Training Day

Time | Session | Speakers
---|---|---
08:00 – 09:45 | Registration & Coffee |
09:45 – 10:30 | One SMALI Step for Man, One Giant Step for Researchers | Gabriel Cirlig (HUMAN Security, GB); Lindsay Kaye (HUMAN Security, US)
10:00 – 10:30 | Coffee Break |
10:30 – 12:00 | One SMALI Step for Man, One Giant Step for Researchers | Gabriel Cirlig (HUMAN Security, GB); Lindsay Kaye (HUMAN Security, US)
12:00 – 13:00 | Standing Lunch Break |
13:00 – 14:00 | One SMALI Step for Man, One Giant Step for Researchers | Gabriel Cirlig (HUMAN Security, GB); Lindsay Kaye (HUMAN Security, US)
Plenary Day 1

Time | Session | Speakers
---|---|---
08:00 – 09:30 | Registration & Coffee |
09:30 – 09:45 | | Matthew Valites (SAP, US)
09:45 – 10:30 | | Dave Herrald (Google Cloud Security, US); John Stoner (Google Cloud, US)
10:30 – 11:15 | Cybersecurity Legalities: Mastering Effective Breach Response Strategies | Matt Frontz (Polsinelli PC, US)
11:15 – 11:30 | Coffee Break: Sponsored by Google |
11:30 – 12:15 | | Aviv Sasson (Palo Alto Networks, IL); Sharon Ben Zeev (Prisma Cloud, Palo Alto Networks, IL)
12:15 – 13:15 | Standing Lunch Break |
13:15 – 14:00 | The Attack Surface Landscape in the Netherlands (and EU) - An Overview | Piotr Kijewski (Shadowserver, PL)
14:00 – 14:45 | From Soup to Nuts: Building a Detection-as-Code Pipeline | David French (Google Cloud, US)
14:45 – 15:00 | Social Break |
15:00 – 15:45 | Predator Spyware Operators Rebuild Multi-Tier Infrastructure to Target Mobile Devices | Julian-Ferdinand Vögele (Recorded Future, GB); Mark Kelly
15:45 – 16:30 | CoreTIDE: the First Project of the OpenTIDE Family | Amine Besson (Behemoth Cyberdefence, NL); Claus Houmann (Behemoth Cyberdefence, LU); Remi Seguy (European Commission, LU)
17:00 – 19:00 | |
Plenary Day 2

Time | Session | Speakers
---|---|---
08:00 – 09:30 | Registration & Coffee |
09:30 – 09:45 | Welcome & Introduction to FIRST | Gavin Reid (HUMAN Security, US)
09:45 – 10:30 | Make It Stop - Response via Prevention Engineering | Steve McKinney (Stripe, US)
10:30 – 11:15 | A Race Against Time: Responding to Advanced Threat Actors | Per Morten Sandstad (Mnemonic, NO)
11:15 – 11:30 | Coffee Break: Sponsored by Google |
11:30 – 12:15 | Hybrid Supply Chain Attacks & AML (Web 2.0 & Web3) | Andrew Cal (WestCap, US)
12:15 – 13:15 | Standing Lunch Break |
13:15 – 14:00 | Detecting and Preventing Adversary-in-the-Middle Attacks | Tobias Hahn (Lufthansa, DE)
14:00 – 14:45 | Operationalizing Threat Intelligence | Anish Bachu, Rick Logan-Stanford (TTCSIRT, TT)
14:45 – 15:00 | Social Break |
15:00 – 15:45 | Using DFIR Techniques To Recover From Infrastructure Outages | Xavier Mertens (Xavier Mertens Consulting, BE)
15:45 – 16:30 | Let’s Chat About Gross Public Text Generation | Eddy Willems (G DATA, BE); Righard Zwienenberg (ESET, NL)
17:00 – 19:00 | |
Per Morten Sandstad (Mnemonic, NO)
Per Morten Sandstad has more than 20 years' experience from the security industry, particularly with an emphasis on threat intelligence and leading incident management missions. At mnemonic, he leads a team within the Threat Intelligence department specializing in incident management and forensics. Before joining mnemonic, he helped establish FinansCERT Norge (now Nordic Financial CERT), where he led the work with threat intelligence and supported the financial industry's work with incident management.
This session will be moderated by: Jim Wolfe (US)
March 7, 2024 10:30-11:15
Amine Besson (Behemoth Cyberdefence, NL), Claus Houmann (Behemoth Cyberdefence, LU), Remi Seguy (European Commission, LU)
Amine Besson is a private contractor focused on designing and engineering large scalable detection systems for his clients, with a track record of innovative solutions deployed in critical sectors and challenging environments.
Claus Houmann is a curator of all things cyber, collecting news for his ever growing library as soon as blog posts get written.
Remi Seguy has worked in cybersecurity for more than 15 years mainly in Blue teams but is most interested to foster purple teaming. Remi fully supports Libre software and tries to contribute to the open source community.
This session will be moderated by: Nikolas Dobiasch (AT)
March 6, 2024 15:45-16:30
Benson-Housmann-Seguy-CoreTIDE-FIRST-TC-Amsterdam-2024.pdf
MD5: c6a77a065ebbb2fe8c3965fa65c254f3
Format: application/pdf
Last Update: June 7th, 2024
Size: 3.22 Mb
Matt Frontz (Polsinelli PC, US)
Matt Frontz is a Shareholder with Polsinelli PC, an AM100 law firm. Originally a software engineer, he focuses his legal practice on Intellectual Property and related fields.
This session will be moderated by: Joe Tallet (UK)
March 6, 2024 10:30-11:15
Matt-Frontz-Polsinelli-FIRST-Cybersecurity-Legalities-Presentation.pdf
MD5: 16e8da6dc70b4d7ccb13280a25124e46
Format: application/pdf
Last Update: June 7th, 2024
Size: 802.1 Kb
Tobias Hahn (Lufthansa, DE)
Adversary-in-the-middle (AitM) is a type of attack that allows attackers to intercept the authentication flows between users and a legitimate website (like O365 for example). Using tools like evilginx2, attackers can even circumvent most MFA solutions, and are able to capture and misuse the valid authentication token for the user that is created in this process.
Using this token, attackers are able to persist their access by adding a new MFA device, and will then try to use the data from the compromised account for further attacks, e.g. BEC attempts.
In this talk, I will provide a short introduction about AitM attacks, show various examples of attacks that (successfully) targeted Lufthansa employees, and provide insight into the incident response steps we took and into the lessons learned that we identified.
Tobias Hahn has been a member of the Lufthansa Cyber Defense Center & CERT for more than six years. His main responsibilities include Incident Response for all companies within the Lufthansa Group, building new detections in the central IT Security Monitoring, and being the Product Owner for the central EDR solution used within Lufthansa Group. Previously he has worked as IT Security consultant in the areas of IT Security Architecture, and as IT Security Researcher.
This session will be moderated by: Gabi Cirlig (UK)
March 7, 2024 13:15-14:00
David French (Google Cloud, US)
David French is a Detection & Response Engineer and Threat Hunter with many years of experience both working as a defensive cybersecurity practitioner and on the vendor side of life doing threat research and building security solutions. He currently works at Google Cloud where he helps security practitioners defend their organization from attack using Chronicle Security Operations.
This session will be moderated by: Nikolas Dobiasch (AT)
March 6, 2024 14:00-14:45
David-French-From-soup-to-nuts.pdf
MD5: e59b1de5c492dd99a637afd60313d1e5
Format: application/pdf
Last Update: June 7th, 2024
Size: 6.2 Mb
Andrew Cal (WestCap, US)
Andrew Cal joined WestCap in 2022 as VP of Cybersecurity with a focus on the development of portfolio security programs. In the ever-evolving security sector, Andrew spearheads and implements cutting-edge governance initiatives to ensure compliance is king throughout the portfolio. Before joining WestCap, Andrew marshaled the IT Audit practice at both USAA and Wells Fargo, developing robust analytic methodologies still in use today. Prior to entering the private sector, Andrew served in the military in a career spanning over ten years. He continues to serve his country as a Civil Affairs Officer in the Army Reserves. He enjoys traveling, keeping up with NY sports, and spending time at home with his wife and two dogs.
This session will be moderated by: Jim Wolfe (US)
March 7, 2024 11:30-12:15
Eddy Willems (G DATA, BE), Righard Zwienenberg (ESET, NL)
Eddy Willems is an internationally known cyber security expert from Belgium. He is a board member of three security industry organizations, EICAR, AVAR and LSEC, and is the resident Security Evangelist at G DATA Cyberdefense. He became a founding member of EICAR in 1991, one of the world’s first IT security organizations. Over the years he has served in many additional roles in different security industry organizations. Several CERTs, press agencies, print and online publications and broadcasting media, for example CNN, use his advice regularly. In October 2013 he published his first book in Belgium and the Netherlands, entitled ‘Cybergevaar’ (Lannoo). A German translation followed, and an updated English translation, Cyberdanger (Springer), was published in 2019. He is also co-author of the Dutch SF cyberthriller ‘Het Virus’, published in 2020. Eddy is a well-known, inspiring speaker who gives lectures and presentations (including TEDx) worldwide to a very diverse audience, from children to experts.
Righard Zwienenberg started dealing with computer viruses in 1988 after encountering the first virus problems at the Technical University of Delft. His interest thus kindled, he has studied virus behavior and presented solutions and detection schemes ever since. Initially starting as an independent consultant, in 1991 he co-founded CSE Ltd. In November 1995 Zwienenberg joined the Research and Development department of ThunderBYTE. In 1998 he joined the Norman Development team to work on the scanner engine. In 2005 Zwienenberg took the role of Chief Research Officer. After AMTSO – Anti Malware Testing Standards Organization – was formed, Zwienenberg was elected as president. He serves on the board of AVAR and on the Technical Overview Board of the WildList. In 2011 Zwienenberg was looking for new opportunities and started as a Senior Research Fellow at ESET. In April 2012 Zwienenberg stepped down as President of AMTSO to take the role of CTO and later CEO. In 2016 he rejoined the AMTSO board for another two-year run. He is also the Vice Chair of the Executive Committee of IEEE ICSG. In 2018, Zwienenberg joined the Europol European Cyber Crime Center (EC3) Advisory Group as an ESET representative.
Zwienenberg has been a member of CARO since late 1991. He is a frequent speaker at conferences – among these Virus Bulletin, EICAR, AVAR, FIRST, APWG, RSA, InfoSec, SANS, CFET, ISOI, SANS Security Summits, IP Expo, Government Symposia, SCADA seminars, etc. – and general security seminars. His interests are not limited to malicious code but have broadened to include general cybersecurity issues and encryption technologies over the past years.
This session will be moderated by: Gabi Cirlig (UK)
March 7, 2024 15:45-16:30
Steve McKinney (Stripe, US)
Steve McKinney is a tech lead within Stripe’s Security Analytics and Detection team focused on scaling detection and response capabilities. He started his career 15+ years ago at Cisco in security engineering, architecture, and solving large scale threat analytics problems. Steve was one of the founding members of the FIRST Big Data SIG. When not working, he enjoys hiking, hacking on side projects, and woodworking.
This session will be moderated by: Jim Wolfe (US)
March 7, 2024 09:45-10:30
Dave Herrald (Google Cloud Security, US), John Stoner (Google Cloud, US)
Dave Herrald has over 25 years of experience as a technical security practitioner and leader across many industries, including technology, payments, manufacturing, media, and software. In recent years, Dave’s passion has been to improve the experience of information security analysts by developing large-scale experiential learning programs. Dave co-created Splunk’s Boss of the SOC (BOTS) blue-team CTF, reaching tens of thousands of security professionals globally. Today, Dave leads the Adoption Engineering team at Google Cloud Security, focusing on field research and developing programs for the success of security practitioners. Dave holds a degree in computer science from Iowa State University and has earned many security certifications, including GIAC GSE #79. Dave and his family live in Colorado, where he enjoys skiing, cycling, and woodworking.
John Stoner is a Principal Security Strategist at Google Cloud and leverages his experience to improve users' capabilities in Security Operations, Threat Hunting, Incident Response and Threat Intelligence. He blogs on threat hunting and security operations and has built multiple APT threat emulations for blue team capture the flag events. John has presented and led workshops at various industry symposia including FIRST, BSides, SANS Summits and DefCon Packet Hacking Village. He also enjoys listening to what his former teammates referred to as "80s sad-timey music."
This session will be moderated by: Joe Tallet (UK)
March 6, 2024 09:45-10:30
Stoner-Herrald-Google-2024FIRST-TC-GraphRunner.pdf
MD5: 7bb0c7623d0f845fca3ada398f82cea3
Format: application/pdf
Last Update: June 7th, 2024
Size: 6.75 Mb
Gabriel Cirlig (HUMAN Security, GB), Lindsay Kaye (HUMAN Security, US)
With more and more people using their phones as their primary device, the prevalence of mobile malware has skyrocketed. People nowadays store their money, memories and digital identities in their pockets, making their phones a ripe avenue for attackers. From the high-level threat landscape down to the nitty-gritty of every specific actor, understanding the basics of Android reverse engineering can give an analyst the necessary cutting edge. This is what this workshop aims to deliver: taking people from zero to hero in order to give them a more thorough understanding of the Android malware landscape.
Requirements: laptop capable of Nested Virtualization with VMWare Player installed.
Gabriel Cirlig - Software developer turned rogue, Gabriel went from developing apps for small businesses to 2M+ DAU Facebook games while keeping an eye for everything shiny and new. For a couple of years he has shifted gears and started his career as a security researcher at HUMAN Security while speaking at various conferences showcasing whatever random stuff he hacked. With a background in electronics engineering and various programming languages, Gabi likes to dismantle and hopefully put back whatever he gets his hands on.
Lindsay Kaye is the Vice President of Threat Intelligence at HUMAN Security. Her technical specialty spans the fields of malware analysis and reverse engineering, with a keen interest in dissecting custom cryptographic systems. Lindsay is an internationally-recognized cybersecurity speaker and author. Lindsay holds a BS in Engineering with a Concentration in Computing from Olin College of Engineering and an MBA from Babson College.
March 5, 2024 09:45-10:30, March 5, 2024 10:30-12:00, March 5, 2024 13:00-14:00
Anish Bachu (TTCSIRT, TT), Rick Logan-Stanford (TTCSIRT, TT)
Rick Logan-Stanford is a progressive ICT/Security professional who is fully capable of handling any challenge by drawing on the sum of his collective experience and training. Thirteen years of employment have made him proficient in designing, maintaining and troubleshooting Active Directory, MS Exchange and network security. He is currently focused on advancing his career in cyber security, building proficiency in, but not limited to, incident response, digital forensics, vulnerability assessments and cyber-related laws.
This session will be moderated by: Gabi Cirlig (UK)
March 7, 2024 14:00-14:45
Rick-Logan-Stanford-TTCSIRT-Operationalizing-Threat-Intelligence.pdf
MD5: dbcf0401e3ff92442c819bfdea16e9b1
Format: application/pdf
Last Update: June 7th, 2024
Size: 1.24 Mb
Julian-Ferdinand Vögele (Recorded Future, GB), Mark Kelly
Julian-Ferdinand Vögele is a threat researcher at Recorded Future’s Insikt Group with extensive expertise in malware research, threat hunting, and intelligence. Julian-Ferdinand focuses on malware analysis and malicious infrastructure detection. Before joining Recorded Future, Julian-Ferdinand worked in IT security at Security Research Labs, where he conducted security research and engaged in red team exercises. He studied computer science at UCL and is currently a fellow of the European Cyber Conflict Research Initiative (ECCRI).
This session will be moderated by: Nikolas Dobiasch (AT)
March 6, 2024 15:00-15:45
Aviv Sasson (Palo Alto Networks, IL), Sharon Ben Zeev (Prisma Cloud, Palo Alto Networks, IL)
Aviv Sasson is an experienced researcher with over 9 years of experience in application and cloud security, having presented his research at top conferences such as DEFCON, KubeCon, and Open Source Summit. Currently, he leads a dedicated team of researchers at Palo Alto Networks, focusing on enhancing the security of Web applications and APIs in the cloud.
Sharon Ben Zeev is a Sr. Security Research Manager at Prisma Cloud, Palo Alto Networks, specializing in open-source and cloud security. Having researched vulnerabilities in open source projects and worked on enhancing Prisma Cloud’s vulnerability management, Sharon brings a wealth of knowledge in software security, specifically in the realm of supply chain vulnerabilities.
This session will be moderated by: Joe Tallet (UK)
March 6, 2024 11:30-12:15
Piotr Kijewski (Shadowserver, PL)
Piotr Kijewski is a member of The Shadowserver Foundation, a non-profit with a mission of making the Internet a more secure environment, where he helps make things work. He has a strong CSIRT background, previously working in incident response at a national level for 14 years in the CERT Polska (CERT.PL) team. He managed the team for nearly 7 years up till 2016, building up its various security data gathering and analysis projects as well as managing its anti-malware operations, including numerous botnet disruptions. Piotr is also a member of The Honeynet Project (where he also served as a Director), a well-known and respected non-profit that is committed to the development of honeypot technologies and threat analysis.
This session will be moderated by: Nikolas Dobiasch (AT)
March 6, 2024 13:15-14:00
Xavier Mertens (Xavier Mertens Consulting, BE)
Xavier Mertens is a freelance security consultant based in Belgium. With 15+ years of experience in information security, his job focuses on protecting his customers' assets by providing services such as incident handling, investigations, log management, security visualization and OSINT. Xavier is also a Senior Handler at the SANS Internet Storm Center, a SANS FOR610 instructor, a security blogger and co-organizer of the BruCON security conference.
This session will be moderated by: Gabi Cirlig (UK)
March 7, 2024 15:00-15:45
Matthew Valites (SAP, US)
Matt Valites has spent the past 15+ years in various security roles spanning leadership, operations, investigations, field sales, and research. Currently leading Threat Detection Operations and Operational Strategy at SAP's Global Security Operations, he's spent most of his career in the Enterprise Software-as-a-Service space. He's a co-author of O'Reilly's Crafting the Infosec Playbook and a longtime active member of the FIRST organization.
March 6, 2024 09:30-09:45
Gavin Reid (HUMAN Security, US)
Gavin Reid serves as the CISO for HUMAN Security, a cybersecurity company that specializes in safeguarding enterprises from digital attacks while preserving digital experiences for users. In addition, he leads the Satori Threat Intelligence and Research Team as VP of Threat Intelligence.
Gavin began his cybersecurity career in information security at NASA's Johnson Space Center. He later went on to create Cisco's Security Incident Response Team (CSIRT), Cisco's Threat Research and Communications (TRAC), and Fidelity's Cyber Information Group (CIG). Before joining HUMAN, Gavin served as the CSO for Recorded Future, where he was responsible for ensuring the protection, integrity, confidentiality, and availability of all customer-facing services, internal operational systems, and related information assets. For more than 20 years, Gavin has managed every aspect of security for large enterprises.
March 7, 2024 09:30-09:45
Gavin-Reid-Thursday-Intro-FIRST-2023.pdf
MD5: b995c2c16e2f396febf665acd0d343aa
Format: application/pdf
Last Update: June 7th, 2024
Size: 1.48 Mb