Agenda | Anomali


Wednesday, September 19

3:00 - 6:00pm    Registration Open    Woodrow Wilson Registration Desk
6:00 - 8:00pm    Welcome Reception    POSE Lounge

Thursday, September 20

8:00 - 8:50am    Breakfast                      Cherry Blossom Ballroom
9:00 - 12:30pm   Keynotes                       Woodrow Wilson Ballroom
12:30 - 2:30pm   Lunch/Turbo Talks              Cherry Blossom Ballroom
12:30 - 5:30pm   Exhibits Open                  Cherry Blossom Ballroom
2:40 - 5:30pm    Technical Breakout Sessions    Annapolis 1-4
7:00 - 11:00pm   Conference Party               Woodrow Wilson Ballroom

Friday, September 21

8:00 - 8:50am    Breakfast                      Cherry Blossom Ballroom
8:00 - 2:00pm    Exhibits Open                  Cherry Blossom Ballroom
9:00 - 12:00pm   Technical Breakout Sessions    Annapolis 1-4, Woodrow Wilson B
12:00 - 2:00pm   Lunch/Turbo Talks              Cherry Blossom Ballroom
2:00 - 4:00pm    Technical Breakout Sessions    Annapolis 1-4, Woodrow Wilson B

Session Schedule

Thursday, September 20

Turbo Talks
1:00 – 1:20pm

Focus Security Where it Matters Most

Enterprises are navigating the perfect storm of digital convergence, struggling to enable digitization across every area of their business while also maintaining a secure environment. The attack surface has expanded, increasing internal/external pressure and security program complexity, while making it nearly impossible to prove return on investment or effectively quantify actual mitigation of risk.

Chris Novak, Global Director Verizon Threat Research Advisory Center – Verizon

Turbo Talks
2:00 – 2:20pm

Know Your Enemy

While cyber incidents and compromises are now regularly making headline news, organizations often focus on stopping malware or minimizing the incident. However, employing research and intelligence resources to better understand who the attacker is and how they operate will allow organizations to better understand their risk.

This discussion will help you understand:

  • The importance of understanding not just the specific attack, but gaining a larger perspective on the attacker performing it.
  • Multiple case studies and the attackers behind attacks that had not just a business or regional implication, but in some cases global impact.

Josh Burgess, Threat Intel SME – Crowdstrike

2:40 – 3:30pm

False Flag Attacks: Blaming the Enemy of My Enemy

A false flag attack is a technique used to shift the blame or to make attribution for an attack harder. The term is derived from pirate ships that flew flags of different countries as a way to conceal their country of origin. Within the last few years, this technique has been used more and more by sophisticated threat actors, which makes attribution and connecting campaigns to a specific group harder. For example, the cyber attack during the Olympic opening ceremony used false flag techniques to shift the attribution to multiple nations. This presentation will take a look at nation-state actors’ use of false flags and why attribution is difficult. Is this a new trend, and what can we learn from it?

Joakim Kennedy, Principal Security Researcher – Anomali
Ryan Robinson, Security Researcher – Anomali 

Protecting the Herd: Why Information Sharing Matters

As cyber threats increase in frequency, scale, sophistication, and severity of impact, the sharing of cyber threat information within and across industry verticals plays a significant role in tackling the most relevant threats confronting businesses of all sizes. To increase situational awareness and facilitate better information risk decision making, sector-based Information Sharing and Analysis Centers (ISACs) leverage Anomali's ThreatStream to identify, assess, monitor, and respond to cyber attacks targeting their industry. Recognizing the need to optimize information sharing exchanges, the Anomali Threat Analysis Center (A-TAC) partners with ISACs and their members to enhance automated machine sharing, deliver structured human sharing, facilitate ad-hoc collaborations, and offer mediated translations. This gives the A-TAC a unique perspective on industry-related threats and attack trends, which in turn empowers ISACs and their members with the key insights and tools necessary for improving their overall security posture.

Roberto Sanchez, Director Threat & Information Analysis – Anomali

Case Study: A bank ATM “cash-out” scheme deconstructed

FIN7 and other cybercrime groups often target bank ATM networks with meticulous planning, reconnaissance and highly coordinated execution. The challenge for security professionals is to recognize the signs of malicious activity and respond in time to prevent serious damage and fraud losses. Visa will walk through a recent case involving a global ATM network compromise and deconstruct every phase of the attack that resulted in criminals siphoning millions from ATMs around the world in a matter of hours. Learn how Visa is working to proactively defend against one of the most damaging and financially destructive cyberattacks, and how to apply the same approach in your own environment to prepare for and defend against these threats. You will hear real-world examples of how others have successfully detected and disrupted ATM cash-out and other types of cyberattacks using threat intelligence Visa has amassed over several years of observing criminal activity in the payment ecosystem.

Glen Jones, Risk Products – Visa

Behind the Next Destructive Attack - Threat Intelligence Briefing

Board of directors' and C-level executives' concerns about cyber attacks consistently reflect the need for resiliency: can you defend against the next attack like NotPetya? Do you know which threat actors target your industry? What is your plan for crisis response when an attack occurs or after a breach? Gain valuable insight into topics ranging from nation-state adversaries and the tools, tactics and procedures (TTPs) they are employing to the prevailing attack trends and how they may affect your organizational security in 2018.

Adam Meyers, Vice President, Intelligence - Crowdstrike

3:40 – 4:30pm

Tagging and Bagging: Management of IOCs at Scale

You have thousands of IOCs you can now consume. But how? How do you determine what qualifies as a 'good' IOC beyond the traditional filter-based bar of acceptance? How do you track which IOCs are being processed by different data lakes in your environment? How can you tell at a glance which IOCs have generated alerts/action? And what do you do once they do? Our company sought to answer all these questions and with the help of internal firm teams and the staff at Anomali, we may have actually figured it out.

In this presentation, we introduce a process pipeline for automation and granular control of IOCs based on their mutable features and REST automation. These processes and tooling allow our analysts to spend more time performing analysis while giving them highly tuned control over the threat intelligence being automatically applied to internal firm data sets.

Stephanie Copley, VP Threat Intelligence – Morgan Stanley

Getting the Most from Your Threat Intelligence

Many organizations complain that they are in an ongoing battle with threat intelligence overload. The common problem is that they have so much information from various threat feeds. The intelligence in these feeds can be very valuable to the organization but combing through the vast amounts of often redundant data can leave the organization in the same spot as before they started moving into the threat intelligence arena.

Our focus will be to inform you on how to start developing a consistent set of curated intelligence. This intelligence will be ingested and utilized by all perimeter and internal toolsets. Trending and tracking the TTPs, IOCs, and APTs will help you effectively develop strategic and tactical threat intelligence programs. This will help you combat active threats against your organization and also allow you to paint a picture for the C-suite and board.

Jeff Spaeth, Director Cyber Risk – Grant Thornton

Cyber Espionage Targeting of Maritime & Academic Institutions

This presentation will address alleged Chinese cyber espionage activity targeting US-based maritime and academic institutions dating back to 2013. An emphasis will be placed on discussing the group's motivation, targeting requirements, TTPs, and possible linkage to the PLA Navy.

Matthew Brady, Associate Security Manager, Cyber Espionage – Accenture

Threat Intelligence Collaboration - An African Perspective

Defending against cyber adversaries has become a team sport, with the need for strong trust relationships and collaboration initiatives at the forefront. This was put to the test when two African banks worked together to stop a cyber crime actor dead in its tracks during an active cash-out operation. This is the story of how detection, incident response, threat intelligence and forensic investigations seamlessly worked together to stop the bad guys from getting to the gold.

Andrew de Lange, Solutions Consultant – Anomali

4:40 – 5:30pm

Connecting the Dots with Anomali ThreatStream, MHN and the Cyber Kill Chain

APT (Advanced Persistent Threat): targeted, continuous in frequency, and carried out by a person with intent and capability.

In this talk, we will show how security teams can leverage the Cyber Kill Chain methodology to detect motivated attackers (APTs), apply context from the Modern Honey Network and use Anomali to correlate, identify and understand motivated and targeted attacks against their organization. Ultimately, this solution architecture supports the operationalization of relevant threat intelligence utilizing existing security infrastructure.

Dave Empringham, Principal Security Engineer – Anomali

Practical Threat Intelligence Use Cases

A session on practical Threat Intelligence use cases:

  • Historic search of Tor nodes and lessons learned from Black Energy and Sandworm
  • How to mitigate the impact of ghosts with IOCs: Spectre & Meltdown example
  • Catching the StealthPhish by linking datasets with ThreatStream
  • Real-time threat-busting with IOC enriched data and the ELK stack
  • Lock n’ load the proton guns with Sigma rules for better threat hunting

Andrii Bezverkhyi, CEO – Soc Prime

To Catch a Scammer: Exposing a Scammer’s Digital Web with Passive DNS

Cybercriminals often create complex infrastructures to conduct and conceal their counterfeit and other malicious activities. In this presentation, “To Catch a Scammer: Exposing a Scammer’s Digital Web with Passive DNS,” Farsight Security CTO Ben April will provide real-world examples, such as online counterfeit prescription drug scams, that illustrate how bad guys rely on DNS to build and keep their infrastructures, hopping from IP to IP as they get kicked off one hosting provider after another. He will also show how these criminals can redirect digital detectives to avoid detection. Mr. April will also demonstrate how security analysts can use passive DNS to successfully track these malicious actors, and recommend policies and techniques to prevent harm to their brands.

Ben April, CTO – Farsight Security

Domain Abuse Detection: Are You Really Making Full Use of Your DMARC Policies?

DMARC (Domain-based Message Authentication, Reporting & Conformance) is the latest and greatest advance in email authentication. It rides over two standards known as SPF and DKIM. Having a strict DMARC policy helps an organization to safeguard their customers from phishing/spamming attacks and to protect the reputation of their brand. Many organizations have implemented DMARC policy but are not aware of what to do next.

But are we aware of the mass email phishing attempts abusing our domain? This is a very important activity, as it allows us to report the abusing domain/IP and take suitable action. Most organizations outsource this activity, which incurs a substantial cost. This capability can be developed in-house. In my presentation, I will discuss integrating DMARC reporting with a SIEM (Security Information and Event Management) solution. I will explain how to configure domain abuse alerts by automating the monitoring of DMARC reports.

Sabyasachi Samanta, Senior Analyst Information Security – Al Masraf

Friday, September 21

9:10 – 10:00am

Account Takeover and Credential Stuffing: What’s Yours, is Mine

Account takeover (ATO) attacks use previously compromised credential pairs to automate login attempts. Also known as “identity testing” or “credential stuffing”, these attacks use data that may have been procured from paste sites like Pastebin, or directly by the attackers themselves in previous operations.

With the wide range of attack tools and stolen credentials available within the Deep and Dark Web, account takeover is on the rise, and actors of all sophistication levels can start their own ATO campaigns. This presentation will cover:

  • What is Account Takeover (ATO)?
  • Different methods of ATO
  • Overview of threat actors associated with these types of attacks
  • Demo of credential stuffing attack from attacker and defender sides

David Shear, Intelligence Analyst – Flashpoint

Threat Intelligence Metrics? Yes, and They are Pretty Darn Useful

How do you show security and threat intelligence value from a business resiliency and profitability perspective? The elusive Security Return on Investment is a struggle that most Cyber Threat Intelligence (CTI) teams pursue while simultaneously defending against being viewed as a cost center. Depending on the maturity of the CTI function in an organization, it can provide tactical, operational and even strategic intelligence to enhance and inform security decisions. These outcomes are often seen solely in operational terms and not in monetary cost saved or avoided. In this presentation, we will provide a construct for moving beyond counting “beans” toward value-driven CTI metrics: those mapped to and in support of business profitability.

Mike Anderson, VP Partnerships – Intel 471
Travis Farral, Director Security Strategy – Anomali

Penny Pinching: How to Build a Threat Intel Program on a Budget

There is no map for the journey to building a mature threat intelligence program that effectively reduces risks to an organization. Many organizations believe a mature threat intel program is out of reach. We are here to debunk the myths that hinder many organizations from managing and reducing organizational risk.

  • Threat Intelligence programs are too expensive
  • Threat Intelligence is just a bunch of feeds to block at my firewall
  • Building a Threat Intelligence program requires ex-military knowledge
  • Only large organizations benefit from a Threat Intelligence program

Greg Mathes, Cyber Security Analyst – Arvest Bank

What to do When your Treadmill Runs Without You

The world is full of things: we have things in our pockets, things that protect our homes, things that help us get fit, and things that keep our lights on. Most, if not all, of these things have some form of internet connectivity. The need to keep everything connected is growing at an alarming rate. Unfortunately, many of these devices are one-and-done firmware/software downloads. So how do we protect all these devices sharing our innermost secrets, like how many days it’s been since I last stepped on the treadmill? In this talk we will discuss and demonstrate the challenges of monitoring the Internet of Things (IoT). We will also cover how retrospective analysis, coupled with Anomali's Advance Threat Matching, can save you from leaking your last meal eaten, and protect you from the next power outage.

Nicholas Hayden, Director Threat Intelligence – Anomali

Every Contact Leaves a Trace

Using the right data sets (network, endpoint, email) together with Anomali can help you find the traces that someone is, or has been, in your environment. Locard’s Exchange Principle states that "with contact between two items, there will be an exchange." For example, burglars will leave traces of their presence behind and will also take traces with them.

Colin Gibbens, Director Product Management – Symantec

10:10 – 11:00am

Building a Security Response Hot Rod with Threat Intelligence

Everyone talks about automation and orchestration. How meaningful or effective these technologies are depends ultimately on how much efficiency they truly add to defensive operations. In this talk, we will discuss ways to use existing tools in a typical environment to add meaningful efficiency to handling observed events. We will describe how to identify high-fidelity events from existing tools, add available context from other tools and data, and apply specific responses where possible, thereby improving efficiency in daily operations.

Travis Farral, Director Security Strategy – Anomali
John Kitchen, Security Engineer – Anomali

Behind the Scenes: Stopping 100 Million Threats a Day with Cloud Threat Intelligence

The cloud and mobility are challenging how enterprises control risk and neutralize emerging threats. As users and apps leave the network for the cloud, traditional security appliances and their threat visibility remain left behind in the data center. Cloud-delivered security has proven not just to align seamlessly with enterprise network transformation, but also to manage the threat intelligence challenge better. Join this session to get insights into how the Zscaler Cloud Security platform can stop emerging threats within seconds and protect enterprises from over 100 million threats per day. Hear how global enterprises rely on the Zscaler and Anomali threat intelligence integration to effectively manage today’s threat landscape and mitigate risk better.

Deepen Desai, Vice President, Intelligence – Zscaler

ISACs: Individual Commitment to a Group’s Security Efforts

As the world becomes more digitally connected and cyber attacks increase in both volume and sophistication, companies are faced with threats that have outpaced their ability to analyze and protect their networks. The sector-specific Information Sharing and Analysis Centers, or ISACs, aim to build shared situational awareness and a heightened understanding of the threat landscape to help their members improve their decision-making process. This panel of sector-specific experts will identify their sectors' top cyber security challenges and opportunities, and how collaboration amongst ISAC members has reduced uncertainty and strengthened the collective's security posture. They will cover topics including sector-specific threats, strategies for establishing trust and building confidence amongst ISAC members, and the vital role ISACs play in improving the overall security of the community.

Josh Singletary, CIO – NH-ISAC
Andrew Zambrano, Security Analyst – EnergySec
Stacy Moore – NCFTA
Freisi Alfonseca – MS-ISAC
Ken Towne – GRF

The Intersection of Threat Intelligence and Business Objectives

Intelligence exists as a supporting function. It always has a purpose – to inform decision making and drive action. In the government this is inherently understood and the value of intelligence is easy to derive. However, businesses often struggle to determine the value of their threat intelligence team/organization/processes/tools. The terminology of Threat Intelligence (TI) is usually not compatible with the business lexicon, leading to misunderstanding of the purpose and value of threat intelligence.

There are a few ways to address this, and our presentation will look in depth at one specific method that helps TI teams convey their value to the business by linking the TI program to macro level business objectives.

Justin Swisher, Security Solutions Manager – Anomali
Travis Farral, Director Security Strategy – Anomali

11:10 – 12:00pm

Your CTI Looks Unwell. What Are You Feeding It?

This talk will focus on what you are feeding your Cyber Threat Intelligence platforms, the value of threat feeds to your business, finding the right feeds for you, and where to get additional IOCs of value for your organization. Not all threat feeds are created equal, and they vary greatly between vendors, so how do you choose the feed(s) that will provide the best value for your organization, whether you are looking at open-source or commercial feeds? I will also discuss additional sources of IOCs to feed your CTI program, where to find them, and how to share your intelligence with others. The goal of this session is to arm you with the knowledge to select meaningful and relevant intelligence sources for your organization and help you fortify your security posture via Cyber Threat Intelligence.

Jeff Weaver, Senior Security Engineer – Frontier Airli

T-Talk: Tactics to Transform Thinking Through Tabulating Types and Tags

While indicators help us understand threats to an enterprise, insufficient knowledge of how the indicators are grouped can cause confusion and reduce analyst productivity. Misconceptions exist due to an unclear understanding of what differentiates indicator groupings like the Advanced-Persistent-Threat.

This data-driven talk will focus on comparing indicator groups, based on enrichment data and actor tactics. From these observations, we identify situations when threat intelligence producers confuse threat groups. Some threat groups are easily confused based on enrichment data such as exploit, malware and phishing domains. Other threat types are not confused with other malicious threat groups such as spam domains. Disambiguating indicator groups and understanding indicator group characteristics can enable more rapid triage and better distinguish adversary patterns in threat intelligence.

Evan Wright, Principal Data Scientist – Anomali

The Weakest Link

In the world of false flag operations, determining how to defend against modern advanced attacks at all levels of your enterprise is very similar to how football teams counter offensive measures from various schemes and styles in high-pressure games. As in the modern football landscape, cyber security defense methodologies and enterprise solutions are mainly in a reactive mode and usually several steps behind adversaries who are constantly on the offensive, targeting and taking advantage of the weakest link in an organization's security layers: the user. Research is presenting vast amounts of attribution for indicators of compromise leveraging phishing attacks, social engineering, stolen credentials, and various tactics that leave an organization defenseless. In this discussion, we talk about how users who are highly targeted can arm themselves with proactive detection insight into malicious activity, conduct advanced forensics, adapt and pivot to associated threats based on incident response, and facilitate offensive threat hunting.

Kris Palmer, Principal Security Engineer – Anomali

Cyber Insurance: What It Is and Why It Matters

Cybersecurity is commonly described as a technology problem. But in isolation, this can lead to a company focusing narrowly on the technology budget rather than thinking holistically about the risks posed by cyber threats and strategies to mitigate those risks. These topics – risk mitigation and risk reduction – are foundational to another industry: insurance.

While insurance may seem completely unrelated to cybersecurity, it is in fact playing an increasingly important role in how companies manage cyber risk.

This presentation will introduce cyber insurance – how it works, and why it should become part of your company’s toolkit. We will discuss insurance concepts that can help improve your understanding of risk and improve your communications about cyber risk with stakeholders across the enterprise.

Jonathan Laux, Cyber Analytics – Aon Benfield

GDPR Challenges for Threat Intelligence

On the 25th of May 2018, the EU introduced new legislation: GDPR. The General Data Protection Regulation strengthens and unifies existing data protection rules for individuals within the EU and addresses the export of that data outside of the EU. It applies to all organizations that do business in the EU and affects the gathering of threat intelligence, cyber research and attribution in ways that we as cyber security professionals may not have considered.

In this talk I will cover:

  • Background to GDPR
  • Sanctions for non-compliance
  • Definition of PII, including ‘does this include IP addresses’?
  • The ‘right to be forgotten’
  • What is a ‘legitimate interest’?
  • How GDPR is causing major changes for domain registrars and how we use WHOIS
  • Law enforcement agencies (LEA)
  • When does attribution clash with GDPR?

Niall MacLeod, Director of Solutions Engineering – Anomali

Turbo Talks
12:30 – 12:50pm

Operationalizing iDefense Threat Intelligence in ThreatStream

Learn how to operationalize threat intelligence in Anomali ThreatStream from Kyle Maxwell, iDefense, and Harrison Parker, Anomali. Kyle and Harrison will discuss security operations, incident response, threat hunting and other threat intelligence driven use cases in ThreatStream utilizing iDefense threat intelligence.

Kyle Maxwell, Product Manager – Accenture iDefense
Harrison Parker, Global Alliance Architect – Anomali

Turbo Talks
1:00 – 1:20pm

Threat Intel at Scale

This talk will go over how we decided to implement Anomali's threat intel platform in an environment with dozens of customers with different requirements. Topics include deploying threat data, managing trusted circles, building custom content in Splunk and implementing filters for customer specific needs.

Patrick Orzechowski, VP Research & Development – Guidepoint

Turbo Talks
1:30 – 1:50pm

A Spy in the Enemy Camp – What do Cybercriminals Have on You?

Cybercrime – just like cybersecurity – is an industry with its own models for collaboration. There are services for hire, marketplaces, resource centres and information exchanges on the open and dark web, where cybercriminals have a space to be agile and creative. In these spaces, they are cooking up all sorts of new tactics, techniques and procedures to target enterprises, governments and individuals. And often, by the time the good guys have caught up with these TTPs, it is too late – they have already been impacted financially or reputationally.

Keeping your infrastructure, digital assets, credentials and other critical data secure is one of the most important tasks a modern company must deal with. With the dizzying pace of innovation in the cybercriminal world, it is no longer enough to simply protect your perimeter and manage threats as they turn into incidents. Real-time, relevant and actionable threat intelligence is like putting a spy in the enemy’s camp, gathering and feeding back information to build stronger defenses around the enterprise. This much-needed layer of deep defense helps security teams manage the sheer volume of threats and address the lack of resources by providing only useful and targeted data.

Better understanding what cybercriminals have on you forces you to put in place appropriate defense measures to minimize your attack surface. When protecting yourself, gathering intelligence about your attacker is not only useful, but common sense. If there are tools available to help, why wouldn’t you use them?

Patryk Pilar, Head of Sales Engineering – Blueliv

2:10 – 3:00pm

The Art of Deception

Honeypots, honeynets, honeytokens, honey …

It's very likely you've heard of honeypots, but unlikely you've considered deploying them in your environment for a number of reasons. This session will change everything. I'll walk you through a brief history of cyber deception and show how you can turn simple deception campaigns into valuable threat intelligence.

David Greenwood, Senior Product Manager – Anomali

The Juice Is Worth the Squeeze: Building Trust to Support Information Sharing *and* Security

Information sharing is intended to be bidirectional, but too often, users only passively consume information rather than actively creating intel for the broader community. The reason for withholding beneficial, timely, and relevant information boils down to distrust. While distrust is practically a job requirement for security professionals, businesses in the sharing economy have figured out how to create infrastructures that allow strangers to trust each other to exchange goods and services to the benefit of all involved. This talk will examine information sharing in the context of the sharing economy and the greater cultural shift happening around social trust, and will argue that the benefits of bidirectional information sharing far exceed the perceived risk.

Katie Kolon, Technical Account Manager – Anomali

CVE Correlation to Threat Intel CVEs

This session covers the advantages and challenges of correlating Common Vulnerabilities and Exposures (CVE) identifiers with corresponding intelligence sources. The presentation covers various existing CVE intelligence sources such as CVSS, threat intelligence, patch management, intrusion detection, and many more. The session then covers various security integrations, such as Vulnerability Management with Patch Management, Vulnerability Management with Threat Intelligence systems, and others, which employ CVE correlation to their various intelligence sources, as well as the interesting security use cases these integrations achieve. The session then covers possible future CVE intelligence sources which do not currently exist but which are required in order to achieve certain interesting integrations.

Gordon MacKay, EVP/CTO – Digital Defense

The Rise of Malicious Mining for Cryptocurrency

This session will cover the basic building blocks of cryptocurrency, how mining works, and why cryptomining is profitable. I will discuss why threat actors are moving to include cryptominers in malware instead of one-and-done payloads like ransomware. We will show how to mitigate mining so you can better protect yourself from these types of threats.

Brady Sullivan, Solutions Engineer – Anomali

Go Hack Yourself: Moving Beyond Assumption-Based Security

You have many security products, probably too many. But you are still not secure because it’s nearly impossible to know if your security products are actually doing what you want. Through live network and endpoint attack demonstrations, see how to use attack behaviors with Bartalex, Vawtrak, Mimikatz, PowerShell, Tunneling and others to validate your actual security products are working. See startling statistics, based on real-life case studies, that illustrate how ineffective many organizations, some with massive security budgets and teams, actually are because of a lack of validation. See how you can turn these attacks into an opportunity to instrument more effective security.

Brian Contos, CISO – Verodin

3:10 – 4:00pm

Fog of War: Situational Awareness Through Threat Intelligence

There is a significant number of threats that organizations face today and will face in the future. The ability to understand what threats we will face is invaluable. The Fog of War pertains to not having a clear picture of the battlefield: imperfect situational awareness. Increasing visibility, or put plainly, situational awareness, is a goal all organizations should have. This talk will discuss how to build a successful threat intelligence program with a mix of people, process and, of course, technology. The session will wrap up with how people can leverage Anomali products to give their organizations improved situational awareness.

Brian Roy, Senior Solutions Engineer – Anomali

The Intelligence Driven Response Process

Many people are taking advantage of threat intelligence today to help generate alerts, but may not have the processes in place to know how it benefits the IR process. This talk will provide education and strategies on how users can apply threat intelligence to drive incident response processes in their own environment. By leveraging the Intelligence Cycle, organizations can implement an effective use of intelligence capabilities. The use of F3EAD and OODA can allow your organization to support incident response and make quick decisions to mitigate risks.

Teddy Powers, Senior Solutions Engineer – Anomali

Accelerating Your Integrations

The biggest value of threat intelligence is the ability to operationalize it in your network to detect and prevent the most serious threats. Most organizations use a base-level filter when they begin integrating threat intelligence with their infrastructure. Over time, they begin to identify what constitutes a priority. Often, this varies across the security devices on their network. ThreatStream offers over 30 different fields that organizations can use to filter intelligence down to what is most relevant for their organization. This talk will cover a process that organizations can use to identify the right filter, one that accounts for your industry vertical, the types of log sources and integrations on your network, and how you use them.

Jill Cagliostro, Sr. Manager Customer Operations – Anomali

Exploit Kits are dead! Long Live Exploit Kits!

The “cyber threat” has garnered national attention and the world is mobilizing to respond. Traditionally, intelligence, law enforcement and the military have been marshaled to respond to security threats. But the cyber domain is unlike any other threat we have ever faced. Whereas every other threat to national security, from natural disasters to terrorist attacks, is bounded by the physical world, cyber threats are bounded by technology and exist in a virtual world. To combat this threat, we need to situate the response in the proper place in our organizations – the technology shop, home to computer engineers, not cops, warfighters and spies – and ensure that responders, policy makers and operators have the right kinds of skills to both understand and combat the problem.

Paul Sheck, Senior Threat Research Analyst – Anomali

International Domain Names and Homograph Detection

An overview of International Domain Names and homograph detection.

Today I will be discussing the IDN standards that have been created, some details and examples about how it works, and finally the work we have done recently in detecting Unicode homographs.

There have been two major standards developed by the Unicode Consortium to address the need/desire to have domain names available in non-Latin languages/character sets. These standards are IDNA2003 and IDNA2008. Most of this discussion will focus on IDNA2008, as this is the standard that most registrars are using, and it offers a much larger set of display characters that could be used inappropriately. Finally, I will discuss some of the work done internally at Anomali to ensure that we can detect homograph registrations within our DNS data.

Jim Goddard, Threat Intelligence Analyst – Anomali
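As an added example that is not part of the conference abstract or of Anomali's own tooling, the following Python script shows one way to flag the kind of homograph registrations the talk describes: it decodes punycode labels, checks each label for mixed scripts, and compares a confusable-folded "skeleton" of the domain against a watchlist of brand domains. It uses only the standard library (whose idna codec implements IDNA2003, not IDNA2008); the watchlist, the confusables subset and the sample domains are constructed here for illustration.

```python
import unicodedata

# Constructed watchlist: domains we want to protect against lookalike registrations.
WATCHLIST = {"apple.com", "cisco.com", "paypal.com"}

# Hand-picked subset of Unicode TR39 confusables: non-Latin letters that render
# like Latin ones in common fonts. The real table is far larger; this subset is
# an assumption made for the example, not a complete list.
CONFUSABLES = {
    "\u0430": "a", "\u0441": "c", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u0455": "s", "\u0458": "j",
    "\u04bb": "h", "\u04cf": "l", "\u0501": "d",                 # Cyrillic
    "\u03b1": "a", "\u03bf": "o", "\u03c1": "p", "\u03bd": "v",  # Greek
}


def script_of(ch: str):
    """Heuristic script name for a letter ("LATIN", "CYRILLIC", "GREEK", ...).

    Uses the first word of the Unicode character name because the stdlib does
    not expose the Script property. Digits, hyphens and marks return None.
    """
    if not ch.isalpha():
        return None
    return unicodedata.name(ch, "UNKNOWN").split(" ")[0]


def decode_label(label: str) -> str:
    """Turn an A-label (xn--...) into its U-label; pass plain labels through.

    The stdlib idna codec is IDNA2003 (nameprep); the third-party 'idna'
    package would be needed for IDNA2008 rules. A label that fails to
    round-trip raises UnicodeError, which the caller reports as an error.
    """
    if label.startswith("xn--"):
        return label.encode("ascii").decode("idna")
    return label


def skeleton(label: str) -> str:
    """Fold a label to the Latin string it visually imitates.

    Confusable letters map to their Latin lookalikes, then diacritics are
    stripped via NFKD decomposition so that e.g. "ü" folds to "u".
    """
    out = []
    for ch in label:
        for base in unicodedata.normalize("NFKD", CONFUSABLES.get(ch, ch)):
            if unicodedata.combining(base):
                continue  # drop combining marks (accents, diaereses, ...)
            out.append(CONFUSABLES.get(base, base))
    return "".join(out)


def analyze_domain(domain: str, watchlist=WATCHLIST) -> dict:
    """Return homograph indicators for one domain name."""
    labels = domain.lower().rstrip(".").split(".")
    try:
        decoded = [decode_label(lab) for lab in labels]
    except UnicodeError as exc:
        return {"domain": domain, "error": f"bad punycode: {exc}"}
    unicode_form = ".".join(decoded)
    scripts = [sorted({s for s in map(script_of, lab) if s}) for lab in decoded]
    skel = ".".join(skeleton(lab) for lab in decoded)
    return {
        "domain": domain,
        "unicode": unicode_form,
        "scripts": scripts,
        # Mixed scripts inside one label is the classic homograph signal ...
        "mixed_script": any(len(s) > 1 for s in scripts),
        # ... but whole-script spoofs (all-Cyrillic "cisco") need the skeleton check.
        "impersonates": skel if skel in watchlist and skel != unicode_form else None,
    }


if __name__ == "__main__":
    # Constructed samples: a mixed-script label, a whole-script Cyrillic spoof
    # (built from escapes and encoded here rather than hand-typed as punycode),
    # an accented but honest IDN, and a plain ASCII domain.
    samples = [
        "xn--pple-43d.com",  # Cyrillic "а" followed by Latin "pple"
        "\u0441\u0456\u0455\u0441\u043e.com".encode("idna").decode("ascii"),
        "b\u00fccher.example",
        "example.com",
    ]
    for d in samples:
        print(analyze_domain(d))
```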