SANS CTI Summit Solutions Track 2025 | Day 2

  • Tuesday, 28 Jan 2025 10:30AM EST (28 Jan 2025 15:30 UTC)
  • Speaker: Douglas McKee

CTI Summit Solutions Track | 2 Full Days

As cyber threats grow in sophistication and scale, organizations must rely on actionable, contextualized Cyber Threat Intelligence (CTI) to secure operations, mitigate risks, and meet evolving business or mission objectives. Yet, CTI professionals face significant challenges, from filtering actionable insights from overwhelming volumes of data to countering rapidly evolving threat tactics like AI-driven attacks and fileless malware. Limited skilled resources, siloed systems, and the increasing sophistication of threat actors further compound the complexities of building effective CTI programs.

The CTI Summit Solutions Track 2025 will address these pressing issues. Through expert-led sessions and real-world case studies, the summit will explore solutions for overcoming common obstacles, such as integrating CTI into existing security infrastructures, ensuring timely dissemination of intelligence, and fostering collaboration through standardized frameworks. Presentations will also highlight strategies for bridging the skills gap, aligning CTI outputs with business objectives, and combating adversaries’ use of advanced automation.

Whether you are a CISO, SOC manager, threat hunter, or analyst, this summit offers the tools, knowledge, and strategies to turn CTI challenges into opportunities for a stronger, more adaptive cybersecurity posture. Join us for part two of this event to learn how cutting-edge solutions and collaborative approaches transform CTI into a critical enabler of cyber resilience.


Why Register?
- Expert-led Sessions
- Flexible Attendance (Attend live or watch on your own time)
- On-Demand Access (Revisit sessions and download presentations at your convenience)
- Connect with Industry Leaders
- Build Your Professional Network
- Earn CPE Credits


Thank You to Our Summit Sponsors

This webinar is offered free of charge through collaboration between SANS and its sponsor(s). If you prefer not to share your registration details with sponsor(s), a recorded webinar will be available approximately 30 days after its initial release through the SANS archive. To access the recording, you will need to create a SANS account, but your information will not be shared with the sponsor(s).

Full Agenda | 10:30am - 4:30pm ET

Check out our lineup of presentations for day 2 of this event, below.

Timeline (ET) | Session Details

10:30am - 10:40am | Event Kickoff & Introduction

Doug McKee, Event Chairperson & SANS Certified Instructor Candidate
10:40am - 11:15am | Building Effective Threat-Driven Security Posture Validation Programs

This session explores how to implement a threat-driven security posture validation program that goes beyond traditional approaches. Learn how tools like OpenCTI and OpenBAS can help centralize threat intelligence and simulate real-world attacks to identify security gaps, ensuring a proactive and robust defense strategy.

Samuel Hassine, CEO & Co-Founder at Filigran
11:15am - 11:50am | Threat Intelligence Research: Navigating the Threat Landscapes

Join us as we explore the latest findings in threat intelligence research, focusing on emerging threats from nation-state actors and cybercriminals. Sherrod will share key trends and real-world case studies, highlighting the importance of timely intelligence for collective defense.

Sherrod DeGrippo, Director of Threat Intelligence Strategy at Microsoft
11:50am - 12:25pm | Using Infostealer Logs for Advanced Threat Intelligence Work

More than 1 million users are infected every week by infostealer malware, leading to account takeovers through stolen credentials and session cookies. Over 80 million stealer logs have been circulated in various dark web forums, chats, and marketplaces, enabling attackers to log directly into corporate and customer accounts by bypassing 2FA and other security controls, potentially exposing organizations to major security breaches.

In this session, we’ll reveal threat actor TTPs, the complexity of the cybercrime ecosystem, what information a stealer log captures, and how you can use that to your advantage in your threat intelligence reporting and threat mitigation processes to strengthen your security posture.

Nick Ascoli, Director of Product Strategy at Flare
12:25pm - 12:40pm | Break Time - we'll be back in 15 min.

12:40pm - 1:15pm | Who’s Afraid of Little Old Me? Tracking Ransomware Groups Targeting Your Third Parties

As ransomware attacks hold steady, ransomware actors will say “don’t blame me” and instead blame the ransomware victim. (And it may well be that the victim is one of your third-party vendors.)

During this session, we’ll walk through a real-world example of triaging a ransomware attack targeting that unlucky supplier. We’ll identify the labyrinth of leaked files and map the vigilante threat actor’s tactics, techniques, and procedures (TTPs) to your own environment. By the end, you’ll have the tools to craft a report for leadership, proving you were the one who helped your organization stay ahead of the threat.

Kathleen Kuczma, Technical Marketing Manager at Recorded Future
1:15pm - 1:50pm | Beyond Detection: Using Malware Analysis to Enhance CTI and Proactive Defense

In today’s evolving cyber threat landscape, adversaries are constantly refining their tactics to evade detection, making it imperative for SOC teams, CTI analysts, and security leaders to elevate their cyber threat intelligence (CTI) capabilities beyond static indicators. The key to proactive defense lies in behavioral malware analysis, which uncovers deep adversary insights, enabling security teams to anticipate, disrupt, and neutralize threats before they escalate. This session will demonstrate how advanced malware analysis and sandboxing techniques can strengthen threat intelligence frameworks by revealing adversary infrastructure, malware command-and-control (C2) patterns, detection-evasion techniques, and TTPs aligned with MITRE ATT&CK.

Attendees will gain actionable insights into how to pivot from malware behavior to proactive threat modeling, transforming raw data into high-confidence intelligence that informs detection engineering, hunting, and risk mitigation strategies.

Key Takeaways:

- From Indicators to Intelligence – Learn how extracting malware configurations, C2 infrastructure, and behavioral patterns strengthens strategic and operational CTI.
- Benchmarking Your Threat Intelligence – Understand how to evaluate malware sandbox effectiveness in detecting advanced threats and evasion techniques.
- Real-World Malware Analysis in Action – Watch a live demo showcasing how behavioral malware analysis uncovers high-value IOCs, ASN insights, and threat actor infrastructure clues.
- Operationalizing CTI for Proactive Defense – Discover how to integrate sandbox insights into SIEM, EDR/XDR, SOAR, and threat intelligence platforms to accelerate response and improve decision-making.
- Eliminating Manual Processing – See how to automate phishing analysis and threat intelligence extraction using VMRay’s abuse-mailbox setup.

Shyam Pema, Enterprise Senior Security Sales Engineer at VMRay
1:50pm - 2:25pm | Navigating the NVD Slowdown: AI and OSINT Strategies for Vulnerability Prioritization

Staying on top of vulnerabilities is tough; with the National Vulnerability Database (NVD) slowdown, it’s tougher. What if those delays could spark innovation? While NIST works to address the backlog of unprocessed vulnerabilities, there are methods to track, assess, and prioritize CVEs effectively. Join us to see how OSINT and AI are reshaping vulnerability prioritization, enabling teams to address the NVD slowdown.

Bonus: Attendees will leave with a free resource to make Patch Tuesdays more manageable.

Josh Darby MacLellan, Staff Threat Intelligence Advisor at Feedly
2:25pm - 2:40pm | Break Time - we'll be back in 15 min.

2:40pm - 3:15pm | Your Threat Intelligence Called...It Wants to Be Actionable

Threat intelligence is only as valuable as your ability to operationalize it. Too often, organizations are flooded with data but struggle to turn insights into meaningful action. Join us to learn how to bridge the gap between threat reports and real-world defenses. Discover strategies to automatically map intelligence to your existing security tools, enabling faster, smarter responses. We'll cover how to prioritize threats, optimize detection coverage, and ensure your team isn’t just reactive but proactive. It’s time to give your threat intelligence the spotlight it deserves.

Jay Lillie, VP of Customer Success at CardinalOps
3:15pm - 3:50pm | Separating Phish from the Chaff: Searching for Phishing Page Infrastructure

Phishing-as-a-service (PaaS) is an increasing threat to businesses. Sporting dangerous new capabilities like the ability to bypass MFA protections, these services are proliferating across the cybersecurity landscape. These platforms have lowered the barrier to entry for threat actors to engage in phishing while also empowering them with sophisticated new capabilities.

In this session you’ll hear first-hand examples of how Sophos X-Ops proactively searches for attackers’ phishing infrastructure, how attackers attempt to evade discovery, and in-depth details of example PaaS platforms and the related intelligence.

Jordon Olness, Threat Intelligence Analyst at Sophos
3:50pm - 4:25pm | Improving Ransomware Threat Assessment with Structured Prioritization

In a landscape filled with an ever-growing number of ransomware operations, most security teams would agree that prioritization is a must. But the exact mechanics of that prioritization remain the subject of fierce debate.

Using real-world examples focused on recently trending ransomware clusters, this session will demonstrate why structured, repeatable threat prioritization is an essential skill for CTI teams operating in today’s ever-evolving landscape, and will give practical guidance to help teams move toward better comparison of new and long-standing ransomware threats.

Scott Small, Director of Cyber Threat Intelligence at Tidal Cyber
4:25pm - 4:30pm | Event Recap & Closing Remarks

Doug McKee, Event Chairperson & SANS Certified Instructor Candidate