Cybersecurity teams face an asymmetric battle against AI-enabled adversaries who register millions of malicious domains daily, often lying dormant to evade traditional newly-registered-domain detections. This presentation explores advanced approaches to DNS and NetFlow telemetry that transform raw network data into actionable threat intelligence.
We demonstrate how domain clustering analysis detects sophisticated typosquatting campaigns and bulk-registered brand impersonation domains that evade conventional security tools. Through real-world case studies, we show how major security platforms miss 60-100% of coordinated domain registrations, while cluster-based detection identifies behavioral and infrastructural patterns that may indicate state-sponsored activity.
The session covers the strategic integration of passive and active DNS data with NetFlow telemetry to achieve comprehensive visibility across the threat landscape. Topics include: infrastructure reuse detection, shadow IT discovery, attack surface mapping, and adversary pattern analysis. We examine how NetFlow's "agentless" approach enables forensic timeline reconstruction, exfiltration quantification, and incident response maturity measurement.
Attendees will learn practical fusion techniques for correlating DNS and NetFlow data to reduce false positives, accelerate threat detection, and close visibility gaps in modern security operations. The presentation emphasizes that detection maturity requires not just data collection, but contextual correlation—transforming telemetry from noise into strategic defensive capability.
Ed Gibbs, is a seasoned cybersecurity executive with WHOISXMLAPI.Com and a Forbes Technology Council member. With decades of experience spanning roles at Cisco, McAfee, Symantec, and most recently leading technical and research efforts at WhoisXML API, Ed has cultivated a reputation for advancing cyber threat intelligence, DNS analytics, and internet infrastructure security. His work involves spearheading domain and subdomain discovery techniques, overseeing passive DNS research, and managing complex security data ecosystems used by governments, cybercrime units, and market researchers globally. As an accomplished team leader, Ed has built and led diverse groups of security professionals and researchers while fostering collaborations with internet registrars and infrastructure providers to combat abuse and elevate security standards. Ed brings a deep well of knowledge on security operations, firewalls, VPNs, and cutting-edge threat intelligence methodologies. His insights into DNS and domain-based research especially how passive DNS and domain enrichment can expose malicious activity make him an ideal guest for discussions on emerging cyber threats, operational security challenges, and innovations in managing external attack surfaces. Whether it's discussing AI's role in cybersecurity, sharing real-world insights from enterprise security leadership, or examining the future of DNS infrastructure, Ed delivers compelling, informed perspectives tailored for both technical and strategic audiences.
Ernesto Guzmán leads the Digital Forensics and Incident Response team at ES Consulting, bringing more than 15 years of experience in technology, cybersecurity, and digital forensics. He holds certifications as ISO/IEC 27035 Lead Incident Manager, ISO/IEC 27001 Lead Auditor, ISO/IEC 9001 Lead Auditor, Certified Ethical Hacker (CEH), among other international credentials.
Throughout his career, he has successfully led critical incident response operations and complex forensic investigations, strengthening his expertise in digital asset protection, threat intelligence, and comprehensive security incident management.
His work includes the development of practical methodologies for forensic analysis and data recovery, enhancing organizational resilience after security incidents. Currently, he leads the cyber defense team at ES Consulting, driving advanced strategies for digital resilience and incident management aligned with international standards.
