9:00 am - 9:15 am ET / 2:00 pm - 2:15 pm UTC | Track One | Opening Remarks

9:15 am - 10:00 am ET / 2:15 pm - 3:00 pm UTC | Track One | Keynote

10:00 am - 10:20 am ET / 3:00 pm - 3:20 pm UTC | Track One | Break
10:20 am - 10:55 am ET / 3:20 pm - 3:55 pm UTC | Track One | Applying Threat Intelligence Practically to Meet the Needs of an Evolving Regulatory Environment

Effective and operationalized threat intelligence is required now more than ever. Even as organizations around the world grapple with shifting market conditions, an increasingly complex regulatory environment is also emerging that will impact cybersecurity programs and processes across many sectors. More recent examples such as DORA and the September 2023 SEC ruling concerning material cyber incidents join established frameworks such as those from NIST and the UK's Cyber Assessment Framework (CAF). Threat intelligence can help organizations develop, prioritize, and action plans and strategies as part of threat and risk management, which ultimately informs these regulatory and compliance assessments. However, a universal threat intelligence methodology or crosswalk does not exist, leaving organizations and threat intelligence professionals to navigate multiple guidelines and standards for operationalizing threat intelligence to meet these expectations. We have approached this challenge by identifying common themes we see across security assessments around the world which intersect with or depend on threat intelligence. From these themes, we further identified methods and practices that have led to more operationalized threat intelligence within organizations, while considering varying levels of maturity and resource availability. Our presentation will provide attendees with examples for operationalizing threat intelligence in the context of common themes we see as part of these assessments. We further provide leading practices concerning how this information can be more broadly applied through the context of threat intelligence maturity.

This includes how threat intelligence can be integrated within:
- Organizational strategies and charters
- The development of priorities and requirements
- Collection evaluation and management
- Security operations playbooks
- Threat modeling scenarios
10:20 am - 10:55 am ET / 3:20 pm - 3:55 pm UTC | New2CTI | Bridging the Intelligence Divide: Building CTI Blueprints for Value-Based Production

CTI programs live and die by their own tribal knowledge. There is a large capability gap between new programs with small teams and junior analysts, and mature programs with a large team of senior analysts. Ascending the capabilities ladder is arduous and can be derailed by one or two key departures. We can bridge this gap. For CTI products to provide better value and withstand analyst attrition, the Center and its partners created a new standard for CTI reports. We share a set of templates with prescriptive instructions on what to include and whom the report should be focused on. This talk will also introduce a publicly available suite of tools that will support best practices, automation, and the dissemination of human- and machine-readable reports. These capabilities will accelerate production for teams and analysts embarking on building new programs and careers. In this session, we will:
11:00 am - 11:35 am ET / 4:00 pm - 4:35 pm UTC | Track One | Beyond the Basics: The Role of LLMs in Modern Threat Intelligence

Threat intelligence is replete with challenges, necessitating extensive experience, knowledge, and techniques to really understand the threat landscape and the TTPs, and to accurately track threat actors. Given this context, it is crucial to innovate and introduce tools and techniques to both the current and the next generation of analysts who stand to benefit from shared experience. A promising avenue of innovation is the advent of large language models (LLMs). The widespread accessibility of these tools undoubtedly heralds a new era of innovation. However, practical questions arise: How do we effectively harness this technology? How might it address existing challenges? And, most crucially, how can it assist in tracking threat actors and empowering threat analysts? In this presentation, we will share some of our experiments with LLMs. We will discuss the fundamental concepts and their application in threat intelligence. As organizations wrestle with the daunting task of finding the appropriate talent, analysts and security professionals face mounting pressure due to the vast volume of data and increasingly sophisticated threats. LLMs emerge as a powerful solution, providing opportunities to streamline, enhance, and analyze information more effectively to better understand and analyze the threat landscape. We will kick off our presentation by providing a high-level overview of the fundamentals of large language models, then discuss the techniques commonly used in prompt engineering (used to optimize the efficacy of large language models). We will delve into the details of few-shot learning, role prompting, and RAG, and we will also discuss implementing LLM agents to automate threat intelligence processes.

Attendees will gain practical insights into how LLMs can be utilized to maximize the efficacy of threat intelligence processes while also being aware of potential challenges and limitations. The presentation will not simply sing the praises of LLMs; instead, it will offer a constructive and practical approach to using these new tools for empowering security analysts around the world. At the end of the presentation, you will have a clear understanding of how to use these tools not only to enhance your daily work but also to expand your application of LLMs across various domains.

Key takeaways:
- Understanding of LLMs: Attendees will gain a comprehensive understanding of how large language models function within threat intelligence.
- Harnessing LLMs: Attendees will learn the optimal strategies and techniques, from prompt engineering to the specifics of few-shot learning, role prompting, and RAG.
- TI Automation with LLM Agents: Attendees will explore how to leverage LLMs for automating threat intelligence processes.
- Enhancing TI Processes: Attendees will discover how to optimize and refine threat intelligence processes using AI tools.
- Understanding the Challenges: Attendees will also understand potential pitfalls, limitations, and challenges inherent to using LLMs in the security domain.
11:00 am - 11:35 am ET / 4:00 pm - 4:35 pm UTC | New2CTI | Zero to CTI: A Novice's Journey into Threat Intelligence

Garland Curry, Cyber Threat Intelligence Officer, Pediatrix Medical Group

Tasked with the daunting mission of establishing a Cyber Threat Intelligence (CTI) capability amidst limited experience, tools, and resources? You're not alone. Dive into a real-life narrative where similar challenges were faced head-on. It all started with pinpointing the organization's most invaluable assets and recognizing the need to shield them. The journey progressed through the intricate layers of CTI, learning the nuances of the 'Who,' 'Why,' 'How,' 'Where,' and 'What' of potential threats. Fostering collaboration became vital: turning to Information Sharing and Analysis Centers (ISACs) for sector-specific insights and building invaluable alliances with government agencies. Internally, it was crucial to carve out and define the CTI role to bridge gaps and facilitate collaboration. Using free and paid resources/tools like our SIEM and security and vulnerability management solutions, I was able to merge internal and external perspectives and translate them into actionable items. Whether you're swimming in resources or navigating on a shoestring budget, this tale of tenacity, resilience, and innovation will inspire and guide those aiming to fortify their cyber defenses from ground zero.
11:40 am - 12:15 pm ET / 4:40 pm - 5:15 pm UTC | Track One | Clustering Attacker Behavior: Connecting the Dots in the RaaS Ecosystem

As ransomware-as-a-service (RaaS) offerings arose on the scene, the volume and variety of ransomware attacks greatly expanded. Now, dozens of affiliates are deploying the same variant, leading to differing attack chains depending on who's behind the intrusion. This session walks through organizational clustering efforts when it comes to the messy world of ransomware affiliates and highlights how to separate the common tactics from the narrow details that may be indicative of a specific affiliate. Featuring case studies of two Threat Activity Clusters (TACs) tracking ransomware affiliates, this session will demonstrate how identifying unique indicators in attacks can assist in connecting the dots across incidents, thus allowing us to determine a pattern of attacker behavior independent of the ransomware variant deployed. In this talk, analysts will learn how to compare attack chains across incidents and identify overlaps in TTPs and indicators, in turn enabling them to generate actionable intelligence to form effective detections and more quickly identify malicious activity before ransomware is deployed.
11:40 am - 12:15 pm ET / 4:40 pm - 5:15 pm UTC | New2CTI | The Cyber-Hobbit: There and Back Again in CTI

"The Cyber-Hobbit: There and Back Again in CTI" intertwines the classic tale of "The Hobbit" with the modern challenges and opportunities of the cyber threat intelligence world, providing valuable insights for those embarking on this unexpected journey and for mentors seeking to bring new talent to the field.

Highlighted Takeaways:
- Embrace the Unexpected: Just as Bilbo's journey began unexpectedly, be open to opportunities that may lead you into the world of cybersecurity and threat intelligence.
- Seek Guidance: Mentors and advisors play a critical role in your journey. Reach out for guidance and mentorship in the cybersecurity field.
- Adapt to Challenges: Cybersecurity, like Bilbo's adventures, involves facing unforeseen challenges. Be prepared to adapt and learn as you encounter new threats.
- Specialized Training: Develop specialized skills through training and education to excel in the field of cyber threat intelligence.
- Hands-On Experience: Gain practical experience through projects and internships to apply your knowledge in real-world scenarios.
- Career Growth: Recognize that personal growth and progression are natural in cybersecurity, as you move from entry-level positions to more advanced roles.
- Apply Knowledge: Like Bilbo's return to the Shire, use your skills and expertise to protect digital realms and make a real impact in cybersecurity.

Exploring these parallels shows how the journey of Bilbo Baggins in The Hobbit aligns with the journey of a college student aspiring to enter the field of cyber threat intelligence, highlighting the challenges, growth, and transformation that occur along the way.
12:15 pm - 1:15 pm ET / 5:15 pm - 6:15 pm UTC | Track One | Lunch

1:15 pm - 1:50 pm ET / 6:15 pm - 6:50 pm UTC | Track One | OSINTer - Automating the CTI Heavy Lifting the Open Source Way!

Find out how OSINTer, created by a 17-year-old whiz kid, is making this job a whole lot easier. Let's be honest, sifting through heaps of data to find reliable intelligence on cyber threats is a grind. You could go for pricey off-the-shelf tools, but they're often a pain to fit into your existing setup. Here's where OSINTer comes in. The kicker? It's the brainchild of a 17-year-old who took top honours at the Danish national science fair with this open source tool! This talk will spill the beans on how OSINTer is automating the dull stuff, helping you focus on what really matters. We're talking about a tool that pulls in the latest, most reliable info from sources of your choice and lays it out for you, no fuss. It's only getting better, with plans for machine learning and vector search on the horizon to increase the relevancy of your data analysis. Key Takeaways:
1:15 pm - 1:50 pm ET / 6:15 pm - 6:50 pm UTC | New2CTI | Why Won't They Listen? -- Connecting Your CTI to Decision Makers

Bret Erwin, Information Systems Security Analyst, CGS Administrators LLC

The best cyber threat intelligence in the world may be useless unless it can help shape decisions at senior leadership levels. A well-written and thoroughly researched report may just end up as another task on an ever-increasing to-do list for executive leadership teams without any good effect. How can CTI better inform the critical security decisions for organizations? There is no easy answer, because organizations differ greatly in structure, knowledge, funding, and strategy. This presentation focuses on how to increase the effectiveness of CTI reports, recommendations, and warnings to better inform strategic decision making in organizations. This is done through a process of 'credible communication', which aims to build trust, break down barriers, and speed decision-making. Using real-life examples from over 20 years in the intelligence community, federal law enforcement, and the infosec community, the presenter will walk CTI professionals through the most critical part of building trust with their executive teams: how to have credible communications that build trust, rather than relying on less effective means that could leave critical vulnerabilities open for adversaries. Examples from the U.S. Intelligence Community, federal law enforcement operations, and recent information security issues such as the MGM hack in Las Vegas will provide up-to-date and relevant illustrations, coupled with a few stories from the lighter side of things that demonstrate that credible communication is a human endeavor, and it does not have to be robotic, boring, or an endless string of bad news.
1:55 pm - 2:30 pm ET / 6:55 pm - 7:30 pm UTC | Track One | Beyond Cryptojacking: Studying Contemporary Malware in the Cloud

Matt Muir, Threat Intelligence Researcher, Cado Security

As commercial adoption of cloud technologies continues, cloud-focused malware campaigns have continued to evolve. After observing a shift away from cloud compute and toward serverless environments, containers, and other managed services, it's clear that the cloud remains an increasingly attractive target for malware developers pursuing a variety of objectives. Matt will provide technical insight into a new group of contemporary cloud-focused malware campaigns. Specifically, he will focus on those that have diversified from the common objective of cryptojacking, and will discuss TTPs unique to these malware families. Attendees can expect to gain knowledge of how these campaigns achieve initial access and evade host- and network-based detection mechanisms in cloud environments. Matt will also discuss detection opportunities for defenders, along with new trends and observations from his experience working in cloud threat intelligence.

2:30 pm - 2:50 pm ET / 7:30 pm - 7:50 pm UTC | Track One | Break
2:50 pm - 3:25 pm ET / 7:50 pm - 8:25 pm UTC | Track One | External Partnerships: How an Information Sharing and Analysis Center Works With Its Members to Improve Cyber Defenses for Their Sector

As more firms interact with government agencies and regulators, external partnerships are becoming a priority. An Information Sharing and Analysis Center and one of its members will give an overview of what ISACs/ISAOs are, how firms can benefit from this partnership, and why ISACs are a good place to start when building external partnerships. The talk will start with an overview of ISACs, including how ISACs provide anonymity to their members when sharing through the organization, as well as how ISACs interact with government entities and other ISACs. The member firm will then talk through why they joined the ISAC and what benefits they have seen for themselves and for the sector as a whole. As part of this, the firm will describe how they developed an internal procedure for sharing observed threat data with the ISAC. The talk will wrap up with a recent example of a real-world crisis and how the ISAC information sharing partnership worked.
2:50 pm - 3:35 pm ET / 7:50 pm - 8:35 pm UTC | New2CTI Workshop | How to Build an Effective Cyber Threat Intelligence Program

Having a firm understanding of organizational stakeholders, their needs, and their use cases should inform CTI staff resourcing decisions. As a CTI program grows in scope, scale, and its supporting role over time, misalignment of staff skill composition may occur, calling into question the program's ability to serve its diverse consumer sets. During this workshop, we will describe programmatic elements found within CTI programs and highlight best practices for standing up, operationalizing, and maturing a CTI program in a way that allows optimal flexibility to adjust to emerging needs.

We also cover:
- The current state of play with CTI program maturity assessment models
- The evaluation methodology Mandiant uses when working with client CTI programs
- A sneak peek at a new CTI maturity model led by Intel 471 in collaboration with industry experts

We conclude the talk by providing links to a series of resources to empower practitioners, CTI leadership, and CISOs with core programmatic building blocks to maximize support across multiple mission objectives.
3:30 pm - 4:05 pm ET / 8:30 pm - 9:05 pm UTC | Track One | How to Leverage Cloud Threat Intelligence Without Drowning: The Zero-Noise Approach

Why is threat intelligence so difficult to utilize effectively in the cloud? Different cloud environments share many characteristics, leading attackers to often use the same TTPs in a multitude of attacks. That sounds like an easy case of using TI to detect and investigate malicious activity, until we encounter one problem: noise. The vast amounts of cloud TI data combined with increasingly high volumes of automated cloud attacks have created a situation in which most organizations can't effectively handle their TI feeds. Instead of enabling better detections, these feeds often lead to alert fatigue and hinder the identification of true malicious activity. To tackle this problem, we developed a unique methodology for ingesting cloud TI and detecting malicious activity: the Zero-Noise Approach. While initially challenging to execute, taking an attacker's perspective to create tailored baselines, continuous feedback loops for every detection, and a "no alert left behind" mentality enable us to stop looking for needles in haystacks and focus only on high-fidelity attacker TTPs. In this session we'll detail our approach and its key benefits, along with real-world case studies highlighting the dramatic security impacts of implementing a true Zero-Noise approach to cloud threat intelligence.
4:10 pm - 4:45 pm ET / 9:10 pm - 9:45 pm UTC | Track One | Threat Intelligence is a Fallacy, But I May Be Biased

Andy Piazza, Global Head of Threat Intelligence, IBM X-Force

As threat intelligence practitioners, we often discuss our biases, mental models, and the common fallacies that impact our analysis and reporting. This talk looks at how we've failed to effectively communicate some of the decisions that we've made consciously and unconsciously during the production and dissemination of threat intelligence, and how that impacts how our stakeholders think about the data. For example, threat profiles and analysis reports often talk about the targeted industry without actually discussing whether the industry was specifically targeted, or whether a member of that industry was breached as a target of opportunity. Without that clarity, organizations in that industry may misunderstand their threat landscape and prioritize defensive projects for lower-priority groups.
4:45 pm - 5:00 pm ET / 9:45 pm - 10:00 pm UTC | Track One | Day One Wrap-Up & Day Two Preview

5:30 pm - 7:30 pm ET / 10:30 pm - 12:30 am UTC | Track One | Summit Night Out at the Museum: Museum of Illusions Washington