| Monday, 4 May | Session | Speaker(s) |
|---|---|---|
| 17:00 – 18:00 | Building an Intelligence-Driven Organization | Anastasios Pingios (Booking.com, NL) |
| 18:00 – 19:00 | | Alexandre Dulaunoy, Andras Iklody (CIRCL.LU, LU) |

| Tuesday, 5 May | Session | Speaker(s) |
|---|---|---|
| 17:00 – 18:00 | Deep Derp Web? - Is Criminal Intel from 'Dark Web' Really Still Effective? | James Chappell (Digital Shadows, GB) |
| 18:00 – 19:00 | | Lennart Maschmeyer (University of Toronto, CA) |

| Wednesday, 6 May | Session | Speaker(s) |
|---|---|---|
| 17:00 – 18:00 | CTI Collaboration Using STIX and Elasticsearch | Chris O'Brien (EclecticIQ, NL) |
| 18:00 – 19:00 | | Sebastien Tricaud (Devo Inc., US) |

| Thursday, 7 May | Session | Speaker(s) |
|---|---|---|
| 17:00 – 18:00 | MalDomain ML: A Machine Learning Model to Find Malicious Domains Before They Go Bad | John Bambenek (Bambenek Consulting, LTD, US) |
| 18:00 – 19:00 | rcATT: Retrieving ATT&CK Tactics and Techniques in Cyber Threat Reports | Marco Caselli (Siemens, DE) |

| Friday, 8 May | Session | Speaker(s) |
|---|---|---|
| 09:00 – 10:00 | Rethinking the Graph Visualization for Threat Reports | Mayo Yamasaki (NTT-CERT, JP) |
| 10:00 – 11:00 | xHunt... An Anime Fan's Attack Campaign in the Middle East | Brittany Barbehenn, Robert Falcone (Palo Alto Networks, US) |

| Monday, 11 May | Session | Speaker(s) |
|---|---|---|
| 17:00 – 18:00 | Narrator: Generating Intelligence Reports from Structured Data | Jörg Abraham, Sergey Polzunov (EclecticIQ, NL) |
| 18:00 – 19:00 | Obtaining Cyber Threat Intelligence through Reverse Engineering | Matthijs Bomhoff (Tesorion, NL) |

| Tuesday, 12 May | Session | Speaker(s) |
|---|---|---|
| 17:00 – 18:00 | Bringing Intelligence into Cyber Deception with MITRE ATT&CK | Adam Pennington (MITRE, US) |
| 18:00 – 19:00 | Understanding What's Next; Combining Red Team Findings and Adversary Playbooks | Gert-Jan Bruggink (Falconforce, NL) |

| Wednesday, 13 May | Session | Speaker(s) |
|---|---|---|
| 17:00 – 18:00 | How I Became Our Own Worst Enemy, I Mean Adversary | John Stoner (Splunk, US) |
| 18:00 – 19:00 | From 'Fog of War' to Reducing Noise in Daily Operations | Graham Westbrook (Living Security, US); Wilson Bautista (Jün Cyber, US) |
Lennart Maschmeyer (University of Toronto, CA)
Lennart Maschmeyer is a senior researcher at the Center for Security Studies. His current book project focuses on the nature of cyber power and the causes of escalation and restraint in cyber conflict. In particular, his research examines how and why operational constraints explain the puzzling dynamics of conflict at the strategic level. Lennart is also working on a second research project compiling a dataset of all public reporting on cyber attacks by commercial threat intelligence vendors. The purpose of this project is to identify sources of bias in the data and how such bias distorts threat perception among both scholars and policymakers.
Lennart recently completed his PhD at the University of Toronto and holds an M.Phil in International Relations from the University of Oxford. He previously held fellowships at the University of Toronto’s Citizen Lab and at Columbia University’s School of International and Public Affairs.
Public and academic knowledge of cyber conflict relies heavily on data from commercial threat reporting. There are reasons to be concerned that these data provide a distorted view of cyber threat activity. Threat intelligence vendors focus only on a subset of the universe of cases, and they report publicly on only a subset of that subset. High-end threats to high-profile victims are overrepresented in commercial reporting, while threats to civil society organizations, which cannot afford high-end cyber defense, tend to be underrepresented. This selection bias not only hampers scholarship but also has concerning consequences for democracy. We present and analyze an original dataset of commercial threat reporting together with independent research centers. We also present three case studies tracing reporting patterns on a cyber operation targeting civil society. If we conceive of public threat reporting as a public good, then collective action theory leads us to expect that the commercial interests of firms will produce a systematic bias in reporting, which functions as much as advertising as it does as intelligence. The result is a truncated sample of cyber conflict that risks distorting perceptions. We thus reflect on the role academia could play in alleviating this situation.
May 5, 2020 18:00-19:00
Adam Pennington (MITRE, US)
Adam Pennington (@_whatshisface), Principal Cyber Security Engineer, MITRE.
Adam Pennington is a member of the core ATT&CK team, and collected much of the intelligence leveraged in creating its initial techniques. He has spent much of his 10 years with MITRE studying and preaching the use of deception for intelligence gathering. Prior to joining MITRE, Adam was a researcher at Carnegie Mellon's Parallel Data Lab and earned his BS and MS degrees in Computer Science and Electrical and Computer Engineering as well as the 2017 Alumni Service Award from Carnegie Mellon University. Adam has published in a number of venues including USENIX Security and ACM Transactions on Information and System Security.
Deception has become a popular concept in cybersecurity, but are we really fooling adversaries? Honeypots and other technical solutions often don’t align with what real adversaries do. This presentation will examine how we can successfully deceive adversaries by using threat intelligence mapped to MITRE ATT&CK™.
In classical deception planning, intelligence serves a key role in understanding an adversary’s likely beliefs, expectations, and reactions, but this often hasn’t carried over into the cyber realm. In this talk, I’ll show how to bridge that gap and leverage ATT&CK for cyber deception planning. I’ll present a methodology for making decisions on where to focus deception resources based on adversary techniques and how to align deception capabilities with the expectations and visibility of real cyber threat actors. Attendees will learn how they can leverage cyber threat intelligence to deceive their adversaries and gain valuable new intelligence as they do so.
May 12, 2020 17:00-18:00
Pennington-ATTACK-Deception-FIRST-CTI-pr.pdf
MD5: 48886e1863b4c30c97029569180b4999
Format: application/pdf
Last Update: June 7th, 2024
Size: 18.87 Mb
Anastasios Pingios (Booking.com, NL)
Anastasios Pingios is a security professional who started on the exploit development and vulnerability research side around 15 years ago and later switched to the defensive side. He holds an M.Sc. in Secure Computing Systems from the University of Hertfordshire and numerous certifications in intelligence collection and intelligence analysis, and has presented on a wide variety of topics, from unconventional phishing techniques to secure architecture in the cloud and building successful intelligence teams. Currently, Anastasios is Principal Security Engineer at Booking.com, and for the last few years he has been focusing on threat intelligence from a holistic perspective that takes into account all domains instead of just cyber.
The talk goes through the journey from having no dedicated threat intelligence resources, to having an intelligence-driven organization. We will go through the different phases, key challenges and how to overcome them, as well as how to measure and demonstrate the value and maturity of intelligence-driven security. The goal of this talk is to help you avoid common mistakes in the process of building a threat intelligence function, and later on maturing and expanding it to more areas within your organization and the community.
May 4, 2020 17:00-18:00
FIRST-2020-CTI-Webinar-Series-Building-an-intelligence-driven-organization-Pingios.pdf
MD5: 1bdb401b64bfa0d7f4c082eb9bfbd45f
Format: application/pdf
Last Update: June 7th, 2024
Size: 726.71 Kb
Chris O'Brien (EclecticIQ, NL)
Chris O'Brien is a SANS Cyber Guardian and card-holding structured intelligence diehard. He has worked across public and private sectors as an intrusion analyst, incident responder and CTI specialist. Chris now dedicates his time to enabling practitioners through CTI tooling and structured data modelling.
The combined knowledge of the cyber security and intelligence community is vast, and yet many teams still work in splendid isolation. This talk will work through an example of an active intrusion set, worked on in separate teams, to show the highs and lows of parallel analysis. We investigate how multiple viewpoints increase intelligence quality but also introduce bias and data complexity, and then show how to solve that with (free) technology.
In this talk we explore the concepts that underpin true intelligence collaboration and describe a means to achieve it using STIX and Elasticsearch. This method applies the core concepts of search (Elasticsearch), provenance (in a git-like way) and data modelling (purist STIX) to produce a truly global and collaborative threat intelligence repository.
May 6, 2020 17:00-18:00
200211-FIRSTCTI-CTI_Collaboration_final.pdf
MD5: b4b50810003cccca11f93d57a6949df4
Format: application/pdf
Last Update: June 7th, 2024
Size: 1.43 Mb
James Chappell (Digital Shadows, GB)
James Chappell is the Co-Founder and Chief Innovation Officer at Digital Shadows. He has led teams in InfoSec and Cybersecurity since 1997, working across the private sector and government organizations helping them to understand the technical aspects of information security.
James spent over ten years of his career as a security architect and deputy head of the Information Security profession at BAE Systems Detica; he previously worked at Nortel Networks in the United States. James has always been fascinated by innovative ways of counteracting the growth of crime and fraud in computer networks and developing effective ways of measuring and managing the security big picture. In 2011 this journey led to an exploration of digital footprints, and their impact on the security of the modern business. James is a regular speaker at technology events and cybersecurity conferences across the globe and is regularly quoted in the press.
The cybercrime landscape persists, despite now frequent interventions by law enforcement. Still, as markets, forums, and other sources of information continue to persist online, defenders have the ability to use the information being discussed, traded, and harvested to their advantage. How have these interventions from law enforcement changed the behaviours of criminals, and can actionable intelligence still be drawn when the criminal groups exhibit an increased awareness that they are being observed? Actionable intelligence can be gained by studying these areas. The goals of this talk are to:
May 5, 2020 17:00-18:00
Graham Westbrook (Living Security, US), Wilson Bautista (Jün Cyber, US)
Graham J. Westbrook, Dir. of Intelligence & Content, Living Security. Graham is an intelligence analyst by training, cybersecurity analyst by trade and creative at heart. He is responsible for managing Living Security's threat intelligence program and content strategy for the Living Security (SaaS) platform. A writer with bylines at top cybersecurity firms, Graham holds a B.A. in Intelligence studies and Russian from Mercyhurst University and an M.S. in Criminal Justice and Forensic Psychology from Liberty University. Speaker at InfoSecWorld 2019, RMISC 2019, Toronto RiskSec 2017 & SANS Security Awareness Summit 2017.
Wilson Bautista, Jr. is a retired US military officer who is currently the founder of the consulting firm Jün Cyber. His expertise is in the domains of InfoSec leadership, policy, architecture, compliance, and risk. He holds multiple InfoSec and IT certifications as well as a Master's Degree in Information Systems from Boston University. He is an INTP on the Myers-Briggs Type Indicator test with a Driver-Driver personality. As a practitioner of Agile and SecDevOps, he develops innovative, integrated, enterprise-scale cyber security solutions that provide high value to businesses.
The fog of war is an old metaphor to describe uncertainty and fatigue during war-time. New research suggests that noise is a more accurate metaphor to describe the deafening uncertainty and alert fatigue we experience in daily operations. Cyber threat intelligence (CTI) is no exception. Our goal is to reduce uncertainty for decision-makers (human and machine) in combating cyber threats. But what if, before all else, that decision-maker is you?
We need to rethink what "intelligence" really means and how it is applied across our organizations. This session will zoom out from the CTI front lines to help analysts and leaders alike understand the relationship between mind and machine, the necessity of separating noise from signal, and the tools for acting with confidence. We will reimagine how we can develop priority intelligence requirements (PIRs) to address business risk, explore a new framework for reducing decision fatigue, and understand how to use principles of intelligence analysis to achieve our mission. From hardware to end user, this is one discussion you don’t want to miss.
May 13, 2020 18:00-19:00
MD5: 64a93b212baef6e9d7b6ff10ac6dc25c
Format: application/pdf
Last Update: June 7th, 2024
Size: 3.19 Mb
John Stoner (Splunk, US)
John Stoner is a Principal Security Strategist at Splunk. In his current role, he leverages his experience to educate and improve users’ capabilities in Security Operations, Threat Hunting, Incident Response and Threat Intelligence. He has authored multiple hands-on workshops that focus on enhancing these specific security skills. His writings can be found on Splunk blogs, most notably in the Hunting with Splunk: The Basics and Dear Buttercup: The Security Letters series. John developed and maintains a Splunk application that drives greater situational awareness and streamlines investigations. He enjoys problem solving, writing and educating. When not doing cyber things, John is often found reading or binge-watching TV series that everyone else has already seen. During the fall and winter, you can find him driving his boys to hockey rinks across the northeast part of the United States. John also enjoys listening to as his teammates call it "80s sad-timey music."
No, this isn't a tale about an impending downward spiral or a fictional story with the classic conflict of man versus self. This is an opportunity to share with you how I created an adversary based on CTI and the MITRE ATT&CK framework that we are using to educate blue teamers to be more effective at hunting threats and conducting security operations!
During this talk, we will look at why we perform adversary emulations, how our adversary was constructed and how CTI reported TTPs were leveraged to create a realistic scenario for our adversary to carry out their attack. We will look at how a framework like MITRE ATT&CK can be used to help develop the scenario as well as how it can be used post attack to understand technique coverage across an organization. We will also talk about the challenges encountered along the way when constructing the scenario.
Coming out of this talk, you will have a better understanding of what it takes to create your own adversary, a better appreciation around the symbiotic relationship between threat hunting, security operations and threat intelligence as well as a model to create your own APT scenarios if you wish!
May 13, 2020 17:00-18:00
FIRST_CTI2020-Become-Your-Own-Adversary.pdf
MD5: be9085d662b7fb171b8fa23223020709
Format: application/pdf
Last Update: June 7th, 2024
Size: 49.41 Mb
John Bambenek (Bambenek Consulting, LTD, US)
John Bambenek is VP of Security Research and Intelligence at ThreatSTOP, a lecturer in the Department of Computer Science at the University of Illinois at Urbana-Champaign, and a handler with the SANS Internet Storm Center. He has over 18 years' experience in Information Security and leads several international investigative efforts tracking cybercriminals, some of which have led to high-profile arrests and legal action. He currently tracks neo-Nazi fundraising via cryptocurrency and publishes that online to Twitter, and has other monitoring solutions for cryptocurrency activity. He specializes in disruptive activities designed to greatly diminish the effectiveness of online criminal operations. He has produced some of the largest bodies of open-source intelligence, used by thousands of entities across the world.
Machine learning is touted as a way for security teams to reduce their workload by creating smart systems that can do the work of analysts quickly so humans can focus on those things that truly require human analysis. This talk will cover a new machine learning tool called MalDomainML that uses a machine learning model produced using extracted DNS features to reliably (over 96% accuracy) predict whether an arbitrary domain is malicious.
May 7, 2020 17:00-18:00
Jörg Abraham (EclecticIQ, NL), Sergey Polzunov (EclecticIQ, NL)
Mr. Jörg Abraham is a Senior Threat Intelligence Analyst in the EclecticIQ Fusion Center. He is responsible for analyzing cyber threats and providing accurate, timely and structured intelligence relevant to EclecticIQ's customers. Before joining EclecticIQ he worked for Royal Dutch Shell for more than 10 years in various Cyber Defense positions. Mr. Jörg Abraham is a Certified Information Systems Security Professional (CISSP) and GIAC Certified Forensic Analyst (GCFA).
Sergey Polzunov is a Senior Software Engineer in the EclecticIQ Intelligence Operations department. He is responsible for prototyping analyst-centric tools and for extending the Fusion Center Threat Intelligence Platform with new features. He is the author of OpenTAXII server and Stixview library, and has more than 10 years of software development experience.
Natural Language Generation (NLG) is the process of transforming structured data into narratives. In contrast to Natural Language Processing (NLP), which reads and analyses textual data to derive analytic insights, NLG composes synthesized text through analysis of pre-defined structured data. NLG is more than the process of rendering data into a language that sounds natural to humans. It can play a vital role in uncovering valuable insights from massive datasets (big data) through automated forms of analysis.
Adoption of NLG in other verticals has increased in recent years, yet applications of NLG technology in the Cyber Threat Intelligence (CTI) domain are sparse. On one hand, intelligence teams accumulate millions of pieces of information generated by security controls or obtained from intelligence sources. On the other hand, the intelligence product is often a narrative report written by an analyst. With the influx of data, intelligence teams are confronted with challenges pertaining to data assessment and analysis and the (near-) real-time creation of intelligence products targeted at the right audience, all while operating at scale and with accuracy.
We believe that the potential of NLG is vastly unexplored in CTI and want to share our research and a proof-of-concept tool demonstrating the potential value of NLG.
May 11, 2020 17:00-18:00
MD5: aadfb1ea9c967fcc1f2a0f97b89f60a1
Format: application/pdf
Last Update: June 7th, 2024
Size: 9.57 Mb
Matthijs Bomhoff (Tesorion, NL)
Matthijs Bomhoff has a background in mathematics with a PhD on graph theory and loves to apply scientific methodology to malware analysis and threat intelligence. His focus within the Tesorion Research team is mainly on analysis and innovation: coming up with new approaches to detect and identify malware-related behaviour in large datasets. He also occasionally likes to do some malware reverse engineering to keep up with the techniques used in today's threats.
In this session we will tell the story of a fictional struggle between a malware-building miscreant and a sole security analyst. Over the course of several attacks, our antagonist creates increasingly complex malware in an attempt to breach defenses and remain undetected. To keep up, our analyst soon has to resort to reverse engineering and gets to experience several common anti-analysis tricks as the attacks continue.
Originally, our submission was for a four hour workshop with a hands-on introduction into reverse engineering for CTI based on a fictional incident. Unfortunately this proved hard to scale back to 45 minutes. So we decided to take another approach: we will use a story-based presentation to show how reverse engineering is an important tool in gathering CTI. Malware writers are of course also aware of this, and often try to frustrate analysis. Over the course of our story we show by means of synthetic examples how reverse engineering can be used to gather actionable intelligence even when an adversary actively tries to counter this.
May 11, 2020 18:00-19:00
Marco Caselli (Siemens, DE)
Marco Caselli joined Siemens in 2017 and he is the Senior Key Expert of the “Monitoring & Attack Detection” topic. He received his Ph.D. in computer security at the University of Twente with a thesis titled “Intrusion Detection in Networked Control Systems: From System Knowledge to Network Security”. His research interests focus on security of industrial control systems and building automation with a special focus on critical infrastructures. Before starting his Ph.D. he worked for GCSEC, a not-for-profit organization created to advance cyber security in Italy, and Engineering S.p.A., an international company for software development.
Threat intelligence sharing has been expanding during the last few years, leading us to have access to a large amount of open data. Unfortunately, this is usually provided as unstructured human-readable cyber threat reports and important information such as attack tactics, techniques and procedures is hidden within the text. Done manually, the analysis of such reports requires time and effort. To support this analysis, we created rcATT, an open-source tool which automatically classifies cyber threat reports according to MITRE’s Enterprise ATT&CK tactics and techniques. In this talk, we present the tool and we show how we were able to solve the challenges of working with hierarchical multi-label text classification of cyber threat reports, having access to a limited amount of labeled data. Finally, we demonstrate how rcATT performs on publicly-available cyber threat reports and how to take advantage of the classification results.
May 7, 2020 18:00-19:00
FIRST_CTI_2020_rcATT_Siemens.pdf
MD5: a8b08ee1519f08b1f8bece48efbc8bce
Format: application/pdf
Last Update: June 7th, 2024
Size: 988.58 Kb
Mayo Yamasaki (NTT-CERT, JP)
Mayo Yamasaki is a researcher at NTT Secure Platform Laboratories and also a member of NTT-CERT in Japan since 2015. He studied information science and natural language processing at NAIST (Nara Institute of Science and Technology). Since he joined NTT he’s been researching and developing software systems for cybersecurity-related information extraction and retrieval with machine learning.
Understanding threat intelligence is not an easy task for threat analysts, even when it is structured. Therefore, many methods to automatically visualize the structure of threat intelligence have been proposed. However, these methods reuse visualization methods developed for the general domain in order to support a wide variety of use cases for analyzing threat intelligence. This talk introduces a novel visualization method for threat reports, based on simple observations obtained from a study of the characteristics of threat diagrams in actual threat reports. Because a threat report is a reasonable bundle of intelligence and one of the most common ways to share it, by capturing these characteristics the method visualizes graph-structured STIX 2 as a concise overview of the threat structure. The talk also demonstrates the utility of the method by visualizing actual threat reports gathered from the ATT&CK knowledge base.
May 8, 2020 09:00-10:00
FIRST-CTI-2020_Rethinking-the-Graph-Visualization-for-Threat-Reports_paper.pdf
MD5: 8c788245a14ab652b10969df3cb2f50f
Format: application/pdf
Last Update: June 7th, 2024
Size: 922.13 Kb
FIRST-CTI-2020_Rethinking-the-Graph-Visualization-for-Threat-Reports_slide.pdf
MD5: 12cb04526ecada932712c18de1b5af58
Format: application/pdf
Last Update: June 7th, 2024
Size: 3.37 Mb
Sebastien Tricaud (Devo Inc., US)
Sebastien Tricaud is Director of Security Engineering at Devo. When he is not playing the jazz flute, he loves sharing and testing thoughts by making them publicly available in liberal licenses.
A Sighting is a method to keep track of how many times something has been seen. This is particularly useful for indicators, and becomes even more useful if Sightings are not limited to indicators.
This presentation is strongly use-case oriented, drawing on our own use of and feedback on SightingDB in MISP. Do you think TTPs always fall in the tough category? Can anyone enrich threat data just by counting?
This talk will share our experience as a vendor, as a MISP Standard contributor (sightingdb), and with our integration into the MISP software.
This is also an opportunity to interact and learn from the audience to improve the SightingDB standard (https://www.misp-standard.org/rfc/sightingdb-format.txt).
May 6, 2020 18:00-19:00
FIRST-2020-CTI-Webinar-Series-Sighting-Use-Cases-Tricaud.pdf
MD5: 06485d3ebc96e01a23881017e5c19823
Format: application/pdf
Last Update: June 7th, 2024
Size: 638.3 Kb
Alexandre Dulaunoy (CIRCL.LU, LU), Andras Iklody (CIRCL.LU, LU)
Alexandre Dulaunoy encountered his first computer in the eighties, and he disassembled it to learn how the thing works. While pursuing his logical path towards information security and free software, he worked as a senior security network consultant at different places (e.g. Ubizen, now Cybertrust). He co-founded a startup called Conostix, which specialised in information security management. For the past 6 years, he was the manager of global information security at SES, a leading international satellite operator. He is now working at CIRCL in the research and operational fields. He is also a lecturer in information security at Paul-Verlaine University in Metz and the University of Luxembourg. He is also the lead developer of various open source tools, including cve-search, and a member of the MISP core team.
As we, the CSIRT community, mature, our need to extract more value and context from our data becomes more and more vital. MISP has been gradually expanded to reflect these needs by incorporating features that ease indicator life cycle management, the contextualisation and management of threat intelligence, collaboration, and the filtered feeding of our collected data to our various protective tools. This talk aims to highlight some of the techniques we use via the platform.
May 4, 2020 18:00-19:00
FIRST-2020-CTI-Webinar-Series-Turning-Data-into-Actional-Intelligence-Dulaunoy-Iklody.pdf
MD5: 3be56bfa1026cb0c9a5fc25112f17ed3
Format: application/pdf
Last Update: June 7th, 2024
Size: 2.04 Mb
Gert-Jan Bruggink (Falconforce, NL)
Gert-Jan Bruggink is a security specialist and researcher with over 10 years of information security experience at the crossing of offense, defense and strategic risk management. Gert-Jan’s primary role at FalconForce is to assist leaders in making informed decisions by utilizing cyber threat intelligence. In addition, he helps those leaders implement relevant and sustainable cyber defences through strategic change. Before co-founding FalconForce, Gert-Jan led a CTI team specialized in strategic and operational intelligence products, cyber-reconnaissance and CTI enablement. If he wasn’t working on that, he was probably supporting organizations in augmenting cyber transformation programs or security operations.
Have you ever thought about what would happen if you could compare the adversaries targeting your organization with how well you are doing? Understanding the objectives of adversaries would certainly help you invest resources in the right controls and countermeasures, right? In this talk we will break down how you can leverage red teaming to complement your cyber threat intelligence activities.
When developing your adversary tracking mechanism, regardless of your security maturity, one of the most resource-effective ways to do so is to focus on the ‘how do they do it’, in other words their playbooks. When we combine the trade of cyber threat intelligence with red teaming, we get the opportunity to incorporate red team data into our adversary playbooks.
When a red team is pursuing a certain goal and simulating a specific adversary playbook, an organization can use the data and results to understand how far the real adversary would come and where to increase defences. Armed with these playbooks, your defensive teams can more effectively connect the dots from observed activities in your environment. Your detection and incident response teams can also more efficiently understand what adversaries do and what the TTPs look like if they are active in their network, or even utilize automated adversary data sets for continuous validation. Finally, one can use this understanding to benchmark the strategic investments of a security program.
There’s just one thing: This is not easy.
May 12, 2020 18:00-19:00
FIRST-CTI-Gert-Jan-Bruggink.pdf
MD5: 4550cba5c1c255f47efba613373138fd
Format: application/pdf
Last Update: June 7th, 2024
Size: 3.95 Mb
Brittany Barbehenn (Palo Alto Networks, US), Robert Falcone (Palo Alto Networks, US)
Brittany Barbehenn is a Cyber Threat Intelligence Analyst with Palo Alto Networks' Unit 42 team. She is responsible for the collection, analysis, and production of intelligence on adversaries targeting organizations around the world. Her background spans over 10 years supporting many disciplines in both the private and public sectors including Cyber Threat Intelligence, Network Defense Architecture Engineering, Cyber Operations Planning, Business Continuity, IT Disaster Recovery, and Whole-of-Organization security assessments.
Robert Falcone is a Threat Researcher on Palo Alto Networks' Unit 42 team who has spent over 10 years focusing on malware analysis, reverse engineering and tracking threat actors, primarily those associated with cyber espionage and targeted attacks. He has also worked as a security engineer within an operations center for a managed security service focused on intrusion detection and prevention.
In threat research, we rarely get to see the interests of the actors involved come to the surface; however, this past year we observed tools used in targeted attacks that were named after objects and characters from popular anime series. This talk will discuss these targeted attacks, which we track as the xHunt Campaign, that targeted Kuwaiti organizations in 2018 and 2019 and involved tools clearly named after characters and objects from Hunter x Hunter and Samurai X. We will dive into the attacks they carried out, including the actor's development activities, initial attack vectors, toolset and some novel command and control mechanisms used in these attacks. We will also discuss the threat actor's cheat sheet, which gave us unprecedented insight into the activities the actors would carry out after gaining access to the targeted system and network.
May 8, 2020 10:00-11:00