Happy New Year everyone! 2019 was just another interesting year in CTI. Every year I list my top 20 CTI presentations. Below are the ones I enjoyed most, that taught me something I used in my day-to-day work, and that gave me insights into cyber threats. I hope you enjoy them and I am looking forward to seeing your favourite ones. Enjoy and let’s have a chat about them (and about yours) during an upcoming CTI event in 2020!
- [CTI/Tradecraft] SANS CTI Summit 2019: Analytic Tradecraft in the Real World
Presenter: Amy R. Bejtlich
Link to video
Link to presentation
Comment: My favourite CTI presentation for 2019! It includes tangible takeaways for CTI analysts in terms of analytic tradecraft.
- [CTI/Attribution] SANS CTI Summit 2019: A Brief History of Attribution Mistakes
Presenter: Sarah Jones
Link to video
Link to presentation
Comment: Must-see presentation on attribution mistakes. This presentation is so useful that Katie Nickels included it in her Top 10 CTI Reading List.
- [CTI/CTI Program] FIRST CTI 2019: Building, Running, and Maintaining a CTI Program
Presenters: Michael J. Schwartz and Ryan Miller
Link to presentation
Comment: The slides have very useful tips on how to build your CTI program. I especially like the CTI focus based on the number of FTEs (full-time employees) in your CTI team. Don’t forget that this is based on what worked for Target; your organisation might have different needs, priorities, and budget.
- [CTI/Reporting] SANS Webcast: Top 10 Writing Mistakes in Cybersecurity and How You Can Avoid Them
Presenter: Lenny Zeltser
Link to video
Comment: Lenny Zeltser provides some top-notch advice on reporting in cyber security. I cannot stress enough how important reporting skills are for CTI analysts.
- [CTI/Metrics+ATT&CK] FIRST CTI 2019: Metrics and ATT&CK. Or how I failed to measure everything.
Presenter: Francesco Bigarella
Link to presentation
Comment: Francesco nailed it: he knows how to create a slide deck and, more importantly, he provides lots of insights on CTI metrics, because metrics matter!
- [CTI/Intelligence Direction] FIRST CTI 2019: Your Requirements are not my Requirements
Presenter: Pasquale Stirparo
Link to presentation
Comment: Pasquale covers the basics of the value of intelligence requirements within CTI programs. Real-world examples are also presented.
- [CTI/Threat Detection] SANS CTI Summit 2019: Quality Over Quantity: Determining Your CTI Detection Efficacy
Presenter: David Bianco
Link to video
Link to presentation
Comment: After the “Pyramid of Pain”, David Bianco now presents the “Heatmap of Pain”. Nuff said!
- [CTI/ICS] SANS ICS Summit 2019: Evolution of ICS attacks: from BlackEnergy3 to TRISIS
Presenter: Joe Slowik
Link to presentation
Comment: Joe Slowik was on fire during 2019. In this presentation, Joe provides his insights on how attacks against ICS have evolved.
- [CTI/Metrics] SANS CTI Summit 2019: How to Get Promoted: Developing Metrics to Show How Threat Intel Works
Presenters: Tony Gidwani and Marika Chauvin
Link to video
Link to presentation
Comment: Great talk on CTI metrics. The highlight is the final slide, which ranks CTI metrics by their difficulty to produce and their value.
- [CTI/ATT&CK] ATT&CKcon 2.0: Using Threat Intelligence to Focus ATT&CK Activities
Presenters: David Westin and Andy Kettell
Link to video
Link to presentation
Comment: This presentation shows how Nationwide has implemented its threat actor tracking process (see their quadrant analysis!!!) and how they use the ATT&CK framework. Great work!
- [CTI/Threat Investigation] Security Analyst Summit 2019: Who is GG?
Presenters: Juan Andres Guerrero-Saade and Silas Cutler
Link to video
Comment: This is again great threat investigation work from Juan Andres and Silas. I would also recommend reading the blog post as well as their interview in The CyberWire.
- [CTI/Information Operations] CYBERWARCON: Infosec 1930
Presenter: Thomas Rid
Link to presentation
Comment: Thomas Rid presents the first information operation against the US, back in 1930. Thomas actually mentioned during the presentation: “I’m writing the history of disinformation right now”. A fascinating story!
(This talk is from CYBERWARCON 2018 but it was uploaded to YouTube during 2019.)
- [CTI/ATT&CK] Black Hat 2019: MITRE ATT&CK: The Play at Home Edition
Presenters: Katie Nickels and Ryan Kovar
Link to video
Link to presentation
Comment: Great introduction to the ATT&CK framework. Very nice presentation as well!
- [CTI/Information Warfare] Security Analyst Summit 2019: Opaque at Both Ends
Presenter: thegrugq
Link to video
Comment: thegrugq is a great guy to listen to when he speaks on information warfare. Also interesting is his interview on The CyberWire on influence operations.
- [CTI/Threat Investigation] SANS CTI Summit 2019: Unsolved Mysteries – Revisiting the APT Cold Case Files
Presenter: Juan Andres Guerrero-Saade
Link to video
Comment: Well, I am a little bit biased towards Juan Andres Guerrero-Saade. His work in our area is unique and the topics he presents are always intriguing. In this presentation, he discusses revisiting cold cases with new tools and data, and thus gaining more insights into threats. He makes a fair point that sometimes, as analysts, we analyze threats, we present them (sometimes hyped by marketing, which is fairly part of the game) and then we tend to forget about them.
- [CTI/ATT&CK] SANS CTI Summit 2019: ATT&CK Your CTI w/ Lessons Learned from 4 Years in the Trenches
Presenters: Katie Nickels and Brian Beyer
Link to presentation
Comment: Very interesting presentation on the top ATT&CK techniques used by adversaries. It is interesting to observe the difference in techniques used between two different data sets: Red Canary data and MITRE compiled data. A good reminder that different datasets provide different visibility and different analysis results.
- [CTI/SecOps] SANS CTI Summit 2019: Meet Me in the Middle: Threat Indications and Warning in Principle & Practice
Presenter: Joe Slowik
Link to video
Link to presentation
Comment: Practical presentation from Joe Slowik on how CTI can support operations. He explains how a military concept (“indications and warnings”) can be applied within SOCs. It is interesting to see the balance between CTI’s finalized intelligence product and the SOC’s need for timely threat information.
- [CTI/ATT&CK] ATT&CKcon 2.0: TRAM
Presenters: Sarah Yoder and Jackie Lasky
Link to video
Link to presentation
Comment: TRAM seems like a very promising tool (it is on GitHub and actively developed)! Looking forward to watching their presentation during SANS CTI Summit 2020, “Automation: The Wonderful Wizard of CTI (Or Is It?)”.
- [CTI/OSINT] CAMLIS 2019: TweetSeeker: Extracting Adversary Methods from the Twitterverse
Presenter: Matthew Berninger
Link to video
Link to presentation
Comment: Matthew presented last year about APTinder. This year he strikes back with Twitterverse, an attempt to use Twitter as an intelligence source by applying data science techniques. The Twitter infosec community is very active and there is quite a lot of information sharing that stays within Twitter, is not properly documented and is not easily searchable. Joe Slowik has also published a relevant blog post on Historical Memory and Information Security.
- [CTI/Information Operations] CYBERWARCON: “False Leaks” – A Network Lens on Cyber-Enabled Information Operations
Presenter: Camille François
Link to video
Comment: Interesting analysis of information operations that are designed to disseminate hacked material. The whole issue with leaks is so interesting, as they could include false information and could be leveraged for information operations.
(This talk is from CYBERWARCON 2018 but it was uploaded to YouTube during 2019.)
PS. For clarity, the presentations in the above list are in random order.
Thanks a ton for this wonderful collection Andreas!
Thanks a lot CyberDude. Glad that you find them useful.