Program Agenda

Priority Intelligence Requirements (PIRs) are sometimes dismissed as "academic exercises" disconnected from practical operations. Their value is clear on a macro level to most CTI professionals. The challenge, however, lies in integrating these strategic concepts into day-to-day CTI, SOC and Security Operations, and Cyber Defense activities. When implemented effectively, PIRs not only guide CTI efforts but also strengthen the broader information security strategy by aligning it with current adversarial threats. This talk will offer a practical walkthrough of developing and operationalizing PIRs. It begins with foundational options for PIR development, followed by defining priority threat actors. It will introduce methodology for defining priority adversary TTPs from the list of priority threat actors. The process culminates in application of the priority adversary TTPs to detection, threat hunting, red teaming and updating of security controls thus ensuring threat-informed security.

Keith Swagler is a Cyber Threat Intelligence Analyst with a focus on Detection and Response at Red Hat. Keith has 10 years of IT experience, and previous security experience in Incident Response, Vulnerability Management, and Compliance.

Ondra Rojčík is a Cyber Threat Intelligence Analyst at Red Hat CTI team. He is providing intelligence analysis and strategic perspective to the Red Hat’s CTI program and its analytical production. He also lectures and consults on intelligence analysis tradecraft. Previously, he worked for the Czech National Cyber Security Agency (NUKIB), where he co-founded and led the Strategic Threat Intelligence function for over five years.

Bob Ross once said, “I think there’s an artist hidden at the bottom of every single one of us”. When you are ‘painting’ a company’s threat landscape, you convey answers to intelligence requirements as effectively as possible. Channel your inner artist. For example, building periodic briefings or yearly write-ups. Still, what makes a good threat landscape? What essential information should it contain? This workshop follows a walkthrough in producing such a deliverable. Combining hands-on examples and audience interaction. Several formats will be discussed, and templates made available. In addition, special attention will be given to the machine learning and AI trends. Finally, the facilitators will share practical tips, tricks, and happy accidents after years of creating threat landscape deliverables. After following this workshop, participants have built a first version of your team’s threat landscape deliverable or understand where you should adjust your existing deliverable. This workshop also recognizes the sensitivity of threat landscape contents. This workshop is meant to provide cyber threat intelligence teams the canvas, paint, brushes, and techniques needed to successfully create (recurring) threat landscape deliverables. Enabling them to create a larger narrative around cyber threats to support stakeholder decision making and drive security investment.

Gert-Jan Bruggink specializes in helping leaders make informed decisions on risk to prioritise security investment. He supports teams all over the world in understanding adversary tradecraft through threat-informed security programs and providing leaders actionable threat intelligence products. Gert-Jan founded boutique firm ‘Venation’ to pioneer the field of structured threat content through cyber threat intelligence subscription and advisory services. Previously, Gert-Jan co-founded innovative start-ups, fulfilled a cyber threat intelligence leadership role at a Big Four accounting firm, and held security engineering roles at a security integrator.

We understand well what the role of CTI is for our enterprise, but in the context of a PSIRT there are some significant challenges to establishing a CTI function when the products are not under your management or operational responsibility, and the product-related intelligence is largely kept secret.

We will take you through our findings while establishing the CTI function in our PSIRT and explain our scope and how we operationalise our intelligence.

Rhys leads major incident response activities which involve Ericsson’s product and services portfolio and brings these learnings back to the threat intelligence function for improving Ericsson’s product security posture.

This interactive presentation introduces the Admiralty System, a framework for evaluating the reliability of information, originally used for intelligence and now adapted for modern Cyber Threat Intelligence. It explores the system's two core concepts: Source Reliability and Information Credibility, enabling participants to critically assess and rate sources and information using practical CTI examples.

Freddy Murstad is the senior advisor for cyber threat intelligence (CTI) at Nordic Finance CERT (NFCERT) and has a specific focus on strategic reporting, as well as training in structured analysis techniques (SAT) and intelligence for CTI professionals in the financial sector. Murstad is educated in intelligence from King's College London with a focus on cyber security and a master's degree in counter-terrorism from the University of St Andrews, focusing on critical infrastructure. In May 2023, Murstad started his PhD education at the Norwegian University of Science and Technology (NTNU) and will research how to implement intelligence methodology into CTI programs and how AI might change how we do intelligence analysis, and thus, how this may change how we use intelligence in CTI.

Cyber operations are increasingly used as tools of statecraft, directly influenced by geopolitical events. Understanding the relationship between national policies and cyber threats is crucial for cyber threat intelligence analysts tasked with protecting organizations from state-sponsored attacks. This workshop, based on the book Geopolitical Cyber Threat Intelligence, offers CTI professionals practical approaches to analyzing how geopolitical factors shape cyber operations.

Participants will explore the intersection of cyber capabilities and national policy objectives, learning how to anticipate potential threats by analyzing global political dynamics. Through case studies of real-world conflicts such as the Russo-Ukrainian war, the Nagorno-Karabakh conflict, and tensions between Iran and Israel, attendees will gain insights into how states deploy cyber tactics in both peacetime and wartime scenarios.

Robin Dimyanoglu is a seasoned cyber security professional with over eight years of experience in Cyber Threat Intelligence, Application Security, and Red Teaming. He has worked with leading consultancy firms, delivering tailored threat intelligence and providing hands-on training in malware forensics and reverse engineering to SOC teams.

Beyond his professional work, Robin is an active member of the cyber community and frequently speaks at conferences, sharing insights from his research on Early Warning Intelligence and Predictive Cyber Defense. Drawing inspiration from war and intelligence studies, he founded Predictive Defense, where he develops and publishes novel methodologies. Robin is also the author of the book Geopolitical Cyber Threat Intelligence.

With the amount of malware we collect daily, it's important to automate basic investigations to drop the common ones and focus on real "fresh meat". Let's see how to automate this process.

Xavier Mertens is a freelance security consultant based in Belgium. With 15+ years of experience in information security, his job focuses on protecting his customers' assets by providing services like incident handling, investigations, log management, security visualization, OSINT). Xavier is also a Senior Handler at the SANS Internet Storm Center, SANS FOR610 instructor, a security blogger and co-organizer of the BruCON security conference.

We’ve all heard it before: “If everything is priority, nothing is priority”. We’ll challenge this statement through the lessons learned from Mandiant’s high-demand incident response work, and the Google Threat Intelligence machine that supports the frontlines. We’ll also abstract some concepts learned from time with the US military and how, believe it or not, they can translate to resource management and leading a team when “everything is priority”.

There will be some hard truths for analysts and leaders alike. But it will give confidence to challenge the notion that “if everything is priority” then maybe that’s okay!

Jake Nicastro is a Principal Intrusion Operations Analyst at Google Threat Intelligence / Mandiant. He spent 3 years as an incident response consultant before switching to intelligence, but didn't stray far. Jake's role on the Mandiant Advanced Practices team has been supporting incident response engagements with intelligence analysis and attribution. He also spent time with the US Army as an infantryman and a brief stint with cyber operations.

For the past decade, CTI operations in industry (and government to a lesser degree) have been driven by technology and venture capital. At the root of the problem is the misconception that because cyber threats target computers, the solution to the problem must be more technology. This misalignment has driven many corporate consumers into products and services that fail to address their needs, convincing them of value propositions they cannot fully realize. The reality is that at the root of most failed cyber-intelligence endeavors is a lack of planning and processes, further complicated by a technology-specific industry standard. While there are many CTI maturity models available, they are often tied to particular technologies or services, limiting their applicability across cyber-intelligence programs.

The CTI Capability Maturity Model (CTI-CMM) is a new practitioner-led initiative designed to break this cycle. It provides a comprehensive, flexible framework that can be applied across industries, independent of specific technologies. This talk explores how this vendor-neutral initiative offers a clear and practical approach to assessing the maturity of cyber-intelligence programs. In particular, we’ll address how the CTI-CMM:

• Offers unique value that compliments other models.
• Enables teams to broaden their operational scope (potentially securing greater funding).
• Deepens enterprise-wide engagement and appreciation for CTI.
• Can be used to develop a practical roadmap for maturing your program. These benefits enable organizations to create a more resilient and adaptive cyber-intelligence program that aligns better to their strategic objectives. We invite practitioners to contribute to this critical, community-driven initiative.

Gert-Jan Bruggink specializes in helping leaders use proven systems to make informed decisions about digital risk. He supports teams all across the world in understanding adversary tradecraft through narratives and systems thinking. Providing understanding of their threat landscape, enabling informed decision-making and developing cost-effective risk mitigation strategies. Gert-Jan is Founder & CEO of ‘Venation’, where he pioneers the field of scenario-based cyber threat intelligence deliverables. Previously, Gert-Jan co-founded innovative start-ups, fulfilled a cyber threat intelligence leadership role at a Big Four accounting firm, and held security engineering roles at a security integrator.

Andreas is a Cyber Threat Intelligence professional with over fifteen years of experience in cyber security. He focuses on applying threat intelligence and helping organizations manage threats mostly within the Energy, Technology, and Financial sectors as well as in European Union’s Agencies and Institutions. Andreas has been contributing to the CTI community since 2012 via public reports and presentations, his blog, newsletter, and instructing. His utmost goals are the maturing of threat management programs within organizations as well as the embedding CTI in policy making. Andreas Twitter handle is @asfakian and his website is threatintel.eu.

This session will walk you through how easy and powerful it can be to integrate new tools into your existing cybersecurity workflows in MISP. You'll learn the practical steps of plugging in external tools using misp-modules and misp-workflows, see a live demo of the process, discuss common integration challenges, and understand how automation with MISP can significantly reduce time to respond to threats and improve efficiency.

Sami Mokaddem is a software developer who has been contributing to the open-source community since 2016 in the fields of information sharing and leak detection. He is working for CIRCL and is part of the MISP core team where he develops and maintains the software as well as its related tools.

Join industry leaders for an engaging half-day workshop that introduces the core fundamentals of building an intelligence collection plan that aligns to stakeholder needs - individually and at scale - and creates a foundation for measuring success of your CTI program.

Participants will gain hands-on experience building their own plan from scratch using a scenario-based practical exercise, non-proprietary tools, and a catalog of "take home" resources including training videos, fillable templates and worksheets that are provided free of charge for use in their own environments.

Garrett Carstens is the Vice President of Intel Operations at Intel 471 coordinates internal and cross-departmental initiatives focused on optimizing timely and relevant intelligence production and delivery. Prior to joining Intel 471, Garrett spent over 15 years in various roles within the U.S. Department of Defense and the financial sector– always with a primary mission of identifying, analyzing and mitigating cyber threats.

Kevin has held senior roles at the Metropolitan Police Service, the UK’s National Crime Agency, KPMG UK, Pluralsight, and Intel 471, where he focused on intelligence gathering, threat analysis, and stakeholder engagement. During his 25 years with law enforcement, he was instrumental in developing and implementing national cybercrime strategies, including advising the UK government on the cyber incident response for the London 2012 Olympics.

Freddy is currently doing his PhD on the cross-section of intelligence and Cyber Threat Intelligence (CTI) and will research how the intelligence field can help mature the CTI field in the private sector. While researching for his PhD, Freddy also works as the senior threat intelligence analyst at Nordic Financial CERT (NFCERT) in Norway where he supports the financial sector with strategic intelligence. Freddy uses his education and experience with intelligence to bring a multifaceted approach to CTI and provide value to stakeholders.

This talk seeks to use the Russia-Ukraine war as a case study on how CTI teams can determine relevance and assess impact potential throughout rising geopolitical tensions, delving into third and fourth order effects. The talk will examine threat actor dynamics, ranging from targeting decision calculus to capabilities and frequency employed to how baseline understanding is apt to shift from a preconceived understanding of normal MO. It will discuss the potential for an emergence of new cyber threat actors to appear that were not previously tracked like GRU Unit 29155 operators.

Attendees will be pressed to reconsider their assumptions around appropriate messaging, cadence, and workflows relating to relevant threat actors baselines. The talk concludes by challenging the audience to think about how a China-Taiwan conflict may impact its organizations, similarities in approach, and how this type of geopolitical event varies from what transpired during the Russia-Ukraine conflict, acknowledging China's more prominent global influence and blowback potential to most organizations.

Mr. Doyle has over fifteen years of experience working in Cyber Threat Intelligence, Digital Forensics, Cyber Policy, and Security Awareness and Education. He has spent over a decade tracking multiple state-sponsored cyber actors (APTs) to support strategic, operational, and tactical intelligence requirements.

Simone Kraus, a seasoned IT-security professional, has been navigating the industry since 2001. After completing her apprenticeship, she pursued computer science studies and specialized as an SAP consultant. In 2013, she briefly left IT to explore diverse roles, including as a triathlete, fitness coach, and “Civilian on the Battlefield” (COB) for the US Army and Bundeswehr. Her passion for IT security eventually led her back, beginning as a DFIR Consultant and later transitioning to a Security Analyst role in 2022. Today, Simone holds the position of Senior IT-Security Specialist SOC where she focuses on threat intelligence, detection engineering and threat hunting.

Most CTI practitioners agree that threat prioritization is essential, but consensus hardly exists on how to prioritize something as complex as one APT group or ransomware operation over another. This session outlines why, after a decade supporting & consulting 100+ intelligence teams, the speaker firmly believes that quantification is the solution for more consistent & less biased threat prioritization, highlighting a tangible, successful case study from the physical security space (an ongoing U.S. government cargo security program launched in 2001). Then, we will dive into a review of numerous public data sources that can yield value for threat quantification, and a simplified methodology for using that data to generate rank-ordered lists of priority threats.

Scott Small is a security & intelligence practitioner and expert in cyber threat intelligence & threat modeling, open source research & investigations, and data analysis & automation. He currently serves as Director of Cyber Threat Intelligence at Tidal Cyber. Scott has advised enterprise and public sector security teams across maturity levels on technical and strategic applications of intelligence and on using technology to help identify and mitigate organizational risk. Throughout his career, he has briefed and trained large and small audiences and has presented original content at major security conferences, including DEFCON, FIRSTCON, MITRE ATT&CKcon, & BSides, and ISAC & other industry events.

Scott is an active member of the professional security and intelligence communities and a proponent of open-source information for upskilling and strengthening our collective security. In addition to contributing to community projects, he has published independent projects that aggregate and streamline publicly accessible security resources, as well as his own original tools & resources.

We have observed that vulnerabilities, proof-of-concepts (PoCs), and remediation strategies are frequently discussed online before they are officially published—sometimes from just a few hours to several weeks in advance.

Twitter’s restriction on free API access has impacted many communities that relied on its data. Meanwhile, Twitter is increasingly being abandoned in favor of Mastodon, especially within the infosec community. Consequently a new category of social network is emerging, more decentralized and more challenging to monitor. Of course, our work is not limited to social networks.

Monitoring information and discussions related to vulnerabilities across the web is essential. We believe that enriching vulnerability information before its public release can be highly beneficial for analysts. When people actively seek or exchange information about a vulnerability, it signals that the issue should be prioritized.

Cédric Bonhomme is a seasoned computer scientist with a deep passion for computer security and privacy. From 2010 to 2017, he worked as an R&D Engineer at a research center, specializing in Multi-Agent Systems and Cybersecurity. Since 2017, he has been an integral part of CIRCL, actively contributing to CSIRT operations and the development of innovative open-source software projects. Currently, he serves as the lead developer of Vulnerability-Lookup, driving advancements in vulnerability research and management.

Alexandre Dulaunoy encountered his first computer in the eighties, and he disassembled it to know how the thing works. While pursuing his logical path towards information security and free software, he worked as senior security network consultant at different places (e.g. Ubizen, now Cybertrust). He co-founded a startup called Conostix, which specialised in information security management. For the past 6 years, he was the manager of global information security at SES, a leading international satellite operator. He is now working at CIRCL in the research and operational fields. He is also a lecturer in information security at Paul-Verlaine University in Metz and the University of Luxembourg. He is also the lead developer of various open source tools including cve-search and member of the MISP core team. Besides his activities in cyber-security, he's also fond of generally fixing anything that's broken around the office.

At CIRCL, we have observed continuous activity over the past years in the field of threat intelligence, focused on gathering new pivot points, particularly from threat actors attempting to conceal their activities. In this talk, we will present various strategies for uncovering more insights by creating new pivot points in threat intelligence, ranging from analyzing common favicons to tracking QR codes and barcodes exchanged by cybercriminals.

We will also demonstrate how to use the tools to automatically create pivot points and uncover the relationships between threat actors.

Alexandre Dulaunoy encountered his first computer in the eighties, and he disassembled it to know how the thing works. While pursuing his logical path towards information security and free software, he worked as senior security network consultant at different places (e.g. Ubizen, now Cybertrust). He co-founded a startup called Conostix, which specialized in information security management. For the past 6 years, he was the manager of global information security at SES, a leading international satellite operator. He is now working at CIRCL in the research and operational fields. He is also a lecturer in information security at Paul-Verlaine University in Metz and the University of Luxembourg. He is also the lead developer of various open-source tools including cve-search and member of the MISP core team. Besides his activities in cyber-security, he's also fond of generally fixing anything that's broken around the office.

Dr. Thomas Schreck is a Professor for IT-Security at the Munich University of Applied Sciences. Prior he was a Principal Engineer for IT-Security at Siemens and the Head of Siemens CERT. He served between 2015 and 2021 on the Board of Directors of FIRST.org and was the Chairman from 2017 to 2019.

This presentation explores how project management fundamentals can enhance the cyber intelligence cycle by aligning intelligence efforts with stakeholder needs and business objectives. Attendees will learn actionable steps for creating structured, measurable processes that maximize decision-support value and streamline intelligence workflows.

In the complex landscape of cyber threat investigations, misattribution of even a single event can have cascading effects, leading to incorrect conclusions about threat actors and their motivations. This talk delves into real-world cases where a misattributed event entangled investigations into unrelated cybercrime and espionage activities.

Asli Koksal is a Senior Researcher in the Cyber Espionage team in Mandiant, part of Google Cloud with in-depth knowledge of tracking and hunting of Middle Eastern state-sponsored actors.