FIRST CTI 2023 was again a blast! The conference took place on 6, 7, and 8 November 2023 in Berlin. Once more, Berlin was a perfect place to host the conference and this time more than 350 people participated in the conference!! I really love how the audience of this conference grows year by year without losing its community element.

Monday 6 November 2023

This year, there were three tracks of workshops during the first day of the conference. I had the pleasure to attend the workshop from John Doyle (Google Cloud), Jamie Collier (Google Cloud), and Grace Chi (Pulsedive) on “How to Align CTI and Risk Management: Successfully Connecting Two Related Practices”. Really useful session on a topic that is not straightforward for CTI analysts. Good job guys and great delivery! Unfortunately, I did not attend any other workshop, but participants were quite happy with the trainings:

  • MISP CTI Analyst Threat Information Creator Workshop by the MISP people (the usual suspects, always great content)
  • Intelligence Requirements workshop by Michael DeBolt (Intel471) and Freddy Murstad (very helpful content about how to start with intel reqs)
  • Threat Landscaping workshop by Brian Mohr and Roman Sannikov (very hot topic nowadays and very useful workshop)
  • Hunting and Tracking Adversaries with Synapse by Bartek Jerzman (Synapse is the new kid on the block and Bartek a very cool and knowledgeable guy)
  • Priority Intelligence Requirements Workshop by Ondra Rojcik, Vladimir Janout (Red Hat). Cool content shared.
  • A Practical Guide to Building Your Cyber Threat Profile by Simone Kraus (Orange) and Scott Small (Tidal Cyber). Very practical session!

Tuesday 7 November 2023

Day 2 of FIRST CTI 2023 was the first day of plenary sessions. Some highlights of this day include:

  • Natalie Kilber’s presentation on “Helping Organizations Anticipate and Approach Emerging Technology Threats”. What I really learned is how to use the intelligence cycle to assess emerging technologies for different readiness levels (TRL), what the sources are, etc.
  • Jamie Collier and John Doyle’s presentation on “Solving CISO Headaches: How to Align CTI and Risk Management”. This presentation was actually a 30-min summary of the 4-hour workshop they did together with Grace Chi on Day 1.
  • Alexis Dorais-Joncas and Joshua Miller’s presentation on “Will the Real Attribution Please Stand Up?”. Very enlightening presentation on how the Proofpoint CTI team conducts attribution with some real-world examples.
  • Lennart Maschmeyer’s presentation on “What is a Threat Actor? Tracking Sandworm’s Transformation”. Lennart’s research focuses on the evolution of threats and asks some very valid questions to practitioners. The Sandworm group was used as an example and some questions were posed: Is Sandworm of 2016 the same as Sandworm of 2021? How do we track their changes in TTPs, tasking, goals, team members, etc.?
  • Brian Mohr’s presentation on “If You Want to Build Good Intelligence Requirements, You Do Not Start with Intelligence Requirements”. Intelligence requirements are deep in the heart of Brian, but he elaborated that CTI teams should first understand stakeholders’ decisions and the available actions they can take. Good points.
  • Andras Iklody and Sami Mokaddem’s presentation on MISP 3. We got some new insights on the new and upcoming version of MISP.
  • Ingrid Grimstad’s presentation on “How to tango with MISP”. This was one of the best presentations of the conference. Lots of insights and lessons learned on how a Cyber Defense team deployed MISP, the challenges they faced, their timeline, and their success stories. Plus, Ingrid is a rising star!

Wednesday 8 November 2023

I had the pleasure to chair the morning sessions for the second day of the plenary sessions. Some highlights of this day include:

  • Clemens Sauerwein’s presentation on “Insights on the Spread and Use of Threat Intelligence Sharing Platforms”. I loved that academics come and present at the FIRST CTI conference. Clemens provided some initial results of his work about a topic very close to my heart, Threat Intelligence Platforms.
  • Ross Rustici’s presentation on CTI Report Blueprints. Cool work by MITRE, especially for not very mature CTI teams. Also, a MITRE project that can deliver promising results especially if combined with a knowledge management platform.
  • Kamil Bojarski’s presentation on “Navigating Hard Targets In Open-Source Intelligence”. Very cool stuff shared in this presentation. Kamil was throwing intelligence about OSINT like there was no tomorrow! Interesting how challenging it is to conduct proper OSINT investigations.
  • Catalin Curelaru and Espen Johansen’s presentation on the role of CTI in the M&A process. So many similarities with the supply chain monitoring process and lots of lessons learned.
  • Freddy Murstad’s presentation on Foresight Analysis. Freddy highlighted the role of Structured Analytic Techniques (SATs) in modern CTI teams.

Spin Your CTI Process Round

In a personal capacity, I had the pleasure to present on how CTI teams can operationalize their intel process more efficiently (or how to “Spin Your CTI Process Round”). In this presentation, I wanted to highlight how CTI teams neglect to implement some basic concepts of project management and knowledge management in the early phases of their “CTI journey”. Essentially, CTI assessments are like mini (or sometimes mega) projects and case management tools (providing workflow building capabilities) can help CTI teams with coordination, collaboration, knowledge management, and metrics. The presentation also focuses on some “additional ingredients” that also help CTI teams to operate more efficiently within corporate environments. Finally, the presentation is heavy on memes as I got challenged by my fiancé to deliver a presentation only with memes. I hope I have risen to the challenge adequately.

Thanksgiving

A lot of people contributed to this event and everybody deserves kudos:

  • First and foremost, the attendees that joined the conference! Lots of interactions, connections, and engagement!
  • Second, many thanks to the speakers and the instructors of the training workshops! Great job everyone!
  • A critical role in organising the conference was played by the FIRST Events team and everyone else who contributed. The conference was perfect from an organisation perspective!
  • Big thanks to the conference sponsors!
  • Finally, one more time a big thank you to Thomas Schreck and the Program Committee that dedicated time and effort to selecting the presentations and the workshops.

FIRST CTI 2024

The Call for Papers for FIRST CTI 2024 is already open until 13 December 2023. Remember that FIRST CTI 2024 takes place on 15-17 April 2024. See you again next April ;)


One thought on “FIRST CTI 2023 Recap”

  1. The banner picture makes me proud: It implies I must have composed and taken the best picture. 😀📸
