Full Agenda | 10:30am - 4:30pm ET
Timeline (ET) | Session Details |
---|---|
10:30am - 10:40am | Event Kickoff & Introduction Doug McKee, Event Chairperson & SANS Certified Instructor Candidate |
10:40am - 11:15am | Building Effective Threat-Driven Security Posture Validation Programs This session explores how to implement a threat-driven security posture validation program that goes beyond traditional approaches. Learn how tools like OpenCTI and OpenBAS can help centralize threat intelligence and simulate real-world attacks to identify security gaps, ensuring a proactive and robust defense strategy. |
11:15am - 11:50am | Threat intelligence research: Navigating the threat landscapes Join us as we explore the latest findings in threat intelligence research, focusing on emerging threats from nation-state actors and cybercriminals. Sherrod will share key trends and real-world case studies, highlighting the importance of timely intelligence for collective defense. Sherrod DeGrippo, Director of Threat Intelligence Strategy at Microsoft |
11:50am - 12:25pm | Using Infostealer Logs for Advanced Threat Intelligence Work More than 1 million users are infected every week by infostealer malware, leading to account takeovers through stolen credentials and session cookies. Over 80 million stealer logs have circulated in dark web forums, chats, and marketplaces, enabling attackers to log directly into corporate and customer accounts, bypassing 2FA and other security controls and potentially exposing organizations to major breaches. In this session, we’ll reveal threat actor TTPs, the complexity of the cybercrime ecosystem, what information a stealer log captures, and how you can use that to your advantage in your threat intelligence reporting and threat mitigation processes to strengthen your security posture. Nick Ascoli, Director of Product Strategy at Flare |
12:25pm - 12:40pm | Break Time - we'll be back in 15 min. |
12:40pm - 1:15pm | Who’s Afraid of Little Old Me? Tracking Ransomware Groups Targeting Your Third Parties As ransomware attacks hold steady, ransomware actors will say “don’t blame me” and instead blame the ransomware victim. (And it may well be that the victim is one of your third-party vendors.) During this session, we’ll walk through a real-world example of triaging a ransomware attack targeting that unlucky supplier. We’ll identify the labyrinth of leaked files and map the threat actor’s tactics, techniques, and procedures (TTPs) to your own environment. By the end, you’ll have the tools to craft a report for leadership, proving you were the one who helped your organization stay ahead of the threat. Kathleen Kuczma, Technical Marketing Manager at Recorded Future |
1:15pm - 1:50pm | Beyond Detection: Using Malware Analysis to Enhance CTI and Proactive Defense In today’s evolving cyber threat landscape, adversaries are constantly refining their tactics to evade detection, making it imperative for SOC teams, CTI analysts, and security leaders to elevate their cyber threat intelligence (CTI) capabilities beyond static indicators. The key to proactive defense lies in behavioral malware analysis, which uncovers deep adversary insights, enabling security teams to anticipate, disrupt, and neutralize threats before they escalate. This session will demonstrate how advanced malware analysis and sandboxing techniques can strengthen threat intelligence frameworks by revealing adversary infrastructure, malware command-and-control (C2) patterns, detection-evasion techniques, and TTPs aligned with MITRE ATT&CK. Attendees will gain actionable insights into how to pivot from malware behavior to proactive threat modeling, transforming raw data into high-confidence intelligence that informs detection engineering, hunting, and risk mitigation strategies. Key Takeaways: - From Indicators to Intelligence: learn how extracting malware configurations, C2 infrastructure, and behavioral patterns strengthens strategic and operational CTI. - Benchmarking Your Threat Intelligence: understand how to evaluate malware sandbox effectiveness in detecting advanced threats and evasion techniques. - Real-World Malware Analysis in Action: watch a live demo showing how behavioral malware analysis uncovers high-value IOCs, ASN insights, and threat actor infrastructure clues. - Operationalizing CTI for Proactive Defense: discover how to integrate sandbox insights into SIEM, EDR/XDR, SOAR, and threat intelligence platforms to accelerate response and improve decision-making. - Eliminating Manual Processing: see how to automate phishing analysis and threat intelligence extraction using VMRay’s abuse-mailbox setup. Shyam Pema, Enterprise Senior Security Sales Engineer at VMRay |
1:50pm - 2:25pm | Navigating the NVD Slowdown: AI and OSINT Strategies for Vulnerability Prioritization Staying on top of vulnerabilities is tough; with the National Vulnerability Database (NVD) slowdown, it’s tougher. What if those delays could spark innovation? While NIST works through the backlog of unprocessed vulnerabilities, there are methods to track, assess, and prioritize CVEs effectively. Join us to see how OSINT and AI are reshaping vulnerability prioritization, enabling teams to work around the NVD slowdown. Bonus: attendees will leave with a free resource to make Patch Tuesdays more manageable. Josh Darby MacLellan, Staff Threat Intelligence Advisor at Feedly |
2:25pm - 2:40pm | Break Time - we'll be back in 15 min. |
2:40pm - 3:15pm | Your Threat Intelligence Called...It Wants to Be Actionable Threat intelligence is only as valuable as your ability to operationalize it. Too often, organizations are flooded with data but struggle to turn insights into meaningful action. Join us to learn how to bridge the gap between threat reports and real-world defenses. Discover strategies to automatically map intelligence to your existing security tools, enabling faster, smarter responses. We'll cover how to prioritize threats, optimize detection coverage, and ensure your team isn’t just reactive but proactive. It’s time to give your threat intelligence the spotlight it deserves. Jay Lillie, VP of Customer Success at CardinalOps |
3:15pm - 3:50pm | Separating Phish from the Chaff: Searching for Phishing Page Infrastructure Phishing-as-a-service (PaaS) is an increasing threat to businesses. Sporting dangerous new capabilities such as bypassing MFA protections, these services are proliferating across the cybersecurity landscape. They have lowered the barrier to entry for threat actors to engage in phishing while also equipping them with sophisticated new capabilities. In this session you’ll hear first-hand examples of how Sophos X-Ops proactively searches for attackers’ phishing infrastructure, how attackers attempt to evade discovery, and in-depth details of example PaaS platforms and the related intelligence. Jordon Olness, Threat Intelligence Analyst at Sophos |
3:50pm - 4:25pm | Improving Ransomware Threat Assessment with Structured Prioritization In a landscape filled with an ever-growing number of ransomware operations, most security teams would agree that prioritization is a must. But the exact mechanics of that prioritization remain the subject of fierce debate. Using real-world examples focused on recently trending ransomware clusters, this session will demonstrate why structured, repeatable threat prioritization is an essential skill for CTI teams operating in today’s ever-evolving landscape, and give practical guidance to help teams compare new and long-standing ransomware threats more consistently. Scott Small, Director of Cyber Threat Intelligence at Tidal Cyber |
4:25pm - 4:30pm | Event Recap & Closing Remarks Doug McKee, Event Chairperson & SANS Certified Instructor Candidate |
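The infostealer session above (11:50am) describes turning "what a stealer log captures" into mitigation. As an added illustration that is not part of the agenda or any speaker's material, the following script triages a stealer log against the domains an organization cares about. The log excerpt and cookie lines are constructed for the example; the `URL:/Username:/Password:` block layout and the Netscape cookie-file layout are assumptions about the export format, not a claim about any particular malware family. Credentials are matched by host, session cookies are only flagged while they are still unexpired, and the output deliberately never carries the stolen password itself.

```python
"""Triage a (constructed) infostealer log against watched corporate domains."""
from __future__ import annotations

import re
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass(frozen=True)
class Credential:
    url: str
    username: str
    password: str


@dataclass(frozen=True)
class Cookie:
    domain: str
    name: str
    expires: int  # unix epoch; 0 means a session cookie
    value: str


def parse_passwords(text: str) -> list[Credential]:
    """Parse 'Key: value' blocks separated by a line of '=' characters (assumed layout)."""
    creds: list[Credential] = []
    for block in re.split(r"^=+\s*$", text.strip(), flags=re.M):
        fields: dict[str, str] = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")  # first colon only, so URLs survive
            if sep:
                fields[key.strip().lower()] = value.strip()
        if {"url", "username", "password"} <= fields.keys():
            creds.append(Credential(fields["url"], fields["username"], fields["password"]))
    return creds


def parse_cookies(text: str) -> list[Cookie]:
    """Parse Netscape cookie-file lines: domain, flag, path, secure, expiry, name, value."""
    cookies: list[Cookie] = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        parts = line.split("\t")
        if len(parts) != 7:
            continue  # malformed line: skip rather than guess
        domain, _flag, _path, _secure, expiry, name, value = parts
        cookies.append(Cookie(domain.lstrip(".").lower(), name, int(expiry), value))
    return cookies


def watched_domain_for(host: str, watched: set[str]) -> str | None:
    """Return the watched domain that host equals or is a subdomain of, else None."""
    host = host.lower()
    for d in watched:
        if host == d or host.endswith("." + d):
            return d
    return None


def triage(passwords_txt: str, cookies_txt: str, watched: set[str], now: int) -> list[dict]:
    """Produce actionable findings: exposed corporate logins and still-valid session cookies."""
    findings: list[dict] = []
    for c in parse_passwords(passwords_txt):
        d = watched_domain_for(urlsplit(c.url).hostname or "", watched)
        if d:  # password is intentionally omitted from the finding
            findings.append({"type": "credential", "domain": d, "account": c.username,
                             "action": "force password reset and revoke active sessions"})
    for ck in parse_cookies(cookies_txt):
        d = watched_domain_for(ck.domain, watched)
        if d and (ck.expires == 0 or ck.expires > now):  # expired cookies are noise
            findings.append({"type": "session_cookie", "domain": d, "account": ck.name,
                             "action": "invalidate server-side session"})
    return findings


# Constructed sample data for the example (not real victims, hosts or tokens).
SAMPLE_PASSWORDS = """\
URL: https://sso.example-corp.com/login
Username: alice@example-corp.com
Password: hunter2
Application: Google Chrome
==========
URL: https://mail.personal-webmail.test/
Username: alice.personal
Password: correct-horse
Application: Google Chrome
"""
SAMPLE_COOKIES = "\n".join([
    "# Netscape HTTP Cookie File",
    ".example-corp.com\tTRUE\t/\tTRUE\t1800000000\tSESSIONID\tdeadbeef",
    ".example-corp.com\tTRUE\t/\tTRUE\t1600000000\tOLDSESSION\tcafe",
    "tracker.ads.test\tTRUE\t/\tFALSE\t1800000000\tuid\t123",
])
WATCHED = {"example-corp.com"}
NOW = 1_700_000_000  # fixed "current time" so the example is deterministic

if __name__ == "__main__":
    for f in triage(SAMPLE_PASSWORDS, SAMPLE_COOKIES, WATCHED, NOW):
        print(f)
```

Run against the constructed sample it reports two findings: the corporate SSO credential for alice and the still-valid SESSIONID cookie; the personal webmail login, the expired cookie and the ad-tracker cookie are dropped. In practice the watched-domain list would come from your identity inventory and the actions would be fed to the IdP and session store rather than printed.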
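Two sessions above, the malware-analysis talk (1:15pm, "TTPs aligned with MITRE ATT&CK") and the actionable-intelligence talk (2:40pm, "optimize detection coverage"), both come down to the same question: which techniques in your threat reports does your rule set actually detect? The script below is an added example, not material from either speaker or their products, and uses constructed reports and rules. It assumes a simplified rule record (name, ATT&CK technique tags, enabled flag); the ID convention that a rule tagged with a parent technique also covers its sub-techniques is a modelling choice of this example.

```python
"""Rank ATT&CK coverage gaps: which reported techniques have no enabled detection?"""
from __future__ import annotations

from collections import Counter


def parent(technique: str) -> str:
    """'T1059.001' -> 'T1059'; a parent technique maps to itself."""
    return technique.split(".")[0]


def _tag_covers(tag: str, technique: str) -> bool:
    # A rule tagged with the parent is assumed to cover its sub-techniques,
    # but a sub-technique rule does not cover its parent (example assumption).
    return tag == technique or tag == parent(technique)


def coverage_gaps(reports: dict[str, list[str]], rules: list[dict]) -> dict[str, list[str]]:
    """Split every reported technique into covered / disabled_only / uncovered,
    each list ordered by how many reports cite the technique (most-cited first)."""
    active_tags = {t for r in rules if r["enabled"] for t in r["techniques"]}
    disabled_tags = {t for r in rules if not r["enabled"] for t in r["techniques"]}
    cited = Counter(t for techs in reports.values() for t in set(techs))

    buckets: dict[str, list[str]] = {"covered": [], "disabled_only": [], "uncovered": []}
    for tech in cited:
        if any(_tag_covers(tag, tech) for tag in active_tags):
            buckets["covered"].append(tech)
        elif any(_tag_covers(tag, tech) for tag in disabled_tags):
            buckets["disabled_only"].append(tech)  # cheapest fix: re-enable the rule
        else:
            buckets["uncovered"].append(tech)  # needs new detection engineering
    for lst in buckets.values():
        lst.sort(key=lambda t: (-cited[t], t))
    return buckets


def coverage_ratio(reports: dict[str, list[str]], rules: list[dict]) -> float:
    """Fraction of distinct reported techniques with at least one enabled rule."""
    b = coverage_gaps(reports, rules)
    total = sum(len(v) for v in b.values())
    return len(b["covered"]) / total if total else 1.0


# Constructed sample input: technique lists as a sandbox or CTI feed might emit them.
SAMPLE_REPORTS = {
    "stealer-campaign-A": ["T1566.002", "T1059.001", "T1555.003", "T1539"],
    "ransomware-affiliate-B": ["T1566.002", "T1059.001", "T1486"],
    "phishing-kit-C": ["T1566.002", "T1539"],
}
SAMPLE_RULES = [
    {"name": "Encoded PowerShell command line", "techniques": ["T1059"], "enabled": True},
    {"name": "Browser credential store read", "techniques": ["T1555.003"], "enabled": False},
    {"name": "Shadow copy deletion", "techniques": ["T1490"], "enabled": True},
]

if __name__ == "__main__":
    for bucket, techs in coverage_gaps(SAMPLE_REPORTS, SAMPLE_RULES).items():
        print(f"{bucket:14s} {techs}")
    print(f"coverage: {coverage_ratio(SAMPLE_REPORTS, SAMPLE_RULES):.0%}")
```

On the constructed data, T1059.001 is covered through the parent-technique rule, T1555.003 has only a disabled rule, and the uncovered list comes back ordered T1566.002 (cited by all three reports), T1539, T1486, which is the order a detection-engineering backlog should take. Swap the constructed dictionaries for technique tags pulled from your sandbox reports and rule repository to get the same ranking over real data.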