Free Virtual Summit: Jan 27-28 | Summit Co-Chairs: Katie Nickels, Rebekah Brown, and Rick Holland | Summit CPEs: 12
Training: Jan 31 - Feb 5 | Live Online

Cyber Threat Intelligence Summit is Back!

At this year’s Cyber Threat Intelligence Summit, you’ll have the chance to learn, connect, and share with thousands of cybersecurity professionals in attendance from around the globe. No matter your background or skill level, you’ll walk away from CTI Summit with interesting perspectives and case studies that challenge CTI assumptions and result in a shift in your understanding.


Register now to enjoy:

Two Days of Highly Technical Summit Talks: Cyber Threat Intelligence Summit presentations are curated and designed around specific analytical techniques and capabilities, through case studies and firsthand experience, that can be utilized to properly create and maintain threat intelligence in your organization.

Interactive Workshops, Sessions and Panels: This is the singular annual Cyber Threat Intelligence event where we throw EVERYTHING we've got into the mix for an incredible hands-on learning experience to transform your skills and take you to the next level.

A One-of-a-Kind Virtual Networking Experience - This Live Online format offers exclusive access to connect with your community, leading experts and analysts, as well as SANS instructors. Attendees tell us time and again that one of the greatest takeaways from a SANS Summit is the many industry connections they forge or deepen during their time with us.

NEW - CTI Summit en Español - We're excited to introduce a new Cyber Threat Intelligence track for our Spanish speaking attendees that will take place on Thursday, January 27. We are thrilled to have assembled a remarkable group of individuals who will donate their time and expertise to build the best possible CTI Summit en Español track agenda to deliver actionable content that meets the needs of the community. Our CTI Summit en Español Advisory Board includes:


To learn more about our CTI Summit en Español Advisory Board members, please visit their profile pages:
Jess Garcia, Valentina Costa-Gazcón, Mark Fernandez, Enrique Vaamonde, Jennifer Chavarria Reindl, Carlos R

What Attendees Say About Their Summit Experience

"This summit is critical for anyone in CTI regardless of experience level. The various elements required to be successful are presented and thoroughly discussed." - Robert Morgan, LANL

"Some great speakers who provide valuable content based on their professional experience, much of which can be immediately applied to your own CTI role." - Don Franke, Amazon

"I left the Summit with an entire list of important action items. Incredible content overall!" - Ken Hensley, CME Group


Boost Expertise with a Bundled Course

Choose from a number of hands-on, immersion-style SANS Live Online courses to help you expand your information security expertise. SANS courses are taught by experienced practitioners who are among the best cybersecurity instructors in the world. They will provide you with the guidance and skills you need to protect your organization and advance your career.

NetWars - Students enrolled in courses at Cyber Threat Intelligence Summit & Training 2022 can join us Live Online for everyone’s favorite action-packed challenge environment where participants can build their skills while having fun. As a paid course registrant for SANS Cyber Threat Intelligence Summit & Training 2022, you will receive an email invitation the week of the event detailing how to confirm your spot and join online. You will need to follow the steps in the email to join the tournament.

If you are looking for in-person SANS Training, check out these top SANS DFIR courses being offered in-person the week of January 31 in the DC Metro area.

Summit CPEs & Certificate of Completion

  • You will get 12 CPEs for attending the SANS Cyber Threat Intelligence Summit, 6 for each day you attend.
  • Currently, we are not able to issue CPEs to those that view the Summit recordings.
  • A Certificate of Completion will be available in your account after the conclusion of Cyber Threat Intelligence Summit & Training 2022 on February 5.
  • SANS will automatically submit your CPEs to GIAC within 7-10 days after the event’s end date of February 5. No action is required on your part.

We're working on building out a great agenda for you. Check back often as we confirm more talks. Here's what we've got so far:

Keynote - Use Your Voice: Why Diversity and Inclusion Matter for Cyber Threat Intelligence

Lillian Teng, Director - Threat Investigations, Yahoo! 

Cyber threat intelligence (and cybersecurity) continues to be a homogeneous population. If the focus of the field is on defeating dedicated human adversaries, applying homogeneous thinking (groupthink) is ineffective. We as an industry need to encourage and bring in more diverse voices in order to better protect our assets, no matter the industry. In this talk, you’ll hear how diversity, equity, inclusion, and belonging (DEI&B) complements threat intelligence, and some strategies for CTI practitioners and leaders to incorporate these principles day to day.

Clip Addiction: A Threat Intelligence Approach to Video-Based Chinese InfoOps

Che Chang, Cyber Threat Analyst, TeamT5 Cyber Threat Intelligence Team
Silvia Yeh, Cyber Threat Analyst, TeamT5 Cyber Threat Intelligence Team

As video clips are dominating cyberspace, China’s Information Operation (InfoOp) actors have increasingly weaponized video clips to deliver political messages. TeamT5 Cyber Threat Intelligence (CTI) team has taken an approach to investigating Chinese-language, video-based InfoOps across social media platforms. We will summarize the tactics, techniques and procedures (TTPs) to see how a wide range of actors launch these video-based InfoOps. We found that China’s propaganda system will outsource content creation and marketing to private companies in China, as we discovered that several digital marketing firms have ties with local Chinese media or military branches. We will also analyze two significant Chinese InfoOp campaigns in 2020/2021 -- #StopXinjiangRumours and #PatriotGoverningHongKong -- by using the AMITT (Adversarial Misinformation and Influence Tactics and Techniques) framework. Based on what we observed in these campaigns, we assess there are two future trends that are worth noting. First, advanced artificial intelligence (A.I.) could make the production of auto-generated videos faster and more believable. Second, as the pandemic continues, Chinese nation-state InfoOps actors will continue to launch more campaigns in the Covid-19 information war.

Mark Your Calendars: Why Dates Matter to Adversaries
Nate Beach-Westmoreland, Head of Strategic Cyber Threat Intelligence, Booz Allen Hamilton

Holidays and anniversaries are times to celebrate, to memorialize – and to be targeted by adversaries. This talk will examine the different reasons that adversaries take dates into account when they conduct their operations. We will examine diverse recent and historical examples to show how state actors, criminals, and hacktivists use dates to gain an upper hand on defenders, leave calling cards, express displeasure, intimidate, confuse, rally, and more. Attendees will learn ways to anticipate date-minded adversaries relevant to their organizations and develop strategies to mitigate associated risk. Because we don't want an adversary to spoil the party.

Applied Forecasting - Using Forecasting Techniques to Anticipate Cyber Threats

Gert-Jan Bruggink, Founder & Head of Cyber Threat Intelligence, Venation

It’s hard to balance your precious time as a defender. With a changing threat landscape, it is hard to even consider a future farther than the present. On the other hand, digital threats evolve over time. Understanding that evolution allows you to anticipate and act accordingly. Forecasting is one of the techniques teams can leverage to do exactly this. Commonly used by cyber intelligence analysts and weather specialists alike, they compare how the (threat) landscape changes over time and how it could evolve in the future. By breaking down what you “forecast” to happen, you can greatly improve risk management decision making. This talk explores how forecasting works in the private sector, focussing on how to apply forecasting techniques in your daily routine. The objective of this talk is to provide defenders the practical means to apply forecasting techniques and a narrative to educate stakeholders on how cyber threats evolve over time, demonstrating how it can support business and senior stakeholders’ decision making.

DeadRinger: Three APTs Walk into a Bar...

Assaf Dahan, Head of Nocturnus Threat Research, Cybereason
Tom Fakterman, Threat Researcher, Cybereason
Daniel Frank, Senior Malware Researcher, Cybereason

In the world of threat intelligence, attribution can be one of the greater challenges analysts and researchers face. When analyzing large intrusions that spread over years, and with the possibility of multiple threat actors operating in the same environment, the task of attributing and separating one kill chain from another can be a rather daunting one. Some analysts might even be tempted to treat the multiple kill chains as part of a larger attack, which can often lead to misattribution. Following the discovery of Hafnium attacks targeting Microsoft Exchange vulnerabilities, our team proactively hunted for various threat actors trying to leverage similar techniques in the wild. At the beginning of 2021, our team investigated multiple intrusions targeting the telecommunications industry in multiple countries. This investigation was the beginning of a thrilling journey that ultimately produced great insights and led us to re-examine our perspective on attribution. In our session, we will talk about the challenges that attribution poses for threat intelligence analysts, using a case study of a breach that involved not one, but three sophisticated nation-state APT groups, all suspected to be operating on behalf of Chinese state interests. In the first part of the session, we will share how we initially discovered an active breach that remained undetected for years, dating back to 2017.

Getting Started as a Cyber Threat Intel Analyst: How it Begins

Meghan Jacquot, Cyber Threat Intel Analyst, Recorded Future

The presenter has pivoted to a career in cybersecurity and would like to share the following: how to pivot and begin a career in cyber, how to get started as an analyst, and how to continue progressing in one's learning once you've started. The talk will close with a review of one of the analytic frameworks for security intelligence paired with an analysis of some intel gleaned (that can be shared) since the speaker has started her role as a cyber threat intel analyst.

I Award You No Points, and May God have Mercy Upon your Soul: Feedback in CTI

Garrett Guinivan, Cyber Threat Analyst, People Centric Security Program, Proofpoint

Feedback is a way to empower producers of cyber threat intel products. It can be done internally to help non-customer facing teams learn to create effective environments for feedback, and why negative feedback is crucial (and how to give it constructively). See how to provide feedback as a consumer and how to elicit feedback as a producer based on case studies of briefing government leadership and as a customer facing CTI analyst at Proofpoint. For a great example of feedback, watch this clip from the cinematic classic Billy Madison, in which Billy (played by Adam Sandler) knew he got the answer wrong, made changes and won the decathlon after all.

Inside the Persistent Mind of a Chinese Nation-State Actor

Lina Lau, Principal Incident Response Consultant - APJ South, Secureworks

The motivation behind Chinese APT groups has always been deeply rooted in nationalistic pride. Former Chairman Deng XiaoPing once stated, “It doesn't matter if a cat is black or white as long as it catches mice”. These words ring true in the series of targeted attacks launched by the Chinese APT groups throughout the years to gather intellectual property and conduct cyber espionage. But what does it take to build a nation-state actor? Indoctrination in the early years? A hiring system inbuilt into the education system? In this talk, I will explore the tactics, techniques and procedures utilised by Chinese APT groups to launch cyber-attacks, how hiring and recruitment works at a nation-state level and use examples from recent incident response engagements we’ve worked at Secureworks. Attendees will not only learn about how Chinese APT groups conduct attacks and the various tools and techniques they use – but they will gain an understanding from a psychological standpoint, the motivations behind these attacks and what drives the mind of a Chinese nation-state actor.

Is Sharing Caring? A Deeply Human Study on CTI Networking

Grace Chi, Co-Founder & COO, Pulsedive

In the CTI space, there’s a steady drumbeat repeating a mantra: security teams cannot successfully and sustainably operate in an intelligence silo. This feeds continuous discourse around how developing cross-boundary collaborations in intelligence sharing, standardization, and reporting are key to proactive defense, collective resilience, coordinated response, and effective remediation during an active attack. Of course! Yet, the enormity - and complexity - of it all feels intangible when considering how CTI professionals can most effectively network and share intelligence *today*. So what’s really going on at the individual level? This presentation shines a light on the human aspect of today’s CTI sharing practices via networks - both formal and informal, public and private. The session lays out the landscape of popular channels for CTI networking following peer-to-peer, peer-to-hub, and hybrid models; previous research and ongoing efforts to enhance CTI sharing by public-private groups like MITRE and others; and well-known blockers (hello, legal approvals!) to effective networking. Survey insights add depth to this foundation by benchmarking real practitioner behaviors and attitudes. We seek answers like: how do good old-fashioned 1-to-1 ‘DMs’ compare to invite-only Discords, paid industry memberships, or national sharing initiatives? What real-world networking experiences actually prevented an attack?

Mind Your Gaps: Leveraging Intelligence Gaps to Drive Your Intelligence Activities

Brian Mohr, CEO & Co-Founder, Reqfast

It is not uncommon for cyber intelligence practitioners to disregard their gaps in intelligence: “Well, if I don’t know it, I don’t know it, so it doesn’t matter.” Even worse, they think announcing or publishing what they don’t know is a sign of weakness on their part: “I can’t just admit I don’t know something, I’m the intelligence expert!” This is all wrong. Your intelligence gaps can be a strength. In this presentation, I will discuss the four major categories of intelligence gaps. You may have severe intelligence gaps because you have made assumptions that you know something already, or worse, you have a cognitive bias to believe that you believe something to be true that is not. Don’t be sad, we all make these assumptions and hold these biases. The strength comes from recognizing them. We will give you some examples of biases and how they might manifest in your intelligence activities. We will also provide some further resources, as this is a huge topic and beyond our scope. We hope to remove the stigma of “admitting you don’t know something” and show you how your gaps can be your strengths.

The First Purpose: Rediscovering Warning Analysis for CTI

JD Work, Research Scholar, Saltzman Institute of War and Peace Studies, Columbia University

It is all too easy for cyber threat intelligence practitioners to become entangled in the day to day demands in dealing with the endless treadmill of new vulnerabilities, reversing samples, managing IOCs, tracking campaigns, and responding to the relentless pressure of RFIs. Along the way, sometimes these very necessary activities of intelligence overtake the ultimate purposes of intelligence as outcome. Despite all of our tools, and all of our investments in technical and target expertise, we find ourselves seemingly always reacting to new threats that have surprised our consumers, if not also our shops. Preventing surprise is the first purpose of intelligence. But it is well known that the tyranny of current intelligence production can rob us of the time and bandwidth to focus on the critical tasks that enable us to anticipate the ways and means by which future threats will develop, as we are caught up in describing and explaining events happening right now. Yet we can choose to implement processes and to pursue analytic products that can set the groundwork to succeed despite what seems like inevitable conditions. This talk will explore the history and evolution of warning analysis tradecraft, and discuss common pathologies that corrode anticipatory intelligence. We will explore structured analytic techniques and other methodologies intended to guard against these sources of error, and consider debates over their application in fast moving environments and small team contexts. We will explore examples across vulnerability discovery, malware development, and other adversary change cases. Attendees will gain new insights into consumer outcomes value – especially the core value of actionability – across different timelines for response opportunities. They will take away both fundamental tradecraft, but also the connected theory linking its application to recurring problems, and to improved consumer outcomes.

Threat Actor of in-Tur-est: Unveiling Balkan Targeting

Jack Simpson, Senior Analyst, PwC
Louise Taggart, Lead Specialist - Threat Intelligence, PwC UK

Who would want to recompile Open Hardware Monitor and backdoor it? In 2020, the PwC Cyber Threat Intelligence team identified an espionage threat actor, which we’ve named ‘White Tur’, targeting government and defense organizations in Serbia and Republika Srpska from 2017-2021. In early 2020 we identified some initial tools, techniques and procedures which provided us with greater understanding of this threat actor. In particular, we observed attempts to recompile Open Hardware Monitor with a backdoor, connections to criminally motivated threat actors, and multiple custom backdoors to gain access to victim networks. In this talk we take a deep dive into the backdoors, PowerShell scripts, and weaponized documents used by White Tur. From these technical findings, we then discuss the strategic implications of this threat actor and some of the geopolitical factors at play in this part of the world, an area which often flies ‘under the radar’. Whilst we often observe case studies from Russia-based and China-based threat actors in threat intelligence, gaining insight into other intrusion sets - particularly those which have limited public reporting - can help to challenge frequent attribution biases. This talk will provide attendees insight into how we identified a threat actor with persistent targets in the Balkans and the difficulties in its attribution. Viewers will gain insight into a threat actor who is rarely discussed in public reporting and access to indicators of compromise to investigate and hunt further.

We’re in Now, Now: The Tyranny of Current Intelligence and How to Manage It

Sherman Chu, Technical Lead, Cyber Threat Intelligence Team, NYC Cyber Command

Current intelligence deals with day-to-day events. While current intelligence is an integral component of threat intelligence, threat intelligence teams' effort to respond to their customers' current needs can dominate collection and analysis, resulting in piecemeal and narrowly focused intelligence flow. The domination can also hinder the continuity of analyses and the production of other levels of intelligence analysis meant to protect the organization. This presentation will first define what current intelligence is and how it differs from the other intelligence analysis products. We will then explore the dangers of over-prioritizing current threat intelligence to an organization and its stakeholders. Finally, the presentation will provide recommendations on managing current intelligence with your customers and within your threat intelligence team.

Can't wait for the 2022 Cyber Threat Intelligence Summit? Check out these talks from the 2021 Summit.

Important Dates

Refund Date
January 10, 2022