Top 25 CTI Presos for 2020 (pandemic version)

Hey folks! 2020 was a year to remember mostly because of non-CTI related stuff. Every year I write a blog post about my top CTI presentations but this time I am a little bit late (aren’t we still in 2020 mode in any case?).

Due to the pandemic, we had the opportunity to participate in many online conferences/summits and watch lots of presentations. See below (in random order) the CTI presentations I enjoyed most, from which I learned something I applied to my day-to-day work, and which gave me insights into cyber threats and CTI practices.

Hopefully this year we will have more F2F conferences and interaction. Enjoy and stay safe!

  1. [Ransomware] Mandiant – Proactive Solutions to Stop Modern Ransomware in its Tracks
    Presenters: Nader Zaveri, Matt Bromiley, Kimberly Goody
    Abstract: This webinar brings together Mandiant incident response, threat intelligence and managed detection and response experts to discuss strategic and tactical solutions that will help your organization: 1) Learn modern ransomware trends and attacker behaviors observed on the frontlines, 2) Realize why proactive assessment is critical when preparing for and preventing ransomware, 3) Understand how threat intelligence, hunting, and response provides the decision support and detection needed to outmaneuver ransomware actors, and 4) Implement effective mitigation strategies to stop ransomware attackers in their tracks
    Link to video
    Comment: Human Operated Ransomware (aka Big Game Hunting) was the top threat of 2020. In July 2020, I found this specific presentation extremely helpful to better understand the threat and proceed with the relevant recommendations in terms of prevention, detection, and response. Mandiant has also published a very detailed report on Ransomware Protection and Containment Strategies.
  2. [Close Access Ops] CrisisCon – Close Access Operations and You
    Presenter: Alex Orleans
    Abstract: Examination of close access operations as a type of edge case in CTI analysis, including impacts to attribution and subsequent guidance to customers. Case study will focus on close access operations attributed to the GRU by US and Dutch governments, and subsequent attribution issues arising from industry reporting on those operations (e.g., APT28/FANCY BEAR, Sandworm/VOODOO BEAR, Hades).
    Link to video
    Comment: This presentation is kinda special since the topic is not very common. As Alex mentions, close access operations may represent an edge case of what we typically encounter as analysts. Such cases, though, have an impact on our CTI analysis, threat model, and the subsequent recommendations. Alex presents a case study on GRU’s close access operations and the attribution challenges. I admit that I am a little bit biased about this presentation since I was living in The Hague when the Dutch Defence Intelligence and Security Service disrupted GRU’s operation targeting the OPCW and it was the top news story covered by the mainstream media.
  3. [CTI Future] Virus Bulletin 2020 – 2030: Backcasting the rise and fall of cyber threat intelligence
    Presenter: Jamie Collier
    Abstract: The year is 2030. After encouraging growth in the early 2020s, the cyber threat intelligence (CTI) industry has almost entirely collapsed. Many of the leading CTI vendors have gone bankrupt while most professionals working in the industry have transitioned to other cybersecurity functions.
    This talk will explore what went wrong. The presentation will use the analytical technique of backcasting to create this imagined future and highlight the various hazards that could exist within the CTI industry. These include vendors over-hyping threats and resorting to fear-based sales, a lack of empirical rigour within intelligence assessments, and CTI teams ostracizing themselves from security and leadership teams.
    The talk is neither a prediction nor intended as an industry hit job. Instead, it will provide an opportunity to reflect on where we are as an industry, anticipate potential pitfalls, and consider how the industry can improve.
    Link to video
    Link to slides / report
    Comment: This presentation is one of my favourites of 2020. So, fast forward to 2030, and the CTI industry completely disappears! Jamie did something clever: he used an analytical technique (backcasting) to highlight some of the current (and potential) issues within the CTI domain. This preso/exercise provides food for thought for all the people working in the CTI industry.
  4. [Threat Modeling] Shmoocon 2020 – Resistance Isn’t Futile
    Presenter: Katie Nickels
    Abstract: There are hundreds (if not thousands) of adversary groups out there, and it’s understandable if defenders sometimes feel like resistance is futile. Good news: you don’t have to defend against all of them! Even better news: there’s a simple way you can prioritize what adversaries you focus on and how you defend against them–threat modeling. This presentation will present a simple, practical threat modeling approach that any analyst or defender can use to get started figuring out what threats matter to their organization.
    The presentation will start by acknowledging the many approaches to threat modeling that others have created, and then discuss why there’s confusion around it. The presentation will then explain four simple steps and practical actions that anyone can take to get started with threat modeling: know your organization, know your adversaries, match those up, and take action. The audience will leave with an understanding of how threat modeling can help any team prioritize what threats they care about and use that to improve their organization’s defenses.
    Link to video
    Link to slides
    Comment: Katie discusses threat modeling (from a threat intelligence perspective) and recommends an easy way to get started. The “US and Them” slide is an instant classic; it sticks in your mind and makes it easier to understand what threat modeling is all about. The presentation also includes examples with mind maps and tangible recommendations on how to start conducting threat modeling within your organisation. Resistance isn’t futile!
  5. [Attribution] SANS CTI Summit 2020 – Achieving Effective Attribution: Case Study on ICS Threats
    Presenter: Robert M. Lee
    Abstract: This presentation will cover an alternative method to achieving the value of true attribution without the analytical and resource cost associated with government attribution and the risks it carries. The talk will look at ICS threats and the current geopolitical tension with Iran as an example of what success can look like. 
    Link to video
    Comment: This is a very special keynote where Rob presents à la Cliff Stoll, with a projector (Cliff Stoll’s keynote is probably the best keynote ever at a SANS CTI Summit). I liked the interactive part of the presentation where Rob discusses why all CTI sources can be problematic for attribution by themselves. Rob also presents the value of attribution and explains how a CTI team can create a custom attribution model so that the CTI analysts are analytically responsible in their attribution assessments while reducing the cost of getting there (e.g. “activity group X matches our perceived understanding of Iranian attribution”, “activity group Y matches Iranian interests as we track them”, etc.).
  6. [Information Operations] vOPCDE #4  Keynote – Active Measures
    Presenter: Thomas Rid
    Abstract: We live in the age of disinformation—of organized deception. Spy agencies pour vast resources into hacking, leaking, and forging data, often with the goal of weakening the very foundation of liberal democracy: trust in facts. Thomas Rid, a renowned expert on technology and national security, was one of the first to sound the alarm. More than four months before the 2016 election, he warned that Russian military intelligence was “carefully planning and timing a high-stakes political campaign” to disrupt the democratic process. But as crafty as such so-called active measures have become, they are not new.
    Link to video
    Comment: Active Measures was probably the best CTI-related book published during 2020. This book is essential reading to understand intelligence operations in the 20th century (and subsequently cyber operations in the 21st century). In this presentation, Thomas presents the first known hack-forge-leak case. Thomas also presented during SAS at Home on “Operation V-Neptun”. Another great resource is the CSIS webinar with Thomas Rid and Ben Buchanan (author of the also recommended book “The Hacker and the State”).
  7. [Intelligence Requirements] Risk-Based Intelligence Requirements
    Presenter: Brian Mohr
    Abstract: Intelligence is more than just “providing context” or “enriching the data” of indicators of compromise (IOCs). Context is critical, yes, but not just for the answer. You need context for the question as well! Your requirements should reflect what it is you are trying to do and they should speak to your organization’s RISK.
    Link to slides (LinkedIn)
    Comment: This presentation is a very good primer on intelligence requirements. Brian’s slides explain very well what intelligence requirements are all about, especially with the two examples that are presented. Brian highlights the need to shift from threat-based intelligence towards risk-based intelligence.
  8. [CTI Career] BSidesNoVA 2020 – Career Hacking: Tips and Tricks to Making the Most of Your Career
    Presenter: Andy Piazza
    Abstract: At some point in your infosec career, you’ll hit a point of “now what?” You may experience this as soon as you land your first role, or you’ll experience it as a seasoned veteran of the field. There are plenty of talks out there now for “getting into infosec”, but where is the advice for managing and maintaining a career? This is my attempt to fill that gap. This talk will discuss several key areas for building an awesome career, including actionable takeaways for becoming a better analyst, teammate, and leader. Most importantly, we’ll break down the How and Why behind each concept presented and include specific examples based on real experiences.
    Link to video
    Link to blog post
    Comment: While this presentation is not CTI per se, it is my firm belief that it contains quite a lot of points that help CTI analysts. The main areas Andy focuses on are 1) building a strong network (remember, being a CTI analyst also requires quite some soft skills), 2) effective professional development (learn-train-do, reading as a critical skill, passive vs active learning, etc.), and 3) moving on up (actually knowing when to change jobs). Andy’s blog post also has lots of references for you to deep dive into.
  9. [APT Research] Virus Bulletin 2019 – King of the hill: nation-state counterintelligence for victim deconfliction
    Presenter: Juan Andrés Guerrero-Saade
    Abstract: Cyber situational awareness is the ultimate outcome of mature threat intelligence. Though we normally think of threat intelligence as a defender’s practice, extensive study of advanced cyberespionage operations reveals that attackers are engaged in a similar activity. Defenders apply threat intelligence insights to ensure that attackers don’t gain persistent access to their enterprise machines. Similarly, attackers monitor for the presence of other threat actors to ensure that they’re the sole owners of a given victim box. While allied organizations engage in a bureaucratic process of victim deconfliction, it turns out that adversarial organizations have turned to embedding anti-virus-like techniques into their malware in order to do the same. This paper will focus on in-the-wild examples of these techniques and provide a conceptual framework for understanding adversarial deconfliction and its ramifications.
    Link to video
    Link to report
    Comment: JAGS “The Paleontologist” did some exciting work over the past 1-1.5 years on adversarial cyber situational awareness and on revisiting Territorial Dispute. Apart from the VB2019 presentation and report, JAGS also presented on “Mining Disputed Territories: Studying Attacker Signatures for Cyber Situational Awareness”, where he focused on TeDi and provided some new insights. Finally, JAGS specifically focused on the TeDi #37 signature in this presentation and report.
  10. [Yara] Upping the APT hunting game: learn the best YARA practices from Kaspersky
    Presenter: Costin Raiu
    Abstract: This brief webinar is based on Kaspersky’s exclusive training on YARA rules, which has already helped improve the APT detection strategies of many cybersecurity teams from leading businesses across the world. During the webinar, you will learn how to write, test and improve effective YARA rules. You will also get a glimpse of some of our internal tools and learn how to maximize your knowledge for building effective APT detection strategies with YARA.
    This practical webinar is useful for security researchers and incident response personnel, malware analysts, security engineers, network security analysts, APT researchers and IT security staff. The content is suitable for both beginners and seasoned YARA users.
    Link to video
    Comment: Costin shares some useful Yara tips and best practices during this 75-min webinar and it is a great intro to Yara. The presentation includes some real-world examples like BlueTraveller, TripleFantasy, and others. As a follow-up, Costin has also presented at SAS at Home on “Combining code similarity with Yara to find goodies”. In case you want to deep dive into the world of Yara and APT hunting, Kaspersky’s training Hunt APTs with Yara like a GReAT Ninja is also recommended.
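    As an added illustration of the kind of rule-writing practices a webinar like this covers (this is an editor’s example written for this post, not a rule from the webinar, from Kaspersky, or from any named sample; the strings, the debug message and the byte pattern are constructed for illustration only), here is a hunting rule that applies the usual hygiene: a cheap header check before anything expensive, a filesize cap, string modifiers that limit substring noise, a byte pattern with wildcards and a jump instead of a brittle exact sequence, a `pe` module check that ties the match to file structure, and a condition that needs several weak signals rather than one generic string.

```yara
import "pe"

// Private helper: a real PE, not just a file that happens to start with "MZ".
// Reused by every rule in the set so the header logic lives in one place.
private rule is_pe
{
    condition:
        uint16(0) == 0x5A4D and
        uint32(uint32(0x3C)) == 0x00004550   // "PE\0\0" at e_lfanew
}

rule Hunt_Reflective_Loader_DLL_Example
{
    meta:
        description = "Editor's illustrative hunting rule: DLL with reflective-loader artefacts"
        author      = "blog editor (example, not a vendor rule)"
        date        = "2021-01-01"
        reference   = "constructed for this post; no real sample"
        score       = "60"

    strings:
        // 'fullword' stops "ReflectiveLoader" from matching inside longer identifiers;
        // 'ascii wide' covers both narrow and UTF-16 builds.
        $fn1 = "ReflectiveLoader" ascii wide fullword
        // Imports a reflective loader typically resolves by hand (weak on their own).
        $fn2 = "VirtualAlloc" ascii fullword
        $fn3 = "NtFlushInstructionCache" ascii fullword
        // A leftover debug string (constructed); 'nocase' absorbs casing changes.
        $dbg = "loaded dll at 0x%p" ascii nocase
        // Illustrative x64 code fragment: wildcards for register encodings, a short
        // jump for a variable-length block, so a recompiled build still matches.
        $op1 = { 48 8B ?? ?? 48 85 C0 74 ?? [2-8] E8 ?? ?? ?? ?? 48 89 }

    condition:
        is_pe and
        filesize < 2MB and
        pe.characteristics & pe.DLL and          // must actually be a DLL
        (
            ( $fn1 and 1 of ($fn2, $fn3) ) or    // exported name plus hand-resolved import
            ( $dbg and $op1 ) or                 // debug string plus code pattern
            3 of ($fn*, $dbg, $op1)              // or a broad accumulation of weak signals
        )
}
```

    Run it with `yara -s rules.yar <file_or_dir>` so each match prints the strings that fired; then test the rule against a large clean corpus (system DLLs, common software) before deploying, and tighten the `condition` rather than the `strings` when it produces false positives. The `date`, `score` and `reference` fields are illustrative metadata, not a required schema.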
  11. [Deception] FIRST CTI Webinar Series – Bringing Intelligence into Cyber Deception with MITRE ATT&CK
    Presenter: Adam Pennington
    Abstract: Deception has become a popular concept in cybersecurity, but are we really fooling adversaries? Honeypots and other technical solutions often don’t align with what real adversaries do. This presentation will examine how we can successfully deceive adversaries by using threat intelligence mapped to MITRE ATT&CK™. In classical deception planning, intelligence serves a key role in understanding an adversary’s likely beliefs, expectations, and reactions, but this often hasn’t carried over into the cyber realm. In this talk, I’ll show how to bridge that gap and leverage ATT&CK for cyber deception planning. I’ll present a methodology for making decisions on where to focus deception resources based on adversary techniques and how to align deception capabilities with the expectations and visibility of real cyber threat actors. Attendees will learn how they can leverage cyber threat intelligence to deceive their adversaries and gain valuable new intelligence as they do so.
    Link to video
    Link to slides
    Comment: This is the best presentation I have watched so far related to cyber deception. It combines traditional deception, a CTI approach, and the ATT&CK framework! I liked the way Adam walks us through the intel-driven cyber deception planning process, explaining the deception decisions we can take, our biases, our adversaries’ biases, and what the role of intelligence in deception planning is.
  12. [Malware Analysis] SANS CTI Summit 2020 – Threat Intelligence and the Limits of Malware Analysis
    Presenter: Joe Slowik
    Abstract: Threat intelligence is guided (and limited) by the availability and nature of underlying data for analysis. As a result, threat intelligence reporting is shaped by the sources from which it emerges: incident data, a fusion of multiple sources, and technical analysis. One of the most frequently produced threat intelligence reports consists of malware analysis and conclusions (or assumptions) drawn from technical functionality. Yet, such analyses are limited to a narrow view of events that may not be accurate or relevant to broader operations. This presentation will examine how different views of event information – with an emphasis on malware analysis – influence and shape subsequent threat intelligence reporting. Overall, the goal is to demonstrate to consumers and practitioners the boundaries that specific technical analysis sometimes places on conclusions and subsequent decisions. By understanding specifically how technical malware analysis as a discipline contributes to overall threat intelligence functions – and its limitations, ranging from attribution to specific adversary tracking – threat intelligence consumers and practitioners can gain a more accurate understanding of its relevance to actual defensive operations.
    Link to video
    Link to slides / report
    Comment: This is a must-watch presentation (plus the detailed report) for anyone that conducts malware analysis or hunts via VirusTotal Intelligence. Joe very successfully presents how malware analysis is just one part of the overall picture when analyzing an intrusion (context, purpose, and function are also critical to understand the intrusion and help the defenders). Joe also presents a number of case studies (2016 Ukraine Power Event, Linking APTs by tools, LookBack and APT10). His slide “APT as Bureaucracy” is an all-time classic as it does not depict APTs as one team (monolithic entities) but rather as composed of multiple teams with a specific structure.
  13. [Threat Actors] Circle City Con 7.0 – CyberSafari: Underexamined threat actors from the global threat landscape
    Presenter: Yoshi LNU
    Abstract: Typical discussions around state-nexus threat actors focus on Pandas (China), Bears (Russia), Kittens (Iran), and Chollimas (North Korea). While those actors tend to be the most high-profile, the threat landscape includes enough activity from Cranes (South Korea), Leopards (Pakistan), Buffalos (Vietnam) and more to constitute a whole cyber-safari of underexamined actors. This sub-set of adversaries represents the proliferation of how more and more state-nexus actors are increasingly conducting targeted intrusions, intent on capitalizing on the asymmetric advantages offered by cyber operations. By examining these actors and their activity, we can see the diversity of their motivations, methodologies, and targets. This allows for a more accurate understanding of how truly global the threat landscape is and, subsequently, better tailoring of threat models and defensive postures.
    Link to video
    Link to sources
    Comment: Most of the presentations we watch (and news we read) about state-nexus threat actors are about adversaries mostly linked with Russia, N. Korea, China, or Iran. But what about state-nexus threat actors not linked with these 4 countries? Yoshi first presents some relevant models, i.e. the Diamond Model and The Spectrum of National Responsibility for Cyberattacks. Then, he presents state-nexus threat actors from the Netherlands, France, Spain, Turkey, Israel, Lebanon, UAE, Morocco, Uzbekistan, Pakistan, India, S. Korea, and Vietnam. Cool to get this perspective of the threat landscape, and Yoshi provides lots of resources to deep dive into.
  14. [Offensive Security Tools] Red Team Village – RedSourcing: Cyber War Tool Development Outsourcing
    Presenters: Christopher Glyer, Nick Carr
    Link to video
    Comment: The OST debate has been quite prevalent in the Infosec Twitterverse. This presentation is the extended version of Chris and Nick’s CYBERWARCON 2019 talk. I love when they deep dive into actors and campaigns (APT1, APT32, APT33, APT28, APT29, TEMP.Veles, Copy-Paste Campaign) and elaborate on the various types of tools that have been used (free, red sourced, custom, criminal underground). The slide that compares APT1 tool usage with the recent 2020 Copy-Paste Campaign depicts how the landscape has evolved. Also relevant, this Virus Bulletin 2020 presentation from Paul Litvak is a good piece of research that focuses on 1) which OST libraries are used within custom malware implants, and 2) creating a map of all the threat actors together with the OSTs that they use.
  15. [Information Ops & Critical Infrastructure] CYBERWARCON 2019 – Full-Spectrum Information Ops for Critical Infrastructure Attacks & Disruption
    Presenter: Joe Slowik
    Abstract: Non-kinetic critical infrastructure attacks are typically viewed as limited to the field of “cyber” by policy makers, defenders, and even most attackers. Yet this view is extremely limited and ignores multiple possibilities for attack amplification and propagation mechanisms using multiple aspects of information warfare beyond computer-enabled operations. Furthermore, even within the realm of cyber-induced impacts, potential (and desired) impact scenarios may stretch well beyond simple disruption (or even destruction) towards more subtle messaging and indirect effects. By exploring how other information warfare disciplines such as influence operations and deception can work in conjunction with cyber capabilities, attackers can devise powerful attacks with far greater scope for disruption than cyber capabilities alone.
    Link to video
    Comment: This is a fascinating presentation by Joe on how non-kinetic critical infrastructure attacks combined with other information warfare disciplines can end up having a greater impact. We have seen adversaries combining these disciplines (e.g. cyber and electronic warfare) and we will likely observe more such operations in the future (as adversaries are experimenting, learning and evolving). Joe also presented at virtual x33fcon 2020 on “Cyber Consequences, Operational Dependencies, and Full-Scope Security”.
  16. [Executive Communication] S4x19 – Risk Management & Executive Communication
    Presenter: Patrick Miller
    Abstract: Asset owners are not truly interested in security; they care about managing risk. Much ICS security activity today is busy work with little risk reduction. Learn how to make decisions from a risk management approach, and importantly how to effectively communicate with executives and board members to get the support you need for an ICS security program.
    Link to video
    Link to slides
    Comment: This is one of the best presentations that I have watched on how to communicate cyber risk to management. This is not a pure CTI presentation, it might seem a little bit ICS-focused but the insights provided apply to all sectors. Please watch it and identify the soft skills you might want to develop!
  17. [Threat Group Naming] SANS STAR Webcast – Making Order out of Chaos: How to Deal with Threat Group Names
    Presenter: Katie Nickels
    Abstract: Cozy Bear or APT29? Carbanak or FIN7? Lazarus or HIDDEN COBRA? For years, analysts have been frustrated by different threat group naming conventions. Efforts at creating a unified naming system, or even a Rosetta Stone for existing names, have proven futile in the face of subtle but important differences.
    In this webcast, Katie Nickels will help you make order of the naming chaos in a way that will also improve your analysis methodology. She will help you understand why there are so many names and why it’s okay that we don’t agree on them. You’ll learn a practical approach for how to track names, decide when to name your own groups or default to existing names, and how to keep things clear while not contributing to the confusion. Katie will end with a call for action on how we can better communicate publicly about groups, so we don’t make this a bigger mess than it already is.
    Link to video
    Comment: This is a deep dive into Threat Group Naming. Katie highlights the different visibility of different organisations as well as the different methods for clustering threat groups. Credits are given during the presentation to some must-read resources: 1) Rob M. Lee’s presentation “Threat Intelligence Naming Conventions: Threat Actors, & Other Ways of Tracking Threats” (one of the best CTI presentations back in 2018), 2) Florian Roth’s blog post on threat actor naming, and 3) FireEye’s blog post on how they track threat activity.
  18. [Infosec Learning] The Standoff – Towards an open, shareable, contributor-friendly model of speeding infosec learning: the Githubification of Infosec
    Presenter: John Lambert
    Abstract: John Lambert talked about how to speed up the training of defenders. According to the expert, an open and vendor-neutral approach guided by our community can help us to achieve this goal. If each organization shares its own unique experience, while also relying on the experience of other community members, we will be able to overcome the lack of cooperation in information security and stay one step ahead of attackers.
    Link to video
    Comment: I love this presentation because John has a vision. According to a well-known quote, “it takes 10000 hours to become an expert on a topic”; a variation of that is “you are 2 years of hard work from being a global expert in a new technology”. But can we speed this up and improve the learning rate for defenders? John presents how this could be accomplished with organized knowledge (MITRE ATT&CK), executable know-how (SIGMA), repeatable analysis (Jupyter), and supporting our community. John’s last slide includes a Call To Action for defenders, security product engineers, security researchers, infosec managers, and cyber security organisations / CERTs. John has also written this blog post on the “Githubification of Infosec”.
  19. [ICS ATT&CK] Introducing MITRE’s ATT&CK for ICS 
    Presenters: Otis Alexander, Joe Slowik
    Abstract: Learn how ICS network defenders now have a common lexicon for categorizing ICS specific techniques and threat behaviors to improve their ability to detect and respond to threats.
    Link to video
    Link to report
    Comment: In 2020, ATT&CK for ICS was launched! This presentation is a great primer for ATT&CK for ICS and, as a follow-up, there is the presentation from Austin Scott titled “Mapping Incidents to ICS ATT&CK”, where he presents how to use ATT&CK for ICS to test and understand detection coverage.
  20. [ICS OSINT] RSA Conference – ICS OSINT: An Attacker’s Perspective
    Presenters: Amy Bejtlich, Selena Larson
    Abstract: Destructive ICS attacks generally require specialized skill and resources, but initial reconnaissance to plan an attack requires little advanced capabilities. Learn how defenders can decrease their attack surface and increase adversary friction by developing an awareness of ICS-specific open source intelligence (OSINT) techniques and the type of freely available data adversaries use in attacks.
    Link to video
    Link to slides
    Comment: Amy and Selena do a great job putting OSINT into an ICS attacker perspective. The examples that are presented are interesting, especially the one related to the SEC’s EDGAR database (please check your organisation’s SEC 10-K reports!). A key recommendation of the presentation is to conduct regular OSINT assessments for your organisation. In case you need guidance on how to do it, Casey Brooks and Selena Larson have published a report describing a framework on how to develop and conduct an ICS OSINT security assessment.
  21. [ATT&CK] Training – Using ATT&CK for Cyber Threat Intelligence
    Presenters: Adam Pennington, Katie Nickels
    Abstract: The goal of this training is for students to understand the following: 1) What ATT&CK is and why it’s useful for cyber threat intelligence (CTI), 2) How to map to ATT&CK from both finished reporting and raw data, 3) Why it’s challenging to store ATT&CK-mapped data and what you should consider when doing that, 4) How to perform CTI analysis using ATT&CK-mapped data, and 5) How to make defensive recommendations based on CTI analysis.
    Link to video
    Link to slides
    Comment: If you are using MITRE’s ATT&CK for CTI operations you have to watch this great 4-hour training from Adam and Katie. Nuff said!
  22. [Civil Society] 32nd Annual FIRST Conference Keynote – Tracking Targeted Digital Threats: A View from the Citizen Lab
    Presenter: Ron Deibert
    Abstract: Political struggles in and through the global Internet and related technologies are entering into a particularly dangerous phase for openness, security, and human rights. A growing number of governments and private companies have turned to “offensive” operations, with means ranging from sophisticated and expensive to home-grown and cheap. A large and largely unregulated market for commercial surveillance technology is finding willing clientele among the world’s least accountable regimes. Powerful spyware tools are used to infiltrate civil society networks, targeting the devices of journalists, human rights defenders, minority movements, and political opposition, often with lethal consequences. Meanwhile, numerous disinformation and harassment campaigns are feeding intolerance and even violence, largely without mitigation. Drawing from the last decade of research of the University of Toronto’s Citizen Lab, I will provide an overview of these disturbing trends and discuss some pathways to repairing and restoring the Internet as a sphere that supports, rather than diminishes, human rights.
    Link to video
    Comment: Citizen Lab’s research matters. This presentation was the keynote of this year’s FIRST Conference and Ron presented some super interesting evidence-based info from 2014 (Hacking Team), 2015 (FinFisher), 2018 (NSO), 2019 (NSO), and 2020 (Dark Basin). The perspective provided by Citizen Lab on targeted threats to civil society is critical given the limited coverage of such threats by cyber security firms.
  23. [Security Tools] Security Analyst Toolset Workshop
    Presenter: Florian Roth
    Link to slides
    Comment: This presentation from Florian includes the most significant tools that security analysts should know how to use to analyze threat activity. It is a great collection that can act as a starting point for CTI analysts to get to know some of their tools and sources.
  24. [Cybercrime] vOPCDE #8 – CrimeOps: The operational art of cybercrime
    Presenter: The Grugq
    Abstract: Cybercrime rewards innovative organisations. Groups can innovate at the tactical level (e.g. new or updated TTP), the strategic level (e.g. new monetisation methods), or at the operational level — the management of resources and personnel to achieve strategic objectives. The operational level is seldom analyzed because it is rarely visible to information security researchers. Changes in TTP are discovered quickly on the ground, and new strategies emerge by monitoring major shifts and trends. The operational glue that enables a group to execute well is almost never apparent to an outside observer.
    Link to video
    Link to blog post
    Comment: This presentation gives us some insights into how a modern and mature cybercrime organisation (FIN7 in this case) is run. According to The Grugq, “what distinguishes the most successful criminals are more sophisticated and professional operations, not more advanced TTP tactics”.
  25. [Threat Reporting] SANS CTI Summit 2020 – Hack the Reader: Writing Effective Threat Reports
    Presenter: Lenny Zeltser
    Abstract: Drawing on best practices covered in his SEC402 course, Cybersecurity Writing: Hack the Reader, Lenny will break down strategies for compiling concise and compelling threat reports. 
    Link to video
    Link to slides
    Comment: This was my favourite presentation for 2020. Yes, Lenny is the winner of this year’s CTI stroopwafel trophy (check last year’s winner). The sheer knowledge that Lenny shares about threat report writing is just amazing. Lenny also provided a useful cheat sheet for threat report writing that can be found here.
