Cyber Threat Intelligence Summit

Arlington, VA | Mon, Jan 21 - Mon, Jan 28, 2019

Cyber Threat Intelligence Summit Agenda

Summit speakers

We strive to present the most relevant, timely and valuable content. As a result, this agenda is subject to change. Please check back frequently for changes and updates. The following talks and speakers have been confirmed for SANS Cyber Threat Intelligence Summit:

Sunday, January 20
5:00-8:00 pm

CTI 101: A Crash Course in Cyber Threat Intelligence Basics
New to the field of cyber threat intel? Eager to learn, but afraid that many of the Summit talks will go right over your head? Not sure of all the terminology and acronyms you've heard thrown around? The Summit advisory board will host a fun and interactive session on the eve of the Summit to bring you up to speed on key issues and trends. You'll also get a chance to ask all your questions in a more intimate setting, so you're primed for learning on Monday morning.

Featured topics include:

  • Cyber Threat Intelligence: What is It? And Why Should You Care?, Robert M. Lee @RobertMLee, Summit Co-Chair
  • Effectively Communicating Threat Intel and Its Value, Rick Holland @rickhholland, Summit Co-Chair
  • Frameworks and Why We Use Them, Katie Nickels @likethecoins, ATT&CK Threat Intelligence Lead, The MITRE Corporation
  • Intelligence Consumption: Creating Threat Intelligence that Informs the Business, Kristen Dennesen, Senior Manager – Cyber Threat Intelligence, Sony Pictures Entertainment
  • Network Defense: Integrating Threat Intel, Incident Response, and Hunting, Kris McConkey @smoothimpact, Threat Intel Lead, PwC
  • Ask Us Anything - Q&A with the advisory board

Monday, January 21
9:00-9:15 am Welcome & Opening Remarks
Rick Holland @rickhholland & Robert M. Lee @RobertMLee, Summit Co-Chairs
9:15-10:00 am


Whitney Merrill is a hacker and privacy attorney at Electronic Arts (EA). Recently, she served her government as an attorney at the Federal Trade Commission where she worked on a variety of consumer protection matters including data security, privacy, and deceptive marketing and advertising. Whitney received her master's degree in Computer Science and J.D. from the University of Illinois at Urbana-Champaign. Her graduate research examining privacy and security abuses by ad libraries on Android was published in the Network and Distributed System Security Symposium (NDSS). She was awarded Duo Security's 2017 Women in Security Award and named one of the 2017 Top Women in Cybersecurity by CyberScoop. In her free time, she also runs the Crypto & Privacy Village, which appears at DEF CON each year.
Whitney B. Merrill @wbm312, Hacker & Privacy Attorney, Electronic Arts (EA)

10:00-10:30 am Networking Break
10:30-11:00 am Applying Traditional Intelligence Experience to CTI
Cyber threat intelligence (CTI) has become a hot topic over the past few years. However, some implementations focus on what have come to be known as indicators of compromise or attack (IOCs or IOAs). Others fixate on writing narrative reports about cyber activities with little connection to an intelligence cycle or process. True CTI is rooted in traditional intelligence work, as done by intelligence agencies in the military and government. Amy will share her experiences as an intelligence analyst in those worlds and how that has informed her work on civilian teams in corporate and vendor environments.
Amy R. Bejtlich, Cyber Threat Analyst, Dragos
11:00-11:05 am


11:05-11:35 am Session description to come
Charity Wright, Cyber Threat Intelligence Fusion Analyst, EY
11:35-11:40 am Q&A
11:40 am - 12:10 pm ATT&CK™ Your CTI with Lessons Learned from Four Years in the Trenches
As a community, we struggle with how to make threat intelligence actionable. We fall back to indicators of compromise because they're easy to apply to defenses, but we know we need to track adversary behavior to make our defenses less fragile. MITRE ATT&CK can help. The presenters will explain how you can use ATT&CK to classify adversary behavior and apply that intel to your defenses, and then provide the data to ensure that this process really works. This presentation will start by explaining how you can use ATT&CK to organize the threat intelligence you're already collecting. The presenters will walk through examples of how to extract ATT&CK techniques from your data, and then suggest ideas for how you can use that intel to prioritize defenses in your organization. Next, the presenters will take the theoretical process and make it real. They will provide an exclusive first look at a rich multi-year data set of confirmed threats based on ATT&CK-mapped detection criteria. The presenters will give an overview of the methodology (including bias and limitations), then discuss what they learned from the data. Topics covered include the top techniques observed, key technique trends, and how to improve your hunting and detection based on those observations. Attendees will learn how to shift their thinking about threat intel toward tracking behavior and gain perspective on where they should prioritize their detections based on threat intel from years of confirmed threats. Analysts will learn how to structure original reporting in the form of ATT&CK techniques to increase the effectiveness and usability of the products they create for defenders.
Brian Beyer, Red Canary, CEO & Co-Founder
Katie Nickels @likethecoins, ATT&CK Threat Intelligence Lead, The MITRE Corporation
12:10-12:15 pm Q&A
12:15-1:30 pm Lunch & Vendor Expo
1:30-2:00 pm Language and Culture in Threat Intelligence
Language serves as the required medium for every form of communication, whether it be via email, a phone call, or face-to-face conversation. For its part, cyber threat intelligence (CTI) is the study of adversaries and their approaches to the compromise and disruption of communications infrastructure. As such, language and associated cultures have an incredible influence on CTI. Cultural and linguistic knowledge of potential and actual adversarial regions shapes the way an analyst must design a CTI program or engagement. Using his background in Chinese threat intelligence paired with fluency in Mandarin Chinese and a continuing academic background concerning Chinese history, politics, and culture, Mitchell Edwards will highlight the role that the Chinese language and culture have in the unique Chinese threat. Using China as a case study, the presentation will highlight the importance of studying the culture and history of potential and actual adversarial regions, as well as the importance of native fluency in threat intelligence programs and engagements targeting these areas.
Mitchell Edwards @Viking_Sec, CTI Analyst
2:00-2:05 pm Q&A
2:05-2:35 pm Meet Me in the Middle: Threat Indications and Warning in Principle and Practice
Discussions on threat intelligence often get bogged down between machine-speed ingestion of atomic indicators and in-depth analysis of activity taking weeks (or months) to produce. Left in the cold in such debates is a very important but seldom considered middle ground: time-sensitive and incomplete but enriched threat intelligence. In the U.S. Navy and similar services, this is referred to as threat indications and warning (I&W): a step beyond a simple observable, refined to ensure accuracy and timely receipt. The goal of I&W is to get actionable, important information to those in need of it most as quickly, efficiently, and accurately as possible, even if as a result some context or other insights are lost. As a result of this activity, consumers are better armed and equipped to deal with and counter threats as they emerge, rather than either reacting to items with no context whatsoever or only reading about their challenges weeks after the fact in a complete intelligence report. This discussion will explore the concept of threat I&W within the context of network security generally and threat intelligence specifically to identify this topic as a shamefully ignored middle ground between extremes. The presentation will explore the conceptual background behind this idea, then transition to real-life examples of I&W drawn from the speaker's past activity in threat intelligence, incident response, and military operations. Attendees will walk away with two key lessons: first, do not let perfect (finished, complete intelligence) be the enemy of the good (actionable, if incomplete, information) when it comes to network defense; second, network defense consists of multiple phases of activity, from tactical to strategic, but ignoring the spaces in between results in fractured and incomplete operations.
As a result of this discussion, attendees will be better armed and equipped to ask critical questions of their threat intelligence providers and have an enhanced set of expectations for what threat intelligence can do to support defensive operations.
Joe Slowik @jfslowik, Principal Adversary Hunter, Dragos Inc.
2:35-2:40 pm Q&A
2:40-3:10 pm Unsolved Mysteries - Revisiting the APT Cold Case Files
No matter how fascinating the advanced persistent threats (APTs) we discover, we often find that there's never enough time for adequate study. The next blog release is forthcoming...a deadline is missed...resources must be diverted elsewhere. In the process of chasing the PR high, we often find that intriguing questions fall through the cracks and certain mysteries are left unsolved. Moreover, at no fault of the analysts, it turns out some of these mystery cases were ahead of their time: a time when we lacked the technology to dig deeper, span wider datasets, and understand the nature of the threat at hand. Let's correct this. While vendors continue to race one another for the next hot thing, let's instead take pause and revisit the cold cases and the unsolved mysteries. Let's find ways to hunt, cluster, and perhaps even attribute yesterday's rarest intrusion sets. In the process of leveraging these to find our culprits, we'll learn to value the techniques and solutions developed over the past half-decade of private sector APT hunting.
Juan Andres Guerrero-Saade @juanandres_gs, Researcher, Chronicle Security
3:10-3:15 pm Q&A
3:15-3:45 pm Networking Break
3:45-4:15 pm A Brief History of Attribution Mistakes
This presentation will examine the analytic mistakes the infosec community has made over the past ten years when attributing nation-state cyber attacks. We will contrast successful and failed attempts at attribution to identify the root causes of failures. The talk will cover basic logical fallacies (e.g., mirror imaging and cherry picking) and briefly explain pivoting pitfalls when observing TTPs like dynamic DNS sites or Tor exit nodes. Lastly, we'll explore historic examples of attribution mistakes and identify unexpected sources of those failures.
Sarah Jones @sj94356, Principal Analyst, FireEye
4:15-4:20 pm Q&A
4:20-4:50 pm Quality Over Quantity: Determining Your CTI Detection Efficacy
You've collected a lot of indicators of compromise, but is your cyber threat intelligence (CTI) process serving you well? Quantity alone doesn't tell the whole story. What kinds of intel are you collecting, and how useful is it for identifying incidents? What are your strongest areas and where are your gaps? Do you know enough about your priority threats to feel confident in your detection? These are hard questions to answer, and there's little existing guidance for answering them. Using models such as the MITRE ATT&CK framework and the Pyramid of Pain, attendees will learn analysis and visualization techniques to help them evaluate the quality of their collected CTI information, not just its quantity.
David J. Bianco @DavidJBianco, Principal Engineer - Cybersecurity, Target Corporation
4:50-4:55 pm Q&A
5:00 - ??? CTI After Hours
Details to come

Tuesday, January 22
9:00-10:00 am Keynote
Ann Barron-DiCamillo @annie_bdc, Vice President, Cyber Threat Intelligence and Incident Response, American Express
10:00-10:30 am Networking Break
10:30-11:00 am Applying WWII-Era Analytic Techniques to CTI
In World War II, Sherman Kent developed much of the analytic process that led to the planning of the Allied invasion of North Africa. Later, Kent codified his analysis methodologies into a set of tenets known today as “Kent’s Analytic Doctrine.” Principles of his doctrine are still used today by the US intelligence community and by intelligence agencies worldwide. Many cyber threat intelligence (CTI) professionals lack formal intelligence training and try to reinvent the wheel. Even among those with formal intelligence training, many find Kent’s Analytic Doctrine difficult to apply to cyber threats. In this session, you’ll learn the nine tenets of Kent’s Analytic Doctrine and how to successfully apply them to CTI. You’ll be armed with actionable takeaways that you can use to up your intelligence game and make better, more consistent, and more reliable CTI assessments.
Jake Williams @malwarejake, Principal Consultant, Rendition Infosec; Senior Instructor, SANS Institute
11:00-11:05 am


11:05-11:35 am How to Get Promoted: Developing Metrics to Show How Threat Intel Works
Many organizations have operationalized threat intelligence as part of a well-rounded security program, but we often struggle to show the return on investment. This talk will focus on developing measures of effectiveness, whether your program is just getting started or is pretty well established, independent of what tools or vendors you use. Based on multiple surveys of threat intelligence practitioners, directors, and cybersecurity decision-makers, the presentation will show where the disconnects are between those roles and how to focus on the metrics that are most useful when explaining the value of threat intelligence to decision-makers in your organization.
Marika Chauvin, Senior Threat Intelligence Researcher, ThreatConnect
Toni Gidwani @t_gidwani, Director of Research, ThreatConnect
11:35-11:40 am Q&A
11:40 am - 12:10 pm Schroedinger's Backslash: Tracking the Chinese APT Goblin Panda with RTF Metadata
The APT group Goblin Panda (aka Conimes and China 1937CN Team) is an active threat to government and diplomatic organizations in the Asia-Pacific region, specifically in nations located along the South China Sea. This threat, which is thought to be aligned with the Chinese state and its espionage interests in the region, most commonly targets Vietnam, Malaysia, the Philippines, Indonesia, and India, utilizing historic exploits like CVE-2012-0158 delivered via phishing attachments. This presentation seeks to demonstrate, through the examination of metadata in Goblin Panda CVE-2012-0158 RTF phishing lures, that a single phishing builder has been in continuous use by the group since 2010. Despite having undergone at least one major overhaul, the phishing builder creates unique RTF tags within the phishing lures that analysts can leverage to correlate campaigns across diverse targets in different geographic regions. This presentation will demonstrate the geographic areas targeted by Goblin Panda, the varying nature of targeted victims (government, military, diplomatic, civil society/dissidents), and the evolution of the phishing builder from 2010 through 2018.
Michael Raggi, Senior Cyber Intelligence Analyst, Anomali
12:10-12:15 pm Q&A
12:15-1:30 pm Lunch & Learn Sessions
1:30-2:00 pm Cloudy with Low Confidence of Threat Intelligence: How to Use and Create Threat Intelligence in an Office 365 World
Everyone is moving to the cloud, specifically Microsoft Cloud. Microsoft expects to have 66 percent of its Office business customers in the cloud by 2019. Doing so makes sense: it's easier than having on-premises mail servers, it (theoretically) reduces costs, and Microsoft Office 365 has one of the best security teams in the world. However, there is a downside, which is that it's hard to protect what you can't see or access. As of today, it is extremely difficult (or impossible, depending on your subscription level) to apply your externally created threat intelligence into Microsoft Office 365 detections. It is even more frustrating to try and search for known indicators on a platform that is not designed to help the security community. This talk will describe methods and release open-source code to enhance your Office 365 security by analyzing email metadata, attachments, and even full content with tools like stoQ or LaikaBOSS and by looking at how to use that information to research and create actionable threat intelligence via platforms like Splunk.
Dave Herrald @daveherrald, Staff Security Strategist, Splunk
Ryan Kovar @meansec, Principal Security Strategist, Splunk
2:00-2:05 pm Q&A
2:05-2:35 pm 숨은 영웅 - Hidden Heroes and Other Gangsters from 39 North
숨은 영웅 - Hidden Heroes, and Other Gangsters from 39 North is an illumination of the Democratic People’s Republic of Korea’s (DPRK) military and civilian cyber Order of Battle. The talk will examine the infamous and frequently misattributed Unit 121 and provide an expanded understanding of the many operational and active cyber-capable units within the DPRK’s Reconnaissance General Bureau and Korea Workers Party. We will also look at the historical path of those entities, from more traditional criminal activity to revenue generation in the world of cyber fraud. Finally, the talk will also examine the pitfalls of researching DPRK activity due to South Korean intelligence activities, the far-reaching aspects of the Korean diaspora, and signals that often allow DPRK actors to blend in with non-DPRK actors.
Tom Creedon @n300trg, Senior Managing Director – Asia Pacific, LookingGlass
2:35-2:40 pm Q&A
2:40-3:10 pm Untying the Anchor: Countering Unconscious Bias in Threat Intelligence Analysis
Bias is an unavoidable facet of an analyst’s life, but it is something that good analysis techniques can help to remedy. Anchoring is just one of the many forms of bias with which an analyst must grapple. Anchoring involves focusing on a piece of information to the exclusion of others, and it can cause analysts to stop looking further or to disregard otherwise relevant information. To avoid this common dilemma, the PricewaterhouseCoopers LLP team has looked at ways to untie this anchor in everyday analysis and view the vast sea of data from a fresh perspective. This talk will cover how the team has applied traditional intelligence techniques to its ways of working, including introducing “surges” and how these have helped challenge the team’s assessments. A case study will be presented that shows how a variety of different analysis techniques have been applied to avoid bias, as well as the lessons learned from their application. This talk will not only provide attendees with practical examples of analytical techniques in action and how they can refocus threat actor attribution, but will also explore how recognizing bias can support threat intelligence being used effectively by security teams.
Rachel Mullan, Strategic Threat Intelligence Lead, PricewaterhouseCoopers LLP
Jason Smart, Technical Threat Intelligence Lead, PricewaterhouseCoopers LLP
3:10-3:15 pm Q&A
3:15-3:35 pm Networking Break
3:35-4:05 pm Session to be announced
4:05-4:10 pm Q&A
4:10-5:00 pm Session to be announced