Program Overview

2026 Peak Incident Response Technical Colloquium

Tuesday, May 5^th
Day 1
Wednesday, May 6^th
Day 2

Tuesday, May 5^th

	Day 1
13:00 – 13:10	Opening
13:10 – 13:40	CH Open Source Software as Underfinanced Critical Infrastructure Christian Folini (Netnea, CH)
13:40 – 14:10	LU OpenSource and Open Data, How Those Will Improve Resilience and Strategic Autonomy? Mika Lauhde (Luxembourg House of Cybersecurity, LU)
14:10 – 14:40	TT Geopolitical Cybersecurity Threats and National Security Rick Logan-Stanford (TTCSIRT, TT)
14:40 – 15:10	CH Visibility, Blocking, and Impact: Operationalizing DNS Cybersecurity at Scale in the Swiss Context John Todd (Quad9, CH)
15:10 – 15:30	Break
15:30 – 16:00	IT WHOIS is Your Incident Response Best Friend! Vito Alfano (CYTIA4, IT)
16:00 – 16:30	PL DNS Threat Hunting at Scale: Turning Million Daily Queries into Actionable Intelligence Damian Woszczak, Marcin Barszcz (CSIRT MON, PL) TLP:AMBER
16:30 – 16:55	CH Keynote: Cybersecurity in a Geopolitical Context Florian Schütz (NCSC.ch, CH)
16:55 – 17:20	Dialoge Giacomo Paoli & Florian Schutz Florian Schütz (NCSC.ch); Giacomo Paoli
17:20 – 18:00	Q&A Florian Schütz (NCSC.ch); Giacomo Paoli

Wednesday, May 6^th

	Day 2
09:00 – 09:45	CH Opening Keynote: Securing a Global Insfrastructre Stefan Lüders (CERN, CH)
09:45 – 10:15	Dialogue Stefan - Bill on Global Infra
10:15 – 10:45	CH It's About Time: A Blueprint for Operating Resilient, Sovereign, and Authenticated NTP at Global Scale Raphael Seebacher (Open Systems, CH)
10:45 – 11:15	Coffee
11:15 – 11:45	US Securing the DNS Infrastructure at Global Scale Bill Woodcock (Packet Clearing House, US)
11:45 – 12:15	CH The Invisible Infrastructure: DNS Security from Authentication to Availability Branko Mijuskovic (Proton AG, CH)
12:15 – 12:45	FR Understanding What Makes DNS Abuse Easy: Operational Lessons for Defenders Maciej Korczynski (Grenoble Alpes University / KOR Labs, FR)
12:45 – 14:15	Lunch Break
14:15 – 14:45	Lessons Learned from Malicious Domain Measurement and Disruption Graeme Bunton (NetBeacon)
14:45 – 15:15	CH Detecting Malicious Domain Registration Batches: Patterns, Prevalence, and Implications for Incident Response Carlos Gañán (ICANN, CH)
15:15 – 15:45	CH The Role of Formal Verification in Isolating Critical Services David Cock (Neutrality, CH)
15:45 – 16:15	CH What the Fuzz? Thorough Testing of Systems and Configurations Mathias Payer (EPFL (HexHive), CH)
16:15 – 16:30	Coffee
16:30 – 17:00	CH Behind the Scenes of Cybersecurity at Eurovision Song Contest 2025 Carlos Verde, Olivier Spielmann (Senthorus, CH)
17:00 – 17:30	CH Using passive DNS (and more) for Threat Research and creating your own CTI Tom Ueltschi (Swiss Post CERT, CH)
17:30 – 18:00	CH Fighting fraud and building trust in online marketplaces Mikel Grabocka (Swiss Marketplace, CH)
18:00 – 18:30	Final Words

CH
Behind the Scenes of Cybersecurity at Eurovision Song Contest 2025
Carlos Verde (Senthorus, CH), Olivier Spielmann (Senthorus, CH)
In this session, we will share our firsthand experience safeguarding one of Europe’s most high‑profile live events: the Eurovision Song Contest. This presentation will walk the audience through the unique operational complexity of securing a large‑scale, globally broadcast event and the multifaceted cyber defense strategy required to keep it running safely.

We will detail how threat intelligence, threat detection, and incident response activities were orchestrated in real time, as well as how crisis management processes and governance models were designed to ensure resilience under pressure. Attendees will gain insights into practical lessons learned, coordination challenges, cross‑team collaboration, and the security frameworks that enabled effective protection of such a visible and time‑critical event.
May 6, 2026 16:30-17:00
CH
Detecting Malicious Domain Registration Batches: Patterns, Prevalence, and Implications for Incident Response
Carlos GañánCarlos Gañán (ICANN, CH)
Cybercriminals routinely register domains in large, time-bound batches to launch phishing campaigns, distribute malware, and establish botnet command-and-control infrastructure at scale. Yet systematic, large-scale measurement of this behavior and its operationalization into actionable defender tooling has remained limited, particularly since the post-GDPR disappearance of registrant-level WHOIS data.

This talk presents the first comprehensive, empirical analysis of batch domain registrations across the gTLD landscape, drawn from 16.6 million newly registered domains in Q1 2025. We introduce a clustering methodology using only publicly available thin registration features (registrar identity, authoritative nameservers, and creation timestamps) to reliably identify coordinated registration batches at scale. Applied to ICANN's BRDA dataset and cross-referenced against seven major threat intelligence feeds (Spamhaus, PhishTank, APWG, URLhaus, SURBL, WMC-Global, and Urlscan), our results reveal that at least 16% of all newly registered gTLD domains exhibit batch registration patterns, with abuse rates reaching 45.7% for spam and over 24% for phishing domains.

We will demonstrate that batch registration rates are a statistically significant predictor of registrar-level abuse, and show how batch-based domain expansion (pivoting from a single known-malicious seed domain to all co-registered domains in the same batch) increases detected malicious domains by 80%, uncovering an additional 289,000 likely-abused domains beyond what threat intelligence feeds would flag alone, and enabling early detection of domains days before they appear in any blocklist.

Attendees will leave with a practical, open framework for real-time batch detection deployable by registrars, registries, CERTs, and threat intelligence analysts, with direct implications for proactive DNS abuse mitigation, incident response pivoting, and ICANN policy discussions around registrar API controls and registration verification requirements.
May 6, 2026 14:45-15:15
Dialoge Giacomo Paoli & Florian Schutz
Florian Schütz (NCSC.ch), Giacomo Paoli
Placeholder

The contemporary geopolitical landscape is profoundly shaped by the rapid evolution and weaponization of technology, fundamentally altering national security strategies and statecraft. Key technological domains like microchip manufacturing, data science, or quantum computing - to name a few - are no longer merely enablers but instruments of power projection, economic leverage, and military advantage. This shift has led to a "race for tech supremacy" among major powers, creating both unprecedented opportunities for cooperation and significant risks of conflict and instability. The pervasive digitalization of the economy, governments and society exposes nations to new vulnerabilities, compelling states to invest heavily in both offensive and defensive technological capabilities while at the same time trying to deny access to advanced technology, innovation and manufacturing methods for adversaries. Interestingly, the policy tool of choice so far has been predominantly regulation. Unfortunately, regulation applied without an in-depth understanding of supply chains and its economics can easily do more harm than good.
May 5, 2026 16:55-17:20
PLTLP:AMBER
DNS Threat Hunting at Scale: Turning Million Daily Queries into Actionable Intelligence
Damian Woszczak (CSIRT MON, PL), Marcin Barszcz (CSIRT MON, PL)
DNS telemetry is one of the richest and most underutilized data sources available. This talk demonstrates how a national military CSIRT turned million daily DNS queries into a practical threat hunting pipeline, using commodity tools that most teams already have deployed.

CSIRT MON — operating within Polish Cyber Command (POL CC) — monitors DNS traffic across military infrastructure networks. We will walk the audience through our real operational data and the precise findings it produces.

To begin with baseline establishing: it is worth noting that 62.4% of DNS responses in the observed infrastructure have TTL below the CISA fast flux detection threshold (300 seconds) — and then explainimg why TTL-based alerting is useless without multi-layer correlation combining ASN diversity, geolocation entropy, and residential vs datacenter IP classification.

Secondly, demonstration of full infrastructure pivoting workflow: starting from a single IP address published in a CERT-UA campaign advisory, the passive DNS, Censys, and WHOIS usage to identify related infrastructure, then how to map the adversary's hosting patterns, and avaluate probable targeting objectives — up to showing how a public IOC becomes the seed for a comprehensive threat picture.

The talk concludes with ready-to-use detection playbook: KQL queries that any ELK-based team can deploy immediately. Every query, every threshold, and every finding in this talk comes from production data gathered by the national CSIRT team — not a lab environment.

This presentation directly addresses the colloquium's focus on using DNS as a tool for threat detection and incident response, and on tools and techniques that leverage DNS in cybersecurity, while providing real-world case studies that peers can adopt in their own environments.
May 5, 2026 16:00-16:30
CH
Fighting fraud and building trust in online marketplaces
Mikel GrabockaMikel Grabocka (Swiss Marketplace, CH)
Mikel Grabocka is a Security Architect for Identity and Trust at Swiss Marketplace Group (SMG), where he focuses on passwordless authentication, digital identity, and trust. His work spans both security and user experience, emphasizing building practical, scalable identity solutions using FIDO and passkeys. Mikel also represents SMG in the FIDO Alliance and actively contributes to the evolving conversation around authentication and digital trust.

This session will cover how risk-based decision making can be used for fighting fraud and building trust in some of the biggest online marketplaces of Switzerland (e.g., homegate.ch, ricardo.ch, tutti.ch etc.). It will cover:
- Fraud modalities and fraudster incentives (e.g., starting from online marketplaces and progressing into bank accounts)
- Mechanisms used to build trust and prevent fraud (e.g., phishing resistant passwordless authentication.
- How ML / AI powered decision making can make a difference (e.g., reduce up to 90% of fraud)
- Digital identity being the control plane for trust
May 6, 2026 17:30-18:00
TT
Geopolitical Cybersecurity Threats and National Security
Rick Logan-StanfordRick Logan-Stanford (TTCSIRT, TT)

Rick Logan-Stanford is a highly motivated and results-oriented ICT/Security Professional with 13 years of experience designing, maintaining, and troubleshooting complex systems. He possesses a strong foundation in network security and is currently advancing his career in Cybersecurity, focusing on incident response, digital forensics, vulnerability assessments, and cyber law/diplomacy. With a proven track record in incident response, vulnerability assessments, and gap analysis, he is committed to safeguarding critical infrastructure and fostering international collaboration against evolving cyber threats. Rick is eager to contribute to a dynamic team and pursue a leadership role within the cybersecurity domain, leveraging his extensive experience to navigate and overcome complex challenges."

Cyberspace has emerged as a launching ground, or rather the staging ground for geopolitical conflict under the guise of competition or exercise and a critical national security concern. This addition to the cyber threat landscape is being defined by state-sponsored operations, advanced persistent threats, and the convergence of state and criminal actors, effectively blurring the lines between espionage, sabotage, and warfare. This environment establishes cyberspace as a continuous battlefield where nations pursue strategic objectives, project power, and engage in conflict under the radar of the traditional threshold of war.

Cyber operations serve as dual-purpose instruments, as tools for achieving geopolitical advantage and as existential threats to national security infrastructure. Incidents such as the SolarWinds espionage campaign and the NotPetya disruptive attack illustrate tangible consequences, including compromised government networks, severe economic damage, and the erosion of international norms. These realities present new challenges to national resilience and economic stability. Effectively mitigating these risks necessitates a paradigm shift toward enhanced public-private collaboration, the development of robust cyber resilience frameworks, and the pursuit of credible international deterrence strategies to manage this escalating dimension of modern conflict.
May 5, 2026 14:10-14:40
CH
It's About Time: A Blueprint for Operating Resilient, Sovereign, and Authenticated NTP at Global Scale
Raphael SeebacherRaphael Seebacher (Open Systems, CH)
Raphi is a Staff Engineer and "Systems T(h)inker" who thrives at the intersection of people and distributed systems. With a background in electrical engineering and a decade of experience at Open Systems, he has managed everything from global edge nodes to high-stakes incident responses. He is an ETH Zurich alumnus, a Swiss Armed Forces officer, and an active radio amateur and maker.

Time synchronisation using the Network Time Protocol (NTP) is a silent dependency for nearly every security control in a modern stack - from TLS certificate validation and MFA to forensic log correlation. Yet, for many organisations, it remains an unmonitored and unauthenticated "set and forget" utility. In 2019, a single, long standing configuration choice - the prefer statement on our local GPS reference clock - exposed how easily this critical foundation can fail. When that clock lost its GPS fix and dropped to Stratum 12, the prefer directive bypassed standard Marzullo consensus logic, leading to a "silent failure" only discovered when a customer noticed the stratum change because their downstream clocks failed to synchronise.

This session details the journey of Open Systems as we modernize the time synchronisation of over 10'000 globally managed nodes. We move beyond the "set and forget" of the past towards a model of resilient, sovereign, and authenticated time synchronisation.

The talk provides a reproducible blueprint for transforming time synchronisation into a hardened, sovereign, and fully observed security asset. Key technical takeaways include
- Time Reference Clock Selection: Considerations for selecting a diverse set of reference clocks to ensure long-term operational resilience and sovereign control over the time foundation.
- Scaling Time Distribution Globally: How to navigate the real-world hurdles of scaling time synchronisation across a distributed fleet, from ISP-level filtering to the synchronisation quirks of legacy OT hardware, illustrated with a packet capture.
- Observability as a Security Guardrail: Transitioning from "customer-notified failures" to real-time telemetry and proactive quality monitoring using a modern observability stack, featuring real-world data.
- The Path to Authentication: An outlook on the deployment of Network Time Security (NTS) at scale, providing strategic pointers and early lessons for organizations preparing for the transition to authenticated time.
May 6, 2026 10:15-10:45
Lessons Learned from Malicious Domain Measurement and Disruption
Graeme Bunton (NetBeacon)
Over the past four years, the NetBeacon Institute has enabled the reporting of hundreds of thousands of malicious domains to domain registrars, registries, and web hosts, while also measuring mitigation rates and uptimes. Drawing from this experience we share four related insights: a) what matters for effective disruption of malicious domains b) the challenges in measuring mitigation attribution c) what mitigation rates look like across the DNS and d) why upcoming policy changes will make reporting malicious domains more important and impactful.

The NetBeacon Institute works to make the Internet safer for everyone by providing free insights, education, and services. The Institute is a part of Public Interest Registry, the not-for-profit that operates the .org TLD, and it operates in support of PIRs public benefit mission.
May 6, 2026 14:15-14:45
CH
Open Source Software as Underfinanced Critical Infrastructure
Christian FoliniChristian Folini (Netnea, CH)

Christian Folini is a teacher, author and application security engineer with twenty years of experience.

He is the author of the 2nd edition of the ModSecurity Handbook and one of the best known experts of the Open Source ModSec Web Application Firewall (WAF). He is a Co-Lead of the OWASP ModSecurity Core Rule Set (CRS) project and represents the project externally. His best known contributions to the project are the concept of Paranoia Levels and his design of the plugin architecture as well as his set of canonical Apache / ModSecurity / Core Rule Set tutorials that he maintains on our website.

Open Source software (OSS) is a crucial component of most software and most services these days. Without open source software the internet would come to a halt and mobile phones would shut down. Open source is critical infrastructure.

Yet OSS is critical infrastructure built on a shoestring budget.

This has hurt us before and the future may be even more painful. The open nature of the code makes OSS an easier prey for AI adversaries who can easily search vulnerabilities locally. AI agents are also submitting issues to open projects and more and more also pull requests that eat scarce human review resources.

Developers struggle to keep up and risk to give write access to malicious players that seemingly support the project with reviews and maintenance.

AI raises the risk for OSS security by eating developer resources.

We need to come up with practical solutions to finance at least the top tier of critical OSS libraries and the modest widespread building blocks of the digital ecosystem.

This talk explores the problem based on the example of OWASP CRS, the dominant web application firewall rule set, and points to possible solutions.
May 5, 2026 13:10-13:40
CH
Opening Keynote: Securing a Global Insfrastructre
Stefan LüdersStefan Lüders (CERN, CH)

Stefan Lüders (PhD) graduated from the Swiss Federal Institute of Technology in Zurich and joined the European Organization for Particle Physics (CERN) in 2002. Since 2009, he is heading the CERN Computer Security Incident Response Team as CERN’s Computer Security Officer with the mandate to coordinate all aspects of CERN’s computer security – office computing security, computer centre security, GRID computing security, and control system security – whilst taking into account CERN’s operational needs. Dr. Lüders has presented on computer security and control system cyber-security topics on many different occasions to international bodies, governments, and companies, and published several articles.

Perliminary Abstract: CERN is located in Geneva, CERN's detectors are located in Geneva: But scientific work, based on gigantic amounts of collected data are processed globally in independent locations across jurisdictions. Securing this original cloud is a challange and a sucess story.
May 6, 2026 09:00-09:45
LU
OpenSource and Open Data, How Those Will Improve Resilience and Strategic Autonomy?
Mika Lauhde (Luxembourg House of Cybersecurity, LU)
Governments, humanitarian organizations, and private companies alike must navigate the growing operational difficulties stemming from advances in digitalisation, automation, AI, data flows, and the rise of quantum computing and networking.

Yet at the same time, access to meaningful cybersecurity data is becoming increasingly critical for ensuring secure operations. To facilitate access to sanitized, relevant, and structured data, Luxembourg has established the Luxembourg Cybersecurity Factory (LCF), powered by 4 engine: Data Space, AI Hub, Quantum Lab and Cyber Commons Office. By offering an open data space for cybersecurity, this initiative makes information security exchange more accessible and stimulates new business opportunities. Building on this approach, the LCF seeks to enhance both national and pan-European resilience and strategic autonomy.
May 5, 2026 13:40-14:10
US
Securing the DNS Infrastructure at Global Scale
Bill WoodcockBill Woodcock (Packet Clearing House, US)

Bill Woodcock is the executive director of Packet Clearing House, the international non-governmental organization that builds and supports critical Internet infrastructure, including Internet exchange points and the core of the domain name system. Since entering the Internet industry in 1985, Bill has helped establish more than three hundred Internet exchange points. In 1989, Bill developed the anycast routing technique that now protects the domain name system. In 2007, Bill was one of the two international liaisons deployed by NSP-Sec to the Estonian CERT during the Russian cyber-attack. In 2011, Bill authored the first survey of Internet interconnection agreements, as input to the OECD’s analysis of the Internet economy, and conducted follow-on surveys in 2016 and 2021, with participation from more than 27,000 Internet service providers in 192 countries. Bill served on the Global Commission on the Stability of Cyberspace, and the Commission on Caribbean Communications Resilience. He chairs the board of the Quad9 Foundation, he’s on the board of directors of the M3AA Foundation, and was on the board of the American Registry for Internet Numbers for fifteen years. Now, Bill’s work focuses principally on the security and economic stability of critical Internet infrastructure.

The Domain Name System is a global critical communications infrastructure which cannot be operated by individual states in isolation, nor in an entirely "sovereign" fashion. This talk explores the policy and technical choices which allow states to ensure maximal security and availability for their national top-level domains, and provides an overview of the technical architecture of the largest and oldest DNS service network, detailing the security and availability challenges, and the engineering and operational choices that address them.

PCH is the intergovernmental treaty organization which operates the noncommercial DNS service network supporting three-quarters of the world's national top-level domains, many of the root nameservers, and many critical infrastructure domains. It's directly connected to thousands of other networks at more than 440 Internet exchange points in 135 countries, and answers hundreds of millions of queries per second, with better than six-nines of uptime over the past thirty-two years.
May 6, 2026 11:15-11:45
CH
The Invisible Infrastructure: DNS Security from Authentication to Availability
Branko MijuskovicBranko Mijuskovic (Proton AG, CH)
Branko Mijuskovic is a seasoned Senior Site Reliability Engineer based in Geneva with nine years of DevOps and Linux systems experience, specializing in cloud and high-availability architectures. He currently serves as Senior SRE at Proton/ProtonMail, where he designs and maintains scalable CI/CD pipelines, monitoring, and incident response for international teams. His technical breadth spans CloudStack, AWS, Docker, Kubernetes, Ansible, Terraform, Packer, and automated bare-metal OS provisioning, with a strong focus on HA clustering (Corosync, Pacemaker, Keepalived) and storage systems (ZFS, NFS, Cloudian). He has led infrastructure initiatives at HIAG Data AG and Safe Swiss Cloud, delivering centralized logging (ELK stack, Zabbix, Nagios) and robust monitoring (Grafana/Telegraf/InfluxDB), with experience in MySQL/Percona clustering and web-scale deployments. His early career includes Linux administration for high-availability web infrastructures and complex social/web platforms, supported by a Bachelor's in Information Systems and Technologies from the University of Belgrade. Based in Switzerland, he brings a global perspective to building reliable, secure, and scalable systems across cloud and on-prem environments.

DNS is simultaneously the backbone of email authentication and a primary attack surface for adversaries. This presentation explores the dual reality of DNS in operational security: how it enables email trust through SPF, DKIM, and DMARC, and how attackers exploit these same mechanisms for abuse and disruption. We begin with a brief overview of email authentication protocols, then reveal a sophisticated attack vector that exploits the reusability of DKIM signatures - verified through DNS-published public keys - to bypass authentication controls: the DKIM replay attack. We'll examine why this attack is particularly difficult to defend against at scale. From detection to defense, we'll cover industry-standard DKIM replay mitigation and detection practices, open-source anomaly detection approaches, eBPF-based abuse mitigation strategies, and the operational tradeoffs of TTL tuning across DNS layers. Drawing from production experience, we'll share real-world lessons on caching behavior, prefetching implications, and the latency pitfalls of CNAME-delegated DKIM records. Attendees will gain actionable insights for detecting email attacks that leverage DNS, and tuning their DNS infrastructure for resilience without sacrificing availability.

Key Takeaways:
- Recognize the dual nature of DNS as both a defense mechanism and an attack surface
- Implement detection pipelines using open-source tools
- Apply industry-standard DKIM replay mitigation practices in your environment
- Implement resilient DNS infrastructure that withstands abuse while serving legitimate traffic.
May 6, 2026 11:45-12:15
CH
The Role of Formal Verification in Isolating Critical Services
David Cock (Neutrality, CH)
This talk will give an overview of the threat environment that motivated the design of Neutrality's Atoll verified hypervisor, and where we see those conditions applying to organisations in the field. We will discuss the ways in which formally-verified isolation mechanisms represent a qualitative improvement over the status quo when it comes to operating critical infrastructure. We will further cover the challenges in deploying verified software in real-world systems, and where its higher assurance guarantees change the tradeoffs for operators.
May 6, 2026 15:15-15:45
FR
Understanding What Makes DNS Abuse Easy: Operational Lessons for Defenders
Maciej KorczynskiMaciej Korczynski (Grenoble Alpes University / KOR Labs, FR)

Maciej Korczynski is a Full Professor in cybersecurity and Internet measurement at Université Grenoble INP / Université Grenoble Alpes, and a co-founder of KOR Labs. His work bridges research and operations, focusing on measuring and understanding Internet abuse, particularly DNS- and domain-related threats, and translating those insights into actionable intelligence for defenders and ecosystem partners. He has authored multiple peer-reviewed papers on domain abuse, attacker infrastructure, and ecosystem-level defenses, and regularly engages with industry and operational communities to support coordinated mitigation and multi-stakeholder response.

Phishing operators rely on a constant supply of new domain names, yet abuse is far from evenly distributed across the DNS ecosystem. Some registrars attract a disproportionate share of malicious registrations, creating both operational challenges for defenders and opportunities for earlier intervention. This talk presents results from the InferMAL project, which examines why certain parts of the domain registration ecosystem are more attractive to phishers than others, and what defenders can do with that knowledge.

Drawing on a dataset of 14,500 maliciously registered phishing domains and 15,400 benign domains, we analyze 73 features describing registrar and registry practices, including pricing, bundled services, registration workflows, verification measures, and reactive security practices. We show that malicious registrations are strongly associated with low registration costs, free bundled services, and automation-friendly workflows such as API-based registration or account creation. By contrast, stricter registration requirements are associated with substantially lower abuse. We also show that some measures commonly viewed as important, such as mitigation speed, may have less deterrent value than expected for single-use phishing operations.

Beyond the statistical findings, the talk will focus on practical implications for incident response and DNS abuse mitigation. We will discuss how these insights can help defenders prioritize monitoring, improve enrichment and triage, identify ecosystem-level risk factors earlier, and support more targeted engagement with registrars, registries, and other operational stakeholders. The presentation will also reflect on how policy and operational practice can reinforce one another to raise the cost of abuse without unduly burdening legitimate users.
May 6, 2026 12:15-12:45
CH
Using passive DNS (and more) for Threat Research and creating your own CTI
Tom UeltschiTom Ueltschi (Swiss Post CERT, CH)

Tom has been working at Swiss Post CERT for over 15 years and has presented at different security conferences since 2012. He’s an active member of many trust groups and communities sharing about infosec topics.

Main Topic: "Using DNS as a tool for threat detection, incident response, digital forensics or threat/malware research"

If you're able to block and quarantine nearly all malicious email attachments, that's a great source to create your own CTI from. Automate the malware analysis pipeline as much as possible to extract the C2 configs from analyzed samples. For over a decade we developed our own framework to do this, but since then there are open source projects that make this easier for you. ( https://github.com/threatcat-ch/malware-analysis-pipeline )

MISP is a great tool to store and correlate (and share as much as you can!) malware C2. Using different passive DNS sources is useful to enrich and expand on the C2 infrastructure used for different malware campaigns and threat activity clusters.

However, there is even another approach beside pDNS to cluster C2 hosts together. NetBIOS names from Windows hosts used to serve as C2, which may have RDP or SMB exposed to the Internet, can be seen and indexed by many scanning platforms like Censys, Validin and many more. Using any of these platforms can help you connect clusters with different C2 domains and IPs via the same NetBIOS name seen on the different C2 IPs. For the past 18 months I've been exploring and improving this approach to build threat activity clusters based on NetBIOS names.

Each of these clusters can be linked back to malware sample analyses from our pipeline as well as targets (intended email recipients, who did not receive the malware email attacks) via exported email logs.

Through limited access to platforms like HYAS and EPIEOS, I was able to correlate dynamic DNS (e.g. duckdns) to registration emails and in many cases also Personally Identifiable Information (PII) that could help identify threat actors behind these attacks. This information might also be interesting to LEA for further investigation.
May 6, 2026 17:00-17:30
CH
Visibility, Blocking, and Impact: Operationalizing DNS Cybersecurity at Scale in the Swiss Context
John ToddJohn Todd (Quad9, CH)

John is the Chief Technology Officer of Quad9 and has been involved with internet infrastructure and the DNS for nearly 30 years.

DNS telemetry offers a ground-level view of the threat landscape that few other data sources can match — high volume, exceptionally wide user communities, and geographic attribution. This talk presents a practical account of DNS-based cybersecurity as implemented through Quad9's public resolver infrastructure, with a focus on what that data reveals about Swiss and EU user communities. We examine the pipeline from IOC ingestion to blocking action, discuss how campaigns and attacker infrastructure become visible in DNS query patterns, and present example statistical findings drawn from Swiss endpoint data. Particular attention is given to the practical deployment of DNS security tooling within Swiss NGOs — organizations that often operate with constrained resources but face real threat exposure. The session bridges conceptual foundations (how DNS blocking works and where it fits in a defense stack) with empirical findings (what Swiss users are actually encountering), offering both orientation for those new to DNS security and concrete data points for practitioners already operating in this space, from the perspective of Swiss-based Quad9, one of the largest open recursive resolvers in the world.
May 5, 2026 14:40-15:10
CH
What the Fuzz? Thorough Testing of Systems and Configurations
Mathias PayerMathias Payer (EPFL (HexHive), CH)

Mathias Payer is a security researcher and professor at the EPFL school of computer and communication sciences (IC), leading the HexHive group. His research focuses on protecting applications in the presence of vulnerabilities, with a focus on memory corruption and type violations. He is interested in software security, system security, binary exploitation, effective mitigations, fault isolation/privilege separation, strong sanitization, and software testing (fuzzing) using a combination of binary analysis and compiler-based techniques.

The Internet's backbone relies on increasingly complex software stacks: routing software, DNS resolvers, service daemons, orchestration systems, and virtualization layers running in large-scale cloud environments. Ensuring that these components are secured and behave correctly have become a major headache for network operators.

Fuzz testing is the most effective technique for uncovering software vulnerabilities. Over the past decade, fuzzers have discovered hundreds of thousands of bugs across all layers of critical infrastructure. Yet fuzzing remains mostly used by bug hunters and software engineers, not by the practitioners who deploy and operate these systems.

This talk introduces fuzzing from a practitioner's perspective. We will explain why fuzzing is so effective, how it applies to network infrastructure, and how it can help uncover not only memory-safety bugs but also subtle configuration and logic errors. The goal is to show how fuzzing can become a practical tool for improving the robustness of the systems that keep the Internet running.
May 6, 2026 15:45-16:15
IT
WHOIS is Your Incident Response Best Friend!
Vito AlfanoVito Alfano (CYTIA4, IT)

Vito is a specialist in Digital Forensics, Incident Response, Vulnerability Management Cyber Threat Intelligence, Threat Hunting, Security Awareness and Secure Networks Design with 15+ years of experience in the field and tons of projects completed in different regions (Europe, APAC, US, MEA) and investigating and responding to hundreds of security incidents, primarily related to APTs and Cybercrime, in intergovernmental organizations, space and defense entities and in the banking sector.

The speech will share a short tale about a real incident response investigation that unexpectedly led to identify several IoCs which, through WHOIS, allowed to reveal a huge cybercrime infrastructure provided to APT, Ransomware and Cybercrime groups operating in different countries.
May 5, 2026 15:30-16:00