Cyber Threat Intelligence Summit - Live Online

Virtual, US Eastern | Thu, Jan 21 - Sat, Jan 30, 2021

Cyber Threat Intelligence Summit

Live Online | January 21-22


Thursday, January 21 (times are EST)
9:00-9:15 am
Welcome & Intros

9:15-9:45 am
Keynote

Chris Krebs @C_C_Krebs, Fmr. Director, US Cybersecurity and Infrastructure Security Agency (CISA); Founder, Krebs Stamos Group

9:45-10:00 am

Break

10:05-10:40 am
Track 1

Riding the WAVE to Better Collaboration and Security

  • Kelsey Helms, Lead Cyber Threat Intelligence Analyst, Target
  • Nate Icart, Lead Threat Intelligence Detection Engineer, Target Corporation

Many organizations strive to build an intelligence-led security program, but aligning to a single, effective intel model is often an obstacle. Divergent processes across different parts of the security organization often lead to gaps in communication. Target’s Cyber Intelligence Team has developed a new approach that eases cross-team collaboration. In this talk, we will introduce the Workflow for Adversary Verification & Evaluation (WAVE) Matrix, a multi-disciplinary threat model that organizes tactics, techniques, and procedures in a new way to simplify communication and improve understanding across security functions. Target has used WAVE to dramatically increase the amount of intelligence developed into custom detection. Learn about the birth of the WAVE Matrix, how Target increased its active ransomware coverage by 700%, and how to implement this process in your organization to create massive cross-team security wins.


Track 2

Hack Your Stakeholder: Eliciting Intelligence Requirements with Design Thinking

Brian Kime @BrianPKime, Senior Analyst, Forrester

“Rule #1: Everyone sucks at intelligence requirements,” said Rob M. Lee at last year’s CTI Summit. We cannot bridge the gap between intelligence producers and our stakeholders without understanding their requirements. Unfortunately, traditional military intelligence processes for generating intelligence requirements are too cumbersome and time consuming for the current cyberthreat landscape. Design Thinking is an iterative process in which we seek to understand the user, challenge our assumptions, and redefine problems to identify alternative solutions that might not be apparent based on a “gut instinct” or brainstorming session. By starting with empathy for your stakeholders, rather than brainstorming, we will assemble a better collection plan more closely aligned to the business’s risk management program. Attendees will leave with the tools needed to enumerate their stakeholders’ intelligence requirements quickly and more completely and no longer suck at intelligence requirements.


Workshop

10:05-11:30 am

Threat Intelligence the "EASY" Way

Chris Cochran, Founder & Producer, Hacker Valley Media

Chris Cochran has spent the majority of his career in the intelligence field. This includes having had his own consulting firm, and building threat intelligence capabilities across industries. After years of repeating the same advice over and over again, he began to wonder, “Wouldn’t it be great to have a button that someone could press to guide them to building, enhancing, or correcting a threat intelligence program?” And from that question the “Threat Intelligence EASY Framework” was created. The pillars of the framework are as follows:

  • Elicit Requirements
  • Assess Collection Plan
  • Strive for Impact
  • Yield to Feedback

It is a very simple and practical guide for intelligence, and in this workshop we will dissect use cases and apply the framework to some of the common issues with implementing intelligence for teams and organizations.

10:40-10:50 am

Break

10:50-11:25 am
Track 1

Asleep at the wheel? The effects of sleep on CTI professionals

Lincoln Kaffenberger @LincolnKberger, Threat Intelligence Service Lead, Deloitte Global

Stress and burnout are problems for cybersecurity professionals, but how do sleep habits fit into this picture? This session will reveal discoveries from a recent survey of cybersecurity professionals’ work patterns, stress levels, and sleep habits. The survey shows that cybersecurity professionals - especially CTI pros - sleep less than the clinically recommended amount and that there may be a correlation between sleep and stress levels. The survey also shows that participants’ professional and personal habits may be contributing to reduced sleep quality, which may in turn correlate with their stress levels. This session will also provide suggestions on how - based on the survey and recent academic sleep research - professional and personal habits can be adjusted to help reduce stress, improve health, and make you a more effective CTI professional.


Track 2

Better Than Binary: Elevating State Sponsored Attribution via Spectrum of State Responsibility

Joshua Miller @chicagocyber, Senior Intelligence Analyst

Attribution matters, and too often state-sponsored attribution is seen as binary. As more indictments, sanctions and government advisories illuminate the adversaries tracked by private industry, we bear a responsibility to include nuance about the level of state responsibility observed in our analysis. Elevating our attribution discussion by incorporating the Atlantic Council's Spectrum of State Responsibility will result in more informed analysis and increase the accuracy of the risk discussions generated by our products. We will learn about the Spectrum of State Responsibility using real-world examples for each of the levels and look forward to what we can do to increase CTI's attribution discipline as a whole.

11:30 am - 12:05 pm
Track 1

xStart When You’re Ready

John Southworth @BitsOfBinary, Threat Intelligence Analyst, PwC UK

Uncovering a new intrusion set can lead threat intelligence teams to a better understanding of the capability, infrastructure and targeting of threat actors, and bolster the techniques we use to track them. In this talk, we will deep dive into a new intrusion set which has not had much attention in open source. This will involve understanding its capability through its unique Cobalt Strike dropper, called "xStart"; analysing its infrastructure and learning how to track it; and highlighting how it targets organisations based in China, specifically in the government, financial services, and utilities sectors. Those who attend this talk will also learn how we wrote YARA signatures for xStart, and the tricks that made it possible to find more samples.


Track 2

Cyber-Espionage: Out of the shadows. Into the digital crosshairs

John Grim, Distinguished Architect | Head of Research, Development, Innovation, Verizon Threat Research Advisory Center

Cyber-Espionage breaches pose a unique challenge. Through advanced techniques and a specific focus, Cyber-Espionage threat actors seek to swiftly gain access to heavily defended environments, laterally move with stealth, efficiently obtain targeted assets and data, and move out smartly (or even stay back and maintain covert persistence). The Verizon Cyber-Espionage Report (CER) is our first-ever data-driven publication that focuses on advanced cyberattacks as reflected in the DBIR “Cyber-Espionage” pattern. We've examined seven years (2014-2020) of Data Breach Investigations Report (DBIR) data for Cyber-Espionage breaches and all breaches.

12:05-1:00 pm

Lunch

1:00-1:35 pm
Track 1

Not That Kind of Vulnerability! - Human Trafficking During Coronavirus

Sherrie Caltagirone, Executive Director, Global Emancipation Network @GblEmancipation

Coronavirus has exposed new vulnerabilities for victims and survivors of human trafficking. From children’s online schooling to non-compliant businesses, COVID-19 has amplified the evils of modern slavery. Sherrie shares practical lessons on keeping your children safe from traffickers online and novel techniques and data sets to exploit while gathering intelligence on businesses, threats, and individuals in the current era. Lastly, get involved in the fight against human trafficking by joining project Crista!


Track 2

The Joy of Threat Landscaping

Gert-Jan Bruggink @gertjanbruggink, Co-founder, CTI analyst & defensive specialist, FalconForce

Bob Ross once said, “I think there’s an artist hidden at the bottom of every single one of us.” When you are “painting” a company’s threat landscape, you try to convey answers to intelligence requirements as effectively as possible. Channel your inner artist, if you will. This could, for example, be building a periodic briefing or a yearly write-up. Still, what makes a good threat landscape? What essential information should it contain? What works? In this talk, I will share best practices, tips, tricks and my happy accidents when creating a threat landscape intelligence product. This is based on years of building these products, in different formats and for different stakeholders. This talk provides cyber threat intelligence teams the canvas, paint, brushes, and techniques needed to successfully create (recurring) threat landscape products. It also covers building a larger narrative around cyber threats to support the decision making of both business and senior stakeholders.

1:40-2:15 pm
Track 1

Jackpotting ESXi Servers For Maximum Encryption - How One Criminal Organization is Upping The Stakes for Targeted Ransomware

Eric Loui, Senior Intelligence Analyst, CrowdStrike
Sergei Frankoff, Senior Security Researcher, CrowdStrike

SPRITE SPIDER is a major eCrime actor that has conducted numerous successful attacks using the Defray777 ransomware. Despite SPRITE SPIDER’s consistent operational tempo and numerous successes, there has been minimal public reporting on the adversary. This is likely due in part to the adversary’s particularly sophisticated tactics, techniques, and procedures (TTPs), which thwart many traditional cyber threat intelligence (CTI) methodologies. Our presentation describes SPRITE SPIDER’s current modus operandi, focusing on the adversary’s advanced operational security and uncommon TTPs.


Track 2

Threat Intel for Everyone: Writing Like A Journalist To Produce Clear, Concise Reports

Selena Larson @selenalarson, Cyber Threat Analyst, Dragos

One of the key tenets of journalism is to write for the masses. No one will read your reporting if they do not understand it. We are told in journalism school to write for an eighth-grade reading level -- not because we think people who read the news are uneducated, but because the easier something is to read and comprehend, the more people will read it. The same thing applies to threat intelligence. Threat intelligence reporting is only useful if people read, comprehend, and take action on it. Because threat intelligence can be distributed and operationalized across an entire organization, from SOC analysts to the C-suite, it should be written for a broad audience. In this talk I will take applications of journalism -- like the Inverted Pyramid style of news reporting, the importance of a nut graf, and killing passive voice -- to show attendees how to craft clear, concise, and actionable threat intelligence reports. Attendees will learn a new process and style for effective writing and reporting that everyone at the organization can benefit from.

2:20-2:55 pm
Track 1

The CTI Shadow Army: Tales from the Trenches - Small Business Owner/Solopreneur Edition

Xena Olsen @ch33r10

There's a shadow army of CTI analysts just waiting to be activated; it's the legion of tech-savvy small business owners and solopreneurs. Small business owners and solopreneurs need to wear numerous hats, and many have a negative security budget with zero fancy Enterprise security solutions or security staff. How are they surviving the onslaught of cybercrime, fraud, and other unpleasant aspects of doing business? This is where threat intelligence comes in; it's a zero-cost way of keeping your business and customers safe. In this talk, I'll share the practical application of threat intelligence to a real estate business. Join me for an exciting adventure where we will analyze the real estate threat landscape, perform counterintelligence operations, and create threat actor profiles...the tips you learn and share might just save a life! Takeaways include practical CTI suggestions for small businesses and solopreneurs, potential interview questions for hiring managers to ask small business/solopreneur career-transition candidates, and a plan to operationalize threat intelligence for the highly targeted small business owners and solopreneurs in the real estate industry.


Track 2

The Cognitive Stairways of Analysis

Nicole Hoffman @threathuntergrl, Intelligence Analyst, GroupSense

Analysis. You might hear this term all the time. What does it really mean? How do you analyze data? Unfortunately, this is something I had to sort out on my own when I landed my first infosec job as a cybersecurity analyst intern. I have learned a lot since that day, but I still feel there is a huge gap in training when it comes to analysis. So, I wanted to take a deeper dive into the tradecraft of analysis. As I researched the topic of analysis, I found myself confining myself to cyber threat analysis specifically. I found a lot of great information, but the data I was finding was repetitive and vague. Some analytic frameworks I stumbled upon had analysis as a step but did not really go into the cognitive process. So, I decided to expand my search to figure out how other industries are performing analysis. This presentation will focus on six of the analytic models I found and the key takeaways I used to create my own model. Finally, I will introduce my new analysis framework, the Cognitive Stairway of Analysis, and guide audience members through each step in the process. I created this framework as well as this presentation to help newer Analysts in the field, but I hope the presentation can be equally exciting to seasoned Analysts. So, if you fall into one of these categories or are just a huge analytics nerd like myself, please join me in this presentation. You will not be disappointed.

2:55-3:05 pm

Break

3:05-3:40 pm
Track 1

Spooky RYUKy: Chapter 2

Van Ta, Sr. Threat Analyst, Mandiant
Aaron Stephens, Sr. Threat Analyst, Mandiant

On October 28th, 2020, Van and Aaron presented a timely dive into UNC1878, a prolific actor attributed to the recent deployments of RYUK ransomware. Substantial coverage followed as the U.S. government and several news outlets reported on the healthcare sector being affected by RYUK ransomware. This presentation aims to provide the updates Mandiant has on the group's operations, and to expand on the tradecraft previously presented to highlight important concepts when dealing with interactive ransomware operators.


Track 2

Data matters: More effective threat hunting and defense with internet scan data

Derek Abdine @dabdine, Chief Technology Officer, Censys

Whether hunting for forgotten infrastructure to defend, or discovering a network of C2 infrastructure during an investigation, the internet scan datasets needed to reach high-quality, informed decisions are critical. Differences in scanner capabilities, shifting state-aligned perspectives on freedom of speech, as well as global physical routing can undermine data and ultimately impact decision-making. In this talk, we will discuss trends in internet presence, and how investigating, understanding, and in some cases combining your data sources can yield higher quality results.

3:45-4:20 pm
Track 1

Collections and Elections: How The New York Times built an intel collections program in 2020

  • Neena Kapur, Security Intelligence Manager, The New York Times
  • Emily Wilson @thirdemily, Intelligence Collections Manager, The New York Times

Any major event is a high-stakes environment for information security teams - and none more high-stakes than the 2020 Presidential Election. What is it like to spin up a new component of your security team in the middle of it all? In this session, join Neena Kapur, Security Intelligence Manager, and Emily Wilson, Intelligence Collections Manager, from The New York Times’ Information Security Team to unpack the process of building a collections practice in the middle of an election cycle. This session offers key takeaways from the team-building process; why we chose to invest in a collections program and build it early, even with a small team; and guidance and reflections on how we quickly built a high-impact collections strategy with a major world event in play. Speakers will also present a case study of the NYT collections timeline building toward Election Day and beyond, with lessons learned on priorities, collaboration, and what comes next.


Track 2

Full Cycle: Blending Intelligence Requirements and Custom Dissemination Tools to Drive Operations

  • Jon Jurado, Principal Associate, Cyber Threat Intelligence, Capital One
  • Robert McLean, Senior Manager, Cyber Threat Intelligence, Capital One

Two common inhibitors to corporate CTI teams are their inability to identify the information needs of their customers and plan collection, and their inability to disseminate information in a robust, sustainable, and actionable manner. Intelligence by its nature is unpredictable, but a mature intelligence team can manage the unpredictability by understanding its information gaps and proactively collecting information responsive to planned and well-coordinated intelligence requirements. This preparation, structure, and proactive approach to intelligence is the true standard of a mature, high-performing intelligence program. It enables intelligence to drive operations and adeptly inform decision makers. The application of intelligence requirements within the private sector is a challenge if one does not follow best practices and lessons learned from experiences in the public and private sectors. This presentation will describe how to develop standing and priority intelligence requirements, how to review those with your customers on a recurring schedule to ensure their accuracy and continued relevance, and how to incorporate these intelligence requirements into production to identify audiences and measure collection strong points and gaps. The presentation will also provide guidance on methods to engage customers unfamiliar with intelligence concepts, unaware of collection opportunities, or lacking experience with cyber issues.

4:25-5:00 pm
Track 1

Day 1 Wrap-Up Panel

Join speakers from both tracks, our Summit chairs, and the advisory board for a super-sized Q&A to wrap up the day.

Friday, January 22 (times are EST)
9:00-9:15 am
Welcome & Intros

9:15-10:00 am
Keynote

SolarWinds of Change: A New Era of Supply Chain Attacks and its Impact on Analysis and Attribution

Isif Ibrahima @isifmobile, FLARE-AP Principal Threat Analyst, Mandiant
Jacqueline O’Leary, Manager, Advanced Analysis, Mandiant
Stephen Eckels @stevemk14ebr, FLARE Reverse Engineer, Mandiant

10:05-10:40 am

Pivoting from Art to Science

Joe Slowik @jfslowik, Senior Security Researcher, DomainTools

Threat intelligence production is linked to the concept of “pivoting” on indicators. Yet while the cyber threat intelligence (CTI) discipline relies on this technique, definitions and methodologies for pivoting remain scarce or are limited to concepts of “feeling” and “intuition.” Given the importance of linking observables to produce information en route to finalized intelligence, the concept of pivoting requires some serious discussion and refinement if we wish to move the discipline of CTI forward. This presentation will provide a definition of pivoting that emphasizes an iterative methodology of analysis and refinement designed to yield insights into adversary behaviors.

10:40-10:50 am

Break

10:50-11:25 am

VERISIZE your way into CTI

David Thejl-Clayton, Cyber Defence Center Department Manager, JN Data

This presentation will look at how, with a few simple changes to the data collection within your incident response process, you can begin to produce and leverage threat intelligence from that data. Attendees will learn how to apply the VERIS framework to an incident demonstrated within the presentation. From there the talk will move into how to derive metrics from this newly "VERISized" data. The talk will end by showing how these metrics can enable threat intelligence and help your organization drive change, both internally and by sharing these metrics with your peers.

11:30 am - 12:05 pm

Six CTI Challenges and Their Solutions - Reaching CTI's Full Potential

  • Dr. Christian Doerr, Chair of Cyber Security and Enterprise Security, Hasso Plattner Institute
  • Kris Oosthoek @f00th0ld, Senior CTI Analyst, Rijkswaterstaat (Dutch Public Works / Critical Infrastructure Agency)

Walk into almost any security department today and you will hear people naturally say they need “intel” on this or that. Having good CTI is taken for granted in many places, while every analyst has only a certain amount of time to spend on a plethora of threats. We all know that attribution, triaging raw CTI, meaningful sharing and analysis can be hard nuts to crack. In this fast-paced talk you will learn about six structural challenges that currently exist in our field and are relevant to all of us. We provide a root cause analysis for each of these challenges and demonstrate how big CTI failures are the result of these problems. Based on interviews with CTI experts, ethnographic field research and results from our CTI maturity survey, we provide a roadmap to move CTI forward, including practical takeaways to implement in your daily practice and boost your impact.

12:05-1:00 pm

Lunch

BONUS SESSION - 12:30-12:50 pm

SANS Technology Institute Graduate Program: An Insider's View

Kim Kafka, Admissions Specialist, SANS Technology Institute
Megan Roddie, Cyber Threat Researcher, IBM

This summit presentation will cover information on the SANS Technology Institute. The SANS Technology Institute is an accredited college and offers programs at the graduate and undergraduate level. We’ll give an overview of the school’s graduate programs, including admissions requirements and a curriculum review, and feature Megan Roddie, a current master’s student who is also a Cyber Threat Researcher at IBM.

1:05-1:40 pm

Still thinking about your Ex(cel)? Here are some TIPs

Andreas Sfakianakis @asfakian, Cyber Threat Intelligence Analyst

During the past years, the cyber threat intelligence (CTI) discipline has been adopted by organisations worldwide. While CTI’s best practices are still developing, finding the right technology to support your CTI analysts’ workflows and daily activities is hard. And advertising from vendors makes it even harder. This session will cut through the propaganda with a vendor-agnostic look at the process of selecting the right tools. First, it provides a primer on the CTI cycle. Second, hear an overview of the current threat intelligence platform (TIP) landscape and explore the limitations that have been spotted by researchers and practitioners. Finally, learn tangible recommendations related to TIPs for different user groups.

1:45-2:20 pm

Analyzing Chinese Information Operations with Threat Intelligence

  • Che Chang, Cyber Threat Analyst, TeamT5
  • Silvia Yeh @silvia_yeh, Cyber Threat Analyst, TeamT5

This year, Chinese Information Operations (InfoOps) on social media platforms have received unprecedented attention across the globe. In major events such as the Hong Kong protests, the COVID-19 pandemic, and the U.S. presidential elections, Chinese threat actors have weaponized social media to shape narratives and manipulate online users for the strategic interest of the People's Republic of China. TeamT5 Inc., a cybersecurity firm based in Taiwan, has been investigating Chinese InfoOps since 2016. By adopting the mindset of threat intelligence, we have managed to illustrate the Chinese InfoOps threat landscape as well as identify threat actors emerging across social media. In this presentation, we will share trends in Chinese InfoOps which we observed this year. First, we will demonstrate the overt operations launched by state media, embassies, and diplomats, which involve the propagation of conspiracy theories and disinformation, as well as the mobilization of patriotic netizens (a.k.a. Little Pink) to conduct verbal attacks or doxxing against dissidents. Then, we look into the covert operations, which can be observed in pro-China Facebook pages, content farms, and spam botnets. More importantly, we believe advanced persistent threat (APT) actors might have entered the InfoOps threat landscape. APT actors, typically state-sponsored hacker groups, usually conduct prolonged and targeted cyberattacks to mine highly sensitive data. However, in mid-July 2020, we identified an InfoOp targeting Taiwanese authorities that can be linked to a notorious Chinese APT group which our intelligence team has tracked for years. We assess this is a targeted social media campaign spreading disinformation based on highly confidential data, and it could be used against other countries and cause distrust and chaos in democratic societies.

Due to threat actors' fast-evolving tactics and social media's fast-changing nature, it is often difficult to identify the threat actors before they cause widespread disinformation. In this case, threat intelligence can help to combat the issue by providing better understanding and instant insights into actor methodologies and exposing potential risks.

2:25-3:00 pm

Quantifying Intelligence: Increasing Executives' IQ

Colin Connor, Global Threat Intelligence Analyst, IBM

In an acronym soup of APTs, FINs, and TAs, how should we disseminate cyber threat intelligence to executives? Intelligence reports (even with the bottom line up front, BLUF) are often too long; didn’t read (TL;DR). Enterprise risk management has gravitated to quantitative models. Articulation of financial risks has empowered the migration from lengthy reports to risk reduction conversations. For effective executive communication, cyber threat intelligence requires similar methods to reduce potential business impact. In this talk, Colin will examine articulating threats to executives in their language. CISOs and security leaders must translate cybersecurity threats into business risk. They categorize key business priorities into reputation, regulatory, and revenue. Intelligence analysts must communicate cyber threats similarly and use storytelling visualization to make evident the likelihood of impact. Together, these steps empower risk conversations and convey the potential consequences of the threat landscape while evangelizing successful security posture enhancements.

3:05-3:15 pm

Break

3:15-3:50 pm

Will they Read my Reports? - Creating Value Driven Reports

Christopher Lopez @l0psec, Tanium

Threat intelligence drives an organization's decisions. Threat intel analysts spend a lot of their time drafting reports to inform their leadership. How much do the decision makers actually read? How do they determine if a report is valuable? Are analysts able to effectively communicate their intelligence? What does an effective report look like? Let's have a conversation about delivering value and exceeding the expectations of leadership. We will discuss: understanding your audience, writing styles, the importance of grammar, creating a BLUF statement, including a summary and conclusion, and methods of delivery.

3:55-4:30 pm

Day 2 Wrap-Up Panel

Join speakers from both tracks, our Summit chairs, and the advisory board for a super-sized Q&A to wrap up the day.

4:30-5:30 pm
Bonus Session

Happy Hour: CTI Career Success

Bring us your questions about careers in Cyber Threat Intelligence! Want to know what skills are valuable? What career growth looks like? Salary negotiations? How to find (or be) a mentor? Join members of the CTI Summit Advisory Board for a lively Q&A session. We promise the answers won't always be "it depends"!