Program Overview

FIRST Cyber Threat Intelligence Symposium

Monday, 9 March

Training Room Wiggis
Switch
Training Room Bermina
Switch
Training Room Rigi
Switch
Meetings
UBS Conference Centre
08:00 – 09:00

Registration & Welcome Coffee

08:30 – 10:30

Obtaining Cyber Threat Intelligence through Reverse Engineering (4 hours)

Gijs Rijnders (Tesorion, NL)


101 Training Session on Intelligence Direction and Intelligence Production (4 hours)

Andreas Sfakianakis (threatintel.eu, NL)


Identifying and Analyzing Adversary Infrastructure and Malware (Full Day)

Derek Thomas, Michael Schwartz (Target, US)

10:30 – 10:45

Coffee Breaks in Room

10:45 – 12:30

Obtaining Cyber Threat Intelligence through Reverse Engineering (4 hours)

Gijs Rijnders (Tesorion, NL)


101 Training Session on Intelligence Direction and Intelligence Production (4 hours)

Andreas Sfakianakis (threatintel.eu, NL)


Identifying and Analyzing Adversary Infrastructure and Malware (Full Day)

Derek Thomas, Michael Schwartz (Target, US)

12:30 – 13:30

Lunch

13:30 – 15:30

OPSEC for Investigators and Researchers (4 hours)

Krassimir Tzvetanov (Purdue University, US)


Analysis of Competing Hypotheses (ACH) for Cyber Warriors (4 hours)

Stewart Bertram (Digital Shadows, GB)


Identifying and Analyzing Adversary Infrastructure and Malware (Full Day)

Derek Thomas, Michael Schwartz (Target, US)

CTI SIG Meetings

15:00 – 17:00

15:30 – 15:45

Coffee Breaks in Room

15:45 – 17:30

OPSEC for Investigators and Researchers (4 hours)

Krassimir Tzvetanov (Purdue University, US)


Analysis of Competing Hypotheses (ACH) for Cyber Warriors (4 hours)

Stewart Bertram (Digital Shadows, GB)


Identifying and Analyzing Adversary Infrastructure and Malware (Full Day)

Derek Thomas, Michael Schwartz (Target, US)

Tuesday, 10 March

Plenary
UBS Conference Centre
08:00 – 09:00

Registration & Welcome Coffee

09:00 – 09:15

Opening Remarks

Serge Droz (FIRST, CH)

09:15 – 10:00

Connecting the Dots - How CTI Enables Operations and Informs the Business

Kate Yamashita, Kimberly Bucholz (Accenture, US)

10:00 – 10:30

How to Build and Use Collection Management Framework?

Bartosz Jerzman (Standard Chartered, PL)

10:30 – 11:00

Break

11:00 – 11:30

Building an Intelligence-Driven Organization

Anastasios Pingios (Booking.com, NL)

11:30 – 12:00

Assessing Value. Beyond Indicator Quality

Xander Bouwman (Delft University of Technology, NL)

12:00 – 12:30

Latin America Under Siege: A Look at Adversaries Beyond the Wall

Enrique Vaamonde (Tekium, MX); Matt Bromiley (FireEye, US)

12:30 – 13:30

Lunch

13:30 – 14:00

The Trouble with Iranian Attribution

Allison Wikoff (SecureWorks, US)

14:00 – 14:30

The Men Who Never Were: Assessing Ties Between the Samsam Ransomware Campaign and the IRGC

Charlie Cullen (CrowdStrike, US)

14:30 – 15:00

Deep Derp Web? - Is Criminal Intel from the 'Dark Web' Really Still Effective?

James Chappell (Digital Shadows, GB)

15:00 – 15:30

Break

15:30 – 16:00

From Excel to TIP ... and Back: Technology Enablement in the Intelligence Cycle and the Role of TIPs

Andreas Sfakianakis (threatintel.eu, NL)

16:00 – 16:45

Turning Data into Actionable Intelligence - Advanced Features in MISP Supporting Your Analysts and Tools

Alexandre Dulaunoy (CIRCL, LU); Andras Iklody (CIRCL, LU)

16:45 – 17:15

CTI Collaboration Using STIX and Elasticsearch

Chris O'Brien (EclecticIQ, NL)

17:15 – 19:15

Wednesday, 11 March

Plenary
UBS Conference Centre
08:00 – 09:00

Registration & Welcome Coffee

09:00 – 09:30

Sighting Use Cases

Sebastien Tricaud (Devo Inc., US)

09:30 – 10:00

Narrator: Generating Intelligence Reports from Structured Data

Jörg Abraham (EclecticIQ, NL); Sergey Polzunov (EclecticIQ, NL)

10:00 – 10:30

MalDomain ML: A Machine Learning Model to Find Malicious Domains Before They Go Bad

John Bambenek (Bambenek Consulting, LTD., US)

10:30 – 11:00

Break

11:00 – 11:30

Bringing Intelligence into Cyber Deception with MITRE ATT&CK

Adam Pennington (MITRE, US)

11:30 – 12:00

rcATT: Retrieving ATT&CK Tactics and Techniques in Cyber Threat Reports

Valentine Legoy (University of Twente, NL)

12:00 – 12:30

Rethinking the Graph Visualization for Threat Reports

Mayo Yamasaki (NTT-CERT, JP)

12:30 – 13:30

Lunch

13:30 – 14:15

How I Became Our Own Worst Enemy, I Mean Adversary

John Stoner (Splunk, US)

14:15 – 14:45

Understanding What's Next; Combining Red Team Findings and Adversary Playbooks

Gert-Jan Bruggink (Falconforce, NL)

14:45 – 15:15

Break

15:15 – 16:00

xHunt... An Anime Fan's Attack Campaign in the Middle East

Brittany Ash, Robert Falcone (Palo Alto Networks, Unit 42, US)

16:00 – 16:30

Riding xWav: Defending Against a Long Term, Persistent Threat

Jack Simpson (PwC, GB)