Agenda is subject to change. Times are reflected in UTC +2 (CEST). Workshops have limited seating and based on the registration admission purchased. Plenary sessions are open to all registered delegates.
Virtual Attendance: All TLP:CLEAR plenary presentations will be streamed live. Workshops will not be streamed. Virtual registration is available within the registration form. Streaming will be delivered over Zoom.
Monday, April 15 - Registration Located on Level 2, Atrium
07:00-10:00 | Registration for Workshop Participants ONLY
11:00-18:00 | Registration for Plenary Participants
Tuesday, April 16 - Registration Located on Level 1, Near Stairway from 2 and Mall Entrance
08:00-15:00 | Registration
Wednesday, April 17 - Registration Located on Level 1, Near Stairway from 2 and Mall Entrance
08:00-15:00 | Registration
Workshop: Track 1 | MOA 14
Workshop: Track 2 | MOA 15
Workshop: Track 3 | MOA 16
Plenary Sessions Day 1 | MOA 6-9
Plenary Sessions Day 2 | MOA 6-9
Workshop: Track 1 MOA 14 | Workshop: Track 2 MOA 15 | Workshop: Track 3 MOA 16 | |
---|---|---|---|
08:30 – 10:00 | NL Malware Analysis and Event Collection Workshop (08:30-12:30) Remco Sprooten, Ruben Groenwoud (Elastic, NL) TLP:CLEAR | US NO Michael DeBolt (Intel 471, US); Freddy Murstad (Nordic Financial CERT, NO) TLP:GREEN | DE Predictive Cyber Defense - Early Warning Intelligence & Forecasting (08:30-12:30) Robin Dimyanoglu (HelloFresh SE, DE) TLP:CLEAR |
10:00 – 10:15 | Networking Break | ||
10:15 – 12:30 | NL Malware Analysis and Event Collection Workshop (08:30-12:30) Remco Sprooten, Ruben Groenwoud (Elastic, NL) TLP:CLEAR | US NO Michael DeBolt (Intel 471, US); Freddy Murstad (Nordic Financial CERT, NO) TLP:GREEN | DE Predictive Cyber Defense - Early Warning Intelligence & Forecasting (08:30-12:30) Robin Dimyanoglu (HelloFresh SE, DE) TLP:CLEAR |
12:30 – 13:30 | Lunch Break | ||
13:00 – 14:00 | CTI SIG Meeting (in-person and virtual) | ||
14:00 – 16:00 | LU MISP API and Automation Workshop (14:00-18:00) Christian Studer, Alexandre Dulaunoy (CIRCL, LU) TLP:CLEAR | NL ‘Build Your Own Threat Landscape’ Workshop (14:00-18:00) Gert-Jan Bruggink (Venation, NL) TLP:CLEAR | FR Cryptocurrency & Web3 OSINT Workshop (14:00-18:00) Patrick Ventuzelo, Tanguy Laucournet (FuzzingLabs, FR) TLP:GREEN |
16:00 – 16:15 | Networking Break | ||
16:15 – 18:00 | LU MISP API and Automation Workshop (14:00-18:00) Christian Studer, Alexandre Dulaunoy (CIRCL, LU) TLP:CLEAR | NL ‘Build Your Own Threat Landscape’ Workshop (14:00-18:00) Gert-Jan Bruggink (Venation, NL) TLP:CLEAR | FR Cryptocurrency & Web3 OSINT Workshop (14:00-18:00) Patrick Ventuzelo, Tanguy Laucournet (FuzzingLabs, FR) TLP:GREEN |
Plenary Sessions Day 1 MOA 6-9 | |
---|---|
09:00 – 09:15 | Welcome Remarks |
09:15 – 09:45 | PL Blueprint for Maturity: Crafting a Tailored Cyber Threat Intelligence Maturity Model Kiraga Slawek (Standard Chartered Bank, PL) TLP:CLEAR |
09:45 – 10:15 | CA Solving CTI Sector Incoherence in a Living Growing OpenCTI Repository: Extend STIX 2.1 FTW Philippe Lin (Trend Micro, CA) TLP:CLEAR |
10:15 – 10:45 | Networking Break with Exhibitors |
10:45 – 11:15 | AT US GB Initial Findings on Creating a Standard CTI Benchmark Dataset for Machine Learning ; Aaron Kaplan (EC-DIGIT-CSIRC, AT); Jay Jacobs (Cyentia, US); Syra Marshall (ELEMENDAR, GB) TLP:CLEAR |
11:15 – 11:45 | AU Processing Threat Reports at Scale Using AI and ML: Expectations and Reality Yury Sergeev (RST Cloud Pty Ltd, AU) TLP:CLEAR |
11:45 – 12:15 | TW Cheng-Lin Yang, Kuan-Lun Liao (CyCraft Technology, TW) TLP:GREEN |
12:15 – 13:30 | Lunch Break |
13:30 – 14:00 | DE Advanced Cyber Threat Intelligence Chapter - How to Read the Mind of your Attackers Erick Thek, Vladimir Kropotov (Trend Micro, DE) TLP:CLEAR |
14:00 – 14:30 | GB How to Start Using Priority Intelligence Requirements (PIRs) on a Budget Josh Darby MacLellan (Feedly, GB) TLP:CLEAR |
14:30 – 15:00 | US The Disclosure Dilemma and Ensuring Defense Joe Slowik (Paralus, US) TLP:CLEAR |
15:00 – 15:30 | Networking Break with Exhibitors |
15:30 – 16:00 | NL Enhancing Malware Code Similarity Detection through Vectorsearch and TLSH Remco Sprooten (Elastic, NL) TLP:CLEAR |
16:00 – 16:30 | ES Tracking Threat Actors Using Images: A Hunting & Analysis Approach Joseliyo Sánchez (VirusTotal - Google, ES) TLP:CLEAR |
16:30 – 17:00 | PL Invisible Strings – Contemporary Challenges And Techniques Of Infrastructure Tracking Kamil Bojarski (Standard Chartered Bank, PL) TLP:CLEAR |
17:00 – 17:10 | Closing Remarks |
17:10 – 18:10 |
Plenary Sessions Day 2 MOA 6-9 | |
---|---|
08:50 – 09:00 | Welcome Remarks |
09:00 – 09:30 | IT A Service Architecture for an Enhanced Cyber Threat Intelligence Capability Pasquale Digregorio (Bank of Italy, IT) TLP:AMBER |
09:30 – 10:00 | DK CH If CSIRTs are Knights, CTI Teams are Queens Asger Deleuran Strunk (InfoGuard AG, DK); David Rüfenacht (InfoGuard AG, CH) TLP:CLEAR |
10:00 – 10:30 | US FR Automating Cyber Threat Intelligence: A Practical Approach to Managing Emerging Vulnerabilities Andy Giron (Datadog, US); Fred Baguelin (Datadog, FR) TLP:CLEAR |
10:30 – 11:00 | Networking Break with Exhibitors |
11:00 – 11:30 | BE Days and Nights as a CTI Analyst in CERT-EU Antoine Keraudy, Emilien Le Jamtel (CERT-EU, BE) TLP:GREEN |
11:30 – 12:00 | US DE MISP Unleashed: How a Litter of Adorable MISP Puppies Turned into a Gang of Untamed Wild Beasts Enrico Lovat (Siemens Corp, US); Tobias Mainka (Infineon AG, DE) TLP:GREEN |
12:00 – 13:15 | Lunch Break |
13:15 – 13:45 | AU Artifact Metadata to the Attribution Pratik Mehta (Google, AU) TLP:GREEN |
13:45 – 14:15 | TW Source Pollution Attack - A Hidden Threat in Cybersecurity Hsiang Yu (CyCraft Corp., TW); Syue Siang Su (CyCraft Technology Corp, TW) TLP:CLEAR |
14:15 – 14:45 | Networking Break with Exhibitors |
14:45 – 15:15 | LU Sharing Information and Intelligence without Disclosing It - Private Search Set (PSS) Alexandre Dulaunoy, Jean-Louis Huynen (CIRCL, LU) TLP:CLEAR |
15:15 – 15:45 | HU Raising the Effectiveness of Your Threat Management Program Ememobong Eyo (HU) TLP:CLEAR |
15:45 – 16:15 | NL US Decoding Cyber Threats: A Practical Guide to Using Attack Trees Gert-Jan Bruggink (Venation, NL); Sherman Chu (Deloitte, US) TLP:CLEAR |
16:15 – 16:30 | Closing Remarks |
Pasquale Digregorio (Bank of Italy, IT)
This presentation describes a vendor-agnostic service architecture, that integrates specific taxonomy and processes to develop an enhanced CTI capability. The adoption of integrated, fully defined and automatable processes can contribute to increase the efficiency and the effectiveness of the CTI production, sharing and consumption activities.
This presentation will be presented by Pasquale Digregorio and was co-authored by: Giuseppe Amato, Simone Ciccarone, and Giuseppe Natalucci (Bank of Italy, Italy).
Pasquale Digregorio: holds an MA in Telecommunication Engineering at the Polytechnic of Turin, a II level postgraduate University Master’s Degree in Advanced Satellite Communication and Navigation Systems and has completed a Master’s course in Strategic Protection of the Country’s System, Cyber Intelligence, Big Data and Security of Critical Infrastructures. Having received his education at the Teulié military school in Milan and at the Army Military Academy in Modena (Italy), he served for several years as an officer at the Italian Joint Chiefs of Staff and for the Presidency of the Council of ministers as cyber security and intelligence matter expert. He is currently the chair of the Bank of Italy’s Computer Emergency Response Team and he is a lecturer in the field of cyber intelligence in several universities and institutions. He is author of several publications and inventor of an international patent.
April 17, 2024 09:00-09:30
Vladimir KropotovErick Thek (Trend Micro, DE), Vladimir Kropotov (Trend Micro, DE)
As part of the Cyber Threat Intelligence – Special Interest Group, we have formulated / articulated three phases of CTI maturity. For our discussion we are going to dive into the actions, processes and approaches for the teams which are advanced to the level 3 of maturity.
We will cover variety of topics related to advanced chapters of Cyber Threat Intelligence and share the lessons learned during our over decade long journey into CTI.
Erick Thek is a Cyber Threat Intelligence Manager at Trend Micro. He is responsible for analyzing emerging threats facing public and private sectors. Assisting organisations along their security journey to a point where they feel secure in knowing they are doing their best. Assisting and initiating public and private sector collaborations.
Vladimir Kropotov is a researcher with Trend Micro FTR team. Active for over 15 years in information security projects and research, he previously built and led incident response teams at Fortune 500 companies and was head of the Incident Response Team at Positive Technologies. He holds a masters degree in applied mathematics and information security. He also participates in various projects for leading financial, industrial, and telecom companies. His main interests lie in network traffic analysis, incident response, and botnet and cybercrime investigations. Vladimir regularly appears at high-profile international conferences such as FIRST, CARO, HITB, Hack.lu, PHDays, ZeroNights, POC, Hitcon, BHEU and many others.
April 16, 2024 13:30-14:00
Pratik MehtaPratik Mehta (Google, AU)
This presentation advocates for a paradigm shift by spotlighting a spectrum of often overlooked artifacts and metadata. Beyond the conventional elements, these nuanced digital footprints harbor the potential to substantially enhance the attribution process.From delving into file metadata and linguistic analysis to scrutinizing social engineering tactics and cryptocurrency transactions, each artifact offers a unique lens through which to decipher the identity and motivations of cyber threat actors.
Pratik is a seasoned Information Security professional, with expertise in Threat Intelligence, Malware analysis and Incident Response. Throughout notable positions at industry giants like Apple and Amazon, Pratik has consistently showcased his proficiency by spearheading extensive Malware analysis, digital forensic investigations, conceptualising detection methodologies, and engineering automation solutions to streamline security analyses.
Currently, working in the Threat Analysis Group at Google, Pratik focuses on understanding and counter government-backed threats against Google and it's users.
April 17, 2024 13:15-13:45
Andy Giron (Datadog, US), Fred Baguelin (Datadog, FR)
This presentation by the Datadog Threat Research Team on their advanced process for identifying and addressing emerging cyber vulnerabilities. The team employs a multifaceted approach, starting with the systematic detection of potential threats by monitoring social media platforms, GitHub, and the National Vulnerability Database, with a special focus on proof-of-concept code. Once a vulnerability is identified, the team initiates an Emerging Vulnerability process, which includes reproducing the exploitation for in-depth analysis.
A key feature of their methodology is the use of honeypots to attract and analyze exploitation attempts, enabling real-time monitoring and the collection of crucial data. This data is then programmatically processed and validated to provide accurate, actionable intelligence to both internal and external stakeholders. The process is highly automated, mirroring a CI/CD model, ensuring quick response and updates. Collaboration with threat detection teams is essential for translating research and data into effective detection rules, which are then integrated into customer systems for enhanced security. Additionally, the team values transparency and contributes to community awareness by publishing detailed blog posts on their findings and recommendations, thus bolstering collective cyber resilience.
Andy Giron is a Senior Security Researcher at Datadog by day, he focuses on threat cloud-landscape. By night he's an Incident Response instructor in California.
Previously he was a Threat Researcher for Arista Networks specializing in network malware analysis. An Incident Response Engineer and led the Cyber Threat Intelligence initiatives at Hulu. Prior to switching to the DFIR side of the house, Andy was a Security Engineer at Currency Exchange International.
He enjoys all aspects of security and is an all around breaker of things.
Fred is a security researcher at Datadog, focusing on threat research. Fred is a fervent open source advocate and started his career by developing a digital forensics open source framework. He also worked at a CERT (Computer Emergency Response Team) dealing with threat intelligence and digital forensics and incident response and worked with cloud and container technologies. He is part of Botconf organization committee and active contributor of Yeti platform.
April 17, 2024 10:00-10:30
Kiraga SlawekKiraga Slawek (Standard Chartered Bank, PL)
Working in various intelligence organizations has allowed me to understand the multitude of factors that influence the final production of intelligence satisfying customer needs. However, are all of them equally important? Which ones should we select and focus on when starting our Cyber Threat Intelligence (CTI) program from scratch? Given the abundance of factors, how can we structure them into an achievable action plan that will enable us to build intelligence optimally aligned with our stakeholders' needs?
For the last 15 years, I’ve worked in the world of intelligence. Thanks to being in different roles as an intelligence collector, intelligence analyst, and program or team leader, I’ve had a chance to understand different aspects of CTI. Being responsible for the design and delivery of intelligence products for various kinds of customers (from governmental to corporate), gave me a unique chance to integrate cyber threat intelligence efforts with customers’ needs in different organizations and cultures.
April 16, 2024 09:15-09:45
Kiraga-Slawek-Blueprint-for-Maturity.pdf
MD5: af72219de8bd40f071ef562522e72c99
Format: application/pdf
Last Update: June 7th, 2024
Size: 14.6 Mb
Gert-Jan BrugginkGert-Jan Bruggink (Venation, NL)
Bob Ross once said, “I think there’s an artist hidden at the bottom of every single one of us”. When you are ‘painting’ a company’s threat landscape, you convey answers to intelligence requirements as effective way as possible. Channel your inner artist. For example, building periodic briefings or yearly write-ups. Still, what makes a good threat landscape? What essential information should it contain?
This workshop follows a walkthrough in producing such a deliverable. Combining hands-on examples and audience interaction. Several formats will be discussed, and templates made available. In addition, special attention will be given to the machine learning and AI trends. Finally, the facilitators will share practical tips, tricks, and happy accidents after years of creating threat landscape deliverables.
After following this workshop, participants have built a first version of your team’s threat landscape deliverable or understand where you should adjust your existing deliverable. This workshop also recognises the sensitivity of threat landscape contents.
This workshop is meant to provide cyber threat intelligence teams the canvas, paint, brushes, and techniques needed to successfully create (recurring) threat landscape deliverables. Enabling them to create a larger narrative around cyber threats to support stakeholder decision making and drive security investment.
Gert-Jan Bruggink specializes in helping leaders make informed decisions on risk to prioritise security investment. He supports teams all over the world in understanding adversary tradecraft through threat-informed security programs and providing leaders actionable threat intelligence products. Gert-Jan founded boutique firm ‘Venation’ to pioneer the field of structured threat content through cyber threat intelligence subscription and advisory services. Previously, Gert-Jan co-founded innovative start-ups, fulfilled a cyber threat intelligence leadership role at a Big Four accounting firm, and held security engineering roles at a security integrator.
April 15, 2024 14:00-16:00, April 15, 2024 16:15-18:00
Patrick VentuzeloPatrick Ventuzelo (FuzzingLabs, FR), Tanguy Laucournet (FuzzingLabs, FR)
This workshop offers a practical understanding of Blockchain, Smart Contracts, DApps, and NFTs. Participants will learn the basics of Web3 OSINT, including extracting and analyzing on-chain and off-chain data. The workshop also provides a guide to important websites and tools, with a focus on the process of linking and verifying information. It's an opportunity to enhance your skills within the realm of cryptocurrency and Web3.
Patrick Ventuzelo is a senior security researcher, CEO & founder of Fuzzinglabs. After working for the French Ministry of Defense, he specialized in fuzzing, vulnerability research, and reverse engineering. Over the years, Patrick has created multiple fuzzers, found hundreds of bugs, and published various blog posts/videos/tools on topics like Rust, Go, Blockchain, WebAssembly, and Browser security. Patrick is a regular speaker and trainer at various security conferences around the globe, including BlackHat USA, OffensiveCon, REcon, RingZer0, PoC, ToorCon, hack.lu, NorthSec, SSTIC, and others.
Tanguy is a security engineer currently working as a Blockchain/OSINT expert at FuzzingLabs. He has four years of hands-on experience in blockchain technology, gained through multiple projects at leading tech companies and French research institutions. In addition to his expertise in blockchain, Tanguy possesses a deep knowledge of OSINT. At FuzzingLabs, he focuses on developing tools to facilitate investigations, profiling, and de-anonymization related to blockchains. Tanguy is also exploring the use of new Web3 protocols such as IPFS, with the aim of deepening our understanding of these emerging technologies.
April 15, 2024 14:00-16:00, April 15, 2024 16:15-18:00
Antoine Keraudy (CERT-EU, BE), Emilien Le Jamtel (CERT-EU, BE)
Threat landscape modelling and IOC-leveraging detection are well-known concept in the cybersecurity landscape. While basic implementation may seem simple, it often gets complicated, particularly for MSSPs dealing with multiple environments.
In Days and nights as a CTI analyst in CERT-EU, we will delve into the innovative approach adopted internally at CERT-EU to serve its 90 constituents. Our goal is to combine several requirements:
Through this presentation, we will offer practical insights, using real examples and challenges encountered by our CTI team in CERT-EU as well as our automation in place to consume the huge amount of data processed.
Antoine is a Cyber Threat Intelligence analyst at CERT-EU. In charge of the direct threat analysis, Antoine contributes to the situational awareness of CERT-EU’s constituents to inform them about threat actors, malware and TTPs to which they are exposed.
Emilien Le Jamtel has been a cyber security expert for the last 15 years. After building up his technical skills in penetration testing and red teaming, he joined CERT-EU in 2014 as a Threat Intelligence Analyst before quickly moving to CERT-EU's Digital Forensics and Incident Response team. Since 2021, he has been leading the DevSecOps team responsible for the infrastructure and tooling used by CERT-EU staff to deliver a wide range of services to all the EU institutions, bodies, and agencies. Emilien is a regular speaker at cybersecurity conferences such as FIRST, Hack.lu, Botconf, and NorthSec.
April 17, 2024 11:00-11:30
Gert-Jan BrugginkSherman ChuGert-Jan Bruggink (Venation, NL), Sherman Chu (Deloitte, US)
Acknowledging a systematic and time-tested methodology dating back to 1982, this session explores the intricate method of "Attack Trees". To this day it still offers a powerful holistic approach to modeling security threats and their sequential actions against assets but is regularly forgotten in favor of more contemporary methodologies. This methodology still remains a powerful tool both for visualizing complex attack sequences to business leaders and effective stakeholder engagement.
Navigating the fundamental concepts of Attack Trees, emphasizing their relevance in contemporary cyber threat intelligence. Attendees gain insights into how Attack Trees provide a comprehensive framework for analyzing real-life threat activity threads. By combining elements from MITRE ATT&CK, the Diamond Model of Intrusion, and the attack tree methodology, the presenters demonstrate how even to this day the methodology can enable cybersecurity professionals to collate threat actor activities and assess realistic defensive measures. From identifying sequential stages and nuanced tactics to visualizing attack chains, this exploration promises practical applications for daily use.
After the session, attendees will have a clear understanding of how they can apply the Attack Tree’s method and leverage their own knowledge of the threat landscape, their organization’s threat surface, and their defender’s capability and resources to derive feasible defensive measures to detect and stop threat actors from reaching their goals.
Gert-Jan Bruggink specializes in helping leaders make informed decisions on risk to prioritise security investment. He supports teams all over the world in understanding adversary tradecraft through threat-informed security programs and providing leaders actionable threat intelligence products. Gert-Jan founded boutique firm ‘Venation’ to pioneer the field of structured threat content through cyber threat intelligence subscription and advisory services. Previously, Gert-Jan co-founded innovative start-ups, fulfilled a cyber threat intelligence leadership role at a Big Four accounting firm, and held security engineering roles at a security integrator.
Sherman is a Manager at Deloitte, focusing on helping clients build threat intelligence and detection capabilities. He specializes in threat intelligence, incident response, threat hunting, and detection engineering. A US Army veteran, Sherman previously led the technical threat intelligence team at New York City Cyber Command.
April 17, 2024 15:45-16:15
Remco SprootenRemco Sprooten (Elastic, NL)
Our research introduces a practical approach to malware analysis, focusing on the detection of code similarities in malware samples using vector search. Instead of traditional machine learning methods for vectorization, we use Trend Micro’s Locality Sensitive Hash (TLSH). This technique involves disassembling incoming binary files into their basic components and then computing TLSH values for these parts. The resulting hashes are compact and effectively reflect the structure and content of the binaries.
An important aspect of our method is the use of an Intermediate Language (IL) for consistent binary function representation, which helps identify similarities in malware compiled with different settings or platforms. This approach enables us to more effectively find similar code segments across various malware samples. Our work demonstrates a reliable and efficient way to analyze malware, offering valuable insights for cybersecurity efforts.
Remco is a Senior Security Researcher at Elastic's Security Labs, specializing in reversing and analyzing malware, particularly in the Linux domain. With a rich background as a forensic investigator for the Dutch Police, he brings a unique blend of law enforcement and cybersecurity expertise. At Elastic, Remco focuses on dissecting malware families, contributing to the development of innovative security strategies. His work is integral in understanding and mitigating emerging cyber threats, leveraging his extensive experience in digital forensics and threat analysis.
April 16, 2024 15:30-16:00
Josh Darby MacLellanJosh Darby MacLellan (Feedly, GB)
Cyber Threat Intelligence (CTI) professionals are increasingly confronted with pressure to deliver more intelligence services and products with fewer resources. Balancing escalating threats against budget cuts and limited tools stretches CTI teams thin, leading to burnout and high turnover. To provide clarity on priorities, the CTI community adopted Priority Intelligence Requirements (PIRs). PIRs are a pivotal method for refocusing efforts and resources, building relationships between CTI and stakeholders, and enabling greater efficiency. But how does one begin collecting PIRs when there is minimal budget in the first place? How do you approach the first 90 days to ensure you implement PIRs without incurring high costs?
This session takes a pragmatic approach to developing PIRs, complementing previous workshops on PIRs (including at this conference) by focusing on the earlier stages and working with a limited budget.
Josh is a Cyber Threat Intelligence (CTI) professional with experience in the financial, tech, and cybersecurity sectors in North America and Europe. He originally started out in physical threat intelligence and has worked in geopolitical risk, protective intelligence, and risk management before pivoting to the CTI. Josh's current job focuses on using Machine Learning Models to collect cyber threat intelligence.
Josh enjoys contributing to the threat intelligence community and mentoring others in the industry. He sits on the Board of Director for TIER (Threat Intelligence Exchange Roundtable) and on the committee for CyberToronto Conference, previously holding directorships with (ISC)2 Toronto Chapter and ASIS.
April 16, 2024 14:00-14:30
Josh-Darby-MacLellan-How-to-Start-Using-Priority.pdf
MD5: b36ec44c443de4603b8e1bec236110eb
Format: application/pdf
Last Update: June 7th, 2024
Size: 5.96 Mb
Asger Deleuran Strunk (InfoGuard AG, DK), David Rüfenacht (InfoGuard AG, CH)
CTI is still a relatively new field in cybersecurity. However, this expertise has been essential in handling incidents and in the daily activities of a CSIRT for a long time. So, where does a CTI team fit in, and what can it bring to the table?
The presentation will support organizations with a CSIRT and a CTI team to enhance collaboration. It will also highlight some challenges organizations establishing CTI teams can face.
David Rufenacht is senior threat intelligence analyst at InfoGuard. Previously, David worked for the Swiss National Cyber Security Center providing threat assessments to critical infrastructure. He holds a master degree in international relations as well as in social anthropology.
Asger Strunk is a highly skilled IT security professional with a wealth of experience spanning over a decade. Throughout his career, Asger has been involved in both offensive and defensive security operations, working tirelessly to protect individuals and organizations from cyber threats. His expertise in incident response is second to none, and he has an unwavering commitment to ensuring his clients are protected at all times. Currently, Asger is employed full-time by a leading Swiss cyber security company, where he specializes in incident response and brings a level of expertise that is unmatched in the industry.
April 17, 2024 09:30-10:00
Aaron Kaplan, Aaron Kaplan (EC-DIGIT-CSIRC, AT), Jay Jacobs (Cyentia, US), Syra Marshall (ELEMENDAR, GB)
AI for CTI is getting a lot of attention and traction. Natural Language Processing (NLP) is starting to be used a lot for the analyst's workload. Turns out, there seems to be no single accepted CTI NLP benchmark dataset. In other words: we can't compare solutions.
Benchmark datasets are extremely relevant for comparing the quality of systems as well as for improving their accuracy in training and re-training runs. The AI SIG at FIRST.org created a sub-group of volunteers to address this hard problem. This talk will cover how we thought about the benchmark dataset, an analysis of similar benchmarks and how people created them, what goes into a balanced and good dataset, analysis of sources of data (ORKL.eu, etc.) and what use-cases we wanted to cover with the benchmark dataset. Finally, we will show how the benchmark is being used for evaluating a few CTI AI tools and how to use it for LoRA training of your own, custom LLM.
Currently working for EC-DIGIT-CSIRC where he focuses on how to leverage the power of Large Language Models (LLMs) for CTI purposes. Prior to joining EC-DIGIT-CSIRC, Aaron was employee #4 of CERT.at, the national CERT of Austria. He was member of the board of directors FIRST.org between 2014-2018. He co-founded intelmq.org, a tool for automating incident handling workflows. He is a frequent speaker at (IT security) conferences such as hack.lu, black hat, amongst others.
He is co-chair of the AI Security SIG at FIRST.org. Aaron likes to come up with ideas which have a strong benefit for (digital) society as a whole and which scale up. He loves sharing knowledge and open source tools to automate stuff.
Jay is the Chief Data Scientist at Cyentia Institute, the lead data scientist for the Exploit Prediction Scoring System (EPSS) and is co-chair of the EPSS special interest group at FIRST.
Phd. Paolo Di Prodi was a senior data scientist at Microsoft and Fortinet. He has now founded a company called Priam Cyber AI ltd that uses virtual agents to automate security operations. He contributes regularly to open source projects from OASIS like STIX2.1,DISARM,IOB and various LLM projects such as OLLAMA and LiteLLM. He also a member of the Automation AI SIG in FIRST ORG and contributed to developing EPSS at the RAND ORG.
Syra Marshall is the CTO at Elemendar, with a background in Mathematics and Computer Science. After getting bored of being a cog in a machine she has been the technical founder of start-ups in search, blockchain and, for the past seven years, has led product development at Elemendar, where her focus has been the applications of NLP within Cyber. A self-confessed nerd she will happily take any board game challenge you might want to throw at her.
April 16, 2024 10:45-11:15
Michael DeBoltFreddy MurstadMichael DeBolt (Intel 471, US), Freddy Murstad (Nordic Financial CERT, NO)
Join industry leaders for an engaging half-day workshop that introduces the core fundamentals of building an intelligence plan that aligns to stakeholder needs - individually and at scale - and creates a foundation for measuring success of your CTI team.
Participants will gain hands-on experience building their own plan from scratch using a scenario-based practical exercise, non-proprietary tools, and a catalog of "take home" resources including training videos, fillable templates and worksheets that are provided free of charge for use in their own environments.
As Chief Intelligence Officer, Michael DeBolt provides strategic and operational leadership across Intel 471's globally diverse team of HUMINT and technical researchers, linguists, analysts, and intelligence consultants. Before Intel 471, Michael developed strategy and led operations as the US representative and Head of Cybercrime Intelligence at INTERPOL. As a Special Agent at the US Naval Criminal Investigative Service (NCIS), he specialized in national security cyber operations and cybercriminal investigations. Michael is a proud US Marine Corps infantry veteran.
Freddy is currently doing his PhD on the cross-section of intelligence and Cyber Threat Intelligence (CTI) and will research how the intelligence field can help mature the CTI field in the private sector. While researching for his PhD, Freddy also works as the senior threat intelligence analyst at Nordic Financial CERT (NFCERT) in Norway where he supports the financial sector with strategic intelligence. Freddy uses his education and experience with intelligence to bring a multifaceted approach to CTI and provide value to stakeholders.
April 15, 2024 08:30-10:00, April 15, 2024 10:15-12:30
Kamil BojarskiKamil Bojarski (Standard Chartered Bank, PL)
Discovery and tracking of adversarial infrastructure are one of the most common tasks of threat intelligence teams and can yield significant insights into adversary operations. However, increasing adoption of cloud services and use of privacy protection have enabled threat actors to blend command-and-control nodes with legitimate hosts that present similar features and profile. The talk aims to discuss challenges related to infrastructure analysis and propose a robust methodology leading to resilient tracking techniques. Using Joe Slowik's concept of treating indicators as composite objects, we will focus on profiling network artifacts like TLS certificates, exposed host services, and domains. By observing and combining multiple characteristics, analysts can establish patterns and signatures representing how an activity group creates their infrastructure, and as such gain more confidence in early detection and attribution.
The presentation will include use cases of tracking post-exploitation frameworks servers and role of infrastructure analysis in activity group clustering. The examples will aim to demonstrate how to fully exploit data that can be derived from an indicator utilizing the author's guide (available at https://bit.ly/infrastructure-exploitation) and data collected from widely accessible services such as Shodan or Censys.
Kamil Bojarski works as a Senior Analyst at Standard Chartered Bank's Client and Third-Party Intelligence team where he tracks down adversarial activity affecting the Bank's supply chain and supports outreach efforts. Kamil is also a teaching assistant at SANS Institute supporting students during FOR578 Cyber Threat Intelligence course, and a member of GIAC Advisory Board. You can read his musings on threat intelligence, OSINT and national security at counterintelligence.pl. His research interests are focused on counterintelligence aspects of information security, activity of eastern APT groups and cross-section of technical and political aspects of cyber operations.
April 16, 2024 16:30-17:00
Kamil-Bojarski-Invisible-Strings.pdf
MD5: e0199ef9e7bba590a6c699ab14a9aff5
Format: application/pdf
Last Update: June 7th, 2024
Size: 4.43 Mb
Remco SprootenRuben GroenwoudRemco Sprooten (Elastic, NL), Ruben Groenwoud (Elastic, NL)
This workshop offers a unique opportunity for participants to master the setup and operation of a Malware Lab, an indispensable asset in the field of cybersecurity. Expert-led sessions will guide attendees through the creation and management of environments for secure malware analysis. The program emphasizes the use of specially prepared virtual machines, enabling the safe examination and detonation of malware samples in a controlled setting.
A significant focus of the workshop is on Malware Analysis, particularly the use of Sandbox Techniques to observe and understand malware behavior in a granular way. A key aspect of this training involves the advanced skill of filtering events in large datasets. Participants will engage in hands-on exercises to execute malware in these environments, followed by thorough training in sophisticated event collection and analysis methods. These skills are vital for professionals tasked with sifting through extensive data to identify critical security threats. This workshop is designed to equip attendees with the necessary tools and insights to navigate and analyze complex cybersecurity environments effectively
A central feature of the workshop is advanced Malware Analysis, focusing on the utilization of Sandbox Techniques for detailed malware behavior observation. Participants will gain practical experience in sifting through large datasets, honing their skills in filtering and analyzing significant events from security data. This hands-on approach will equip them with the critical ability to identify and address sophisticated cyber threats effectively in today's complex security landscapes.
Remco is a Senior Security Researcher at Elastic's Security Labs, specializing in reversing and analyzing malware, particularly in the Linux domain. With a rich background as a forensic investigator for the Dutch Police, he brings a unique blend of law enforcement and cybersecurity expertise. At Elastic, Remco focuses on dissecting malware families, contributing to the development of innovative security strategies. His work is integral in understanding and mitigating emerging cyber threats, leveraging his extensive experience in digital forensics and threat analysis.
Ruben Groenewoud is a dynamic Threat Detection Engineer at Elastic, known for his innovative approach in cybersecurity. With a solid background in managing SOC operations and a Master's degree in Applied Machine Learning for Cybersecurity, Ruben brings a unique blend of practical experience and advanced academic knowledge. At Elastic, he plays a key role in enhancing threat detection systems, applying his expertise to develop smarter, data-centric security solutions. His contributions are characterized by a keen understanding of modern cyber threats and a commitment to evolving security technologies, making him a rising talent in the cybersecurity arena.
April 15, 2024 08:30-10:00, April 15, 2024 10:15-12:30
Christian StuderAlexandre DulaunoyChristian Studer (CIRCL, LU), Alexandre Dulaunoy (CIRCL, LU)
This workshop will introduce participants into some of the more intricate uses of MISP, especially in regards to automation and the use of the API. There will be a heavy focus on building efficient and accurate search queries, best practices for bucketing relevant information as well as integration with custom tools and formats.
Finding the right subset of information shared in a broad community such as FIRST can be challenging, but luckily we have a large toolbox at our disposal. We will cover a wide range of techniques to achieve this and participants will get to try out their newly acquired skills via a set of hands-on exercises.
Alexandre Dulaunoy encountered his first computer in the eighties, and he disassembled it to know how the thing works. While pursuing his logical path towards information security and free software, he worked as senior security network consultant at different places (e.g. Ubizen, now Cybertrust). He co-founded a startup called Conostix, which specialised in information security management. For the past 6 years, he was the manager of global information security at SES, a leading international satellite operator. He is now working at CIRCL in the research and operational fields. He is also a lecturer in information security at Paul-Verlaine University in Metz and the University of Luxembourg. He is also the lead developer of various open source tools including cve-search and member of the MISP core team. Besides his activities in cyber-security, he's also fond of generally fixing anything that's broken around the office.
Christian Studer joined CIRCL in 2017 after he graduated with a Master in Computer Science. During his master thesis at CIRCL he showed his capacity to lead existing CIRCL software such as the Potiron framework, a tool to normalize, index and visualize network captures. He is mainly working on MISP, contributing to the core development and several integrations with other tools and formats, most notable, he leads the STIX implementation of the project. He is also the co-chair of the OASIS CTI STIX Subcommittee.
April 15, 2024 14:00-16:00, April 15, 2024 16:15-18:00
Enrico LovatTobias MainkaEnrico Lovat (Siemens Corp, US), Tobias Mainka (Infineon AG, DE)
Once upon a time, a central Threat Intelligence Platform (TIP) started to show the first signs of aging. A group of experts assembled and decided to replace it with a new and exciting one called MISP.
The team designed a majestic architecture with a dozen interconnected new instances of MISP puppies, each one dedicated to specific tasks. The litter enjoyed the new kingdom and all the puppies happily played along with each other, exchanging data using MISP native synchronization and filtering capabilities. Every issue that the old platform suffered from was taken care of. Therefore, on paper, everything was perfect.
But was it? What happened when the puppies grew up?
Join us for the fascinating tale of one of the most complex MISP ecosystems ever built - where the joy of raising feature-packed MISP puppies clashed with the tricky challenges of taming a technological beast - and we will share the valuable lessons that we learned in the vibrant chaos of our overengineered MISP zoo.
Enrico Lovat received his PhD from the Technical University of Munich for his research on the topics of usage control and information flow tracking. He joined Siemens CERT in 2016 in the dual role of Incident Handler and Cyber Threat Intelligence Team Lead. In 2022 he moved to Siemens Technology as Principal Key Expert, supervising the research in technologies and innovations for cybersecurity services.
Tobias Mainka serves as the Technical Lead for Cyber Threat Intelligence at Infineon AG, actively involved in building and coordinating the Cyber Threat Intelligence process. Before his current role, he was part of Siemens CERT specializing as a major incident responder, particularly drawn to special vulnerability handling.
April 17, 2024 11:30-12:00
Cheng-Lin YangKuan-Lun LiaoCheng-Lin Yang (CyCraft Technology, TW), Kuan-Lun Liao (CyCraft Technology, TW)
In the realm of cybersecurity, staying ahead of emerging threats is paramount. Our presentation introduces an innovative system that revolutionizes how Cyber Threat Intelligence (CTI) is analyzed and utilized. By harnessing the power of advanced multimodal techniques, combining both textual and visual data, we offer a transformative approach for security analysts to convert an overwhelming influx of intelligence into structured data. The core of our system is a Natural Language-to-SQL (NL2SQL) technology, allowing analysts to navigate and extract critical information from the CTI database with ease. Our method extends beyond traditional search capabilities, presenting a conversational assistant that guides users through a question-answering interface, making the retrieval of complex intelligence both intuitive and efficient. This talk will unveil the intricacies of constructing such a system and demonstrate its ability to enhance the performance of security analysts.
Dr. Cheng-Lin Yang, currently a data science director at CyCraft Technology, where he is responsible for organizing and leading the machine learning team. He received his PhD in Artificial Intelligence from the University of Edinburgh and his research focuses on constructing efficient and effective machine learning workflows and utilizing machine learning techniques to automate detection and response along each phase of the cyberattack kill chain. He was a speaker at Black Hat USA, CyberSec, SECCON, PyCon Taiwan, PyCon Japan and AWS Summit Taiwan.
Kuan-Lun Liao is a data scientist at CyCraft Technology, where he is primarily responsible for designing human-compatible neural networks, including part-whole hierarchies learning and additive neural networks. He also applies various NLP techniques to solve cybersecurity issues, such as automatic AD security analysis and massive user behavior retrieval. Liao is passionate about exploring opportunities to use cutting-edge machine learning approaches in the field of cybersecurity. His work has been published in ICML, ICLR, and AAAI, three of the world's leading machine learning conferences.
April 16, 2024 11:45-12:15
Robin DimyanogluRobin Dimyanoglu (HelloFresh SE, DE)
This workshop introduces Early Warning Intelligence (EWI), a predictive approach that orchestrates cyber defense by anticipating threats before they materialize. Incorporating structured analytical techniques, we will explore two distinct methodologies for constructing an EWI system: profile-driven and correlation-guided research approaches, drawing from practical examples and previously published works.
This workshop will not only dissect these methods but will also argue for the integration of temporary countermeasures—a concept introduced to adjust cyber defense dynamically in response to elevated threat levels. Examples include tweaking rate limits and bot scores, configuring increased resources, and temporarily disabling features to mitigate impact, showcasing a shift from static to adaptive security postures.
Robin Dimyanoglu is the Red Team Lead at HelloFresh Global, with extensive experience in Cyber Threat Intelligence and Threat-Informed Defense. Robin is inspired to bring in concepts from war and intelligence studies to the field of cybersecurity. With a passion for staying ahead of the curve, he is committed to developing novel solutions to security problems.
April 15, 2024 08:30-10:00, April 15, 2024 10:15-12:30
Robin-Dimyanoglu-Predictive-Cyber-Defense.pdf
MD5: 891e4559544767baae1b95ad298214a6
Format: application/pdf
Last Update: June 7th, 2024
Size: 37.48 Mb
Yury Sergeev (RST Cloud Pty Ltd, AU)
With an emphasis on leveraging Artificial Intelligence (AI) and Machine Learning (ML), the session demonstrates an automated approach to streamline the collection, processing, and analysis of threat intelligence reports (APT reports, DFIR reports, malware analysis reports, threat reports, etc.) at scale. The proposed methodology focuses on technical insights, spanning the identification and monitoring of relevant resources, automatic classification using ML to filter out irrelevant information, and the preservation and extraction of valuable threat data with conventional and AI techniques. Attendees will gain insights into optimising their workflows, including the extraction of meaningful information from reports, summarisation techniques, and the automated conversion of reports into the STIX format.
As a cybersecurity expert with a profound understanding of enterprise IT and OT infrastructure, they leverage their expertise to audit, plan, design, develop, and implement complex Information Security systems. Their impressive track record, consisting of over 90 successful cybersecurity projects, consistently enhanced the security of enterprises across multiple countries and industries.
After 6 years working for Deloitte Cyber Intelligence Centre as a security engineer and later as a Director, founded a company called RST Cloud that specialises in Threat Intelligence.
Their focus now centres on operationalisation of threat intelligence, staying vigilant against emerging threats, and guiding teams effectively towards project goals and objectives.
April 16, 2024 11:15-11:45
Sergeev-Processing-Threat-Reports-at-Scale-Using-AI-and-ML.pdf
MD5: bd2b466005d2988fed3ca9a345cc84c8
Format: application/pdf
Last Update: June 7th, 2024
Size: 1.37 Mb
Ememobong Eyo (HU)
Businesses are out to make profit. As they operate and strive for growth, they rely on threat management teams to protect them. But is a focus on industry threats the most effective approach? This session will capture a concept to driving security into security-conscious businesses, what it looks like, and how it compares to conventional threat management practices.
Ememobong Eyo helps organisations operate securely. Having led a threat management team serving multiple global businesses, she believes that more than managing day-to-day threats, threat management teams are equipped to inform and justify security decisions. Ememobong has served in the information technology industry for over ten years, and currently specialises in cyber threat management as a threat hunter and business threat defense strategist.
April 17, 2024 15:15-15:45
Alexandre DulaunoyJean-Louis HuynenAlexandre Dulaunoy (CIRCL, LU), Jean-Louis Huynen (CIRCL, LU)
The Private Search Set (PSS) is an extension to the standard Bloom filter or a standalone hash file to describe and share private set. It provides features such as fast lookup of values without disclosing the values, easy distribution of private sets to a group of users or organizations, watermarking and tracking down potential leak of a private search set (PSS), offline private search, and flexible meta-format to describe and extend the private search set (PSS). We will present the benefits for sharing communities using PSS and how it can improve the distribution of IoC, threat intelligence or leaked information.
Alexandre Dulaunoy encountered his first computer in the eighties, and he disassembled it to know how the thing works. While pursuing his logical path towards information security and free software, he worked as senior security network consultant at different places (e.g. Ubizen, now Cybertrust). He co-founded a startup called Conostix, which specialised in information security management. For the past 6 years, he was the manager of global information security at SES, a leading international satellite operator. He is now working at CIRCL in the research and operational fields. He is also a lecturer in information security at Paul-Verlaine University in Metz and the University of Luxembourg. He is also the lead developer of various open source tools including cve-search and member of the MISP core team. Besides his activities in cyber-security, he's also fond of generally fixing anything that's broken around the office.
Jean-Louis Huynen is a security researcher at CIRCL. He works on threat detection/intel and the development of tools to support incident response, Previously he collaborated with LIST-- Luxembourg Institute of Science and Technology (LU)--to the development of a Mixed Reality platform for the training for Security Critical Agents (mainly on firearms events and CBRN incidents). Previous research works (and his PhD) at SnT--Interdisciplinary Centre for Security, Reliability and Trust (LU)--focused on the usability of security systems and root cause analysis techniques for investigating security incidents.
April 17, 2024 14:45-15:15
Philippe Lin (Trend Micro, CA)
This talk discusses the challenges and complexities of running OpenCTI with dozens of contributors over a course of three years. We delve into the "organic chaos" caused by label misuse, duplicated entries, missepelling, and the confusion that arises from ingesting many external sources, such as SecureList, Palo Alto Unit42, and Trend Micro Research into OpenCTI. Using concrete examples, we illustrate how data cleansing became mission highly-impossible and hinder threat researchers. We discuss our efforts to standardize sector labels, our consideration on US CISA vs STIX, and the need to extend existing vocabularies like STIX 2.1. In conclusion, we share our best practices, tips, tricks and traps in updating OpenCTI data on a production system.
Philippe Lin is a Senior Threat Researcher at Trend Micro Research. His work revolves around industrial embedded systems, software-defined radio, 4G/5G core network and machine learning. He is an enthusiast of open-source software.
April 16, 2024 09:45-10:15
Philippe-Lin-Morton-Swimmer-Solving-CTI-Sector.pdf
MD5: fc19f016d7e1ee8ea7df1332e8d27a1e
Format: application/pdf
Last Update: June 7th, 2024
Size: 3.06 Mb
Hsiang Yu (CyCraft Corp., TW), Syue Siang Su (CyCraft Technology Corp, TW)
Businesses face ZTA hurdles due to external service reliance. Gartner's 2026 forecast highlights asset tracking challenges, leading to data aggregation from sources like CMDB, CISA's KEV, NIST NVD. Stringent management of these sources is crucial for resilient security in evolving threats.
In this talk, we will discuss the risk of source pollution increases. If any source is susceptible to manipulation, a successful modification will perhaps lead to information confusion, unwanted downloads, or even catastrophic security events such as DoS attack (faked GeoIP) and arbitrary code execution.
Hsiang Yu Cheng is a cybersecurity researcher at Cycraft Technology and focuses on the automatic analysis of malware and threat-hunting.
Syue Siang Su is a senior cybersecurity researcher at CyCraft Technology and is currently focused on cloud security, AD security, web security, and threat hunting. He takes an active role in the cybersecurity community and has delivered speeches at multiple seminars across the globe including HITCON, HITB, and HackerOne. He still participates in CTF competitions including SECCON CTF in Japan and HITCON CTF in Taiwan and has submitted multiple reports to bug bounty programs and open-source projects.
April 17, 2024 13:45-14:15
Joe SlowikJoe Slowik (Paralus, US)
A core dilemma within intelligence work is the act of disclosure: acting on information will, to some degree, expose to an entity that such information was collected. Furthermore, exposure of a single instance can lead to identification of far broader penetration, endangering subsequent collection of intelligence and thus further action. Yet, intelligence absent action can be deemed irrelevant and superfluous—leaving analysts and decision makers in a difficult position.
In this discussion, we will explore examples of intelligence disclosure in the cyber realm leading to adversary adaptation, and its consequence for defenders. As a result of this analysis, we will arrive at an understanding of the gain-loss dilemma underpinning cyber threat intelligence work. We will conclude the discussion with an assessment of how intelligence analysts can seek to balance continued collection with defender support, and what factors are most critical in deciding such issues.
Joe Slowik has over 15 years of experience across multiple security disciplines. Joe has previously built and led cyber threat intelligence operations at multiple organizations including Dragos, DomainTools, Gigamon, and Huntress, as well as performed significant operational roles in incident response and security management within the US government. Joe is primarily interested in intelligence applications to tactical security outcomes, and ensuring the relevance and efficacy of cyber threat intelligence in modern defensive environments.
April 16, 2024 14:30-15:00
Joseliyo SánchezJoseliyo Sánchez (VirusTotal - Google, ES)
Images are a common feature of documents, but they can also be a valuable source of intelligence for security analysts. By tracking the images that threat actors use in their documents, analysts can gain insights into their procedures, as well as their potential targets and impersonated companies.
This type of approach has helped us find and track the Russian cyber espionage group Gamaredon and others such as the group known as Blind Eagle that is suspected to be from Latin America and other APTs/Crime groups. It will also discuss the challenges and limitations of the approach.
Joseliyo Sanchez is a security engineer at VirusTotal - Google. Member of the ENISA Working Group on Cyber Threat Landscapes. Previously worked at McAfee and BlackBerry as a threat researcher. His main objectives are threat hunting that leads to detection engineering and analysis of APTs and Crime groups.
April 16, 2024 16:00-16:30
Joseliyo-Sanchez-Tracking-Threat-Actors.pdf
MD5: f3af5778c1bde41f1ba73a03eaf892a4
Format: application/pdf
Last Update: June 7th, 2024
Size: 5.11 Mb