Program Overview

Please note: Monday sessions are being held in two different locations that are about 30 mins away by taxi:

BT
BT Centre
81 Newgate Street
London, EC1A 7AJ
DS
Digital Shadows
The Columbus Building
6th Floor, 7 Westferry Circus
London, E14 4HD

Route between DS and BT - Maps provided by Google

Monday, 18 March

Training and Workshops (parallel tracks: BT Auditorium, BT A1, DS/BL, DS Theater)

09:00 – 13:00

BT Auditorium: Using ATT&CK™ for Cyber Threat Intelligence Workshop
BT A1: MISP Threat Intelligence Analyst and Administrators
DS/BL: OPSEC for investigators and researchers
DS Theater: Beginner Tracking Adversary Infrastructure

14:00 – 18:00

BT Auditorium: Tutorial on OSINT tradecraft
BT A1: MISP Threat Intelligence Analyst and Administrators
DS/BL: Training: The ACT Threat Intelligence Platform
DS Theater: Beginner Tracking Adversary Infrastructure

Tuesday, 19 March

Plenary - March 19 - BT Centre Auditorium
09:00 – 09:30

5 years of applied CTI discipline: where should organisations put focus on?

Andreas Sfakianakis

09:30 – 10:00

Bootstrapping a Threat Intelligence Operation

Jon Røgeberg

10:00 – 10:45

Building, Running, and Maintaining a CTI Program

Michael Schwartz & Ryan Miller

10:45 – 11:15

Coffee Break

11:15 – 12:00

TIBER: connecting threat intelligence and red teaming

Marc Smeets & Stan Hegt

12:00 – 13:00

Lunch

13:00 – 13:30

5 years in adversary emulation

James Chappell

13:30 – 14:00

Adventures in Blunderland

Allison Wikoff & Matt Webster

14:00 – 14:30

All Your Heatmap Are Belong To Us - Building an Adversary Behavior Sighting Ecosystem

Richard Struse

14:30 – 15:00

Logistical Budget

Eireann Leverett & Bruce Stenning

15:00 – 15:30

Coffee Break

15:30 – 16:00

The Hitchhiker's Guide to Threat Research

Bryan Lee

16:00 – 16:30

Cloudy with low confidence of Threat Intelligence: How to use and create Threat Intelligence in an Office365 Environment

Ryan Kovar & Dave Herrald

16:30 – 17:00

Drawing the line: cyber mercenary or cyber threat intelligence provider?

Stewart Bertram

17:00 – 17:30

Going from Guilt to Guild: Confessions of a TI Provider

Diederik Perk

17:30 – 18:00

A Lightweight Markup Language for Graph-Structured Threat Sharing

Mayo Yamasaki

Wednesday, 20 March

Plenary - March 20 - BT Centre Auditorium
Workshop - March 20 - BT Centre A1 conference room
09:00 – 09:30

Turning intelligence into action with MITRE ATT&CK™

Katie Nickels & Adam Pennington

09:30 – 10:00

ATT&CK™ Is The Best Form Of…Reconnaissance: Using MITRE PRE-ATT&CK™ To Enrich Your Threat Model

Richard Gold & Rafael Amado

10:00 – 10:30

Metrics and ATT&CK. Or how I failed to measure everything.

Francesco Bigarella

10:30 – 11:00

Coffee Break

11:00 – 11:30

Quality Over Quantity: Determining Your CTI Detection Efficacy

David Bianco

11:30 – 12:00

How to get promoted: Developing metrics to show how threat intel works

Toni Gidwani & Marika Chauvin

12:00 – 13:00

Lunch

13:00 – 13:30

EVALUATE OR DIE TRYING - A Methodology for Qualitative Evaluation of Cyber Threat Intelligence Feeds

Sergey Polzunov & Jörg Abraham

Workshop (BT Centre A1 conference room), 13:00 – 15:00

The Art and Science of Attribution

13:30 – 14:00

Building STINGAR to enable large scale data sharing in near real-time

Jesse Bowling

14:00 – 14:30

A Place for Analysis of Competing Hypothesis (ACH) in CTI: Applications and Evolution of ACH in CTI

Caitlin Huey

14:30 – 15:00

Your Requirements are not my Requirements

Pasquale Stirparo

15:00 – 15:30

Coffee Break

Workshop (BT Centre A1 conference room), 15:00 – 18:00

FIRST CTI SIG BoF

15:30 – 16:00

Semi-intelligence: trying to understand threats on a country level

Paweł Pawliński

16:00 – 16:30

Statistical Techniques to detect Covert Channels Employing DNS

Dhia Mahjoub & Thomas Mathew

16:30 – 17:00

Code Re-Use Analysis - Transforming a disadvantage to a game-changer advantage

Ignacio Sanmillan

17:00 – 17:30

File-Centric Analysis through the Use of Recursive Scanning Frameworks

David Zawdie

17:30 – 18:00

Insights and Challenges to Automated Collaborative Courses of Action

Allan Thomson & Bret Jordan

Plenary Sessions

Building, Running, and Maintaining a CTI Program

Michael Schwartz & Ryan Miller

TBD

5 years in adversary emulation

James Chappell

TBD

Insights and Challenges to Automated Collaborative Courses of Action

Allan Thomson & Bret Jordan

TBD

How to Structure Analysis of Competing Hypotheses (ACH) – Introducing the Hypothesis Object and Moving Beyond the STIX 2.1 Opinion Object

Caitlin Huey

TBD

Statistical Techniques to detect Covert Channels Employing DNS

Dhia Mahjoub & Thomas Mathew

TBD

All Your Heatmap Are Belong To Us - Building an Adversary Behavior Sighting Ecosystem

Richard Struse

TBD

Bootstrapping a Threat Intelligence Operation

Jon Røgeberg

TBD

How to get promoted: Developing metrics to show how threat intel works

Toni Gidwani & Marika Chauvin

TBD

Quality Over Quantity: Determining Your CTI Detection Efficacy

David Bianco

You’ve collected a lot of IOCs, but is your Cyber Threat Intelligence (CTI) process serving you well? Quantity alone doesn’t tell the whole story. What kinds of intel are you collecting and how useful is it for identifying incidents? What are your strongest areas and where are your gaps? Do you know enough about your priority threats to feel confident in your detection stance against them? These are hard questions to answer, and there’s little existing guidance for answering them.

Taking a case study approach, this session will teach attendees how to use models such as the MITRE ATT&CK framework and the Pyramid of Pain to analyze and visualize the quality of their collected CTI information, not just its quantity.

Attendees will learn:

  • How to load, normalize, and merge IOC data from disparate sources in your environment to make it ready for analysis
  • How to enrich the data with information from the Pyramid of Pain and the ATT&CK framework
  • How to visualize your collected threat intel to validate your collection strategy, to identify CTI strengths, and to prioritize closing collection gaps
  • Why you should do these things on a regular basis
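As an added example of the four steps above (not code from the talk), the Python below loads IOCs from two constructed feeds with different schemas, merges them onto Pyramid of Pain levels, tags each with its ATT&CK technique, and reports where coverage of an assumed list of priority techniques rests only on cheap-to-change indicators. The feed layouts, the TYPE_MAP level assignments and the PRIORITY list are assumptions chosen for illustration.

```python
"""Added example: normalise IOCs from two constructed feeds, place them on the
Pyramid of Pain, and check coverage of priority ATT&CK techniques."""
import csv
import io
import json
from collections import Counter

# Pyramid of Pain levels, cheapest for the adversary to change first.
PYRAMID = ["hash", "ip", "domain", "network_artifact", "host_artifact", "tool", "ttp"]

# Feed indicator types mapped onto pyramid levels (assumed mapping).
TYPE_MAP = {
    "md5": "hash", "sha1": "hash", "sha256": "hash",
    "ipv4": "ip", "ip": "ip",
    "domain": "domain", "fqdn": "domain",
    "user_agent": "network_artifact", "uri_path": "network_artifact",
    "mutex": "host_artifact", "registry_key": "host_artifact",
    "tool": "tool",
    "ttp": "ttp",
}

# Constructed feed A: a CSV export, one IOC per row.
FEED_A_CSV = """type,value,technique
md5,44d88612fea8a8f36de82e1278abb02f,T1204.002
ipv4,203.0.113.10,T1071.001
domain,update-check.example,T1071.001
domain,cdn-static.example,T1568.002
"""

# Constructed feed B: JSON with a different schema for the same kind of data.
FEED_B_JSON = """[
  {"kind": "SHA256", "indicator": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855", "attack": "T1204.002"},
  {"kind": "IP", "indicator": "203.0.113.10", "attack": "T1071.001"},
  {"kind": "USER_AGENT", "indicator": "Mozilla/4.0 (compatible; MSIE 6.0)", "attack": "T1071.001"},
  {"kind": "MUTEX", "indicator": "ExampleMutex_v2", "attack": "T1055"},
  {"kind": "TOOL", "indicator": "Mimikatz", "attack": "T1003.001"}
]"""

# Techniques we must be able to detect (assumed output of threat modelling).
PRIORITY = ["T1071", "T1204", "T1003", "T1566", "T1055"]


def load_feed_a(text):
    for row in csv.DictReader(io.StringIO(text)):
        yield {"type": row["type"], "value": row["value"],
               "technique": row["technique"], "source": "feed_a"}


def load_feed_b(text):
    for obj in json.loads(text):
        yield {"type": obj["kind"], "value": obj["indicator"],
               "technique": obj["attack"], "source": "feed_b"}


def normalise(records):
    """Map each record onto a pyramid level and merge duplicates across sources."""
    merged = {}
    for rec in records:
        level = TYPE_MAP.get(rec["type"].lower())
        if level is None:
            continue  # unknown type: in production, log it rather than drop it silently
        key = (level, rec["value"].lower())
        entry = merged.setdefault(key, {"level": level, "value": rec["value"],
                                        "technique": rec["technique"], "sources": set()})
        entry["sources"].add(rec["source"])
    return list(merged.values())


def pyramid_profile(iocs):
    """How many IOCs we hold at each pyramid level: the quality view, not just a count."""
    counts = Counter(ioc["level"] for ioc in iocs)
    return {level: counts.get(level, 0) for level in PYRAMID}


def technique_coverage(iocs, techniques):
    """Per priority technique, the most painful level we hold; None means no coverage."""
    coverage = {}
    for tech in techniques:
        best = None
        for ioc in iocs:
            # sub-techniques (T1071.001) count towards their parent (T1071)
            if ioc["technique"] == tech or ioc["technique"].startswith(tech + "."):
                rank = PYRAMID.index(ioc["level"])
                best = rank if best is None or rank > best else best
        coverage[tech] = PYRAMID[best] if best is not None else None
    return coverage


def weak_spots(coverage, minimum="network_artifact"):
    """Techniques with no coverage, or covered only by indicators below the minimum level."""
    floor = PYRAMID.index(minimum)
    return sorted(t for t, level in coverage.items()
                  if level is None or PYRAMID.index(level) < floor)


if __name__ == "__main__":
    iocs = normalise(list(load_feed_a(FEED_A_CSV)) + list(load_feed_b(FEED_B_JSON)))
    print(pyramid_profile(iocs))
    cov = technique_coverage(iocs, PRIORITY)
    print(cov)
    print("collection gaps:", weak_spots(cov))
```

Run regularly, the profile and the gap list are what change over time: a feed that only ever adds hashes raises the hash bar without moving any priority technique above the floor, which is the point of measuring quality rather than volume.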

Adventures in Blunderland

Allison Wikoff & Matt Webster

In this session, join Allison Wikoff and Matt Webster, both Senior Threat Researchers from Secureworks’ Counter Threat Unit, as they journey down the rabbit hole to explore a world of threat actor mistakes. The session will uncover some of the weird and wonderful errors adversaries are making across the criminal and targeted threat landscapes, and will ultimately show that threat actors are human too. Allison and Matt will demonstrate how network defenders and security researchers have been able to capitalise on these mistakes, when threat actors slip up, to understand and more effectively defend against a wide range of threat actors.

5 years of applied CTI discipline: where should organisations put focus on?

Andreas Sfakianakis

Since the publication of Mandiant’s APT1 report in 2013, the cyber threat intelligence discipline has been widely adopted by organisations globally. We have observed success stories as well as failures of organisations trying to develop CTI capabilities or, in other words, to add value to the business. As a community, it is critical to capture the relevant lessons learned and conduct a status check on these 5 years of applied CTI discipline.

The primary goal of this presentation is to identify the areas on which organisations should put more focus. Based on our assessment, we identify and dive deep into the three major areas where most current CTI teams struggle: 1) intelligence direction (such as stakeholder identification and collection of intelligence requirements), 2) intelligence reporting and dissemination, and 3) the CTI analyst's skill set.

Key takeaways of this presentation include:

  • the realization of the significance of intelligence requirements for the intelligence cycle
  • how proper stakeholder identification increases situational awareness
  • how classic intelligence approaches can be applied to CTI production
  • success stories on disseminating intelligence products and capturing feedback
  • understanding the variety of competencies of CTI teams and ways of baselining analysis processes within CTI teams.

Your Requirements are not my Requirements

Pasquale Stirparo

One would expect setting up the requirements to be the first task completed before investing time in researching and collecting any type of intelligence. However, intelligence requirements are still too often overlooked, and organisations jump immediately to the collection phase, which, sadly, often translates into buying and ingesting as many feeds as possible, everybody looking for “APTs”. The main goal of properly setting the requirements is to understand which type of information is of primary interest to your organisation, and to be sure that the most relevant and critical information is processed and not lost in the noise.

In this talk, we will give the audience an understanding of what “intelligence requirements” really are and why they are such an important component of the intelligence cycle. Finally, we will give initial practical guidelines on how to start setting up and defining them.

Metrics and ATT&CK. Or how I failed to measure everything.

Francesco Bigarella

Measuring the value of threat intelligence output isn't easy: How do we identify our intelligence gaps? Where should we focus our resources? Did our intelligence output have an impact? Popular frameworks like ATT&CK can be used to establish standardised metrics that map to the intelligence cycle. Join me in exploring how the MITRE ATT&CK™ framework provides the building blocks to gain insights with a measurable business impact. We will also explore how ATT&CK can be extended to provide insights outside its original scope. Because metrics can be fun!

ATT&CK™ Is The Best Form Of…Reconnaissance: Using MITRE PRE-ATT&CK™ To Enrich Your Threat Model

Richard Gold & Rafael Amado

Building effective and appropriate threat models for your organization isn’t easy. At its most basic level, threat modelling is a way of structuring thinking around what critical assets an organization has, and which are the likely threats to that organization. However, a company’s own measure of criticality may not match the thought process of an attacker, which means that it can be tricky to understand what constitutes a “critical asset”. Likewise, comprehending what an attacker wants might not be immediately obvious as your organization may only be appealing as a stepping stone in a much larger operation.

This is where MITRE’s PRE-ATT&CK framework comes into its own. Digital Shadows draws on its analysis of US Department of Justice (DOJ) indictments and its collaboration with the MITRE corporation to demonstrate why organizations need to update their threat models now. This session will show how sophisticated adversaries use the files and output of one intrusion (ATT&CK) as reconnaissance for their next attack (PRE-ATT&CK); in other words, ATT&CK often refers to the PRE-ATT&CK phase of a much larger operation. You may assume that your organization is of no interest to a large criminal outfit or sophisticated adversary, but in reality, these attackers may use you as a crucial pivot point to achieve their loftier objectives.

Outlining campaigns in this way has several advantages for defenders. It provides a useful way to identify an adversary’s goals, allowing you to focus on improving the areas most relevant to the risks you face. Using PRE-ATT&CK will also help you determine appropriate mitigation steps for each distinct phase of an attack, based on the actual tactics and techniques being used by threat actors today.

Attendees will learn:

  • How to use public indictments to map real-world campaigns against MITRE ATT&CK and PRE-ATT&CK
  • How to identify an adversary’s goals and relevant mitigation by using the PRE-ATT&CK framework
  • Why you should update your threat model as you may be used as a pivot-point in a broader campaign

EVALUATE OR DIE TRYING - A Methodology for Qualitative Evaluation of Cyber Threat Intelligence Feeds

Sergey Polzunov & Jörg Abraham

CTI as a practice has been gaining traction in recent years. Organizations are beginning to understand how threat intelligence fits in with their existing security operations. At the same time, they find it difficult to judge the quality of sources, and so fail to assess the return on investment. In this talk, Sergey Polzunov and Jörg Abraham will present how organizations can evaluate the quality of an intelligence source and how structured intelligence aids in making a qualitative statement about the value of an intelligence feed.

The talk will conclude with a PoC demonstrating feed assessment in an automated way.

Attendees will learn:

  • About a methodology to relate information from an intelligence source back to the intelligence requirements.
  • How to measure the feed quality in an automated way.
  • Why structured threat intelligence (STIX) plays an important role in feed assessment.
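As an added illustration of the kind of automated assessment the three bullets describe (this is not the speakers' PoC), the Python below scores a constructed STIX 2.1 bundle against three assumed priority intelligence requirements. The requirement fields, the STIX objects, the indicator patterns and the fixed reference clock are all assumptions; matching uses ordinary STIX relationships (indicator indicates attack-pattern, attack-pattern targets identity) rather than any vendor extension, which is what makes the structured format matter: an indicator with no relationship context cannot be tied back to a requirement.

```python
"""Added example (not the speakers' PoC): score a STIX 2.1 indicator feed
against priority intelligence requirements (PIRs). Constructed data."""
import uuid
from datetime import datetime, timedelta, timezone
from statistics import median

REF_NOW = datetime(2019, 3, 20, tzinfo=timezone.utc)  # fixed clock, reproducible metrics
FRESH_DAYS = 30                                        # assumed "still actionable" window

# Assumed PIRs: which ATT&CK techniques matter, for which victim sectors (empty = any).
REQUIREMENTS = [
    {"id": "PIR-1", "techniques": {"T1566.001", "T1566.002"}, "sectors": {"financial-services"}},
    {"id": "PIR-2", "techniques": {"T1003", "T1003.001"}, "sectors": {"financial-services"}},
    {"id": "PIR-3", "techniques": {"T1021.001", "T1486"}, "sectors": set()},
]

def sid(kind, name):
    """Deterministic STIX id for constructed objects (real feeds use random UUIDv4)."""
    return f"{kind}--{uuid.uuid5(uuid.NAMESPACE_URL, name)}"

def indicator(name, pattern, days_old):
    return {"type": "indicator", "id": sid("indicator", name), "pattern": pattern,
            "pattern_type": "stix",
            "valid_from": (REF_NOW - timedelta(days=days_old)).isoformat()}

def attack_pattern(tid):
    return {"type": "attack-pattern", "id": sid("attack-pattern", tid), "name": tid,
            "external_references": [{"source_name": "mitre-attack", "external_id": tid}]}

def identity(name, sector):
    return {"type": "identity", "id": sid("identity", name), "name": name,
            "identity_class": "class", "sectors": [sector]}

def rel(src, kind, dst):
    return {"type": "relationship", "id": sid("relationship", src + kind + dst),
            "relationship_type": kind, "source_ref": src, "target_ref": dst}

# Constructed feed: three indicators, three techniques, one victim sector.
banks = identity("banks", "financial-services")
phish, rdp, cred = attack_pattern("T1566.001"), attack_pattern("T1021.001"), attack_pattern("T1003.001")
i1 = indicator("i1", "[domain-name:value = 'login-secure.example']", 3)
i2 = indicator("i2", "[ipv4-addr:value = '198.51.100.7']", 120)
i3 = indicator("i3", "[file:hashes.MD5 = '44d88612fea8a8f36de82e1278abb02f']", 10)
FEED = [banks, phish, rdp, cred, i1, i2, i3,
        rel(i1["id"], "indicates", phish["id"]), rel(phish["id"], "targets", banks["id"]),
        rel(i2["id"], "indicates", rdp["id"]),
        rel(i3["id"], "indicates", cred["id"])]  # no targeting relationship: sector unknown

def split_bundle(bundle):
    objs = {o["id"]: o for o in bundle if o["type"] != "relationship"}
    rels = [o for o in bundle if o["type"] == "relationship"]
    return objs, rels

def indicator_context(ind_id, objs, rels):
    """ATT&CK techniques the indicator indicates, and sectors those techniques target."""
    techs, sectors = set(), set()
    for r in rels:
        if r["source_ref"] != ind_id or r["relationship_type"] != "indicates":
            continue
        ap = objs.get(r["target_ref"], {})
        for ref in ap.get("external_references", []):
            if ref.get("source_name") == "mitre-attack":
                techs.add(ref["external_id"])
        for r2 in rels:
            if r2["source_ref"] == ap.get("id") and r2["relationship_type"] == "targets":
                sectors.update(objs.get(r2["target_ref"], {}).get("sectors", []))
    return techs, sectors

def matches(req, techs, sectors):
    return bool(req["techniques"] & techs) and (not req["sectors"] or bool(req["sectors"] & sectors))

def evaluate(bundle, requirements):
    """Relevance, PIR coverage and freshness of a feed, plus which indicators served which PIR."""
    objs, rels = split_bundle(bundle)
    inds = [o for o in objs.values() if o["type"] == "indicator"]
    hits = {req["id"]: [] for req in requirements}
    ages = []
    for ind in inds:
        techs, sectors = indicator_context(ind["id"], objs, rels)
        for req in requirements:
            if matches(req, techs, sectors):
                hits[req["id"]].append(ind["id"])
        ages.append((REF_NOW - datetime.fromisoformat(ind["valid_from"])).days)
    relevant = {iid for ids in hits.values() for iid in ids}
    n = len(inds)
    return {
        "indicators": n,
        "relevance": len(relevant) / n,                                   # feed share answering any PIR
        "coverage": sum(1 for ids in hits.values() if ids) / len(requirements),  # PIRs served
        "freshness": sum(1 for a in ages if a <= FRESH_DAYS) / n,
        "median_age_days": median(ages),
        "hits": hits,
    }
```

In the constructed bundle the Mimikatz hash (i3) is technically interesting but never counts towards PIR-2, because the feed gives no targeting context; that is the realistic failure mode to watch for when a vendor feed looks rich but answers none of your requirements.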

Cloudy with low confidence of Threat Intelligence: How to use and create Threat Intelligence in an Office365 Environment

Ryan Kovar & Dave Herrald

Is your organization using cloud email or considering migrating to the cloud? Chances are the answer is yes! Your end users, IT admins, and management stand to benefit from the features and cost savings that cloud email brings with it. However, whether you know it yet or not, this move will very likely introduce a rather large blind spot into your security visibility. Capabilities that security analysts and incident responders have come to depend on in their on-prem solutions often work very differently, or are gone altogether, in popular cloud email offerings. In this talk, we will describe the current state of cloud email visibility for security teams and offer practical, hands-on solutions for Microsoft Office 365 utilizing open source tools like stoQ and LAIKAboss to regain visibility into email headers and analyze attachments.

The Hitchhiker's Guide to Threat Research

Bryan Lee

DarkHydrus. OilRig. MagicHound. Ever wonder how Unit 42 or other research teams regularly produce threat intelligence and come up with those crazy names?

As an industry, we tend to revel in the mystique of threat intelligence instead of readily explaining the mechanics of how we conduct our research. Continuous and active sharing of both threat data and tracking and hunting techniques is absolutely pivotal to achieving positive outcomes as a community. Hiding behind the proverbial curtain and obfuscating the approaches to adversary tracking and hunting only benefits the adversaries. Though it may at times seem like voodoo, the truth is that the methodology for adversary tracking and hunting is not an overly complex task. Join Bryan in pulling the curtain back and learn about the techniques and tools used on a daily basis for threat hunting and clustering. Understand how you can use the observed data points to generate actionable threat intelligence, enhancing your existing threat data as well as preparing for potential future threats.

Remember, don't panic, and always carry a towel.

Drawing the line: cyber mercenary or cyber threat intelligence provider?

Stewart Bertram

The last decade has seen the world of cyber security change beyond all recognition, from an adjunct consideration within the IT department to a global-level security concern. Wikileaks, Stuxnet, Sony, APT1 and NotPetya are just some of the keywords associated with incidents that have heralded the increased securitisation around the issue of 'cyber' and how it has become a critical issue for many invested in security. Within this context, actors such as governments have obviously had to reconsider their attitude towards cyber security. However, how has the role of the cyber threat intelligence (CTI) provider changed over the last decade?

As the context of CTI changes, and security services become politicised by implication, so the role of a CTI provider changes - from IT professional to potential cyber mercenary. This talk considers how the context of cyber security has changed and how this may affect CTI providers over the next decade.

Building STINGAR to enable large scale data sharing in near real-time

Jesse Bowling

Duke University has embarked on a multi-year mission to help lower the difficulty of automated threat intelligence sharing across higher education institutions under the umbrella project STINGAR (Shared Threat Intelligence for Network Gatekeeping and Automated Response). The overarching goal of STINGAR is to enable organizations (especially in higher education) with a wide range of technical capability, operational maturity and budget to collect, analyze, action, and share threat intelligence.

Duke began moving to an “active defense” or “automated response” model for blocking attackers in 2014. Around this same time, we began exploring the use of honeypots for detecting attackers, and found that honeypots provided a very effective way to identify external attackers of common services quickly with low false positive rates. We quickly realized that the data we generated locally could easily be shared to others, and we began making our data available to other schools and organizations.

Based on our experiences, Duke created the STINGAR project with the goals of:

  • Simple, low-friction deployment of intelligence collection sensors (honeypots initially)
  • Central collection of intelligence from sensors and outside sources, for analysis
  • Simple methods for sharing data to peers
  • A variety of methods and guidance for feeding threat intelligence to protection devices

In this presentation we will provide additional background and details on Duke’s experiences with integrating threat intelligence into the overall security program, discuss existing and future features of the CHN system, models of data sharing, and methods and metrics for evaluating effectiveness. We hope to encourage discussion of the general approach, and of how others are generating and using threat intelligence, with the aim of identifying new ways that the data we’re collecting can be shared with the community for the benefit of defenders.

A Lightweight Markup Language for Graph-Structured Threat Sharing

Mayo Yamasaki

Sharing structured threat intelligence is essential to address increasingly frequent and complex cyberattacks. However, 60% of practitioners use unstructured data expression in daily operations because existing structured expressions, designed for inter-system communication, are complex to write. To tackle this problem, NTT-CET is developing a lightweight markup language for graph-structured threat intelligence that is easy for both humans and machines to read and write, like Markdown. In this talk, first, I introduce a novel lightweight markup language which can easily describe STIX 2.0 compatible graph data with an editing cost of 2 compared with JSON-format STIX and 19% compared with the DOT language. By integrating the language into existing threat intelligence platforms as a new interface, creating and enriching intelligence becomes more efficient. Second, I experimentally demonstrate the capabilities and limitations of the proposed language. Finally, I demonstrate a system for creating threat intelligence with the proposed language, using practical examples.

Turning intelligence into action with MITRE ATT&CK™

Katie Nickels & Adam Pennington

Many of you have embraced the concept of a threat-informed defense but are still struggling to bridge the gap between intelligence and action. MITRE ATT&CK provides a structure for organizing adversary tactics, techniques, and procedures (TTPs) that allows intel analysts to organize adversary behaviors and communicate them in a way that is actionable by defenders. The presenters will explain how they recommend you use ATT&CK to improve the practice of threat intelligence based on experience gained mapping hundreds of reports to ATT&CK over a five-year period. The presenters will also explore some of the biases and limitations of using ATT&CK for threat intelligence, how to avoid traps that you may encounter as a result, and ways that intelligence expressed with ATT&CK can be successfully applied to defend against your priority threats.

TIBER: connecting worlds

Marc Smeets & Stan Hegt

TIBER (Threat Intelligence Based Ethical Red Teaming) is a framework that aims to deliver attack simulations of the highest quality in order to test the financial sector’s resilience to cyber attacks. Since May 2018 it has been adopted by the European Central Bank as the go-to cyber resilience testing framework for national and European authorities within the Euro zone. The framework has big aspirations, including the ambition to test TTPs employed by nation state actors in operations that run for multiple months. But is this even possible, and how?

In this talk we will deep dive into the TIBER framework and our hands-on experiences with it, sharing best practices on how to connect threat intelligence with red teaming. Amongst others, the following topics will be addressed:

  • How is TIBER different from other red teaming and threat intelligence frameworks (such as CBEST)?
  • What threat intelligence does a red team need to perform a top notch test?
  • Threat actor modelling in red teaming.
  • Common OPSEC mistakes by blue teams during operational TI collection.
  • RedELK: open source tooling for offensive TI during red team operations.

Semi-intelligence: trying to understand threats on a country level

Paweł Pawliński

When it comes to the effective use of intelligence, national CSIRTs have unique challenges. Leaving advanced targeted attacks aside, we are left with the task of protecting millions of users and companies facing a variety of threats to their data and money. Obviously threat intelligence plays an important role here but what impact can it make in practice?

Over the years we tried multiple approaches to collect relevant intelligence and to make it actionable. Looking back, we will try to identify some things that worked and ones that did not bring substantial results. The main topics will be automated monitoring, practical aspects of information exchange and situational awareness on a country level.

Code Re-Use Analysis - Transforming a disadvantage to a game-changer advantage

Ignacio Sanmillan

Genetic malware analysis leverages binary code reuse to automate malware analysis and accelerate the incident response process. Intezer's technology tracks the evolution of malware and software and provides a platform that empowers existing sensors with unique capabilities. Learn how genetic malware analysis can be used at every level of incident response, from detection, through analysis, to containment and remediation.

Logistical Budget

Eireann Leverett & Bruce Stenning

Can we quantitatively compare eagles to bears or snakes to pandas? Is the infrastructure a threat group uses against us suitable not just for qualitative study, but also for quantitative analysis? If you ever wondered about CryptoWall's ROI compared to CryptoLocker, this talk is for you!

Our development goal is to understand who burns more infrastructure against us, who has more coders, who uses more domains. We can (and do!) visually represent operational patterns and the amount of infrastructure thrown against us. When managers ask you for your gut feel about different threats, why not paint them a picture with data visualisation and quantitative analysis?

Got a MISP instance? Go home with a strategic analysis of your specific threat landscape.

Keywords: quantitative analysis, threat actors, money, peoplepower, time, attacker infrastructures, MISP, PyMISP, data visualisation.
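As an added example (not the speakers' tooling), the Python below computes a per-actor infrastructure budget from MISP event exports: unique domains, IPs and samples attributed to each actor, the span of activity, and how much infrastructure an actor reuses between events. The events, actor names and attribute values are constructed; the dict layout follows the MISP event JSON format that PyMISP returns, but no instance is queried, so it runs offline.

```python
"""Added example (not the speakers' tooling): per-actor infrastructure budget
from MISP event exports. Events, actors and values are constructed."""
import re
from collections import defaultdict
from datetime import date

# MISP galaxy tag that attributes an event to a threat actor.
ACTOR_TAG = re.compile(r'^misp-galaxy:threat-actor="(.+)"$')
# MISP attribute types that represent infrastructure the actor had to pay for.
INFRA_TYPES = {"domain": "domains", "hostname": "domains",
               "ip-dst": "ips", "ip-src": "ips",
               "md5": "samples", "sha1": "samples", "sha256": "samples"}


def event(info, day, actor, attributes):
    """Build a MISP-shaped event dict, as a MISP export or PyMISP search returns it."""
    ev = {"info": info, "date": day,
          "Attribute": [{"type": t, "value": v} for t, v in attributes]}
    if actor:
        ev["Tag"] = [{"name": f'misp-galaxy:threat-actor="{actor}"'}]
    return {"Event": ev}


# Constructed events: two for one actor (with one reused domain), one for another,
# and one unattributed event that must not be budgeted to anyone.
EVENTS = [
    event("Bear campaign 1", "2019-01-10", "Example Bear",
          [("domain", "a1.example"), ("domain", "a2.example"), ("ip-dst", "203.0.113.5"),
           ("sha256", "aa" * 32), ("url", "http://a1.example/x")]),  # url: not counted
    event("Bear campaign 2", "2019-02-14", "Example Bear",
          [("domain", "a2.example"), ("domain", "a3.example"), ("ip-dst", "203.0.113.6"),
           ("sha256", "bb" * 32), ("sha256", "cc" * 32)]),
    event("Panda campaign", "2019-02-01", "Example Panda",
          [("domain", "p1.example"), ("ip-dst", "198.51.100.9")]),
    event("Unattributed phishing", "2019-02-20", None, [("domain", "n1.example")]),
]


def actor_of(ev):
    for tag in ev.get("Tag", []):
        m = ACTOR_TAG.match(tag["name"])
        if m:
            return m.group(1)
    return None


def infrastructure_budget(events):
    """Unique infrastructure per actor, activity span, and the share reused across events."""
    unique = defaultdict(lambda: defaultdict(set))      # actor -> bucket -> values
    event_hits = defaultdict(lambda: defaultdict(int))  # actor -> value -> events seen in
    dates = defaultdict(list)
    for wrapper in events:
        ev = wrapper["Event"]
        actor = actor_of(ev)
        if actor is None:
            continue
        dates[actor].append(date.fromisoformat(ev["date"]))
        in_this_event = set()
        for attr in ev.get("Attribute", []):
            bucket = INFRA_TYPES.get(attr["type"])
            if bucket is None:
                continue
            unique[actor][bucket].add(attr["value"])
            in_this_event.add(attr["value"])
        for value in in_this_event:
            event_hits[actor][value] += 1
    budget = {}
    for actor, seen in dates.items():
        buckets = unique[actor]
        total = sum(len(vals) for vals in buckets.values())
        reused = sum(1 for n in event_hits[actor].values() if n > 1)
        budget[actor] = {
            "events": len(seen),
            "domains": len(buckets["domains"]),
            "ips": len(buckets["ips"]),
            "samples": len(buckets["samples"]),
            "span_days": (max(seen) - min(seen)).days,
            "reuse_rate": reused / total if total else 0.0,  # low = burns infra, high = recycles
        }
    return budget


def rank(budget, metric):
    """Actors ordered by one metric, highest first; feeds the 'who burns more' picture."""
    return sorted(budget, key=lambda a: budget[a][metric], reverse=True)


if __name__ == "__main__":
    b = infrastructure_budget(EVENTS)
    for actor in rank(b, "domains"):
        print(actor, b[actor])
```

Against a live instance the EVENTS list would come from PyMISP (for example a search with controller="events" filtered on the threat-actor galaxy tag); the budget and reuse figures are then the raw material for the per-actor charts the abstract describes.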