9:00 am - 9:15 am ET / 2:00 pm - 2:15 pm UTC | Track 1 & Plenary | Welcome & Opening Remarks
9:15 am - 10:00 am ET / 2:15 pm - 3:00 pm UTC | Track 1 & Plenary | Keynote: Deconstructing the Analyst Mindset
Speaker: Chris Sanders, Founder, Applied Network Defense; Rural Technology Fund
10:00 am - 10:15 am ET / 3:00 pm - 3:15 pm UTC | Track 1 & Plenary | Break
10:20 am - 10:50 am ET / 3:20 pm - 3:50 pm UTC | Track 1 & Plenary | Consume and Produce: The Economics of Cyber Threat Intelligence Operations

Balancing between consuming and producing while factoring in the limitations of people, processes, and technology (PPT) is a challenge all CTI teams face, whether vendor or end-user organizations. Some CTI shops might dedicate most of their resources to producing intelligence products, while others may apportion a majority of their capital to the consumption and application of finished intelligence. While there are no perfect formulas that can achieve CTI operational "equilibrium," we can explore the factors that can help us improve our resource allocation to empower CTI operations. This presentation explores the fundamental economics of CTI, and the factors organizations should consider when allocating people and technology in their CTI program and processes to bolster security. Specifically, we will examine the essential elements of CTI; what PPT means for CTI operations; the effects of CTI consumption/production; and ways to balance scarce people and technology resources to bolster CTI capabilities for your organization.
10:20 am - 10:50 am ET / 3:20 pm - 3:50 pm UTC | Track 2 | Unmasking the Iranian APT COBALT MIRAGE
Speaker: Lina Lau, Principal Incident Response Consultant - APJ South, Secureworks

From operational security failures to a Department of Justice (DOJ) indictment, COBALT MIRAGE likes to blur the lines between espionage and revenue generation. This talk uncovers the tactics, techniques and procedures deployed by COBALT MIRAGE from incidents worked at Secureworks. It's not often white hats see operational security failures unmask the identity of the adversary, and even rarer to see it reflected in a DOJ sentencing. Attendees will learn about the critical role of contractor organizations in Iranian APT groups, crossovers in tooling between APT groups, techniques leveraged by COBALT MIRAGE to compromise organisations, inconsistencies in techniques, and the use of post-exploitation ransomware to generate company-specific revenue. Attendees will walk away with a stronger understanding of Iranian APT motivations, organizational structure, and sophistication.
10:55 am - 11:25 am ET / 3:55 pm - 4:25 pm UTC | Track 1 & Plenary | Developing The Analyst: Creating Career Roadmaps for Intelligently Progressing in CTI

Cyber Threat Intelligence analysts work tirelessly to know all there is to know about cyber adversaries, their operational tradecraft, and workflows to support risk exposure reduction and cyber defense efforts. From helping an organization prioritize focus on certain cyber threat groups, to developing an enriched cyber threat picture, to crafting signatures and supporting hunt missions, the work never seems to slow. Days and weeks pass, then suddenly it is year end and you are left wondering where the time has gone and what you are doing with your life. In this talk, I provide practical guidance on career planning, including how to develop an annual roadmap, ways to approach career planning conversations with your leadership team, and how to define tangible milestones to assist analysts, threat researchers, and the various other CTI disciplines. This talk is designed for CTI practitioners of all experience levels, focusing on how the planning thought process changes from newly emergent CTI practitioners to senior practitioners who will need to decide whether to stay individual contributors or move into management. This talk concludes by presenting a series of resources to enable analysts to progress intelligently within their careers.
10:55 am - 11:25 am ET / 3:55 pm - 4:25 pm UTC | Track 2 | Lessons Learned From Over a Decade in OSINT

Most organizations now realize that OSINT skills aren't just nice to have; they're mandatory. In this talk we'll discuss lessons learned from doing OSINT professionally for over a decade and starting up multiple OSINT units within the government. It's always more fun to hear about others' mistakes than to make your own. We'll end by discussing how these concepts relate to CTI teams.
11:30 am - 12:00 pm ET / 4:30 pm - 5:00 pm UTC | Track 1 & Plenary | Practical CTI Analysis Over 2022 ITW Linux Implants: Extending Detection Over Blind Spots

The Linux ecosystem remains underplayed. Cybercriminals and TA threat actors have continuously invested in tooling, from ransomware to persistent backdoors with infostealer capabilities. As an industry, we have developed great technologies for hunting, detection, and response on Windows, while visibility on Linux is minimal. So the question is: how can CTI lessen the risk on Linux? Using the Cyber Kill Chain and the Diamond Model of Intrusion Analysis, we built detection and correlation for the latest Linux campaigns. We also extracted similarities between distinct threat actors from practical in-the-wild 2022 attacks on Linux, and created a mapping of the TTPs commonly shared across different Linux threat actors. Our presentation will share different framework deliverables to detect the most recent 2022 cybercrime and TA threat actors' implants. In addition, we will share detection rules for the families covered in our talk.
11:30 am - 12:00 pm ET / 4:30 pm - 5:00 pm UTC | Track 2 | Breaking the Ransomware Tool Set: When a Threat Actor Opsec Failure Became a Threat Intelligence Gold Mine

During a recent incident response engagement I was assigned to reverse engineer the RAT that the threat actor had deployed in the environment. During the malware analysis a suspicious string was found in memory, https://ipnumber/list.txt. The list contained not only a complete inventory of the threat actor's tooling, but also a link to the full repository of all their tools: almost 5 GB / over 100 files and scripts covering every part of an intrusion, from reconnaissance to impact and everything in between. This led to an interesting labyrinth of research on all aspects of this tooling. This presentation goes through many of the tools that have been reverse engineered and provides advice on how to detect and mitigate the effect of this threat actor. Further, it reveals techniques used to turn off anti-virus and clear out logs, including keys used for locking down computers, and much more. To conclude, I will look into the threat intelligence part of the intrusion, showing how threat actors copy and stockpile techniques from each other, and finish off by showing how malware analysis in combination with threat intelligence made it possible to find an undetected spare back door that was deployed in the environment. In this talk I will also share several indicators of compromise as well as tools, tactics, and procedures from an active and aggressive ransomware operator that can serve as inspiration for how malware analysis and threat intelligence can be operationalized to stop an intrusion.
12:00 pm - 1:15 am ET / 5:00 pm - 6:15 am UTC | Track 1 & Plenary | Lunch/Break
1:20 pm - 1:50 pm ET / 6:20 pm - 6:50 pm UTC | Track 1 & Plenary | Cracking Intelligence Programs: Lessons from Bletchley Park for Building a Collaborative and Innovative Intelligence Program

The practice of intelligence can at times feel like an enigma, but as the presence of intelligence programs grows in the private sector, we have the opportunity to draw lessons learned from those before us and those among us to build highly collaborative and innovative programs. This presentation will provide a brief history of Bletchley Park as a groundbreaking intelligence program in WWII, draw specific insights from Bletchley Park's rapid growth and practices applicable to modern intelligence programs, and integrate insights from the perspective of a former FBI Intelligence Program Coordinator. This presentation will expand on these applications and provide specific recommendations for enhancing collaboration across intelligence teams and stakeholders, as well as for driving a culture of innovation while balancing prioritization, requirements, and expectations.

Key Takeaways:
- Developing a common purpose and set of values to drive the mission of your intelligence program, especially during periods of rapid growth
- Navigating team structures and roles to foster teamwork and growth while avoiding silo behaviors
- Implementing prioritization and requirements without sacrificing curiosity and exploration
- Promoting a culture of critical thinking through a variety of structured analytic techniques
- Best practices for breaking through information overload, promoting knowledge management, and preventing collection stagnation and analysis paralysis
- Recommendations for managers and team members/individual contributors to drive a culture of innovation and impact
1:20 pm - 1:50 pm ET / 6:20 pm - 6:50 pm UTC | Track 2 | The Report Writer's Grimoire
Speaker: John Grim, Director, Cyber Threat Intelligence, Experian

A grimoire is a book of magic; specifically, one on how to use spells, create objects, or invoke entities. We're certainly not looking to conjure up new APT ghouls. And in no way are we saying that threat intelligence is magical, although some would argue intelligence is more art than science. As threat intelligence practitioners, we need a grimoire or codex. We need a reference guide to help us with the 'how-tos' for effective writing and proper annotation. A Report Writer's Grimoire. Join this session and learn how to summon the good faeries associated with reporting outlines, clear communication, source reliability, confidence levels, severity ratings, and product markings.
1:55 pm - 2:25 pm ET / 6:55 pm - 7:25 pm UTC | Track 1 & Plenary | Implementing Intelligence: Formulating Detections
Speaker: Joe Slowik, Threat Intelligence & Detections Engineering Lead, Gigamon

Threat intelligence in isolation is at best informative, at worst useless to security practitioners. Cyber threat intelligence (CTI) practitioners must look for mechanisms to employ findings whenever possible to ensure that the end result of the intelligence cycle is some concrete action improving defensive outcomes. Failure to do so consigns CTI to operational irrelevance, and ultimate obsolescence. In this presentation, we will explore an intelligence-driven process for detection development, following the traditional intelligence cycle but emphasizing "off ramps" for informing and driving detection development within the enterprise. We will examine detections as a mechanism to inform security practitioners when events of interest take place, and use such items in a fashion free of static indicators of historical activity but instead stressing observations informed by CTI of adversary behaviors and tendencies. Based on this framework, CTI becomes a critical factor driving everyday security outcomes for the mature organization, ensuring it is prepared and looking for events of interest based on analysis of threats. Through this discussion, attendees will learn how to apply CTI in an iterative, applicable fashion to achieve recognizable, measurable security outcomes through overall defensive improvement. As part of this discussion, we will explore items such as mapping observations to frameworks such as ATT&CK and the Cyber Kill Chain, but also emphasize how CTI must adapt to and recognize the needs and limitations of supported organizations in framing and presenting finalized observations.

Overall, this presentation aims to connect CTI in a classic perspective with the realities of operational threat intelligence to ensure desirable, sustainable results within the information security field.
1:55 pm - 2:25 pm ET / 6:55 pm - 7:25 pm UTC | Track 2 | The Way to a Stakeholder's Heart is by Providing Value: Measuring Success of Your CTI Program
Speaker: Freddy Murstad, Senior Threat Intelligence Analyst, Nordic Financial CERT (NFCERT)

Here the presenter will lead you through the anatomy of success by illustrating that knowledge about your stakeholders and what they really want (= value) is the recipe for success. In this talk I will provide:
- A process for identifying and understanding who your stakeholders really are and what they really want
- An overview of how you can convert that understanding into activities for your CTI team
- A suggestion for how you can then deliver on those requirements and measure whether you have successfully met them

Basically, this will be a suggested process for how your CTI program can provide value to your stakeholders.
2:30 pm - 3:00 pm ET / 7:30 pm - 8:00 pm UTC | Track 1 & Plenary | Translating Cyber Fraud Intelligence into Alerts - A Multi-Disciplinary Approach
Speaker: Jason Haile, Senior Manager for Cyber Fraud Innovation, Capital One

Fraud intelligence is a domain under the cyber intelligence discipline that is maturing in size and scope as threat actors increasingly rely on cyber tactics, techniques, and procedures (TTPs) for illicit financial gain. The intersection of cyber and fraud continues to reveal itself: customer credential theft enabling account takeovers, identity theft used to create unauthorized bank accounts for money movement, and other scams enabling large payouts all require constant vigilance and responsiveness to shifting fraudster TTPs. While these are ubiquitous problems facing financial institutions broadly, they present an opportunity to proactively detect, respond to, and mitigate cyber-enabled crime using fraud intelligence and other technical indicators of customer account compromise. We propose a new construct for fraud monitoring and alerting to inform risk for businesses, reflective of how traditional cyber teams use intelligence to drive operations and create security alerts. Our approach is highly collaborative and multidisciplinary, establishing a nexus between the traditional cyber intelligence cycle, fraud subject matter expertise, and engineering teams building infrastructure to enable efficient and responsive fraud alerting capabilities for downstream teams and/or platforms. In this presentation, we will describe the blending of cyber and fraud TTPs, our work to date in this construct and our vision for maturing this capability, and how we see this work producing measurable impacts that limit fraudster successes.
3:00 pm - 3:30 pm ET / 8:00 pm - 8:30 pm UTC | Track 1 & Plenary | Break
3:35 pm - 4:05 pm ET / 8:35 pm - 9:05 pm UTC | Track 1 & Plenary | Malware Analysis: What's the Point?

While there are many resources available on "how" to analyze malware, there are far fewer resources regarding "why" to analyze malware. This talk will focus on helping malware analysts and organizations understand the role malware analysis plays in a larger intelligence capability. To highlight this role, we'll discuss how malware analysis demystifies malware capabilities to clarify the events of security incidents, how analysis produces more reliable attribution of events to specific adversary tools, and how it improves detection outcomes. Attendees can expect to learn how malware analysis complements documentation from traditional monitoring tools that may be flawed. They can expect to learn how analysis provides a clearer picture when multiple malware families are combined in a single attack. Finally, they can expect to learn how analysis takes open-source intelligence and digs deeper into documented details to find detection ideas that others haven't yet published.
4:10 pm - 4:40 pm ET / 9:10 pm - 9:40 pm UTC | Track 1 & Plenary | Ransomware Rebranding: So Hot Right Now!

Ransomware rebranding is becoming one of the most common techniques that ransomware groups are leveraging to obfuscate their operations and remain under the radar. From high-profile groups like Evil Corp and Wizard Spider to up-and-coming groups like AlphV and Blackbyte, the rebranding process has provided a viable solution for extending operational capabilities after high-profile attacks, including attacks on critical infrastructure. This talk will examine rebranding trends from 2020 until present and provide a thorough review of the impacts ransomware rebranding has had on the operational capacity of multiple ransomware groups. Lastly, this talk will analyze methods that threat intelligence analysts can utilize to compare traits and behaviors between ransomware groups to determine whether a group is a likely rebrand or something new altogether.
4:40 pm - 5:00 pm ET / 9:40 pm - 10:00 pm UTC | Track 1 & Plenary | Wrap-Up & Takeaways
5:30 pm - 7:30 pm ET / 10:30 pm - 12:30 am UTC | Track 1 & Plenary | CTI Summit Pajama Party

Let it snow, let it snow, let it snow... or rain, or sleet, or whatever. It doesn't matter, because we'll be warm and cozy inside, with puzzles, snacks, non-alcoholic bevs, games, and movies, all while wearing our comfiest clothes. Slip into something fleecy or just come as you are.