To Be Announced

Ransomware syndicates have evolved into entities that closely resemble the agility and innovation of tech unicorns, rather than traditional organized crime cartels. These groups have adeptly merged cutting-edge technological prowess with a complex psychological framework, employing a sophisticated business mindset alongside morally ambiguous justifications for their activities. Their operations, characterized by strategic depth and manipulative tactics, challenge conventional cybersecurity defenses, calling for an in-depth exploration of their psychological warfare and the intricacies behind their seemingly legitimate business facades. This nuanced blend of strategy and psychology underscores the urgent need for a paradigm shift in understanding and combating ransomware threats.
 In this presentation, we navigate the shadowy realms of ransomware groups, contrasting their operations and mentality with established business and social psychology principles, notably those articulated by Elliot Aronson. This talk uniquely dissects the business sophistication and tactical rationalization utilized by cybercriminal factions.

 In confronting ransomware, it's essential to recognize that technical defenses alone are insufficient. These cyber syndicates select their targets with a discerning eye, influenced not just by potential vulnerabilities but also by strategic value and psychological impact. Acknowledging law enforcement's recent strides in disrupting ransomware operations, such as Lockbit and Black Cat, adds a critical layer to our understanding of ransomware risk. These efforts illuminate the adaptability and resilience of ransomware groups, who respond to legal pressures with evolved tactics and enhanced target selection strategies. This changing landscape underscores the need for a risk assessment model that not only captures the technical and psychological dimensions of ransomware threats but also remains agile in the face of these groups' tactical shifts in response to law enforcement actions.

 Actionable presentation take-aways:
 • explore how some ransomware groups navigate a blend of business acumen and ethical gymnastics, portraying themselves variously as post-paid pentesters, hacktivists, or reluctant culprits forced into action by a widespread lack of cybersecurity.
 • Analyze pertinent case studies, revealing their strategies across operations, negotiations, and PR. We'll also probe why some ransomware entities target seemingly non-lucrative victims, like schools and non-profits.
 • Learn mitigation and negotiation strategies and explore if traditional anti-crime and anti-terrorism strategies can be modified or reimagined to confront ransomware criminals effectively. This includes assessing if approaches for physical-world entities are viable against digital domain criminals.

As mid-career analysts consider their long-term career paths, they often face the challenge of advancing while maintaining the thrill of active engagement in cyber threat intelligence (CTI). This presentation will delve into the diverse trajectories available to CTI analysts, emphasizing roles that allow for both professional growth and continued involvement in the dynamic landscape of cyber threats.
 
 We will explore various career options, from staying as an individual contributor or subject matter expert—perfect for those who want to remain close to the intricacies of threat actor activities—to stepping into leadership positions such as intelligence team lead, incident response lead, policy advisor, resiliency lead, and risk management specialist. For those aiming higher, we’ll discuss the transition to roles like Chief Information Security Officer (CISO), where strategic oversight and influence become paramount.
 
 Key to this discussion will be the skills and competencies needed for each path, highlighting how a foundation in CTI is invaluable across various roles. Attendees will gain practical insights into how CTI informs incident response, shapes policy advocacy, enhances resiliency planning, and aids risk management. By understanding how intelligence interacts with these fields, analysts can effectively lead an entire information security team.
 
 While the goal is not to drive analysts away from CTI, the aim is to cultivate a new perspective on FOMO—the "fear of missing out" on the broader opportunities available when one has a solid CTI foundation. Attendees will leave with a fresh outlook on their career options, ready to explore how they can leverage their expertise in ways they may not have previously considered. Let’s discover how to embrace new possibilities while still cherishing the exciting world of cyber threat intelligence.

In the end of June 2024, a new enigmatic ransomware-as-a-service group emerged under the name Cicada 3301. They have apparently stolen the name and branding from a cryptographic puzzle to add mystery to their name. Since the start, this ransomware has added numerous victims to their onion site and analysis of their attacks has shown several links to the notorious ransomware group BlackCat/ALPHV, that was dissolved in a multi-million exit scam after the group’s infrastructure was hacked by international law enforcement.
 
 This presentation will contain technical and non-technical evidence suggestion a link between Cicada and BlackCat, such as
 - In-depth malware analysis of both ESXi and Windows ransomware used by Cicada and similarities to the ALPHV ransomware
 - Tools, Techniques and Procedures (TTP) used in ransomware attacks investigated by Truesec, comparing Cicada 3301 incidents to BlackCat/ALPHV
 - Connections to a possible access broker, responsible for the Brutus botnet
 - Command and control infrastructure used by Cicada 3301 and how it is linked BlackCat
 - Tracing profiles on Russian cybercrime forums related to Cicada 3301

In February 2024, EclecticIQ analysts identified a rebranded Phishing-as-a-Service (PhaaS) platform called ONNX Store, which originated from the Caffeine Phishing Kit first detected by Mandiant in 2022. ONNX Store’s malicious users primarily targeted financial institutions using QR code-based phishing techniques, 2FA bypass methods and operated through Telegram bots to streamline its services for cybercriminals. The platform's operations were disrupted in June 2024 following the attribution of its creator, MRxC0DER.
 This presentation will detail the development and operations of ONNX Store, the role of cyber threat intelligence (CTI) in its disruption, and the impact of attribution on financially motivated cybercriminal activities.
 
 Key Takeaways:
 
 1. PhaaS Model Overview: An explanation of the Phishing-as-a-Service model and its relevance to the financial sector, using ONNX Store as a case study.
 2. Technical Details: Analysis of the phishing methods employed by ONNX Store, including QR code phishing and 2FA bypass, and their implications for cybersecurity defenses.
 3. CTI and Attribution: Discussion on how cyber threat intelligence contributed to the identification and disruption of ONNX Store, and the significance of attribution in countering cybercrime.
 4. Practical Recommendations: Guidelines for financial institutions on monitoring and defending against similar PhaaS threats, focusing on technical defenses and proactive threat identification.
 
 What Attendees Can Expect to Learn:
 
 • Understanding of the Phishing-as-a-Service (PhaaS) Model: The abstract outlines that attendees will learn about the PhaaS model, specifically how ONNX Store operated and targeted financial institutions using phishing techniques.
 • Insight into ONNX Store’s Operations: The presentation will cover the technical aspects of ONNX Store, including its phishing methods like QR code-based phishing and 2FA bypass techniques. This provides attendees with an in-depth understanding of the tools and methodologies used by the financially motivated threat actors.
 • Role of Cyber Threat Intelligence (CTI) and Attribution: Attendees will learn how CTI was used to attribute and disrupt the operations of ONNX Store, showcasing the practical application of threat intelligence in real-world scenarios.
 Highlighted Actionable Takeaways:
 • Monitoring and Defense Strategies: The abstract provides actionable guidance for financial institutions on how to monitor and defend against similar PhaaS platforms, focusing on technical defenses and proactive threat hunting.
 • Importance of Attribution: It highlights the significance of attribution in deterring and disrupting cybercriminal activities, which is a key lesson for cybersecurity professionals.

We would like to highlight how a mature CTI program could be used to help the Risk and Fraud team, especially on the social media front. We will talk about how the social media threat landscape is impacting our millions of customers in Indonesia, coming from one of the biggest IT companies in the country. While the US has its fair share of fake call center problems, Indonesia has social media impersonation problems.
 
 In the presentation, we are planning to talk about:
 - Why our environment is unique (combination of a large IT company in Indonesia), which may be a good consideration for any company that is already in the region or wants to expand.
 - How social media is used by customers.
 - How CTI may help the social media impersonation challenges.
 - What we observed happening on the social media front. This is going to be a real world study case on the cases happening over here. Such as: impersonating over popular messaging apps and social media platforms (WhatsApp, Instagram, and Twitter), social media comment hijacking, Google Maps fraud, fake job postings, etc.
 - Some other contributing factors that we observed to be happening outside of social media in Indonesia, such as Infostealer problems, etc.
 - Last but not least, our recommendation on how CTI can help, especially in terms of bridging CTI and Fraud function.

In this talk, Bryan Quillen and Jibby Saetang will share their unique and innovative method of using a custom-built game to teach Cyber Threat Intelligence (CTI) to high school students, a demographic typically seen as too young for such advanced topics.

Bryan, a high school teacher in Louisville, KY, has breathed life into his cybersecurity classroom by using a CTI-focused game. His students aren’t just learning abstract concepts; they’re diving into the stories behind cyber attacks—who the attackers are, why they act, and how they operate. The opportunity to use the data to engage with the human aspect of cybersecurity has fostered a real passion for the subject.
 
Jibby Saetang, a former watch repairer turned security researcher, shares a similar journey. Jibby also fell in love with cybersecurity through the captivating narratives in the same game, discovering that understanding the purpose and context behind attacks can transform how people view the cyber world.
 
Together, they are collaborating with Bryan’s students to help them develop their own CTI-focused game. By approaching the content from this angle, these high schoolers are mastering concepts like the MITRE ATT&CK framework, the Diamond Model, and threat attribution—skills that are often considered beyond beginner level.
 
The key to their success is focusing on the stories behind the data. By understanding the technical side of cyber attacks as they investigate the ethical and personal implications, Bryan’s students have developed a genuine curiosity about cybersecurity that they will be able to carry with them well after they leave his class.

Everyone in cybersecurity craves it, in fact, they Just Can’t Get Enough - DATA, that is. But the relentless pursuit of aggregating every byte into the security stack often leaves us overlooking the essentials. Before you break out your vintage Cure albums and lament like it’s 10:15 Saturday Night, let's pause and ask: what data do you actually need to answer those burning Priority Intelligence Requirements (PIRs)?
 
 In this 30-minute session, the two John Stoners will guide you through the World Where You Live of data, with a focus on Cyber Threat Intelligence (CTI) use cases. We'll explore how data needs to be A Means to an End, some of the common mistakes that are made and as well as dissect the importance of normalized and correlated data, and take a look at Volt Typhoon as a use case.
 
 Come along as The Passenger as we share our insights in the face of overwhelming data chaos.
 
 Leave with a newfound appreciation for the power of data done right, and the knowledge to navigate the complexities of the CTI landscape.

This presentation will explore how Cyber Threat Intelligence (CTI) can be strategically utilized to enhance detection engineering, focusing on identifying and addressing detection gaps within an organization. Through a real-world case study, the session will illustrate how CTI can not only pinpoint weaknesses in detection systems but also provide actionable strategies that enhance the overall security posture. The presentation will emphasize how to translate threat intelligence into detection enhancements, offering practical insights for teams looking to maximize the organizational value of CTI.
 
 Key Takeaways:
 • A detailed case study showcasing how CTI was leveraged to identify detection gaps in an operational environment.
 • Practical approaches for integrating threat intelligence with detection engineering to optimize security measures and workflows.
 • A step-by-step process for converting CTI insights into actionable detection strategies that enhance security operations.
 • Lessons learned from applying CTI to continuously improve detection systems and increase its value for the organization.

Building upon the seminal work of David Bianco's 'Pyramid of Pain,' this talk aims to cast a new light on the threat posed by custom malware domains and the lasting value they offer to both scammers and researchers. It is hoped that industry professionals will come to place a special emphasis on custom malware domains, recognizing their persistent and long-term value to both attackers and defenders.
 
Almost daily, we encounter new headlines and blog posts from various researchers and intelligence vendors, highlighting exploits from APT and crimeware groups that utilize custom domains with clever and unique names, such as Pandorasong. But what happens to these domains after they're publicly named? Do threat actors immediately abandon them? Are they repurposed for future campaigns? And should we continue to monitor these domains in our Threat Intelligence Platforms (TIPs) for intelligence purposes, especially in light of their activities being exposed by open-source intelligence?
 

This presentation delves into these questions, offering a deep dive from the perspective of a Cyber Threat Intelligence (CTI) analyst and researcher curious about the fate of these domains once they are 'burned.' After spending way too much money and time buying up old domains, observing compromised machines still ‘calling home,’ and identifying who else is vying to purchase these domains, the overlooked world of forgotten malware C2 domains has revealed itself to be incredibly fascinating.

To Be Announced

A strong cyber threat intelligence (CTI) brand is essential for maturing your CTI program. A mature CTI brand not only secures internal trust and support but also attracts external partnerships and resources. Highlighting tangible benefits of CTI, such as reduced risk exposure, enhanced threat detection, and informed decision-making, helps gain the confidence of key stakeholders.
 
This presentation explores how a trusted CTI brand can enhance credibility, drive engagement, and support the overall growth of the program. By focusing on brand-building strategies, such as confident communication, engagement with the business, and showcasing successful threat intelligence operations, organizations can position their CTI program as a trusted and essential component of their cybersecurity framework.
 
Join the Target CTI team in this talk which emphasizes the pivotal role effective collaboration and strong partnerships play in building the CTI brand to gain internal support and enhance external trust and engagement.

Acknowledging a systematic and time-tested methodology dating back to 1982, this session explores the intricate method of "Attack Trees". To this day it still offers a powerful holistic approach to modeling cyber security threats and their sequential actions against assets. In addition, being a powerful tool both for visualizing complex attack sequences to business leaders and effective stakeholder engagement.

Attendees will understand Why Attack Trees provide a comprehensive framework for analyzing real-life threat activity threads which remains relevant to this day. This will be demonstrated by navigating the fundamental concepts of Attack Trees, emphasizing their relevance in contemporary cyber threat intelligence methodologies. By combining elements from MITRE ATT&CK, the Diamond Model of Intrusion, threat scenario research, and the attack tree methodology, the presenters demonstrate How the methodology enables cybersecurity professionals to collate threat actor activities and assess realistic defensive measures. From identifying sequential stages and nuanced tactics to visualizing attack chains, this exploration promises practical applications for daily use.

After the session, attendees will have a clear understanding of why they should adopt Attack Tree’s and how they can use them together with their own knowledge of the threat landscape, their organization’s threat surface, and their defender’s capability and resources.

The increasing use of strategic threat modeling to prioritize an organization's finite defensive resources has led to CTI teams implementing strategic workstreams and even building a comprehensive organizational cyber threat profile. In light of growing need for CTI support to strategic functions, practitioners cannot afford to overlook lessons from emergent geopolitical flashpoints. Regional outbreaks, military conflict, and other geopolitical escalations often will have direct and indirect effects on an organization's business operations and existing growth strategy. A series of predictable intelligence needs will emerge in the lead up of a conflict through its finality, which CTI teams can service through a programmatic approach that minimizes disruption to its production cadence.
 
 This talk seeks to use the Russia-Ukraine war as a case study on how CTI teams can determine relevance and impact throughout rising geopolitical tensions, delving into third and fourth order effects. The talk will examine threat actor dynamics, ranging from targeting decision calculus to capabilities and frequency employed to how baseline understanding is apt to shift from a preconceived understanding of normal MO. It will discuss the potential for an emergence of new cyber threat actors to appear that were not previously tracked like GRU Unit 29155 operators.
 
 Attendees will be pressed to reconsider their assumptions around appropriate messaging, cadence, and workflows relating to relevant threat actors baselines from the onset of rising geopolitical tensions to full-fledged war. Additional discussion points will include the use of situational reports (SITREPs), how and when to adjust threat profile prioritization, transforming geopolitical situational context to technical understanding, and establishing a cross-functional tiger team.
 
 The talk concludes by challenging the audience to think about how a China-Taiwan conflict may impact its organizations, similarities in approach, and how this type of geopolitical event varies from what transpired during the Russia-Ukraine conflict, acknowledging China's more prominent global influence and blowback potential to most organizations.

For the past decade, CTI operations in industry (and government to a lesser degree) have been driven by technology and venture capital. At the root of the problem is the misconception that because cyber threats target computers, the solution to the problem must be more technology. This has driven many corporate consumers into products and services that are misaligned to their needs and has convinced them of value propositions they cannot realize.
 
 The reality is though, that at the root of most failed cyber-intelligence endeavors is a lack of planning and processes; this is complicated by a lack of objective, industry standards. While there are many CTI maturity models available, they are most often tied to particular technologies or services; meaning they lack the breadth and depth necessary to make them broadly applicable to cyber-intelligence programs across industry. The CTI Capability Maturity Model (CTI-CMM) is a new practitioner-led initiative designed to break this cycle and provide a comprehensive, flexible framework that can be applied across industries, independent of specific technologies.
 
 Our talk will explore how this vendor-neutral, community-driven initiative offers a clear and practical approach to assessing the maturity of cyber-intelligence programs. In particular, we’ll address how the CTI-CMM:
 
 - Offers unique value that compliments other models
 - Enables teams to broaden their operational scope (potentially securing greater funding)
 - Deepens enterprise-wide engagement and appreciation for CTI
 - Can be used to develop a practical roadmap for maturing your program

To Be Announced

The threat landscape is increasingly moving toward a model of optimized accesses and capabilities, either for a price or for larger enterprise coordination. More plainly, threat actors from numerous origins and motivations took the “sharing is caring” message literally. Cyber criminals continue to monetize fragments of their operations, selling stolen credentials for initial access, modular malware and phishing kits, and renting out capabilities to drive intrusions, theft, and extortion (such as the Ransomware-as-a-Service ecosystem). Even hacktivists are engaging in DDoS campaigns using leased capabilities, bringing back a thread of activity that went relatively dormant for almost a decade.
 
Espionage motivated threat actors have historically been the leaders with regard to tool sharing, particularly those assessed to be based in China. These threat actors have famously been sharing tools such as PlugX, ShadowPad, and PoisonIvy, for well over a decade, now evolving these collaborations into the infrastructure side, such as shared obfuscation networks.These operating procedures have historically been effective at making the attribution challenge more erroneous for threat intelligence practitioners, and the subsequent discussions and decisions muddied by confusion and uncertainty.

It is this challenge that this presentation attempts to both highlight and tackle. Using the case study of a China-based threat actor we track as Red Ishtar, but which in open source is tied to multiple intrusion sets, we are going to provide the trials, tribulations, and successes of tracking a threat actor that has so many competing narratives surrounding its capabilities. We analyze the threat actor’s tools, techniques, and procedures (TTPs) from our visibility and vantage point, following that up by understanding how different organizations and reports analyzed the unique telemetry of their variant of the “Red Ishtar” intrusion set. We will compare attribution findings, as well as the underlying information that prompted these assessments, such as visibility of threat activity and telemetry.
 
Finally, we’ll provide attendees with a (threat agnostic) framework for conducting comparative attribution analysis to assist the community (we like to share, too) with navigating intelligence from multiple sources, as well as multiple vantage points and analyses of threat actor behavior - to ultimately detect and understand activity as threat actors continue to share, and likely increase their use of shared, capabilities.

This presentation starts with a story. I joined a new intel team to help build a program from the ground up, and we were doing amazing work. We were pumping out intel products, emailing strategic forecast reports to the C-Suite, and rapidly onboarding new vendors. Then I got laid off. Where had I gone wrong? I didn’t find the answer to that question until I started doing CTI in startups.
 
This talk will explore how adopting a growth mindset, taking ownership, and being customer-obsessed makes me a better CTI professional and can be applied to CTI in any organization. I will ground the fluffiness of a startup mindset in tangible, real examples of CTI projects, products, and workflows I’ve worked on.
 
 This talk draws upon my experience of doing intel in different types of threat intel teams in large 40-50,000 people corporate organizations, mid-size companies, and the last 2 years spent in startups in silicon valley and Europe.
 
 High level overview of lessons and takeaways:
 - Adopting a startup mindset has turned me into a better CTI professional
 - Working in startups has uncovered areas where I was falling short as a CTI analyst
 - I learned the hard way that a startup mindset could benefit my CTI work - I had to go through the process, make mistakes, and invest years working in multiple sectors to understand a startup mindset can be applied to enhance CTI
 - You don’t have to go through this long process. You don’t have to work in a startup to adopt a startup mindset and apply it to how you do CTI
 - Growth mindset, taking ownership, and customer obsession can be implemented today in the CTI work we all do, regardless of the size of your organization
 
 

To Be Announced

Many intelligence analyses of contemporary threat actors have pointed out their business-like operations. What if they’re even similar to us, the defenders? What if they’re - gasp - doing the same things as SALES and MARKETING? Moreover, what if understanding those tactics could help you create better threat intelligence products and teams?
 
We will identify common ground between modern technical sales and marketing disciplines and threat actor operations. Of course, we’ll use the MITRE ATT&CK(r) framework to categorize parallels between marketing and threat actor tactics, techniques, and procedures (TTPs). How do marketers perform reconnaissance? What resources do they develop and use? How do salespeople achieve initial access, escalate privileges, and evade defenses? We’ll tell you a few secrets from inside the sales and marketing cubicles.
 
Then, we’ll relate these tactics to some real threat actor TTPs. Using public reporting from several cyber threat intelligence (CTI) organizations, we’ll align known cyber threat actor activities with similar sales and marketing activities. Could threat actors use the same TTPs as your friendly salesperson and event marketer?
 
 We’ll also show how criminal threat actor groups are marketing themselves to achieve greater success. 

We will also identify some sales and marketing TTPs that CTI analysts can use in intelligence analysis. Some are openly available, and some cost money… but your marketing department probably has access.
 

Decoding cyber threats: A Practical Guide to using Attack Trees

We’ll recommend ways to improve CTI by using marketing and sales tactics. How can you better defend yourself against S&M and threat actors? How can you exploit the vendor-customer relationship to your benefit? Should you start looking at marketers as potential threat analysts?
 
 And, finally, want to spend less time on annoying cold calls? We’ll disclose the top five ways (you won’t believe number three!) And one weird trick that will radically improve your experience with salespeople!!!
 
 Key takeaways include:
 Understanding how you could use marketing tools to create faster and more contextualized threat intelligence investigations;
 Identifying skills from other disciplines that could make you a better analyst;
 Learning how to interact with sales and marketing that creates better outcomes for both parties and
 An unexpected way you might grow your team.
 

Acknowledging a systematic and time-tested methodology dating back to 1982, this session explores the intricate method of "Attack Trees". To this day it still offers a powerful holistic approach to modeling cyber security threats and their sequential actions against assets. In addition, being a powerful tool both for visualizing complex attack sequences to business leaders and effective stakeholder engagement.

Attendees will understand Why Attack Trees provide a comprehensive framework for analyzing real-life threat activity threads which remains relevant to this day. This will be demonstrated by navigating the fundamental concepts of Attack Trees, emphasizing their relevance in contemporary cyber threat intelligence methodologies. By combining elements from MITRE ATT&CK, the Diamond Model of Intrusion, threat scenario research, and the attack tree methodology, the presenters demonstrate How the methodology enables cybersecurity professionals to collate threat actor activities and assess realistic defensive measures. From identifying sequential stages and nuanced tactics to visualizing attack chains, this exploration promises practical applications for daily use.

After the session, attendees will have a clear understanding of why they should adopt Attack Tree’s and how they can use them together with their own knowledge of the threat landscape, their organization’s threat surface, and their defender’s capability and resources.

This presentation offers a deep dive into the practical application of CyberHUMINT (Human Intelligence in Cyberspace) in Cyber Threat Intelligence investigations. We explore how integrating classic intelligence discipline of HUMINT (Human Intelligence) into the field of CTI enhances intelligence production and analysis, going beyond technical data to reveal the adversary’s intent, tactics, and vulnerabilities. Key aspects of the presentation include lessons learned from building online covert profiles with credible legends for the purposes of CTI investigations, and engaging directly with human sources within malicious online communities. The session also addresses the complexities of cultivating rapport with threat actors, the challenges of maintaining covert identities, and also the critical steps to take when an operation is compromised. Through anonymized case examples, we will provide real-world lessons and actionable insights for practitioners.

After this talk, attendees will be equipped with practical strategies for kickstarting CyberHUMINT operations in their organization and building a clear, secure CyberHUMINT framework within their CTI workflow.
 
 

To Be Announced