TBA

Effective and operationalized threat intelligence is required now more than ever. Even as organizations around the world grapple with shifting market conditions, an increasingly complex regulatory environment is also emerging that will impact cybersecurity programs and processes across many sectors. More recent examples such as DORA and the September 2023 SEC ruling concerning material cyber incidents join established frameworks such as those from NIST and the UK's Cyber Assessment Framework (CAF). Threat intelligence can help organizations develop, prioritize, and action plans and strategies as part of threat and risk management, which ultimately informs these regulatory and compliance assessments. However, a universal threat intelligence methodology or crosswalk does not exist, challenging organizations and threat intelligence professionals with navigating multiple guidelines and standards for operationalizing threat intelligence to meet these expectations. We have approached this challenge by identifying common themes we see across security assessments around the world which intersect with or are dependent on threat intelligence. From these themes, we further identified methods and practices that have led to more operationalized threat intelligence within organizations, while considering varying levels of maturity and resource availability. Our presentation will provide attendees with examples for operationalizing threat intelligence in the context of common themes we see as part of these assessments. We further provide leading practices concerning how this information can be more broadly applied through the context of threat intelligence maturity. This includes how threat intelligence can be integrated within: Organizational strategies and charters; The development of priorities and requirements; Collection evaluation and management; Security operations playbooks; and, Threat modeling scenarios.

CTI programs live and die by their own tribal knowledge. There is a large capability gap between new programs with small teams and junior analysts, and mature programs with a large team of senior analysts. Ascending the capabilities ladder is arduous and derailed by one or two key departures. We can bridge this gap.

For CTI products to provide better value and sustain analyst attrition, the Center and its partners created a new standard for CTI reports. We share a set of templates with prescriptive instructions on what to include and to whom the report should be focused. This talk will also introduce a publicly available suite of tools that will support best practices, automation, and enable dissemination of human and machine-readable reports. raising These capabilities will accelerate production for teams and analysts embarking on building new programs and careers.

In this session, we will:

• Share problems with current CTI production and dissemination identified through stakeholder interviews;

• Describe how our standard and the derived templates address these problems; and

• Demonstrate how you can use the tool suite to create actionable reports.

Threat intelligence is replete with challenges, necessitating a large experience, knowledge, and techniques to really understand the threat landscape, the TTPs, and to accurately track threat actors. Given this context, it is crucial to innovate and introduce the tools and techniques to both the current and next generation of analysts who stand to benefit from shared experience. A promising avenue of innovation is the advent of large language models (LLMs). The widespread accessibility of these tools undoubtedly heralds a new era of innovation. However, practical questions arise: How do we effectively harness this technology? How might it address existing challenges? And, most crucially, how can it assist in tracking threat actors and empowering threat analysts? In this presentation, we will share some of our experiments in relation to LLMs. we will discuss the fundamental concepts and their application in Threat Intelligence. As organizations wrestle with the daunting task of finding the appropriate talent, analysts and security professionals face mounting pressure due to the vast volume of data, and increasingly sophisticated threats. LLMs emerges as a powerful solution, providing opportunities to streamline, enhance, and analyze information more effectively to better understand and analyze the threat landscape. We will kick of our presentation by providing a high-level overview of the fundamentals of large language models then we will discuss about the current techniques commonly used in prompt engineering (use to optimize the efficacy of large language models). We will delve in details about few-shot learning, role prompting, RAG and we will also discuss about implementing LLM agents to automate threat intelligence processes. Attendees will gain practical insights into how LLM can be utilized to maximize the efficacy of Threat Intelligence processes while also being aware of potential challenges and limitations. The presentation will not simply sing the praises of LLM; instead, it will offer a constructive and practical approach to using these new tools for empowering security analysts around the world. At the end of the presentation, you will have a clear understanding of how to use these tools not only to enhance your daily work but also to expand your application of LLMs across various domains. Key takeaway:

• Understanding of LLMs: Attendees will gain a comprehensive understanding of how large language models function within Threat Intelligence.

• Harnessing LLMs: Attendees will learn the optimal strategies and techniques, from prompt engineering to the specifics of few-shot learning, role prompting, and RAG.

• TI Automation with LLM Agents: Attendees will explore how to leverage LLMs for automating threat intelligence processes.

• Enhancing TI Processes: Attendee will discover how to optimize and refine Threat Intelligence processes using AI tools.

• Understanding the Challenges: They will also understand potential pitfalls, limitations, and challenges inherent to using LLMs in the security domain.

Tasked with the daunting mission of establishing a Cyber Threat Intelligence (CTI) capability amidst limited experience, tools, and resources? You're not alone. Dive into a real-life narrative where similar challenges were faced head-on. It all started with pinpointing the organization's most invaluable assets and recognizing the need to shield them. The journey progressed through the intricate layers of CTI, learning the nuances of the 'Who,' 'Why,' 'How,' 'Where,' and 'What' of potential threats. Fostering collaboration became vital: turning to Information Sharing and Analysis Centers (ISACs) for sector-specific insights and building invaluable alliances with government agencies. Internally, it was crucial to carve out and define the CTI role to bridge gaps and facilitate collaboration. Using free and paid resources/tools like our SIEM, Security and Vulnerability Management Solutions I was able to merge internal and external perspectives, and translate them into actionable items. Whether you're swimming in resources or navigating on a shoestring budget, this tale of tenacity, resilience, and innovation will inspire and guide those aiming to fortify their cyber defenses from ground zero.

As ransomware-as-a-service (RaaS) offerings arose on the scene, the volume and variety of ransomware attacks greatly expanded. Now, dozens of affiliates are deploying the same variant, leading to differing attack chains depending on who's behind the intrusion. This session walks through organizational clustering efforts when it comes to the messy world of ransomware affiliates and highlights how to separate the common tactics from the narrow details that may be indicative of a specific affiliate. Featuring case studies of two Threat Activity Clusters (TACs) tracking ransomware affiliates, this session will demonstrate how identifying unique indicators in attacks can assist in connecting the dots across incidents, thus allowing us to determine a pattern of attacker behavior independent of the ransomware variant deployed. In this talk, analysts will learn how to compare attack chains across incidents and identify overlaps in TTPs and indicators, in turn enabling them to generate actionable intelligence to form effective detections and more quickly identify malicious activity before ransomware is deployed.

"The Cyber-Hobbit: There and Back Again in CTI" intertwines the classic tale of "The Hobbit" with the modern challenges and opportunities of the cyber threat intelligence world; providing valuable insights for those embarking on this unexpected journey, and mentors seeking to bring new talent to the field.

Highlighted Takeaways:

• Embrace the Unexpected: Just as Bilbo's journey began unexpectedly, be open to opportunities that may lead you into the world of cybersecurity and threat intelligence.
• Seek Guidance: Mentors and advisors play a critical role in your journey. Reach out for guidance and mentorship in the cybersecurity field.
• Adapt to Challenges: Cybersecurity, like Bilbo's adventures, involves facing unforeseen challenges. Be prepared to adapt and learn as you encounter new threats.
• Specialized Training: Develop specialized skills through training and education to excel in the field of cyber threat intelligence.
• Hands-On Experience: Gain practical experience through projects and internships to apply your knowledge in real-world scenarios.
• Career Growth: Recognize that personal growth and progression are natural in cybersecurity, as you move from entry-level positions to more advanced roles.
• Apply Knowledge: Like Bilbo's return to the Shire, use your skills and expertise to protect digital realms and make a real impact in cybersecurity.

Exploring these parallels shows how the journey of Bilbo Baggins in The Hobbit aligns with the journey of a college student aspiring to enter the field of cyber threat intelligence, highlighting the challenges, growth, and transformation that occur along the way.

Find out how OSINTer, created by a 17-year-old wiz kid, is making this job a whole lot easier.

Let's be honest, sifting through heaps of data to find reliable intelligence for cyber threats is a grind. You could go for pricey off-the-shelf tools, but they're often a pain to fit into your existing setup. Here's where OSINTer comes in. The kicker? It's the brainchild of a 17-year-old who took top honours at the Danish national science fair with this open source tool!

This talk will spill the beans on how OSINTer is automating the dull stuff, helping you focus on what really matters. We're talking about a tool that pulls in the latest, most reliable info from sources of your choice and lays it out for you, no fuss. It's only getting better, with plans for machine learning and vector search on the horizon to increase the relevancy of your data analysis.

Key Takeaways:

• How a teenager's award-winning project could change the way you handle CTI.

• Quick wins for making your CTI process run like a well-oiled machine with OSINTer.

• A sneak peek at future roadmap items like machine learning and vector search capabilities for OSINTer.

The best cyber threat intelligence in the world may be useless, unless it can help shape decisions at senior leadership levels. A well-written and thoroughly researched report may just end up as another task on an ever-increasing to-do list for executive leadership teams without any good effect. How can CTI better inform the critical security decisions for organizations? There is no easy answer, because organizations differ greatly in structure, knowledge, funding, and strategy. This presentation focuses on how increase the effectiveness of CTI reports, recommendations, and warnings to better inform strategic decision making in organizations. This is through a process of 'credible communication', which aims to build trust, break down barriers, and speed decision-making. Using real-life examples from over 20 years in the intelligence community, federal law-enforcement, and the Infosec community, the presenter will walk CTI professionals through the most critical part of building trust with their executive teams: how to have credible communications that build trust, rather than relying on less effective means that could leave critical vulnerabilities open for adversaries. Seeing examples from the U.S. Intelligence Community, federal law enforcement operations, and also recent information security issues such as the MGM hack in Las Vegas will provide up-to-date and relevant examples, coupled with a few stories from the lighter side of things that demonstrate that credible communication is a human endeavor, and it does not have to be robotic, boring, or an endless string of bad news.

As commercial adoption of cloud technologies continues, cloud-focused malware campaigns have continued to evolve. After observing a shift away from cloud compute and on to serverless environments, containers and other managed services, it's clear that the cloud remains an increasingly attractive target for malware developers pursuing a variety of objectives. x will provide technical insight into a new group of contemporary cloud-focused malware campaigns. Specifically, x will focus on those that have diversified from the common objective of cryptojacking, and will discuss TTPs unique to these malware families. Attendees can expect to gain knowledge of how these campaigns achieve initial access and evade host and network-based detection mechanisms in cloud environments. x will also discuss detection opportunities for defenders, along with new trends and observations from his experience working in cloud threat intelligence. 

As more firms interact with the government agencies and regulators, external partnerships are becoming a priority. An Information Sharing and Analysis Center and one of its members want to give an overview of what ISAC/ISAOs are and how firms can benefit from this partnership and how ISACs are a good place to start when building external partnerships. The talk would start with an overview of ISACs to include how the ISACs provide anonymity to its members when sharing through their organization as well as how the ISACs interact with government entities and other ISACs. The member firm will then talk through why they joined the ISAC and what benefits they have seen for themselves and the sector as a whole. As part of this process, the firm would describe how they developed an internal procedure to share observed threat data to the ISAC. The talk would wrap up with a recent example of a real-world crisis and how the ISAC information sharing partnership worked.

Having a firm understanding of organizational stakeholders, their needs, and use cases should inform CTI staff resourcing decisions. As a CTI program grows in scope, scale, and its supporting role over time, misalignment of staff skill composition may occur, calling into question the program’s ability to service its diverse consumer sets. 

During this workshop, we will describe programmatic elements found within CTI programs and highlight best practices for standing up, operationalizing, and maturing a CTI program in a way that allows optimal flexibility to adjust to emerging needs. We also cover:

• The current state of play with CTI program maturity assessment models
• Mandiant’s evaluation methodology it uses when working with client CTI programs
• A sneak peek at a new CTI maturity model led by Intel 471 in collaboration with industry experts

We conclude the talk by providing links to a series of resources to empower practitioners, CTI leadership, and CISOs with core programmatic building blocks to maximize support against multiple mission objectives.

Why is Threat intelligence so difficult to effectively utilize in the Cloud? Different Cloud environments share many characteristics, leading attackers to often use the same TTPs in a multitude of attacks. Sounds like an easy case of using TI to detect and investigate malicious activity, until we encounter one problem : noise. The vast amounts of Cloud TI data combined with increasingly high volumes of automated Cloud attacks have created a situation in which most organizations can't effectively handle their TI feeds. Instead of enabling better detections, these feeds often lead to alert fatigue and hinder the identification of true malicious activity. To tackle this problem, we developed a unique methodology for ingesting Cloud TI and detecting malicious activity : The Zero Noise Approach. While initially challenging to execute, taking an attacker's perspective to create tailored baselines, continuous feedback loops for every detection and a “no alert left behind” mentality, enable us to stop looking for needles in haystacks and focus only on high fidelity attacker TTPs. In this session we'll detail our approach and its key benefits, along with real-world case studies highlighting the dramatic security impacts of implementing a true Zero Noise approach to Cloud Threat Intelligence.

As threat intelligence practitioners, we often discuss our biases, mental models, and the common fallacies that impact our analysis and reporting. This talk looks at how we've failed to effectively communicate some of the decisions that we've made consciously and unconsciously during the production and dissemination of threat intelligence, and how that impacts how our stakeholders think about the data. For example, threat profiles and analysis reports often talk about the targeted industry without actually discussing if the industry was specifically targeted, or if a member of that industry was breached as a target-of-opportunity. Without that clarity, organizations in that industry may misunderstand their threat landscape and prioritize defensive projects for lower-priority groups.

Join us at the Museum of Illusions in Washington, D.C. Enter the wonderful world of illusions where you can truly experience the impossible!

In today's fast-paced world, how do you build teams able to adapt and thrive amidst constant change? Traditional approaches to cyber threat intelligence team development often fall short; teams having to do more with less, leaving people burnt out, underperforming, or leaving their company. To avoid this problem, where do you begin? What do you do differently when starting a team?  What do you do to mature an existing team? 

This session provides unique insight to answer these questions  by reviewing parallels between the art of slow cooking, the science of building CTI teams, and the experience of the presenter. Demonstrating how patience, meticulous preparation, and the infusion of diverse ingredients can be applied to team development for success. This involves breaking down what makes up a high performing team, the role of (cyber) security leadership, and the key roles that communication and collaboration play within these teams. We will explore how to keep employees engaged (within your company) with practical steps to build safe, diverse and well-defined environments, and how to evaluate your current team(s) to develop plans for further growth.

Learn how you “ as a leader“ can apply a "slow cooking" approach to building teams. Like the simmering pot transforming raw ingredients into a delicious dish, we will showcase how nurturing relationships allows for growth and transforms a group of individuals into a cohesive unit. 

The talk will focus on the people aspect of building a team dedicated to a cyber threat intelligence mission. The talk compares best practices and science to real-life use cases and experiences, supported by using the metaphor of slow cooking. 

The talk has two primary objectives: : 

• provide a practical guide for participants starting their own CTI program who are struggling with  where to begin.  

• provide participants with existing teams the right means to evaluate their current practices.

The content includes practical lessons learned, tips, tricks, and, where possible, templated content will be made available. 

As the world becomes increasingly reliant on technology, the threat landscape also continues to evolve, making it more important than ever to have effective threat intelligence programs in place. The development of artificial intelligence (AI) has the potential to revolutionize the way threat intelligence is gathered, analyzed, and acted upon.

AI can sift through vast amounts of data, identify patterns, and make predictions in ways that would be impossible for a human to do; meaning it can quickly identify emerging threats and provide actionable insights to help organizations stay ahead of potential attacks. Also, AI can automate certain tasks allowing analysts to focus on more complex tasks.

There are challenges associated with the use of AI in threat intelligence. One is ensuring that the AI algorithms are trained on high-quality data sets, as poor-quality data can lead to inaccurate predictions. Another challenge is the potential for AI to be hacked or manipulated by threat actors, which could lead to false alarms or missed threats.

By leveraging the power of AI, organizations can better protect themselves against a constantly evolving threat landscape. However, it is important to approach the use of AI in threat intelligence with caution and ensure that proper safeguards are in place to mitigate the risks.

Mapping your intelligence outputs to ATT&CK may be a hot trend, best practice, and potentially an unspoken expectation at this point. But let's be real, what value does this extra effort really add? In this talk, we'll explore how mapping CTI to ATT&CK tactics and (sub-)techniques can enable your audience to better consume, contextualize, and action your findings. But more importantly we'll also discuss how to identify and avoid when the process of creating mappings can be a distraction and have diminishing returns. We'll finish with understanding how to make the most out of presenting ATT&CK mappings in products, and how these mappings can help you more completely and accurately capture the story you are telling.

"Indicators" or "Indicators of Compromise" (IOCs) form the common currency of threat intelligence communication and, at times, application. Yet further examination of the concept of "the indicator" reveals significant fuzziness around what the term actually means in definition or subsequent use. Some might feel this is mere nit-picking, but confusion and conflation surrounding the use of the word "indicator" has effectively set back the threat intelligence discipline and led to suboptimal outcomes in using intelligence concepts.

In this session, we will explore the concept of the indicator in rigorous fashion from the perspective of threat intelligence research and communication. In this discussion we will differentiate between mere data, observations of interest, and indicators of threat actor activity in such a fashion that will allow us to understand different tiers of certainty and applicability for threat intelligence.

After illustrating with examples differentiating between indicators as "mere data" and indicators as "composite objects yielding insight to adversary behavior," the session will conclude with a proposed definition of the indicator as a robust, enriched object around which analysts and researchers must exert more care. Treading carefully around the use and labeling of observations as "indicators" will clarify intelligence applications and facilitate easier, more direct action resulting from such analysis - moving beyond the mere "block and alert" approach to more robust understanding of underlying adversary activity. As a result, we will bridge the seemingly impossible chasm between technical indicators and adversary behaviors.

Russia’s invasion of Ukraine got everyone in the private sector from CTI analyst to board member worried that their organization would be attacked. While this concern is valid it was rarely well assessed as no formal, effective framework exists for evaluating the overlap between cyber risk, geopolitical tensions - especially armed conflict - for a given private sector organization. To address this gap, our CTI team developed a comprehensive "Framework for assessing Geopolitical Cyber Risk" that proved invaluable both during the early days of the Russian invasion of Ukraine and for assessing other potential geopolitical cyber risk flashpoints worldwide. While our CTI team developed this framework for our organization, we believe it can be used by others for determining the overlap and assessing the threats and risks organizations are potentially exposed to around geopolitical cyber risk. This framework can help CTI analysts use a data driven approach to  identify potentially unknown areas of cyber risk for their organization, better assess the likelihood of these risks, and better develop indications and warnings to monitor for changes in the threat landscape. This talk will provide an overview of the framework, describe our findings at a high level, and provide resources that other teams can use to assess their own level of geopolitical cyber risk.

In today's hospitality industry, vacation rental software has shifted from a luxury to a must-have for hotels, resorts, and smaller businesses, simplifying booking, guest interactions, and property management. While vacation rental software may seem focused on booking, it holds valuable data like credit card info, guest preferences, and communications. This data is a prime target for cybercriminals seeking financial gain or unauthorized access. This deep-dive article examines a recent breach targeting a small resort in the United States. The attack was supported by a suite of tailor-made malware, designed by the threat actor to seamlessly integrate with the software's architecture. This underscores the threat actor's intricate understanding of the software's internal workings and highlights their capacity to exploit its functionalities for extracting sensitive information.

This paper presents a comprehensive analysis of a real-world incident, referred to as "The D.R. Incident," when the Dominican Republic National Computer Security Incident Response Team (CSIRT) we uncovered a sophisticated threat actor compromising a wide spectrum of targets, including governmental, private, and critical infrastructure entities.

The core focus of this paper revolves around the instrumental role played by threat intelligence in both defending against and responding to the nation-state-sponsored threat actor. We delve into the utilization of publicly available threat intelligence sources and, critically, the generation of our own threat intelligence tailored to the specific incident. We outline how these sources of threat intelligence were leveraged to gain critical insights into the adversary's tactics, techniques, and procedures, enabling effective response and mitigation strategies.

Furthermore, this paper aims to emphasize the importance of sharing valuable threat intelligence with the broader cybersecurity community. We discuss how the knowledge and lessons learned from "The D.R. Incident" can be utilized to enhance the collective cybersecurity posture, emphasizing the collaborative approach required to safeguard national interests.

By examining this incident through the lens of threat intelligence, this paper provides valuable insights into the proactive defense and response measures that can be adopted by national CSIRTs and organizations worldwide when confronted with nation-state-sponsored cyber threats.

In 1983, Prince sang "A-U-T-O-MATIC, just tell me what to do," and discussed parallels between a physical relationship and the predicted brink of destruction set to occur in 1999. While said destruction did not occur, the internet experienced unprecedented growth in the late 90s, only to be upstaged by the maturation of cybercriminals and abuse of internet services. 40 years after the release of "Automatic," cybersecurity practitioners work daily to understand and outpace cybercriminals. Armed with cyber threat intelligence (CTI), cybersecurity teams collect, process, and analyze threat actor motives and tradecraft to detect suspicious activity and disrupt adversarial objectives. However, the number of threats drastically increase as technology continues to advance and more consumers own more internet-connected devices. How can CTI teams effectively contribute to business's cybersecurity posture and external customers while ingesting voluminous threat information? How do we ensure CTI analysts are not burdened by fatigue from performing repetitive, yet vital tasks? CTI teams should take a systematic approach to automate routine workflows. This presentation will provide guidance on implementing automation in common CTI practices, like maintaining awareness of threat actor tradecraft and detecting brand impersonation threats, while providing tangible examples using threat actor Muddled Libra. After attending this talk, attendees will have an understanding of how to identify, prioritize, and implement automation opportunities in CTI programs and proactively understand the limitations of these opportunities, impacting the effectiveness of CTI for their respective organizations.

Two years ago, CTI professionals worldwide loudly proclaimed the necessity and practical value of sharing. The inaugural survey on CTI networking put data to industry behaviors and attitudes (bit.ly/cti-networking-survey). Free and reputation-based networking methods yielded concrete benefits - before, during, and after attacks. Standardization and organizational support for CTI networking efforts left much to desire. External blockers like legal liabilities and sharing restrictions prevented more fruitful sharing efforts.

The drumbeat that teams cannot effectively operate in an intelligence silo persists today. Since 2022, we’ve observed increased industry- and government-led investments to enhance CTI dissemination/reporting, wider adoption of technical standards like STIX/TAXII, cross-functional enablement, and flourishing open source sharing community tools.

So, what's changed since? This talk builds on previous research to delve into the changing behaviors, attitudes, and initiatives surrounding CTI sharing programs - shining a spotlight on this overlooked aspect contributing to the success of CTI programs. We compare the networking landscape and highlight shifts behind the most popular methods, content, and results where sharing occurs. Beyond the data, we’ll share anecdotes and best practices on purposeful CTI sharing from individuals and companies.

Attendee Takeaways:

• Actionable Insights: Gain practical, data-driven insights to optimize your CTI networking strategy, enabling you to receive, act on, and share threat intelligence more effectively.

• Assessment: Understand potential value and ROI associated with different networking approaches. Leverage these insights to benefit yourself, your team, and your organization.

• Proactive Problem-Solving: Learn how to identify and address challenges, de-risking your efforts.

• Diverse Opportunities: Uncover CTI networking opportunities and hear from real-world experiences to get inspired to contribute and benefit.

As the call to break down intelligence silos beats on, we can leverage data and tools to do it more effectively and collaboratively than ever before.

Join Robert M. Lee and Rebekah Brown, co-authors of the FOR578: Cyber Threat Intelligence course, for an informal fireside chat about the state and future of CTI.