Program Overview

Please note: Monday sessions are being held in two different locations that are about 30 mins away by taxi:

BT
BT Centre
81 Newgate Street
London, EC1A 7AJ
DS
Digital Shadows
The Columbus Building
6th Floor, 7 Westferry Circus
London, E14 4HD

Route between DS and BT - Maps provided by Google
Map provided by Google, click on map to open in Google Maps.

Monday, 18 March

Training and Workshops - BT AuditoriumTraining and Workshops - BT A1Training and Workshops - DS/BLTraining and Workshops - DS Theater
08:00 – 09:00

Welcome Coffee & Registration (be sure to bring your ID!)

09:00 – 13:00
 US

Using ATT&CK™ for Cyber Threat Intelligence Workshop

Adam Pennington, Katie Nickels, Richard Struse (MITRE, US)

 LU

MISP Threat Intelligence Analyst and Administrators

Alexandre Dulaunoy, Andras Iklody (CIRCL, LU)

 US

OPSEC for investigators and researchers

Krassimir Tzvetanov (US)

 US

Beginner Tracking Adversary Infrastructure

Michael Schwartz (Target, US); Tim Helming (DomainTools, US)

10:30 – 11:00

Coffee Break

13:00 – 14:00

Lunch

14:00 – 18:00

Tutorial on OSINT tradecraft

Larry Leibrock (DA and Ph.D.)

 LU

MISP Threat Intelligence Analyst and Administrators

Alexandre Dulaunoy, Andras Iklody (CIRCL, LU)

 NO

Training: The ACT Threat Intelligence Platform

Dr. Martin Eian (mnemonic, NO)

 US

Beginner Tracking Adversary Infrastructure

Michael Schwartz (Target, US); Tim Helming (DomainTools, US)

Beginner Tracking Adversary Infrastructure

15:30 – 16:00

Coffee Break

18:00 – 21:30

Tuesday, 19 March

Plenary - March 19 - BT Centre Auditorium & Media Suite
08:00 – 09:00

Welcome Coffee & Registration (be sure to bring your ID!)

09:00 – 09:30
 NL

5 years of applied CTI discipline: where should organisations put focus on?

Andreas Sfakianakis (Royal Dutch Shell, NL)

09:30 – 10:00
 NO

Bootstrapping a Threat Intelligence Operation

Jon Røgeberg (mnemonic, NO)

10:00 – 10:45
 US

Building, Running, and Maintaining a CTI Program

Michael J. Schwartz (Target, US); Ryan Miller (Target Corporation )

10:45 – 11:15

Coffee Break

11:15 – 12:00
 NL

TIBER: connecting threat intelligence and red teaming

Marc Smeets, Stan Hegt (Outflank, NL)

12:00 – 13:00

Lunch

13:00 – 13:30
 GB

5 years in adversary emulation

James Chappell (Digital Shadows, GB)

13:30 – 14:00
 US GB

Adventures in Blunderland

Allison Wikoff (Secureworks, US); Matt Webster (Secureworks, GB)

14:00 – 14:30
 US

All Your Heatmap Are Belong To Us - Building an Adversary Behavior Sighting Ecosystem

Richard Struse (MITRE, US)

14:30 – 15:00
 GB

Logistical Budget

Éireann Leverett (Conconnity Risks, GB)

15:00 – 15:30

Coffee Break

15:30 – 16:00
 US

The Hitchhiker's Guide to Threat Research

Bryan Lee (Palo Alto Networks , US)

16:00 – 16:30
 US

Cloudy with low confidence of Threat Intelligence: How to use and create Threat Intelligence in an Office365 Environment

Dave Herrald, Ryan Kovar (Splunk, US)

16:30 – 17:00
 GB

Drawing the line: cyber mercenary or cyber threat intelligence provider?

Stewart Bertram (Digital Shadows, GB)

17:00 – 17:30
 NL

Going from Guilt to Guild: Confessions of a TI Provider

Diederik Perk (Fox-IT, NL)

17:30 – 18:00
 JP

A Lightweight Markup Language for Graph-Structured Threat Sharing

Mayo Yamasaki (NTT-CERT, JP)

19:00 – 22:00

Wednesday, 20 March

Plenary - March 20 - BT Centre Auditorium & Media SuiteWorkshop - March 20 - BT Centre A1 conference room
08:00 – 09:00

Welcome Coffee & Registration (be sure to bring your ID!)

09:00 – 09:30
 US

Turning intelligence into action with MITRE ATT&CK™

Adam Pennington, Katie Nickels (MITRE, US)

09:30 – 10:00
 GB

ATT&CK™ Is The Best Form Of…Reconnaissance: Using MITRE PRE-ATT&CK™ To Enrich Your Threat Model

Richard Gold (Digital Shadows, GB)

10:00 – 10:30
 NL

Metrics and ATT&CK. Or how I failed to measure everything.

Francesco Bigarella (ING Bank, NL)

10:30 – 11:00

Coffee Break

11:00 – 11:30
 US

Quality Over Quantity: Determining Your CTI Detection Efficacy

David J. Bianco (Target, US)

11:30 – 12:00
 US

How to get promoted: Developing metrics to show how threat intel works

Marika Chauvin, Toni Gidwani (ThreatConnect, US)

 GB US

FIRST CTI SIG BoF

James Chappell (Digital Shadows, GB); Krassimir Tzvetanov (US)

12:00 – 13:00

Lunch

13:00 – 13:30
 NL

EVALUATE OR DIE TRYING - A Methodology for Qualitative Evaluation of Cyber Threat Intelligence Feeds

Sergey Polzunov, Jörg Abraham (EclecticIQ, NL)

 US

The Art and Science of Attribution

Simon Conant (Palo Alto Networks, US)

13:00 – 15:00

13:30 – 14:00
 US

Insights and Challenges to Automated Collaborative Courses of Action

Allan Thomson (LookingGlass CERT – LookingGlass, US); Bret Jordan (Symantec, US)

14:00 – 14:30
 NL

A Place for Analysis of Competing Hypothesis (ACH) in CTI: Applications and Evolution of ACH in CTI

Caitlin Huey (EclecticIQ, NL)

14:30 – 15:00
 CH

Your Requirements are not my Requirements

Pasquale Stirparo (Google, CH)

15:00 – 15:30

Coffee Break

 GB US

FIRST CTI SIG BoF

James Chappell (Digital Shadows, GB); Krassimir Tzvetanov (US)

15:00 – 18:00

15:30 – 16:00
 PL

Semi-intelligence: trying to understand threats on a country level

Paweł Pawliński (CERT.PL, PL)

16:00 – 16:30
 US

Statistical Techniques to detect Covert Channels Employing DNS

Dhia Mahjoub, Thomas Mathew (Cisco Umbrella (OpenDNS), US)

16:30 – 17:00
 US

Code Reuse Analysis: Transforming a Disadvantage into a Game-Changing Advantage

Shaul Holtzman (Intezer, US)

17:00 – 17:30
 US

File-Centric Analysis through the Use of Recursive Scanning Frameworks

David Zawdie (US)

17:30 – 18:00
 US

Building STINGAR to enable large scale data sharing in near real-time

Jesse Bowling (Duke University, US)