Here’s my 4 key takeaways from FIRST CTI 2024

First, pun intended, did anyone notice that FIRST quietly upgraded this event from a symposium to an actual conference? This is quite remarkable: this ‘right’ was previously reserved for the big event. I have not read any official wording, but I interpret this as a sign that FIRST is doubling down on its ambition to make this one of the leading cyber threat intelligence events globally.

Big crowds! Probably well over 300 attendees.

Personally, I believe this event is already a leading CTI event. What makes this conference different from the others is its emphasis on technical research and implementations (notably in the IR domain, because FIRST), rather than wider topics like people and process. I do feel that the latter are underrepresented topics at conferences in general. This could just be bias from the program committee; I am merely highlighting subtle differences in approach when compared to other conferences like SANS CTI.

Regardless, the program committee managed to build a balanced and current program that I personally feel addresses the current state and needs of the industry. Plus, an amazing social gathering of CTI experience and talent.

Let’s dive into it!


1. The CTI function versus the CTI mindset

Over the past 24 months, I’ve noticed a shift in the winds of CTI. The economic climate and current events have dampened budgets, resulting in hiring freezes and slower advisory and technology acquisitions, and subsequently forcing teams to do more with less. Teams struggle with this new status quo. Going a step further, teams are asked to provide and prove more value. For example, interest in my CTI metrics research has never been higher.

While this situation showcases a profound misunderstanding of the application and use of CTI, there is something deeper happening: not all organizations benefit from building a CTI function, however ALL organizations benefit from a CTI perspective or mindset to inform their specific decision-making process.

Turns out I was not the only one noticing this.

  • Joe Slowik published an excellent article on exactly this which I consider post-event recommended reading for everyone: https://pylos.co/2024/04/17/the-cti-mindset-the-cti-function/. He also alluded to this in his talk on the ‘defender’s dilemma’, which was a balanced and subtle take on the debate about when and how to release details on active campaigns or offensive security research to aid defenders. Oh, Joe, in the previous paragraph I stole one of your lines because it was just too damn good not to mention it directly. <3
  • Asger Deleuran Strunk and David Rüfenacht presented on intelligence-driven incident response, highlighting the collaboration between their CSIRT and CTI teams. They zoomed in on the symbiosis between IR teams and CTI, stressing that cross-collaboration is crucial for success.
  • Various AI talks emphasized cool use cases; however, further exploration should double down on establishing supporting elements that explicitly take repetitive decision-support tasks off a practitioner’s plate and support a CTI professional’s role in spreading the CTI mindset across the organization, for example by saving human creativity for complex stakeholder engagement. Time will tell.
  • Sherman Chu and I also extensively addressed this situation in our talk on ‘Using Attack Trees’. Our point was that it is not so much about using the concept of attack trees, but about applying your CTI tradecraft to support the decision-making process of any practitioner - SOC analyst or business executive.

I want to reiterate that this situation is not something you can capture in a few bullets. This is, at the risk of poor paraphrasing, about CTI effectiveness versus efficiency. For proper nuance, I recommend reading Joe’s article.

This is truly an inflection point and CTI practitioners need to proactively adapt to remain relevant. This is not just for CTI, by the way; I notice similar trends in other niche functions, for example threat hunting, red teaming and detection engineering.

All I’m saying is this: this is the most important area for any CTI practitioner in 2024.


2. CTI function’s effectiveness versus efficiency

I noted that most of the research practitioners put forward emphasized efficiency gains over actual effectiveness. I always find it interesting to observe how people differentiate between the two.

On effectiveness:

  • Sławek Kiraga, who built a tailored cyber threat intelligence maturity model for his employer, sharing some vital lessons learned from his journey. I always find this topic very interesting, so I followed this talk with much interest.
  • E. Eyo, who shared her approach to cyber threat management. Her talk was the first that explicitly talked about supporting ‘business’. This is crucial, see key takeaway #1.

On efficiency:

  • Aaron Kaplan, Paolo Di Prodi and Syra Marshall on their initial findings on creating a CTI benchmark dataset for machine learning. Very fascinating research.
  • Cheng-Lin Y. and KuanLun Liao on leveraging GenAI applications for CTI. I also thought that this talk included some good introductory details for new players in this field.
  • Enrico L. on how he and his team have managed their technical implementation of MISP over the years, highlighting the lessons learned. Great energy!


3. It’s never been this easy to get started in CTI

On the effectiveness front, there is a silver lining. Various talks at the conference were geared towards teams or individuals starting in the industry. When you are in the audience, you sometimes hear people complain about exactly this kind of content. Not surprisingly, some practitioners consider themselves beacons of wisdom who know everything; the reality, however, is that there are still new folks joining the community every single day. I’m here to welcome their new insights.

If you are new to the community, here’s a few talks I recommend watching once the videos are published:

  • Josh D. on how you can start using priority intelligence requirements on a budget.
  • Pratik M. on extensively breaking down the concept of attribution and how you can leverage it using artifact metadata.
  • Hsiang Yu Cheng and SYUE-SIANG SU, providing a meaningful breakdown of CTI sourcing and how it can be influenced. More notably, giving a good introductory breakdown of the different elements involved.
  • Antoine K. & LE JAMTEL Emilien, sharing the routine of their day job.

If you are new to this field and there is something you would like to see more of, let me know!


4. The prevalence and relevance of hands-on workshops

Beyond the getting-started materials, workshops by practitioners, for practitioners, are a signature of this conference.

Ever since we got the green light to start traveling again after COVID, I have found these to be highly valuable, especially because you can talk directly to some of the very smart folks behind them:

  • Michael DeBolt and Freddy M. on how to create an intelligence plan, leveraging all the amazing work their teams have done over the years around the GIRH.

In 2021, together with my team, I created a ‘Build Your Own Threat Landscape’ workshop, and this year we ran the third iteration. The interest and positive feedback have been overwhelming. We had a significant number of people (almost 100) attending the workshop. Just amazing. The workshop also includes a capstone exercise, and below you see some examples of what teams constructed:

  • Creative delivery: writing a briefing and ingesting it into a Star Wars writer!
  • Designing your threat landscape to be highly visual, infographic styled
  • Leveraging GenAI, pros and cons

Thank you for the great participation and feedback, José Manuel Monroy Díaz, Josh Darby MacLellan, CISSP, CCSP & Ippolito Forni!

I was looking to battle Alexandre, Michael and Freddy to create the longest-running successful workshop; but I'm afraid that due to the well-deserved success of MISP in recent years, Alexandre is already way ahead of us.

All-round great research & honorable mentions

I’ve met so many new and cool individuals and viewed various interesting talks. I always come away with the realization that some of the most knowledgeable folks in the room might never present at conferences. Imposter syndrome is real. However, sharing is caring. When you have the opportunity to talk about your current research, I recommend taking it. What you will find is that you might be working on something that folks never thought of!

Here are the folks who just put their research out there, deserving an honorable mention:

  • Jose Luis S. on how he is tracking specific actors by their usage of technical artifacts - in this case the images they used in their phishing emails. Very cool stuff.
  • Pasquale Digregorio on their ongoing research into CTI-specific service architectures.
  • Kamil Bojarski, on exploring technical infrastructure tracking. Pivot!
  • Yury Sergeev, on his ongoing research into feeding threat reports back to the machine; what worked well and what didn’t.
  • Philippe Lin, Erick Thek and Vladimir Kropotov on their technical and non-technical CTI research.
  • Andy G. and Frédéric Baguelin on their research into automation & vulnerability management, showcasing a simple yet effective way of approaching this topic.

If you ever want to present at this conference and have no clue where to start, just reach out to me. Happy to help you get on your way.

Final thanks to the FIRST team (Grace Staley, Traci Wei, Dana Jacobucci and all others), program committee (Patrick Grau, Thomas Schreck, Hendrik Adrian, Alexander Jäger, Enrico L., Terry MacDonald, Tobias Mainka, Ryusuke Masuoka, PhD, CISSP, Vasileios Mavroeidis, Andreas Muehlemann & Andreas Sfakianakis) and to the sponsors (Intel 471, Silobreaker, EclecticIQ, CrowdSec, ThreatConnect, Tines, Silent Push, VMRay, HiSolutions, Siemens & QuoIntelligence)!


Wrapping up

The social aspect of conferences remains unrivaled. I genuinely love the interaction and relationship-building parts. That said, I was pretty drained when I got back home. Not sure if it was the travel or just the social efforts. Regardless, I had a great time. Until next time!

Cheers!

GJ

PS. If you like this article, then you’ll love the curated threat scenario repository we have at Venation. It’s basically our system that allows teams to create narratives around cyber threats from A to Z.

Together with my Venation team we curate and customize these scenarios for teams, train & educate teams, and we support the implementation of this thinking within the existing CTI & cyber security program.

Check out more information via www.venation.digital.

#CTI #FIRST #Cybersecurity

Krzysztof Dziamski

Senior Threat Intelligence Analyst at GSK

10 months

Great writing and workshops. See you next year!

Wonderful recap of an amazing conference! There were a lot of great insights to bring back to our teams, starting with working on epic deliverables, tailored to our stakeholders.

Jose Luis S.

Security Engineer at Google - VirusTotal

10 months

Legend! Thank you for your words, but most importantly, thank you for sharing so much with the community.

Vladimir Kropotov

Cyber, AI and Future technologies Risk Advisor, Sr. Researcher at Trend Micro

10 months

Nice summary! Thank you!
