Attendees joining us in Arlington, VA are invited to an informal pre-Summit warm-up! We’ll have snacks and games so you can meet and mingle with other Summit attendees, the advisory board, Summit speakers, and the SANS team.

Balancing between consuming and producing while factoring in the limitations of people, processes, and technology (PPT) is a challenge all CTI teams face (vendor or end-user organizations). Some CTI shops might dedicate most of their resources to producing intelligence products, while others may apportion a majority of their capital to the consumption and application of finished intelligence. While there are no perfect formulas that can achieve CTI operational "equilibrium," we can explore the factors that can help us improve our resource allocation to empower CTI operations. This presentation explores the fundamental economics of CTI, and the factors organizations should consider when allocating people and technology in their CTI program and processes to bolster security. Specifically, we will examine the essential elements of CTI; what PPT means for CTI operations; the effects of CTI consumption/production; and explore ways to balance scarce people and technology resources to bolster CTI capabilities for your organization.

From operational security failures to a Department of Justice (DOJ) indictment, COBALT MIRAGE likes to blur the lines between espionage and revenue generation. This talk uncovers the tactics, techniques and procedures deployed by COBALT MIRAGE from incidents worked at Secureworks. It's not often white hats see operational security failures unmask the identity of the adversary and even rarer to see it reflected in a DOJ sentencing. Attendees will learn about the critical role of contractor organizations in Iranian APT groups, crossovers in tooling between APT groups, techniques leveraged by COBALT MIRAGE to compromise organisations, inconsistencies in techniques, and the use of post-exploitation ransomware to generate company-specific revenue. Attendees will walk away with a stronger understanding of Iranian APT motivations, organizational structure, and sophistication.

Cyber Threat Intelligence analysts work tirelessly to know all there is to know about cyber adversaries, their operational tradecraft, and workflows to support risk exposure reduction and cyber defense efforts. From helping an organization prioritize focus on certain cyber threat groups to developing an enriched cyber threat picture to crafting signatures and supporting hunt missions, the work never seems to slow. Days and weeks pass then suddenly it is end year and you are left wondering where has the time gone and what am I doing with my life? In this talk, I provide practical guidance on career planning, including how to develop an annual roadmap, ways to approach career planning conversations with your leadership team, and defining tangible milestones to assist analysts, threat researchers, and the various other CTI disciplines. This talk is designed for CTI practitioners of all experience levels, focusing on how the planning thought process changes from newly emergent CTI practitioners to senior practitioners that will need to decide to stay individual contributors or move into management. This talk concludes by presenting a series of resources to enable analysts to progress intelligently within their careers.

Most organizations now realize that OSINT skills aren't just nice to have; they're mandatory. In this talk we'll discuss lessons learned from doing OSINT professionally for over a decade and starting up multiple OSINT units within the government. It's always more fun to hear about others' mistakes than to make your own. We'll end by discussing how these concepts relate to CTI teams.

Linux ecosystem remains underplayed. Cybercriminals and TA threat actors have continuously invested in tooling, from Ransomware to persistent backdoors with infostealer capabilities. As the industry, we have developed great technologies for hunting, detection, and response on Windows, while the visibility on Linux is minimal. So, the question is, how can CTI lessen the risk on Linux? Using the Cyber Kill Chain and the Diamond Model of Intrusion Analysis, we made our detection and correlation for the latest Linux campaigns. We also extracted similarities between distinct threat actors through practical in-the-wild 2022 attacks on Linux. And we created mapping based on commonly shared TTPs for different Linux threat actors. Our presentation will share different framework deliverables to detect the most recent 2022 cybercrime and TA threat actors' implants. In addition, we will also share detection rules for the families covered in our talk.

During a recent incident response engagement I was assigned to reverse engineer the RAT that the threat actor had deployed in the environment. During the malware analysis a suspicious string was found in the memory, https://ipnumber/list.txt. The list contained a not only a complete inventory that the threat actor had, but also a link to the full repository of all their tools, almost 5 GB / over 100 files and scripts of content covering every part for an intrusion -from reconnaissance to impact and everything in between. This led to an interesting labyrinth of research on all the aspects of this tooling. This presentation goes through many of the tools that have been reverse engineered and provides advice on how to detect and mitigate the effect from this threat actor. Further, it reveals techniques used to turn off anti-virus and clear out logs, including keys used for locking down computers and much more. To conclude I will look into the threat intelligence part of the intrusion, showing how threat actors copy and stockpile techniques from each other and finish off showing how malware analysis in combination with threat intelligence made it possible to find an undetected spare back door that was deployed in the environment. In this talk I will also share several indicators of compromise as well as tools, tactics, and procedures from an active and aggressive ransomware operator that can serve as inspiration for how malware analysis and threat intelligence can be operationalized to stop an intrusion.

The practice of intelligence can at times feel like an enigma, but as the presence of intelligence programs grows in the private sector, we have the opportunity to draw lessons learned from those before us and those among us to build highly collaborative and innovative programs. This presentation will provide a brief history of Bletchley Park as a groundbreaking intelligence program in WWII, draw specific insights from Bletchley Park's rapid growth and practices applicable to modern intelligence programs, and integrate insights from the perspective of a former FBI Intelligence Program Coordinator. This presentation will expand on these applications and provide specific recommendations for enhancing collaboration across intelligence teams and stakeholders, as well as for driving a culture of innovation while balancing prioritization, requirements, and expectations. Key Takeaways: --Developing a common purpose and set of values to drive the mission of your intelligence program, especially during periods of rapid growth --Navigating team structures and roles to foster teamwork and growth while avoiding silo behaviors --Implementing prioritization and requirements without sacrificing curiosity and exploration --Promoting a culture of critical thinking through a variety of structured analytic techniques --Best practices for breaking through information overload, promoting knowledge management, and preventing collection stagnation and analysis paralysis --Recommendations for managers and team members/individual contributors to drive a culture of innovation and impact

A grimoire is a book of magic; specifically, one on how to use spells, create objects, or invoke entities. We're certainly not looking to conjure up new APT ghouls. And in no way are we saying that threat intelligence is magical, although some would argue intelligence is more art than science. As threat intelligence practitioners, we need grimoire or codex. We need a refence guide to help us with the 'how-tos' for effective writing and proper annotation. A Report Writer's Grimoire. Join this session and learn how to summon the good faeries associated with reporting outlines, clear communication, source reliability, confidence levels, severity ratings, and product markings.

Threat intelligence in isolation is at best informative, at worst useless to security practitioners. Cyber threat intelligence (CTI) practitioners must look for mechanisms to employ findings whenever possible to ensure that the end result of the intelligence cycle is some concrete action improving defensive outcomes. Failure to do so consigns CTI to operational irrelevance, and ultimate obsolescence. In this presentation, we will explore an intelligence-driven process for detection development, following the traditional intelligence cycle but emphasizing "off ramps" for informing and driving detection development within the enterprise. We will examine detections as a mechanism to inform security practitioners when events of interest take place, and use such items in a fashion free of static indicators of historical activity but instead stressing observations informed by CTI of adversary behaviors and tendencies. Based on this framework, CTI becomes a critical factor driving everyday security outcomes for the mature organization, ensuring it is prepared and looking for events of interest based on analysis of threats. Through this discussion, attendees will learn how to apply CTI in an iterative, applicable fashion to achieve recognizable, measurable security outcomes through overall defensive improvement. As part of this discussion, we will explore items such as mapping observations to frameworks such as ATT&CK and the Cyber Kill Chain, but also emphasize how CTI must adapt to and recognize the needs and limitations of supported organizations in framing and presenting finalized observations. Overall, this presentation aims to connect CTI in a classic perspective with the realities of operational threat intelligence to ensure desirable, sustainable results within the information security field.

Here the presenter will lead you through the anatomy of success by illustrating that knowledge about your stakeholders and what they really want (=value) is the recipe for success. In this talk I will provide * A process for identifying and understanding who you stakeholders really are and what they really want * An overview of how you can convert that understanding into activities for your CTI team * A suggestion for how you can then deliver on those requirements and measure if you have successfully met them Basically, this will be a suggestion for a process for how your CTI program can provide value to your stakeholders.

Fraud intelligence is a domain under the cyber intelligence discipline that is maturing in size and scope as threat actors increasingly rely on cyber tactics, techniques, and procedures (TTPs) for illicit financial gain. The intersection of cyber and fraud continues to illuminate itself as customer credential theft enabling account takeovers, identity theft towards creating unauthorized bank accounts for money movement, and other scams enabling large payouts requires constant vigilance and responsiveness to shifting fraudster TTPs. While these are ubiquitous problems facing financial institutions broadly, this presents an opportunity to proactively detect, respond, and mitigate cyber-enabled crime using fraud intelligence and other technical indicators of customer account compromise. We propose a new construct for fraud monitoring and alerting to inform risk for businesses reflective of how traditional cyber teams use intelligence to drive operations and create security alerts. Our approach is highly collaborative and multidisciplinary, establishing a nexus between the traditional cyber intelligence cycle, fraud subject matter expertise, and engineering teams building infrastructure to enable efficient and responsive fraud alerting capabilities for downstream teams and/or platforms. In this presentation, we will describe the blending of cyber and fraud TTPs, our work to date in this construct and vision for maturing this capability, and how we see this work producing measurable impacts that limit fraudster successes.

While there are many resources available on "how" to analyze malware, there are far fewer resources regarding "why" to analyze malware. This talk will focus on helping malware analysts and organizations understand the role malware analysis plays in a larger intelligence capability. To highlight this role, we'll discuss how malware analysis demystifies malware capabilities to clarify the events of security incidents, how analysis produces more reliable attribution of events to specific adversary tools, and improved detection outcomes. Attendees can expect to learn how malware analysis compliments documentation that may be flawed from traditional monitoring tools. They can expect to learn how analysis provides a clearer picture when multiple malware families are combined in a single attack. Finally, they can expect to learn how analysis takes open-source intelligence and digs deeper into documented details to find detection ideas that others haven't yet published.

Ransomware rebranding is becoming one of the most common techniques that ransomware groups are leveraging to obfuscate their operations and remain under the radar. From high-profile groups like Evil Corp and Wizard Spider to up and coming groups like AlphV and Blackbyte, the rebranding process has provided viable solution for extending operational capabilities after high profile attacks, including attacks on critical infrastructure. This talk will examine rebranding trends from 2020 until present and provide a thorough review of the impacts ransomware rebranding has had on the operational capacity of multiple ransomware groups. Lastly, this talk will analyze methods that threat intelligence analysts can utilize to compare traits and behaviors between ransomware groups to determine if the group is a likely rebrand or something new altogether.

Let it snow, let it snow, let it snow... or rain, or sleet, or whatever.  It doesn't matter, because we'll be warm and cozy inside, with puzzles, snacks, non-alcoholic bevs, games, and movies, all while wearing our comfiest clothes.  Slip into something fleecy or just come as you are.  

Were you paying attention yesterday? Show off what you've learned so far with a fun refresher to kick off Day 2!

Structured threat content is not a new field. Since 2012 we have Structured Threat Information Expression (STIX) and since 2013 MITRE's ATT&CK framework. New trends in this field are still identified, focusing on improving storytelling using structured threat content. What does it take to make this work in your deliverables? What can we do to leverage this more effectively, saving our analyst's time? How can we view our deliverables differently and still make more impact? In this talk, the author(s) provide you a practical and hands-on view of this situation. Any given day, you might collect, process, and analyze over a dozen (intelligence) deliverable to eventually create one yourself. Perhaps some research or incident data is tagged and annotated to these or similar frameworks. Still, evaluating different perspectives, terminologies, and approaches, in different formats, consumes a lot of analyst time. Now this becomes more challenging in situations where you have more qualitative than quantitative data. Our industry does not make this easier by standardizing itself on typical formats, such as documents and presentations. The objective of this talk is twofold: provide an overview of current options for you to use structure threat content in your organization and provide new applications usable the next day. Providing insight into current research insights. Evaluating options for structured threat content. Demonstrating applications, such as quantitative vs qualitative. Finally, exploring areas of future innovation for the cyber threat intelligence industry.

Synapse is an open-source intelligence platform created to serve analysts and its base of users has exploded recently due to its popularity. Do you want your team to use Synapse, but it seems like a daunting task? This talk is meant to demonstrate the analytic benefits that come from using Synapse and give initial steps for how to set up your Synapse-centered program. Topics include setting up your databases, writing documentation, creating intelligence workflows, setting schemas, and creating outputs. 

The Vory, aka Russian Organized Crime (ROC) has a long and sordid history. Over the century, this subculture has developed into a sophisticated family of threat actors, responsible for a significant number of serious breaches and ransomware attacks. What separates Russian Organized Crime groups from other groups is the unique relationship it has had with the various Russian and Soviet governments in the last century. The history of ROC has a direct impact on how the threat actors operate. This talk will specifically address the following topics: The historical relationship between organized crime and various Russian governments The role the Vory played in the collapse of the Soviet Union and the oligarchy that emerged in its place Organized Crime or APT - how ROC capabilities cross into Advanced Persistent Threat TTPs Notable threat actor groups such as Conti and REvil Notable campaigns such as the Colonial Pipeline attack What security and intelligence practitioners need to know about the Cyber Vory What will we see in light of the current Russian/United States relationship? Security practitioners and intelligence professionals will come away with a deeper understanding of how the history of the Vory informs today and tomorrow's cyber attacks by these groups.

Pivoting, or being able to move between indicators of compromise and up David Bianco's Pyramid of Pain to uncover the threat actor's tactics, techniques and procedures (TTPs) is a common practice in Cyber threat intelligence (CTI) operations. However, it is sometimes regarded more as a black art than a science. In this talk we will discuss a threat group dubbed "Luna Moth" that leverages call-back phishing techniques, as a case study to walk you through the process of leveraging indicators of compromise identified while responding to several security breaches to uncover the threat actor's infrastructure. The talk will include: 1. An overview of several breaches we investigated focusing on the attacker's modus operandi. 2. A breakdown of two techniques which were used to pivot between IOCs to uncover and track the threat actor infrastructure. 3. Example of employing automation to continuously monitor the threat actor's infrastructure.

The field of cyber threat intelligence can be fast-paced and it can be challenging to stop and take the time to update standard operating procedures (SOPs). This is one of the main reasons it is detrimental to teams when an experienced analyst leaves. There is research to support that our brains may be programmed to forget by design to help us survive. In a way our brains may be constantly going through a data management process determining what is important and what is not so we can continue to evolve to new environments. Within this presentation, I am going to introduce the concept of think steps which can be a beneficial tool for capturing tacit knowledge from subject matter experts to improve intelligence SOPs.

KC7 is a cybersecurity game that was developed by analysts at Microsoft’s Threat Intelligence Center (MSTIC), a team that focuses on tracking the most sophisticated cyber actors in the world. In this workshop, attendees will get hands-on threat intelligence experience through KC7, which simulates adversary tracking via intrusions by multiple actors into an organization. NB: Laptops are recommended for participating in this workshop.

Attendees will:

• Learn how to use Kusto Query Language (KQL) to manipulate data in Azure Data Explorer clusters.
• Pivot across simulated datasets- including email, web browsing, passive DNS, and endpoint data- to learn how to identify adversary techniques, tools, and infrastructure.
• Use multiple “pivoting” techniques to track the activity of one or more Advanced Persistent Threat (APT) actors.
• Analyze third-party reporting on APT actors and their infrastructure and capabilities.
• Validate a threat actor’s Techniques, Tactics, and Procedures (TTPs).
• Cluster threat activity using the Diamond Model and other threat analysis frameworks.

We’ll use Proofpoint telemetry and reporting along with sensitive collection from adversary infrastructure along to better understand TA453 (CharmingKitten) and delve into their varied phishing techniques, targeting, and attribution.

We will first examine a sampling of the different techniques TA453 utilizes to engage their targets with spear phishing. Having established the baseline of typical TA453 activity, we can then look at outliers, both in targeting and techniques used. These anomalies, where TA453 deviate from their typical tactics to increase their odds of success, give us insight into how they approach particularly high value targets.

Once we understand how TA453 is collecting information, we’ll combine Proofpoint telemetry with data from TA453’s own collection to categorize and analyze TA453’s targeting. This will allow us to identify TA453 priorities and strengthen our attribution that aligns with the IRGC Intelligence Organization.

We’ll continue by looking at evidence suggesting TA453 provides holistic support to increasingly hostile IRGC operations including physical surveillance, intimidation operations and possible assassination plots.

Most cyber threat intelligence (CTI) professionals know how to tailor intelligence products for their clients. But the shape of an intelligence team can also be tailored depending on the size (and budget) of the business as well. Through various information sharing organizations, I've worked with smaller firms who often have one person covering all of information security. It's through these interactions that I've come to understand first how different sized firms use (if they use) intelligence and secondly brainstorm with them on how to improve the use of threat intelligence to fit their needs. Intelligence analysts like "intelligence needs."  This talk will focus on how to utilize CTI as a function across various sizes of information security teams from one person being responsible for information security all the way to a large dedicated CTI team, and what would be needed for each. This will include sources to focus on for collection efforts and suggestions of deliverables the team could produce. 

An increasing number of documents reporting cyber incidents, vulnerabilities, novel offensive and defensive techniques are shared on a daily basis among various public and private communities. This collective knowledge needs to be collected, processed and organized for the cyber threat intelligence (CTI) analysts to search and investigate. The large volume and diversity of knowledge available form a key challenge for analysts looking to transform the data into actionable knowledge. Expert staffing shortages, employee costs in cybersecurity industry, expensive fees for commercial data feeds and short deadlines in the cybersecurity fast-paced environment pushes organizations to find more efficient solutions to manage their threat intelligence. The proposed talk presents DocIntel, its key concepts and features, as well as how it is used in a large cyber threat intelligence team. DocIntel is an open-source knowledge platform for collecting, storing, processing, organizing, searching, and disseminating threat intelligence reports. A user-friendly web interface and command-line tools help CTI analysts to search and find the relevant information available, while controlling access to sensitive reports. Automated collection and pre-processing of documents reduce the workload of CTI analysts.