Program Agenda

Modern cyber adversaries are evolving more regularly than ever before, and CTI & defender teams must adapt accordingly. Practitioners are likely familiar with the concept of IOC “volatility”, but evolution now happens frequently even at the behavioral level, which is traditionally seen as less dynamic (see the Pyramid of Pain).

This evolution is nuanced, occurring at both strategic & tactical levels, which in itself has implications for defender adaptation. This session will review timely examples of adversary behavioral evolution at three levels - Tactic, Technique, & Procedure evolution - highlighting differences in their frequency; various drivers & incentives for each type; and steps CTI & defender teams can take to account for them, including collection tuning, tracking strategies, and prioritization of more “robust” countermeasures (e.g. behavioral detections & mitigations) over “brittle” defenses.

Scott Small is a security & intelligence practitioner and expert in cyber threat intelligence & threat modeling, open source research & investigations, and data analysis & automation. He currently serves as Director of Cyber Threat Intelligence at Tidal Cyber. Scott has advised enterprise and public sector security teams across maturity levels on technical and strategic applications of intelligence and on using technology to help identify and mitigate organizational risk. Throughout his career, he has briefed and trained large and small audiences and has presented original content at major security conferences, including DEFCON, FIRSTCON, MITRE ATT&CKcon, & BSides, and ISAC & other industry events.

Scott is an active member of the professional security and intelligence communities and a proponent of open-source information for upskilling and strengthening our collective security. In addition to contributing to community projects, he has published independent projects that aggregate and streamline publicly accessible security resources, as well as his own original tools & resources.

Priority Intelligence Requirements (PIRs) are sometimes dismissed as "academic exercises" disconnected from practical operations. Their value is clear on a macro level to most CTI professionals. The challenge, however, lies in integrating these strategic concepts into day-to-day CTI, SOC and Security Operations, and Cyber Defense activities. When implemented effectively, PIRs not only guide CTI efforts but also strengthen the broader information security strategy by aligning it with current adversarial threats. This talk will offer a practical walkthrough of developing and operationalizing PIRs. It begins with foundational options for PIR development, followed by defining priority threat actors. It will introduce methodology for defining priority adversary TTPs from the list of priority threat actors. The process culminates in application of the priority adversary TTPs to detection, threat hunting, red teaming and updating of security controls thus ensuring threat-informed security.

Keith Swagler is a Cyber Threat Intelligence Analyst with a focus on Detection and Response at Red Hat. Keith has 10 years of IT experience, and previous security experience in Incident Response, Vulnerability Management, and Compliance.

Ondra Rojčík is a Cyber Threat Intelligence Analyst at Red Hat CTI team. He is providing intelligence analysis and strategic perspective to the Red Hat’s CTI program and its analytical production. He also lectures and consults on intelligence analysis tradecraft. Previously, he worked for the Czech National Cyber Security Agency (NUKIB), where he co-founded and led the Strategic Threat Intelligence function for over five years.

Bob Ross once said, “I think there’s an artist hidden at the bottom of every single one of us”. When you are ‘painting’ a company’s threat landscape, you convey answers to intelligence requirements as effectively as possible. Channel your inner artist. For example, building periodic briefings or yearly write-ups. Still, what makes a good threat landscape? What essential information should it contain? This workshop follows a walkthrough in producing such a deliverable. Combining hands-on examples and audience interaction. Several formats will be discussed, and templates made available. In addition, special attention will be given to the machine learning and AI trends. Finally, the facilitators will share practical tips, tricks, and happy accidents after years of creating threat landscape deliverables. After following this workshop, participants have built a first version of your team’s threat landscape deliverable or understand where you should adjust your existing deliverable. This workshop also recognizes the sensitivity of threat landscape contents. This workshop is meant to provide cyber threat intelligence teams the canvas, paint, brushes, and techniques needed to successfully create (recurring) threat landscape deliverables. Enabling them to create a larger narrative around cyber threats to support stakeholder decision making and drive security investment.

Gert-Jan Bruggink specializes in helping leaders make informed decisions on risk to prioritise security investment. He supports teams all over the world in understanding adversary tradecraft through threat-informed security programs and providing leaders actionable threat intelligence products. Gert-Jan founded boutique firm ‘Venation’ to pioneer the field of structured threat content through cyber threat intelligence subscription and advisory services. Previously, Gert-Jan co-founded innovative start-ups, fulfilled a cyber threat intelligence leadership role at a Big Four accounting firm, and held security engineering roles at a security integrator.

We understand well what the role of CTI is for our enterprise, but in the context of a PSIRT there are some significant challenges to establishing a CTI function when the products are not under your management or operational responsibility, and the product-related intelligence is largely kept secret.

We will take you through our findings while establishing the CTI function in our PSIRT and explain our scope and how we operationalise our intelligence.

Rhys leads major incident response activities which involve Ericsson’s product and services portfolio, and brings these learnings back to the threat intelligence function for improving Ericsson’s product security posture.

Cyber operations are increasingly used as tools of statecraft, directly influenced by geopolitical events. Understanding the relationship between national policies and cyber threats is crucial for cyber threat intelligence analysts tasked with protecting organizations from state-sponsored attacks. This workshop, based on the book Geopolitical Cyber Threat Intelligence, offers CTI professionals practical approaches to analyzing how geopolitical factors shape cyber operations.

Participants will explore the intersection of cyber capabilities and national policy objectives, learning how to anticipate potential threats by analyzing global political dynamics. Through case studies of real-world conflicts such as the Russo-Ukrainian war, the Nagorno-Karabakh conflict, and tensions between Iran and Israel, attendees will gain insights into how states deploy cyber tactics in both peacetime and wartime scenarios.

Robin Dimyanoglu is the Red Team Lead at HelloFresh Global, with extensive experience in Cyber Threat Intelligence and Threat-Informed Defense. Robin is inspired to bring in concepts from war and intelligence studies to the field of cybersecurity. With a passion for staying ahead of the curve, he is committed to developing novel solutions to security problems.

With the amount of malware we collect daily, it's important to automate basic investigations to drop the common ones and focus on real "fresh meat". Let's see how to automate this process.

Xavier Mertens is a freelance security consultant based in Belgium. With 15+ years of experience in information security, his job focuses on protecting his customers' assets by providing services like incident handling, investigations, log management, security visualization, OSINT). Xavier is also a Senior Handler at the SANS Internet Storm Center, SANS FOR610 instructor, a security blogger and co-organizer of the BruCON security conference.

We’ve all heard it before: “If everything is priority, nothing is priority”. We’ll challenge this statement through the lessons learned from Mandiant’s high-demand incident response work, and the Google Threat Intelligence machine that supports the frontlines. We’ll also abstract some concepts learned from time with the US military and how, believe it or not, they can translate to resource management and leading a team when “everything is priority”.

There will be some hard truths for analysts and leaders alike. But it will give confidence to challenge the notion that “if everything is priority” then maybe that’s okay!

Jake Nicastro is a Principal Intrusion Operations Analyst at Google Threat Intelligence / Mandiant. He spent 3 years as an incident response consultant before switching to intelligence, but didn't stray far. Jake's role on the Mandiant Advanced Practices team has been supporting incident response engagements with intelligence analysis and attribution. He also spent time with the US Army as an infantryman and a brief stint with cyber operations.

This session will walk you through how easy and powerful it can be to integrate new tools into your existing cybersecurity workflows in MISP. You'll learn the practical steps of plugging in external tools using misp-modules and misp-workflows, see a live demo of the process, discuss common integration challenges, and understand how automation with MISP can significantly reduce time to respond to threats and improve efficiency.

Sami Mokaddem is a software developer who has been contributing to the open-source community since 2016 in the fields of information sharing and leak detection. He is working for CIRCL and is part of the MISP core team where he develops and maintains the software as well as its related tools.

Join industry leaders for an engaging half-day workshop that introduces the core fundamentals of building an intelligence collection plan that aligns to stakeholder needs - individually and at scale - and creates a foundation for measuring success of your CTI program.

Participants will gain hands-on experience building their own plan from scratch using a scenario-based practical exercise, non-proprietary tools, and a catalog of "take home" resources including training videos, fillable templates and worksheets that are provided free of charge for use in their own environments.

Freddy is currently doing his PhD on the cross-section of intelligence and Cyber Threat Intelligence (CTI) and will research how the intelligence field can help mature the CTI field in the private sector. While researching for his PhD, Freddy also works as the senior threat intelligence analyst at Nordic Financial CERT (NFCERT) in Norway where he supports the financial sector with strategic intelligence. Freddy uses his education and experience with intelligence to bring a multifaceted approach to CTI and provide value to stakeholders.

As Chief Intelligence Officer, Michael DeBolt provides strategic and operational leadership across Intel 471's globally diverse team of HUMINT and technical researchers, linguists, analysts, and intelligence consultants. Before Intel 471, Michael developed strategy and led operations as the US representative and Head of Cybercrime Intelligence at INTERPOL. As a Special Agent at the US Naval Criminal Investigative Service (NCIS), he specialized in national security cyber operations and cybercriminal investigations. Michael is a proud US Marine Corps infantry veteran.

This talk seeks to use the Russia-Ukraine war as a case study on how CTI teams can determine relevance and assess impact potential throughout rising geopolitical tensions, delving into third and fourth order effects. The talk will examine threat actor dynamics, ranging from targeting decision calculus to capabilities and frequency employed to how baseline understanding is apt to shift from a preconceived understanding of normal MO. It will discuss the potential for an emergence of new cyber threat actors to appear that were not previously tracked like GRU Unit 29155 operators.

Attendees will be pressed to reconsider their assumptions around appropriate messaging, cadence, and workflows relating to relevant threat actors baselines. The talk concludes by challenging the audience to think about how a China-Taiwan conflict may impact its organizations, similarities in approach, and how this type of geopolitical event varies from what transpired during the Russia-Ukraine conflict, acknowledging China's more prominent global influence and blowback potential to most organizations.

Mr. Doyle has over fifteen years of experience working in Cyber Threat Intelligence, Digital Forensics, Cyber Policy, and Security Awareness and Education. He has spent over a decade tracking multiple state-sponsored cyber actors (APTs) to support strategic, operational, and tactical intelligence requirements.

I work since 2001 in the IT-Security. After my apprenticeship I studied computer science, was a specialized SAP consultant for many years and left the IT 2013. After some years as triathlete, a-licence fitness coach, life-guard and civilian on the battlefield for the US Army and Bundeswehr I had made the decision to start again in the IT as a cyber security analyst. Since June 2022 I work as a security analyst for Orange Cyberdefense in the incident response (OT/IT environment). Within the Analyst as a Service consulting I do "MITRE Detection Engineering" and threat modeling besides incident response and threat hunting. https://www.orangecyberdefense.com/be/about-us/international-womens-day/simone-kraus

Most CTI practitioners agree that threat prioritization is essential, but consensus hardly exists on how to prioritize something as complex as one APT group or ransomware operation over another. This session outlines why, after a decade supporting & consulting 100+ intelligence teams, the speaker firmly believes that quantification is the solution for more consistent & less biased threat prioritization, highlighting a tangible, successful case study from the physical security space (an ongoing U.S. government cargo security program launched in 2001). Then, we will dive into a review of numerous public data sources that can yield value for threat quantification, and a simplified methodology for using that data to generate rank-ordered lists of priority threats.

Scott Small is a security & intelligence practitioner and expert in cyber threat intelligence & threat modeling, open source research & investigations, and data analysis & automation. He currently serves as Director of Cyber Threat Intelligence at Tidal Cyber. Scott has advised enterprise and public sector security teams across maturity levels on technical and strategic applications of intelligence and on using technology to help identify and mitigate organizational risk. Throughout his career, he has briefed and trained large and small audiences and has presented original content at major security conferences, including DEFCON, FIRSTCON, MITRE ATT&CKcon, & BSides, and ISAC & other industry events.

Scott is an active member of the professional security and intelligence communities and a proponent of open-source information for upskilling and strengthening our collective security. In addition to contributing to community projects, he has published independent projects that aggregate and streamline publicly accessible security resources, as well as his own original tools & resources.

We have observed that vulnerabilities, proof-of-concepts (PoCs), and remediation strategies are frequently discussed online before they are officially published—sometimes from just a few hours to several weeks in advance.

Twitter’s restriction on free API access has impacted many communities that relied on its data. Meanwhile, Twitter is increasingly being abandoned in favor of Mastodon, especially within the infosec community. Consequently a new category of social network is emerging, more decentralized and more challenging to monitor. Of course, our work is not limited to social networks.

Monitoring information and discussions related to vulnerabilities across the web is essential. We believe that enriching vulnerability information before its public release can be highly beneficial for analysts. When people actively seek or exchange information about a vulnerability, it signals that the issue should be prioritized.

Cédric Bonhomme is a seasoned computer scientist with a deep passion for computer security and privacy. From 2010 to 2017, he worked as an R&D Engineer at a research center, specializing in Multi-Agent Systems and Cybersecurity. Since 2017, he has been an integral part of CIRCL, actively contributing to CSIRT operations and the development of innovative open-source software projects. Currently, he serves as the lead developer of Vulnerability-Lookup, driving advancements in vulnerability research and management.

Alexandre Dulaunoy encountered his first computer in the eighties, and he disassembled it to know how the thing works. While pursuing his logical path towards information security and free software, he worked as senior security network consultant at different places (e.g. Ubizen, now Cybertrust). He co-founded a startup called Conostix, which specialised in information security management. For the past 6 years, he was the manager of global information security at SES, a leading international satellite operator. He is now working at CIRCL in the research and operational fields. He is also a lecturer in information security at Paul-Verlaine University in Metz and the University of Luxembourg. He is also the lead developer of various open source tools including cve-search and member of the MISP core team. Besides his activities in cyber-security, he's also fond of generally fixing anything that's broken around the office.

At CIRCL, we have observed continuous activity over the past years in the field of threat intelligence, focused on gathering new pivot points, particularly from threat actors attempting to conceal their activities. In this talk, we will present various strategies for uncovering more insights by creating new pivot points in threat intelligence, ranging from analyzing common favicons to tracking QR codes and barcodes exchanged by cybercriminals.

We will also demonstrate how to use the tools to automatically create pivot points and uncover the relationships between threat actors.

Alexandre Dulaunoy encountered his first computer in the eighties, and he disassembled it to know how the thing works. While pursuing his logical path towards information security and free software, he worked as senior security network consultant at different places (e.g. Ubizen, now Cybertrust). He co-founded a startup called Conostix, which specialised in information security management. For the past 6 years, he was the manager of global information security at SES, a leading international satellite operator. He is now working at CIRCL in the research and operational fields. He is also a lecturer in information security at Paul-Verlaine University in Metz and the University of Luxembourg. He is also the lead developer of various open source tools including cve-search and member of the MISP core team. Besides his activities in cyber-security, he's also fond of generally fixing anything that's broken around the office.

Thomas Schreck is a Board member and a former Chairman of the Forum of Incident Response and Security Teams (FIRST.org). Thomas is a Professor for IT Security and the University of Applied Sciences in Munich. Prior to this role, he was a Principal Security Engineer at Siemens and was the head of Siemens CERT. He holds a Diploma degree in Computer Science from the University of Applied Sciences Landshut and a PhD in Computer Engineering from the Friedrich-Alexander University Erlangen-Nuremberg.

This presentation explores how project management fundamentals can enhance the cyber intelligence cycle by aligning intelligence efforts with stakeholder needs and business objectives. Attendees will learn actionable steps for creating structured, measurable processes that maximize decision-support value and streamline intelligence workflows.

Brian Mohr helps intelligence teams of all sizes and industries provide excellent service to their decision-makers using intelligence requirements. Brian believes that intelligence work comes down to two core tenets: the purpose of intelligence is providing decision support to leadership and providing intelligence is a customer service. To support these tenets within intelligence teams, Brian co-founded the SaaS company 'ReqFast' providing intelligence requirements and workflow management for intelligence teams. Improving the efficiency & efficacy of teams and enabling them to demonstrate value with actual metrics. Previously, Brian worked in both the private and public intelligence community for over twenty years.

This presentation explores how project management fundamentals can enhance the cyber intelligence cycle by aligning intelligence efforts with stakeholder needs and business objectives. Attendees will learn actionable steps for creating structured, measurable processes that maximize decision-support value and streamline intelligence workflows.