SIGS 2nd Threat Intelligence Forum

Join us on May 15th, 2024 and earn 4.25 CPEs

(registration will be closed May 14th, 2024)
Meet with and be inspired by like-minded peers who face a similar set of challenges. Share strategies for mitigating the most current information security threats. A friendly, relaxed and professional atmosphere will ensure that you leave this event with a new wealth of trust-based contacts and tangible takeaways. Our goal: bring together what belongs together!


For further planned events please check at https://www.sig-switzerland.ch/upcoming-events/


Looking forward to seeing you there,
your SIGS team



As always: sales people (incl. CEOs and founders), vendors and anyone who just wants to sell their products or services are not allowed to take part in SIGS events.
Location
Hilton Zürich Airport
Hohenbühlstrasse 10
8152 Opfikon-Glattbrugg

DATE & TIME
May 15th, 2024, 1:30 pm - open end incl. dinner
Airport Transfer & Parking
There's a shuttle bus from and to the airport.
Parking lots at the hotel are available for free.

Participation Fee
EUR 60.--

1:00 pm
Registration
1:30 PM
Welcome & short introduction from Mark Beerends, Contributor at SIGS
1:30 PM
Martin Ebner, CISO gov based Agency at Ministry of Defence Austria

Investigations classified "SECRET" on a Threat Intelligence Platform
In most cases the beginning of an internal investigation must be kept under cover, or the information that has to be used is marked as SECRET (internal, national, EU, NATO) or TLP RED (not to share). There is also the risk that an investigation using internet or cloud based services reveals to the attacker that his operation has been uncovered. That gives the attackers time to delete traces and to move the operation to other infrastructure on the net.

Such information therefore cannot be used on internet connected or cloud based platforms. On-prem solutions are not offered by every company on the market. So there is a dilemma between the information needed, secrecy, the ability to investigate on platforms, and what the market provides. It has to be clarified what a solution must look like and which restrictions have to be imposed so that it works well and fulfils all internal, international, EU and NATO standards.

Martin developed a solution for this issue together with an AUT vendor, acting as coordinator of the development and bringing together the different globally operating TI vendors who were willing to participate: first the platform itself, and second the normalisation of the data from the sources. The solution is now in use within the armed forces and is still in an ongoing development cycle.
2:00 PM
Ruxandra-Maria Caba, Sr. Manager Data Science at CrowdStrike

GenAI Warfare: Exploring the Risks of Malicious Use
Progress in AI, particularly in the area of large language models (LLMs), has resulted in powerful and versatile dual-use systems. This intelligence can be put towards a wide variety of beneficial tasks, yet it can also be used to cause harm.

We delve into the dark side of AI, particularly focusing on Generative AI (GenAI), and the threats it poses when used by malicious actors.
2:30 PM
Jordan Summerfield, Director of Intelligence Solutions - EMEA & RoW at Intel 471

Growing Threats of Cybercrime in the Alps
In 2023, the DACH region witnessed an increase in cybercriminal activities. This intelligence briefing offers a comprehensive overview of the evolving threat landscape, underpinned by detailed insights into the modus operandi of ransomware groups, initial access brokers, hacktivists, and the deployment of malware.

A critical component of our analysis is the examination of common Tactics, Techniques, and Procedures (TTPs) observed across these malicious activities. By dissecting the operational patterns of adversaries, we provide an in-depth look at how cybercriminals exploit digital and human vulnerabilities, orchestrate phishing campaigns, leverage exploits, and deploy ransomware for extortion. The presentation also explores how initial access brokers facilitate the commodification of access to compromised systems, further complicating the cyber threat landscape.

The briefing also takes a deep dive into the surge of hacktivism fueled by the Russo-Ukrainian War, marking a significant increase in politically motivated cyber attacks originating from or inspired by the conflict. These hacktivist groups have demonstrated a keen ability to disrupt operations, sow discord, and leverage cyber tactics in support of their ideological aims, posing a unique but distinct threat to the region's cyber and physical security.
3:00 PM
Tom Ueltschi, Senior Security Analyst / APT Hunter at Swiss Post

How creating your own CTI may lead to a cybercriminal's arrest
In this presentation I will share some of my experiences at Swiss Post CERT over the past 15 years. During this time, we continuously reduced the number of security incidents, malware infections and intrusions. By reducing our incident response workload and freeing up resources, I started building up a semi-automated malware analysis pipeline and creating our own CTI by analyzing quarantined email attachments.

In early 2018, I started tracking a threat actor which we internally named "DESKTOP-group". In late 2019, I presented about this TA for the first time at BotConf and started a research group for sharing and collaborating about it. Three years later in November 2022, Group-IB and Orange-CERT-CC, both members of the research group, presented their analysis of the TA under the alias "Opera1er" in a report titled "Playing God without Permission". In some banks from their customer base, the group was able to steal millions of dollars.

Thanks to the cooperation of Group-IB and Orange-CERT-CC with INTERPOL, a key figure of this threat group was arrested in June 2023. Nonetheless, we have still seen attack mails believed to come from this TA since then. It seems that the arrest of a key member of this group did not deter or stop the activities of trying to breach more banks and steal more money. The saga will continue.
3:30 PM
Break 
4:10 PM
Roundtable 1: Coen Bongers, Head IT Security at AMINA Bank AG

Threat Intelligence and Best Practices: Prevent, Detect, and Enrich Security Incidents

In the dynamic landscape of cybersecurity, threat intelligence plays a pivotal role in safeguarding organizations. This roundtable discussion delves into the integration of threat intelligence data with the SIEM/SOAR technology stack in a SOC to identify and mitigate security threats. We explore how threat intelligence informs the SOC incident lifecycle, from Prevent to Detect and Enrich.

Join us to unravel the synergy between threat intelligence and effective incident response, bridging the gap between anticipation and action.


Roundtable 2: Peter Hladky, Founder at cybensis GmbH

Frameworks and Methodologies for Intelligence Production
The main objective of intelligence is to provide actionable information to aid the decision-making process (whether on the strategic, tactical, operational or technical level). Different frameworks and methodologies existed before the dawn of the cyber domain, and due to the growing prevalence of network intrusions within this domain, new ones have come into existence in recent years: Intrusion Kill Chains, MITRE ATT&CK and the Diamond Model, to name a few.

Let us discuss the different frameworks and methodologies for intelligence production, practical experiences with their application, their suitability and their advantages and limitations. This roundtable is aimed at the whole spectrum (strategic, tactical, operational, technical) of practitioners (producers and consumers) involved in the intelligence cycle, with the objective of learning from our unique experiences.


Roundtable 3: Nicolas Krassas, Head of Threat & Vulnerability Management at Henkel

Threat Intelligence, proactive measures and advanced team building
I would like to discuss a different approach to CTI, where instead of only waiting for TI companies to deliver data, one proactively researches, monitors trends, and builds internal teams that can spot threats in the business landscape before they are used by actors.


Roundtable 4: Florian Wüst, Cyber Defense Consultant at Migros-Genossenschafts-Bund

Threat intelligence-driven security (T.I.D.S) in the Trenches: A Roundtable on Lessons Learned and Real-World Impact
Threat intelligence-driven security (T.I.D.S) holds immense potential for proactive defense. This roundtable invites professionals from cyber security teams, CSIRT, threat hunting, SOC operations, and security engineering to share their frontline experiences with implementing T.I.D.S.

We'll dive into:

  • Successes and Triumphs: where has T.I.D.S made a tangible difference in your team's work?
  • Challenges and Roadblocks: what obstacles did you face when integrating T.I.D.S, and how were they overcome?
  • Insights for Practitioners: share your key takeaways for making T.I.D.S work effectively within your domain.
  • Cross-Team Collaboration: how can T.I.D.S improve communication and workflows across security teams?
  • Sharing Best Practices: what strategies have you found successful for disseminating intelligence to relevant stakeholders?

Join this interactive discussion to glean practical insights, learn from your peers, and shape the future of threat intelligence-driven security.
5:00 PM
Change the table for the second round of discussions
6:00 PM
Apéro riche incl. networking and know-how sharing till open end
Contributors & Speakers
Below you will find our contributors and speakers, to whom we say a big thank you!
Mark Beerends
Executive Security Consultant, Prusec
Mark is an active contributor for SIGS. Further information at Mark Beerends | LinkedIn
Coen Bongers
Head of IT Security at AMINA Bank AG
Further information at Coen Bongers | LinkedIn
Ruxandra-Maria Caba
Sr. Manager Data Science at CrowdStrike
Further information at Ruxandra-Maria Caba | LinkedIn
Martin Ebner
CISO gov based Agency at Ministry of Defence Austria
Further information at Peter Hladky | LinkedIn
Peter Hladky
Founder at cybensis GmbH
Further information at Peter Hladky | LinkedIn
Nicolas Krassas
Head of Threat & Vulnerability Management at Henkel
Further information at Nicolas Krassas | LinkedIn & Twitter
Jordan Summerfield
Director of Intelligence Solutions - EMEA & RoW at Intel 471
Further information at Jordan Summerfield | LinkedIn
Tom Ueltschi
Senior Security Analyst / APT Hunter at Swiss Post
Further information at Tom Ueltschi | LinkedIn
Florian Wüst
Cyber Defense Consultant at Migros-Genossenschafts-Bund
Further information at Florian Wüst | LinkedIn
 
Contact Us
If you have any questions or would like information about further events, please do not hesitate to contact us!
We look forward to hosting you!