and analysis of APTs and Crime groups.