FIRST Cyber Threat Intelligence Symposium

March 18-20, 2019 • Symposium • BT Centre • London, United Kingdom

The 2019 FIRST Symposium on Cyber Threat Intelligence (CTI) will be held March 18-20th 2019 at BT Centre (81 Newgate Street, London), hosted by BT and Digital Shadows. There will be one day of training followed by two days of plenary sessions. This event will be open to both FIRST members and non-members.

Plenary by EclecticIQ

13:00-13:30, March 20

Evaluate or Die Trying - A Methodology for Qualitative Evaluation of Cyber Threat Intelligence Feeds. Sergey Polzunov & Jörg Abraham, CTI specialists from EclecticIQ

CTI as a practice has gained traction in recent years. Organizations are beginning to understand how threat intelligence fits into their existing security operations. At the same time, they have difficulty judging the quality of sources and ultimately fail to assess the return on investment. In this talk, Sergey Polzunov and Jörg Abraham will present how organizations can evaluate the quality of an intelligence source and how structured intelligence aids in making a qualitative statement about the value of an intelligence feed.

The talk will conclude with a PoC demonstrating feed assessment in an automated way.

Attendees will learn:

● About a methodology to relate information from an intelligence source back to the intelligence requirements.
● How to measure the feed quality in an automated way.
● Why structured threat intelligence (STIX) plays an important role in feed assessment.

14:00-14:30, March 20

A Place for Analysis of Competing Hypothesis (ACH) in CTI: Applications and Evolution of ACH in CTI. Caitlin Huey, CTI specialist from EclecticIQ

Within the intelligence community, analyst tradecraft refers to a method or a portfolio of known structured techniques, methods, and skills that aid an analyst in doing their job. Analysis of Competing Hypotheses (ACH) is commonly cited as a method used to evaluate hypotheses against a set of evidence. Analysts operating over several “INTs” have relied on a way to effectively test data coming from multiple sources and producers in order to measure evidence against them. During the course of an investigation, analysts may need to evaluate what is consistent and inconsistent across a set of hypotheses (H1, H2, H3). ACH improves an analyst’s ability to assess and validate an issue with a tested confidence assertion. In CTI, producers and consumers of cyber threat intelligence have largely relied on ACH to evaluate data and analyze it to identify attribution, patterns, motivations, and more. As ACH in CTI evolves, it is leading analysts to find innovative ways to represent and structure this process so that it is scalable to produce and consume.

Audience takeaways include:

● Analysis of Competing Hypotheses (ACH) has been done and is still being done by analysts operating in the private and public spheres. Not only has it been done in traditional intelligence communities, but it has also been conducted by cyber threat intelligence (CTI) vendors who use ACH to evaluate an incident/emerging threat.
● Learn how ACH has been used and how to apply it to the current threat landscape.
● Understand ACH as a method used to allow producers/vendors of threat intelligence to map and structure a higher confidence in one hypothesis (H1) over a tested set of other hypotheses (H2, H3, H4).
● See how, when producers conduct ACH, it gives consumers of threat intelligence a more complete picture of an emerging threat. It also enables a consumer to see the evidence weighed against each hypothesis and to come to a more informed decision based on the evidence available to them.
● Evolution of ACH in CTI - see how analysts can better represent this tradecraft by applying structure to the ACH process.
