9:00 am - 9:15 am ET / 2:00 pm - 2:15 pm UTC | In-Person and Streaming Live Online | Day 1 Opening Remarks

9:15 am - 10:00 am ET / 2:15 pm - 3:00 pm UTC | In-Person and Streaming Live Online | Keynote: To Be Announced

10:20 am - 10:55 am ET / 3:20 pm - 3:55 pm UTC | Virtual Track | Ransomware Syndicates: Cartels or Twisted Tech Unicorns?

Ransomware syndicates have evolved into entities that resemble the agility and innovation of tech unicorns more closely than traditional organized crime cartels. These groups have merged cutting-edge technical capability with a complex psychological framework, employing a sophisticated business mindset alongside morally ambiguous justifications for their activities. Their operations, characterized by strategic depth and manipulative tactics, challenge conventional cybersecurity defenses and call for an in-depth exploration of their psychological warfare and of the seemingly legitimate business facades behind them. This blend of strategy and psychology underscores the urgent need for a paradigm shift in understanding and combating ransomware threats.
In this presentation, we navigate the shadowy realms of ransomware groups, contrasting their operations and mentality with established business and social psychology principles, notably those articulated by Elliot Aronson. This talk uniquely dissects the business sophistication and tactical rationalization utilized by cybercriminal factions.
In confronting ransomware, it's essential to recognize that technical defenses alone are insufficient. These cyber syndicates select their targets with a discerning eye, influenced not just by potential vulnerabilities but also by strategic value and psychological impact. Acknowledging law enforcement's recent strides in disrupting ransomware operations, such as Lockbit and Black Cat, adds a critical layer to our understanding of ransomware risk. These efforts illuminate the adaptability and resilience of ransomware groups, who respond to legal pressures with evolved tactics and enhanced target selection strategies. This changing landscape underscores the need for a risk assessment model that not only captures the technical and psychological dimensions of ransomware threats but also remains agile in the face of these groups' tactical shifts in response to law enforcement actions.
Actionable presentation take-aways:
• Explore how some ransomware groups navigate a blend of business acumen and ethical gymnastics, portraying themselves variously as post-paid pentesters, hacktivists, or reluctant culprits forced into action by a widespread lack of cybersecurity.
• Analyze pertinent case studies, revealing their strategies across operations, negotiations, and PR. We'll also probe why some ransomware entities target seemingly non-lucrative victims, like schools and non-profits.
• Learn mitigation and negotiation strategies and explore if traditional anti-crime and anti-terrorism strategies can be modified or reimagined to confront ransomware criminals effectively. This includes assessing if approaches for physical-world entities are viable against digital domain criminals.

10:20 am - 10:55 am ET / 3:20 pm - 3:55 pm UTC | In-Person and Streaming Live Online | Beyond the FOMO: Expanding Horizons for Cyber Threat Intelligence Analysts

As mid-career analysts consider their long-term career paths, they often face the challenge of advancing while maintaining the thrill of active engagement in cyber threat intelligence (CTI). This presentation will delve into the diverse trajectories available to CTI analysts, emphasizing roles that allow for both professional growth and continued involvement in the dynamic landscape of cyber threats.
We will explore various career options, from staying as an individual contributor or subject matter expert—perfect for those who want to remain close to the intricacies of threat actor activities—to stepping into leadership positions such as intelligence team lead, incident response lead, policy advisor, resiliency lead, and risk management specialist. For those aiming higher, we’ll discuss the transition to roles like Chief Information Security Officer (CISO), where strategic oversight and influence become paramount.
Key to this discussion will be the skills and competencies needed for each path, highlighting how a foundation in CTI is invaluable across various roles. Attendees will gain practical insights into how CTI informs incident response, shapes policy advocacy, enhances resiliency planning, and aids risk management. By understanding how intelligence interacts with these fields, analysts can effectively lead an entire information security team.
While the goal is not to drive analysts away from CTI, the aim is to cultivate a new perspective on FOMO—the "fear of missing out" on the broader opportunities available when one has a solid CTI foundation. Attendees will leave with a fresh outlook on their career options, ready to explore how they can leverage their expertise in ways they may not have previously considered. Let’s discover how to embrace new possibilities while still cherishing the exciting world of cyber threat intelligence.

11:00 am - 11:35 am ET / 4:00 pm - 4:35 pm UTC | Virtual Track | Dissecting the Cicada - In the shadow of the Black Cat

At the end of June 2024, a new enigmatic ransomware-as-a-service group emerged under the name Cicada 3301. They have apparently borrowed the name and branding of a well-known cryptographic puzzle to add mystery to their brand. Since its start, this ransomware operation has added numerous victims to its onion site, and analysis of its attacks has shown several links to the notorious ransomware group BlackCat/ALPHV, which dissolved in a multi-million exit scam after the group's infrastructure was hacked by international law enforcement.
This presentation will contain technical and non-technical evidence suggesting a link between Cicada and BlackCat, such as:
- In-depth malware analysis of both ESXi and Windows ransomware used by Cicada and similarities to the ALPHV ransomware
- Tools, Techniques and Procedures (TTP) used in ransomware attacks investigated by Truesec, comparing Cicada 3301 incidents to BlackCat/ALPHV
- Connections to a possible access broker, responsible for the Brutus botnet
- Command and control infrastructure used by Cicada 3301 and how it is linked to BlackCat
- Tracing profiles on Russian cybercrime forums related to Cicada 3301

11:00 am - 11:35 am ET / 4:00 pm - 4:35 pm UTC | In-Person and Streaming Live Online | ONNX Store: The Rise and Fall of a Phishing-as-a-Service Platform Targeting Financial Institutions

In February 2024, EclecticIQ analysts identified a rebranded Phishing-as-a-Service (PhaaS) platform called ONNX Store, which originated from the Caffeine Phishing Kit first detected by Mandiant in 2022. ONNX Store's malicious users primarily targeted financial institutions using QR code-based phishing techniques and 2FA bypass methods, and the platform operated through Telegram bots to streamline its services for cybercriminals. The platform's operations were disrupted in June 2024 following the attribution of its creator, MRxC0DER.
This presentation will detail the development and operations of ONNX Store, the role of cyber threat intelligence (CTI) in its disruption, and the impact of attribution on financially motivated cybercriminal activities.
Key Takeaways:
1. PhaaS Model Overview: An explanation of the Phishing-as-a-Service model and its relevance to the financial sector, using ONNX Store as a case study.
2. Technical Details: Analysis of the phishing methods employed by ONNX Store, including QR code phishing and 2FA bypass, and their implications for cybersecurity defenses.
3. CTI and Attribution: Discussion on how cyber threat intelligence contributed to the identification and disruption of ONNX Store, and the significance of attribution in countering cybercrime.
4. Practical Recommendations: Guidelines for financial institutions on monitoring and defending against similar PhaaS threats, focusing on technical defenses and proactive threat identification.
What Attendees Can Expect to Learn:
• Understanding of the Phishing-as-a-Service (PhaaS) Model: Attendees will learn about the PhaaS model, specifically how ONNX Store operated and targeted financial institutions using phishing techniques.
• Insight into ONNX Store’s Operations: The presentation will cover the technical aspects of ONNX Store, including its phishing methods like QR code-based phishing and 2FA bypass techniques. This provides attendees with an in-depth understanding of the tools and methodologies used by the financially motivated threat actors.
• Role of Cyber Threat Intelligence (CTI) and Attribution: Attendees will learn how CTI was used to attribute and disrupt the operations of ONNX Store, showcasing the practical application of threat intelligence in real-world scenarios.
Highlighted Actionable Takeaways:
• Monitoring and Defense Strategies: Actionable guidance for financial institutions on how to monitor and defend against similar PhaaS platforms, focusing on technical defenses and proactive threat hunting.
• Importance of Attribution: The significance of attribution in deterring and disrupting cybercriminal activities, a key lesson for cybersecurity professionals.

11:40 am - 12:15 pm ET / 4:40 pm - 5:15 pm UTC | Virtual Track | But Mom, I Need To Spend More Time on Social Media! (Bridging CTI and Fraud - Understanding Social Media Cyber Threat Landscape and Beyond)
Jurgen Visser, Head of Cyber Defense and Enterprise Security, GoTo Group

We would like to highlight how a mature CTI program could be used to help the Risk and Fraud team, especially on the social media front. We will talk about how the social media threat landscape is impacting our millions of customers in Indonesia, from the perspective of one of the biggest IT companies in the country. While the US has its fair share of fake call center problems, Indonesia has social media impersonation problems.
In the presentation, we are planning to talk about:
- Why our environment is unique (a large IT company operating in Indonesia), which may be worth considering for any company already in the region or planning to expand there.
- How social media is used by customers.
- How CTI may help the social media impersonation challenges.
- What we observed happening on the social media front. This will be a real-world case study of incidents we have seen, such as impersonation on popular messaging apps and social media platforms (WhatsApp, Instagram, and Twitter), social media comment hijacking, Google Maps fraud, fake job postings, etc.
- Some other contributing factors we observed outside of social media in Indonesia, such as infostealer problems, etc.
- Last but not least, our recommendation on how CTI can help, especially in terms of bridging the CTI and Fraud functions.

11:40 am - 12:15 pm ET / 4:40 pm - 5:15 pm UTC | In-Person and Streaming Live Online | Making CTI Cool!: Methods for Teaching Cyber Threat Intelligence Through Gaming

In this talk, Bryan Quillen and Jibby Saetang will share their unique and innovative method of using a custom-built game to teach Cyber Threat Intelligence (CTI) to high school students, a demographic typically seen as too young for such advanced topics.
Bryan, a high school teacher in Louisville, KY, has breathed life into his cybersecurity classroom by using a CTI-focused game. His students aren’t just learning abstract concepts; they’re diving into the stories behind cyber attacks—who the attackers are, why they act, and how they operate. The opportunity to use the data to engage with the human aspect of cybersecurity has fostered a real passion for the subject.
Jibby Saetang, a former watch repairer turned security researcher, shares a similar journey. Jibby also fell in love with cybersecurity through the captivating narratives in the same game, discovering that understanding the purpose and context behind attacks can transform how people view the cyber world.
Together, they are collaborating with Bryan’s students to help them develop their own CTI-focused game. By approaching the content from this angle, these high schoolers are mastering concepts like the MITRE ATT&CK framework, the Diamond Model, and threat attribution—skills that are often considered beyond beginner level.
The key to their success is focusing on the stories behind the data. By understanding the technical side of cyber attacks as they investigate the ethical and personal implications, Bryan’s students have developed a genuine curiosity about cybersecurity that they will be able to carry with them well after they leave his class.

12:15 pm - 1:30 pm ET / 5:15 pm - 6:30 pm UTC | In-Person and Streaming Live Online | Lunch

1:25 pm - 2:00 pm ET / 6:25 pm - 7:00 pm UTC | Virtual Track | Everybody Wants to Rule the World (of Data)
John Stoner, Senior Security Consultant, Google Cloud - Public Sector
John Stoner, Global Principal Security Strategist, Google Cloud

Everyone in cybersecurity craves it; in fact, they Just Can't Get Enough - DATA, that is. But the relentless pursuit of aggregating every byte into the security stack often leaves us overlooking the essentials. Before you break out your vintage Cure albums and lament like it's 10:15 Saturday Night, let's pause and ask: what data do you actually need to answer those burning Priority Intelligence Requirements (PIRs)?
In this 30-minute session, the two John Stoners will guide you through the World Where You Live of data, with a focus on Cyber Threat Intelligence (CTI) use cases. We'll explore how data needs to be A Means to an End, discuss some of the common mistakes that are made, dissect the importance of normalized and correlated data, and take a look at Volt Typhoon as a use case.
Come along as The Passenger as we share our insights in the face of overwhelming data chaos.
Leave with a newfound appreciation for the power of data done right, and the knowledge to navigate the complexities of the CTI landscape.

1:30 pm - 1:40 pm ET / 6:30 pm - 6:40 pm UTC | In-Person and Streaming Live Online | Interactive Game

1:45 pm - 2:20 pm ET / 6:45 pm - 7:20 pm UTC | In-Person and Streaming Live Online | From Threat Intelligence to Detection Engineering: A Case Study on Identifying Gaps in Detection and Enhancing CTI Value for the Organization

This presentation will explore how Cyber Threat Intelligence (CTI) can be strategically utilized to enhance detection engineering, focusing on identifying and addressing detection gaps within an organization. Through a real-world case study, the session will illustrate how CTI can not only pinpoint weaknesses in detection systems but also provide actionable strategies that enhance the overall security posture. The presentation will emphasize how to translate threat intelligence into detection enhancements, offering practical insights for teams looking to maximize the organizational value of CTI.
Key Takeaways:
• A detailed case study showcasing how CTI was leveraged to identify detection gaps in an operational environment.
• Practical approaches for integrating threat intelligence with detection engineering to optimize security measures and workflows.
• A step-by-step process for converting CTI insights into actionable detection strategies that enhance security operations.
• Lessons learned from applying CTI to continuously improve detection systems and increase CTI's value for the organization.

2:05 pm - 2:40 pm ET / 7:05 pm - 7:40 pm UTC | Virtual Track | The Secret Life of Forgotten Malware C2
Eli Woodward, Cyber Threat Intelligence Analyst, Early Warning Services

Building upon the seminal work of David Bianco's 'Pyramid of Pain,' this talk aims to cast a new light on the threat posed by custom malware domains and the lasting value they offer to both scammers and researchers. It is hoped that industry professionals will come to place a special emphasis on custom malware domains, recognizing their persistent and long-term value to both attackers and defenders.
Almost daily, we encounter new headlines and blog posts from various researchers and intelligence vendors, highlighting exploits from APT and crimeware groups that utilize custom domains with clever and unique names, such as Pandorasong. But what happens to these domains after they're publicly named? Do threat actors immediately abandon them? Are they repurposed for future campaigns? And should we continue to monitor these domains in our Threat Intelligence Platforms (TIPs) for intelligence purposes, especially in light of their activities being exposed by open-source intelligence?
This presentation delves into these questions, offering a deep dive from the perspective of a Cyber Threat Intelligence (CTI) analyst and researcher curious about the fate of these domains once they are 'burned.' After spending way too much money and time buying up old domains, observing compromised machines still ‘calling home,’ and identifying who else is vying to purchase these domains, the overlooked world of forgotten malware C2 domains has revealed itself to be incredibly fascinating.

2:25 pm - 2:55 pm ET / 7:25 pm - 7:55 pm UTC | In-Person and Streaming Live Online | To Be Announced

2:45 pm - 3:15 pm ET / 7:45 pm - 8:15 pm UTC | Virtual Track | Building the CTI Brand: A Path to Success

A strong cyber threat intelligence (CTI) brand is essential for maturing your CTI program. A mature CTI brand not only secures internal trust and support but also attracts external partnerships and resources. Highlighting tangible benefits of CTI, such as reduced risk exposure, enhanced threat detection, and informed decision-making, helps gain the confidence of key stakeholders.
This presentation explores how a trusted CTI brand can enhance credibility, drive engagement, and support the overall growth of the program. By focusing on brand-building strategies, such as confident communication, engagement with the business, and showcasing successful threat intelligence operations, organizations can position their CTI program as a trusted and essential component of their cybersecurity framework.
Join the Target CTI team in this talk which emphasizes the pivotal role effective collaboration and strong partnerships play in building the CTI brand to gain internal support and enhance external trust and engagement.

3:00 pm - 3:20 pm ET / 8:00 pm - 8:20 pm UTC | In-Person and Streaming Live Online | Break

3:20 pm - 3:55 pm ET / 8:20 pm - 8:55 pm UTC | In-Person and Streaming Live Online | Advanced Threat Research Methodologies: Unraveling a Triple-APT Intrusion

While hunting for exploitation of Exchange server vulnerabilities, we stumbled upon a unique anomalous activity in our telemetry that was observed on multiple governmental entities around the world. This finding sparked a new investigative journey that led to the discovery of a new and highly sophisticated Chinese nation-state threat actor targeting embassies and diplomatic missions, politicians, military organizations and ministries of foreign affairs.
This newly discovered threat actor specializes in exploiting and extracting sensitive information from Exchange servers, leveraging a novel Exchange email exfiltration technique that was used by the attackers only on a few selected targets.
In addition, our research revealed that this threat actor uses a very rare set of tactics, techniques, and procedures (TTPs), setting them apart from other known threat actors. Some of those TTPs were never reported before in the wild, such as a novel and evasive in-memory webshell implant and the discovery of a new custom-built family of backdoors, and a credential stealing technique that was rarely seen in the wild.
In our presentation, we will explore some of the main TTPs employed by the threat actor throughout each phase of the attack life cycle and provide a practical guide on how to hunt for this activity. We will also share some exclusive information that has not been published yet about the attackers’ playbook and operation.
Lastly, we will dive into our attribution methodology, by which we were able to establish the threat actor’s connection to the Chinese Nexus, and eventually graduate this activity cluster to a new threat actor.

4:20 pm - 4:55 pm ET / 9:20 pm - 9:55 pm UTC | In-Person and Streaming Live Online | Immaturity Can Be Fun: Just Not in a CTI Program

For the past decade, CTI operations in industry (and government to a lesser degree) have been driven by technology and venture capital. At the root of the problem is the misconception that because cyber threats target computers, the solution to the problem must be more technology. This has driven many corporate consumers into products and services that are misaligned to their needs and has convinced them of value propositions they cannot realize.
The reality is though, that at the root of most failed cyber-intelligence endeavors is a lack of planning and processes; this is complicated by a lack of objective, industry standards. While there are many CTI maturity models available, they are most often tied to particular technologies or services; meaning they lack the breadth and depth necessary to make them broadly applicable to cyber-intelligence programs across industry. The CTI Capability Maturity Model (CTI-CMM) is a new practitioner-led initiative designed to break this cycle and provide a comprehensive, flexible framework that can be applied across industries, independent of specific technologies.
Our talk will explore how this vendor-neutral, community-driven initiative offers a clear and practical approach to assessing the maturity of cyber-intelligence programs. In particular, we’ll address how the CTI-CMM:
- Offers unique value that complements other models
- Enables teams to broaden their operational scope (potentially securing greater funding)
- Deepens enterprise-wide engagement and appreciation for CTI
- Can be used to develop a practical roadmap for maturing your program

5:00 pm - 5:10 pm ET / 10:00 pm - 10:10 pm UTC | In-Person and Streaming Live Online | Day 1 Wrap-Up