Ken Dunham
Ken Dunham has over three decades of combined business, technical, and global leadership experience in cybersecurity, incident response, and cyber threat intelligence. His career path is non-traditional, starting with education, consulting, and programming.
Mr. Dunham has extensive experience with all sectors and business sizes, as well as former TS-SCI US DOD experience (redacted). He has led many of the largest global investigations in the history of computing and countered emergent threats, working against actors, campaigns, and payloads of all types as unknown threats are discovered and countered.
CTI threat hunting is a critical function for effective, actionable outcomes in reducing cyber risk to an organization. Changes in the CTI community in the last few years, coupled with tooling, culture, and the influence of CRINK nations and bias, have diluted our collective integrity and understanding of analytical tradecraft for effective and efficient threat hunting outcomes in the CTI lifecycle. What are the essential tenets of success to ensure efficient and effective CTI threat hunting outcomes that reduce risk within an organization to the left of boom?
CTI Threat Hunting with Effectiveness
January 7, 2026 09:00-11:00
Arūnas Venclovas (NRD Cyber Security, LT)
Security analysts and threat hunters often want to sharpen their ability to detect and respond to malicious network activity, especially without relying on expensive commercial platforms. In this presentation we will review a curated set of free, open-source tools, which provide deeper visibility into organizational network traffic and uncover threats before they escalate.
The presentation begins with a quick dive into core network traffic collection methods, such as packet capture, logging, and NetFlow analysis. We will also explore the daily workflows and investigative mindset of an effective threat hunter. Lastly, we will go through how to identify suspicious patterns, enrich findings with intelligence feeds from the Malware Information Sharing Platform (MISP), and connect the dots between seemingly unrelated events.
Through brief case studies and live-style investigative walkthroughs, you will see how theory translates into practice. The session will conclude with a guided, hands-on demonstration of open-source tools in action—equipping participants with ready-to-use techniques to strengthen their monitoring and detection capabilities immediately.
Arūnas Venclovas, Director of Product Development at NRD Cyber Security. Arūnas is an experienced leader in product development with a deep understanding of cybersecurity, IT, and telecommunication markets. Currently serving as the Director of Product Development at NRD Cyber Security, Arūnas is responsible for deploying cyber security solutions in national and sectorial CERTs with the aim of automating operations, building capacity, and empowering teams to work successfully. Arūnas has played a major role in automating and modernizing CSIRTMalta (Malta Critical Infrastructure Protection) operations by improving Incident Detection, Response and Threat Intelligence actualization. He also works closely with multiple CIRTs (Eg-FinCIRT, etc.), assisting them in improving network detection capabilities by automating threat hunting, adjusting rulesets, and solving other related challenges.
MD5: e885de5279279ab3407a2a3654b28fa2
Format: application/pdf
Last Update: March 4th, 2026
Size: 1.82 Mb
Sebastian Wagner (Institute for Common Good Technology, AT)
IntelMQ is a Free and Open Source tool chain to automate Threat Intelligence data handling.
IntelMQ automates the boring processes of incident handling so you can concentrate on the tasks that really need your attention. Learn how to ingest data from various sources such as Shadowserver, how to arrange your bespoke workflows, how to connect with other systems (such as MISP, databases, RDAP, ticketing systems, etc.), and how to notify your constituency.
Contents of the workshop include:
The content may vary based on participants' input and questions. Participants are encouraged to send in their questions and examples to intelmq@commongoodtechnology.org beforehand, so we can cover them in more detail in the workshop.
About IntelMQ: The open source tool was created in 2014 by CERT.pt and CERT.at (Aaron Kaplan, Tomas Lima) and is used globally for incident handling automation by at least 600 IT security teams. It is entirely free of charge. IntelMQ.org is the community supporting the project's long-term evolution.
What will participants gain from the workshop? An in-depth know-how as well as the skills to deploy and adapt the IntelMQ tool to their specific automation needs.
Sebastian Wagner is an IT-Security expert and trainer, Free Software enthusiast, full-stack software developer, and project manager. He is currently working for a small software firm, and is active in NGOs for the common good in cooperation with FIRST and Shadowserver. He has co-maintained IntelMQ for 11 years and previously worked at CERT.at for six years.
FIRST Regional Symposium for Central Asia
Tashkent, UZ
February 26, 2026 13:30-15:00, February 26, 2026 15:30-17:30
Hosted by UZCERT
MD5: 5eef0cb292a5464db0023f2a33c4ebac
Format: application/pdf
Last Update: March 23rd, 2026
Size: 553.67 Kb
Sebastian Wagner (Institute for Common Good Technology, AT)
In today's cyber threat landscape, effective coordination among incident response teams is crucial. This session will provide participants with a high-level overview of open-source tools that facilitate coordination, data sharing, and threat intelligence. The session will cover key tools like MISP and TheHive, and also highlight lesser-known gems that help you maintain an overview of your constituency.
We will focus on coordination tools and also touch on the topic of analysis and forensics.
The session gives you an overview of the role of open-source tools in enhancing coordination and cooperation among teams, including these tooling areas: Threat Intelligence Sharing and OSINT gathering, Attack Surface Reduction, Incident Response, Forensics and Analysis Tools, Analysis tools, Network Monitoring.
Sebastian Wagner is an IT-Security expert and trainer, Free Software enthusiast, full-stack software developer, and project manager. He is currently working for a small software firm, and is active in NGOs for the common good in cooperation with FIRST and Shadowserver. He has co-maintained IntelMQ for 11 years and previously worked at CERT.at for six years.
MD5: c3feb9017d5a2ec12d30b020e9a50aad
Format: application/pdf
Last Update: March 23rd, 2026
Size: 2.05 Mb
MD5: 744764a451f357906d15def44cefedcb
Format: application/pdf
Last Update: March 23rd, 2026
Size: 4.74 Mb
Vladimir Kropotov (Trend Micro, DE), Fyodor Yarochkin (Trend Micro, TW)
AI is bringing a lot of good by optimising processes, finding unexpected correlations, predicting critical events, creating content, and significantly optimising our jobs and daily routine tasks. At the same time, overreliance on AI can bring risks to a variety of critical verticals and to humans. This talk will focus on increasing awareness of the risks of overreliance on AI decisions and will highlight both general risks and the risks for particular critical verticals. It will include insights on how AI is changing the attack surface and being leveraged in different opportunistic, hacktivism and targeted attack scenarios.
Vladimir Kropotov is an Advisor and principal researcher with the Trend Micro Forward-Looking Threat Research team. Active for over 20 years in information security projects and research, he previously built and led incident response teams at Fortune 500 companies. He holds a master's degree in applied mathematics and information security. He also participates in various projects for leading financial, industrial, and telecom companies. His main interests lie in network traffic analysis, incident response, and botnet and cybercrime investigations. Vladimir was a speaker at a variety of cyber security events, including BHEU, BHAsia, HITB, hack.lu, FIRST and others.
Fyodor Yarochkin is a Senior Researcher, Forward-Looking Threat Research, at Trend Micro with a Ph.D. from EE, National Taiwan University. An early Snort Developer and Open Source Evangelist as well as a Programmer, his professional experience includes several years as a threat investigator and over eight years as an Information Security Analyst.
The risks of AI (over)reliance to the security and privacy
February 18, 2026 09:00-10:00