Seven signals cyber experts agreed on at FIRST Paris 2026

Hosted by Group-IB
Monday, March 23rd, 2026

Group-IB hosted the FIRST Technical Colloquium in Paris, where cybersecurity experts challenged assumptions around modern cyber defense. FIRST Chair Olivier Caleff opened and moderated the event.

Introduction

The cybersecurity industry has been facing multiple parallel challenges in recent years. The pace at which cybercrime evolves is hard to match, but gatherings like FIRST provide a unique opportunity for the community to convene, reflect, and move forward together.

These events are not only about new technologies, but also about perspectives coming together to strengthen our security stance. Collaboration remains one of the most powerful responses defenders have against increasingly coordinated adversaries. In many ways, attackers already operate as networks. The challenge now is for defenders to realize their collective potential.

Discussions explored the growing role of AI in threat intelligence, the convergence of fraud and cyber operations, evolving adversarial tactics, and the importance of intelligence sharing across organizations.

The agenda reflected the need for a forward-looking objective: embracing new technologies and tradecraft while maintaining an evidence-driven approach to security. From AI agents assisting analysts to threat hunting strategies designed to detect long-running campaigns, many sessions highlighted how innovation can both strengthen and challenge existing defense models.

What follows are seven insights that repeatedly surfaced across sessions:

Signal 1. What you knew about insider risk has changed

What do you do when you find out that your trusted employee might not actually be your employee? The person on your official records may not be the same person accessing your systems. This was one of the sharpest cases of the event, brought by Cisco's CSIRT team, who discussed the growing problem of identity substitution in detail. With the rise of remote work and a global employee pool, proxy workers are causing employment fraud at scale. This is a non-traditional insider threat, where the person on the payroll is not the one actually doing the work. They shared how to detect proxy workers and location fraud using existing telemetry, including consumer VPN use during authentication, VoIP-based second-factor enrollment, synthetic devices, location mismatches, and access to laptops physically located in another country. The most memorable takeaway: "Know your neighbours," which circles back to the need to check not just one-time authentication actions but behavioral inconsistencies. Looking for unusual devices within the same network segment, or logins from locations inconsistent with the user profile, is a practical indicator of coordinated, suspicious activity.
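A sketch of how those telemetry signals can be correlated per identity, added here as an example and not Cisco's own tooling: the HR records and auth events are constructed, and the ASN category and phone-number type are assumed to come from enrichment lookups the SOC already runs. Per-user indicators only count when they recur, so a one-off VPN login while travelling does not fire, while a laptop shared by two identities always does.

```python
from collections import defaultdict

# Constructed sample telemetry (not real data). HR says where each employee
# should be; each auth event carries what the identity provider observed:
# (user, geo_country, asn_category, device_id, mfa_phone_type)
HR_RECORDS = {"alice": "FR", "bob": "FR", "carol": "DE"}
AUTH_EVENTS = [
    ("alice", "FR", "residential", "LT-0417", "mobile"),
    ("alice", "FR", "consumer_vpn", "LT-0417", "mobile"),  # one-off VPN use
    ("alice", "FR", "residential", "LT-0417", "mobile"),
    ("bob", "US", "consumer_vpn", "LT-0522", "voip"),      # consistent pattern
    ("bob", "US", "consumer_vpn", "LT-0522", "voip"),
    ("carol", "DE", "residential", "LT-0522", "mobile"),   # same laptop as bob
    ("carol", "DE", "residential", "LT-0522", "mobile"),
]

def proxy_worker_indicators(hr_records, events, min_events=2):
    """Return {user: sorted indicator names} for every user with at least one.
    Per-user indicators must recur in >= min_events logins (behaviour, not a
    single action); a device seen under several identities flags all of them."""
    counts = defaultdict(lambda: defaultdict(int))
    device_users = defaultdict(set)
    for user, country, asn_cat, device, phone in events:
        device_users[device].add(user)
        if asn_cat == "consumer_vpn":
            counts[user]["consumer_vpn_auth"] += 1
        if country != hr_records.get(user):
            counts[user]["country_mismatch"] += 1
        if phone == "voip":
            counts[user]["voip_mfa"] += 1
    findings = defaultdict(set)
    for user, per_indicator in counts.items():
        for name, n in per_indicator.items():
            if n >= min_events:
                findings[user].add(name)
    for users in device_users.values():
        if len(users) > 1:  # "know your neighbours": one device, many identities
            for user in users:
                findings[user].add("shared_device")
    return {u: sorted(f) for u, f in findings.items() if f}
```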

Signal 2. The most disruptive campaigns don't make noise

Here's an unsettling thought: finding and exploiting new vulnerabilities takes time and strategic effort. Adversaries now skip that part, and instead, operate patiently and systematically over longer periods, prioritizing network persistence through low-volume password spraying: attempts across hundreds of accounts, spread over months or years, never triggering thresholds, never appearing anomalous in isolation.

Traditional brute-force attacks generate detectable signals. These don't. They sit and fester. Multi-year campaigns targeting identity systems, where each attempt looks harmless, but across hundreds of accounts, a pattern emerges. ING's threat hunters documented exactly this: so-called ORB networks running consistent, low-signal operations against high-value accounts and critical infrastructure.

It shifts the question for every security team in the room: Do we retain authentication logs long enough to detect a multi-year campaign? Most don't. And that's precisely what adversaries are counting on.

The session underscored the need to combine large-scale analytics with close collaboration between threat intelligence and security operations teams, as the only viable way to surface clusters of related attacker activity that no single data source could reveal in isolation.
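The retention question above, worked through in code as an added example (not ING's detection logic): a constructed auth log where one source fails once per account over months, beside a user who simply mistypes her password. The classic per-account burst rule fires on the benign user and never on the spray; the per-source rule finds the spray only when the retained history is long enough to contain it.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not real data), one event per line:
# "timestamp user source_ip outcome". 203.0.113.7 fails once per account, weeks
# apart; alice mistypes her own password twice one evening, then logs in.
SAMPLE_LOG = """\
2025-01-03T02:11:05Z alice 203.0.113.7 FAIL
2025-01-21T03:40:12Z bob 203.0.113.7 FAIL
2025-02-09T01:05:44Z carol 203.0.113.7 FAIL
2025-03-02T04:22:18Z dave 203.0.113.7 FAIL
2025-04-15T02:58:01Z erin 203.0.113.7 FAIL
2025-05-30T03:17:29Z frank 203.0.113.7 FAIL
2025-07-11T01:44:53Z grace 203.0.113.7 FAIL
2025-08-19T19:02:10Z alice 198.51.100.20 FAIL
2025-08-19T19:02:31Z alice 198.51.100.20 FAIL
2025-08-19T19:03:02Z alice 198.51.100.20 SUCCESS
"""

def parse_log(text):
    return [(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, ip, outcome)
            for ts, user, ip, outcome in (line.split() for line in text.splitlines())]

def burst_alerts(events, max_fails=2, window=timedelta(hours=1)):
    """Classic brute-force rule: max_fails failures for one account inside window."""
    fails = defaultdict(list)
    for ts, user, _ip, outcome in events:
        if outcome == "FAIL":
            fails[user].append(ts)
    alerted = set()
    for user, times in fails.items():
        times.sort()
        for i in range(len(times) - max_fails + 1):
            if times[i + max_fails - 1] - times[i] <= window:
                alerted.add(user)
    return alerted

def spray_sources(events, retention_days, min_accounts=5, max_fails_per_account=2):
    """Low-and-slow rule: one source touching many accounts, each only once or
    twice, across everything still retained. Events older than the cutoff are
    invisible, which is what decides whether the campaign is ever found."""
    cutoff = max(e[0] for e in events) - timedelta(days=retention_days)
    per_user, first, last = defaultdict(lambda: defaultdict(int)), {}, {}
    for ts, user, ip, outcome in events:
        if outcome != "FAIL" or ts < cutoff:
            continue
        per_user[ip][user] += 1
        first[ip] = min(first.get(ip, ts), ts)
        last[ip] = max(last.get(ip, ts), ts)
    return {ip: {"accounts": len(u), "span_days": (last[ip] - first[ip]).days}
            for ip, u in per_user.items()
            if len(u) >= min_accounts and max(u.values()) <= max_fails_per_account}
```

With 90 days of retention the spray source is seen against only two accounts and stays below the threshold; with a year or more, all seven accounts and the six-month span are visible.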

Signal 3. A zero-day is no longer just a bug. It's a hidden power move

Another sharp set of insights from the session came from Thales, who took a different angle on zero-days, not just explaining how they're exploited, but whether their behavior can be understood and anticipated mathematically.

The team used mathematical models to group past zero-days and identify patterns, attempting to move from reactive response to predictive understanding. But the limitation was clear: the dataset is still small and often shaped by geopolitical factors, which makes that goal hard to achieve.

Even so, some structure is emerging. Zero-days could be grouped into technique-driven, ecosystem-driven, and threat-actor-driven patterns. This suggests attackers are not operating randomly, even if we can't fully predict them yet. Alongside this, a broader shift stood out: zero-days are increasingly withheld, traded, and monetized rather than disclosed, with some mobile exploits reaching $7M.

The takeaway for defenders: the problem is no longer just patching vulnerabilities. It's understanding which systems are most likely to be targeted in real campaigns, especially at the edge and across widely used technologies.

Signal 4. Getting into the attacker's mind: DNS abuse

To defeat your enemy, you have to be your enemy — and this session helped us switch roles. The research was presented by Maciej Korczyński and colleagues from KOR Labs and ICANN, and it looked at abuse from an attacker's viewpoint: how they choose where to register malicious domains, and why.

The scale alone resets our perspective. Out of 534K blocklisted URLs analyzed, 28K were maliciously registered domains. That's a classic needle-in-a-haystack challenge, and it tells us that domain abuse isn't just a technical problem. It's a scale problem.

Nearly 50% of phishing domains cost $2 or less to register. The barrier to entry is almost nothing. Registrars offering a free API to register domains saw 401% more abuse than those without. Free DNS service correlated with 205% more abuse; free hosting with 88% more. Bitcoin payment acceptance correlated with 30% more abuse. The session made clear that detection and takedown, although non-negotiable, is an insufficient and impermanent solution. Defence needs to move earlier in the attack lifecycle — to identity verification, registration restrictions, and friction at registration. Simple verification controls reduce abuse significantly: registrars requiring email or phone validation showed 70% less abuse; those with registration restrictions showed 63% less. Only two registrars in the study blocked trademarked domains from being added to a cart at all.

The tools exist. They're just not being used.

Signal 5. Will AI support mean the transfer of expertise to AI?

NEC's Takahiro Kakumaru asked a relevant, understated question during his session: Are AI agents friends or rivals to junior analysts? The question was coupled with some hard numbers. The AI agent deployment cut intelligence structuring task time by 43.2% year-on-year, and even when new junior staff joined, the productivity disruption was contained to just 12.9%. Report creation tasks dropped by roughly 50%.

However, AI over-dependence can have consequences. He named three ways junior analysts mistake a tool for a substitute: over-delegation (throwing everything at the AI and pasting the output as-is), disclaimer culture (shifting accountability with "the AI said it"), and speed-over-verification (pursuing timeliness while skipping observability, relevance, and falsifiability).

If misused, AI will be a rival. Learning design will determine whether it becomes a mentor instead. Another insight shared: the future analyst will need a mix of skills, namely technical expertise, familiarity with AI systems, management of these analytical workflows, and finally the ability to present all of it to every kind of audience.

Signal 6. The dark web is a noisy intelligence source

When accessing the dark web today to gather intelligence on adversaries, aliases, and emerging activity, retrieving the data isn't the real problem; it's separating real threats from noise and empty hype. The dark web is as deceptive as it is dangerous. The data, while often valuable, can also be unreliable, recycled, or deliberately exaggerated.

The key actors with an established presence on the dark web are ransomware groups, Initial Access Brokers (IABs), hacktivists, and data leakers, each with distinct motivations, hangouts, and monitoring value. And while some claims are legitimate, many are sheer noise.

Organizations treat dark web discoveries as confirmed incidents rather than investigative leads. But why would the data need to be taken with a grain of salt? On the dark web, threat actors gain influence by building perception (claiming breaches, exaggerating impact), but not every claim is valid.

One actor, tracked as "Skywave," ran a months-long campaign impersonating BabukV2, then fake SLSH channels, then Orion Ransomware. 180 fake victim claims. Even fooled a journalist. All linked by the same TOX ID.

Following on from these points about noise, discussions at the FIRST Technical Colloquium highlighted the importance of verification and context before treating underground information as actionable intelligence.

Signal 7. Employees are not the weakest link

The cybersecurity industry has labelled employees as the weakest link in security. But the Grimaldi Group came to Paris with evidence that this assumption is itself putting you in a weak spot. When a business does not create a culture of encouraging, incentivising, and reporting, and instead restricts flexibility and blocks actions, it doesn't eliminate risk; it creates a different one: fear. An employee who clicks on something suspicious and thinks "I will be fired" doesn't report it.

The idea is to turn passive users into active hunters. Threats multiply their digital fingerprints faster than static signatures can detect. And filters are contextually blind: a human receiving an urgent wire transfer request from the CEO on a Friday at 9 PM sees what the tool does not. The tools say SAFE. The human says SUSPICIOUS.

Grimaldi's response was to make that human instinct scalable. Rather than depending on a few analysts to carry the load, they built GSbot, an in-house tool that lets any one of their employees become "Patient Zero", the first to spot and report a threat.

The bigger signal. Cyber defense is still not collaborative

Collaborative cyber defence isn't being slowed down by inadequate data or intelligence sharing. Detection is better than it has ever been, and intelligence gathering is faster. The industry has moved beyond the challenge of collecting timely intelligence, driven by automation, strengthened global networks such as Group-IB's operating system of DCRCs, and platforms for real-time cyber-fraud intelligence sharing across regions.

The gap lies in making that intelligence actionable. How do teams coordinate under pressure? How do organizations synchronize responses across borders? How do we stop treating infrastructure abuse as someone else's problem?

Manos Athanatos of FORTH put it plainly: threat intelligence moves at the speed of light, but collaborative defence still moves at the speed of an email thread.

His argument wasn't that our data-sharing infrastructure is broken; it's actually mature. MISP, STIX, TAXII: the standardization and sharing are solid. The problem is that we've confused sharing information with coordinating action. When an incident crosses borders, organizations can tell each other what happened within minutes.

Actually responding together, synchronizing remediation, aligning a plan of action, moving as one unified defense force, still happens via PDFs, Slack messages, and crossed fingers.

The 2026 challenge isn't intelligence collection. It's operational sync.

Summing it up…

A pattern emerged across the seven signals: the real weakness lies not only in technology, but in operational systems, intelligence interpretability and coordination, infrastructure governance, and human processes.

These path-shifting conversations started in Paris, but won't end there. They reflect a shift across the cybersecurity community, and Group-IB is committed to actively leading and shaping these defense-defining conversations that drive future resilience.

Want to learn more about the sessions and insights from the event, or speak with our experts about implementing some of the changes signaled for modern cybersecurity strategies? Reach out to us here.