Tuesday, October 29th

9:00 AM – 6:00 PM RFUN Education and Hands-on Training Breakouts
6:00 PM – 8:00 PM Welcome Reception

Wednesday, October 30th

9:00 AM – 12:00 PM Opening General Session and Keynote
12:00 PM – 2:00 PM Lunch, Sponsor Event, Networking (Spy Museum)
2:00 PM – 5:30 PM Breakout Sessions
2:00 PM – 5:30 PM Executive Roundtable
6:30 PM – 9:30 PM Networking Reception (Spy Museum)

Thursday, October 31st

8:30 AM – 12:00 PM Closing General Session and Keynote

Hands-On Training Breakouts:

Day One of Predict features four full-day hands-on training courses designed for both those new to Recorded Future as well as those with years of experience. Choose the one that is right for you:

  • addremoveCertified User
    New to Recorded Future or need a refresh on the basics? Learn about the essentials of using the Recorded Future Platform, browser extension, and Intelligence Cards. You will also gain an understanding of Recorded Future data, risk scores, and the Intelligence Goals Library.
  • addremoveCertified Analyst
    Attend the Certified Analyst Lab to understand how machine data, powered by insightful human analysts, help answer the hard questions. This hands-on training will show you how to leverage prebuilt threat hunting to quickly and effectively identify threats and mitigate risks. You will also identify, track and profile threat actors on the dark web.
  • addremovePublic Sector – GeoPolitical Certified Analyst
    Special hands-on training where you will learn how to leverage Recorded Future to support your Geopolitical use-cases by understanding investigative techniques and tactics. Learn to apply prebuilt frameworks for investigations, how to effectively utilize location data for advanced searching, and gain insight into the usefulness of geographic locations and tagging.
  • addremoveCertified Architect (formerly Certified Engineer)
    Want to take your security program to the next level? Then you need to take data from various sources, bring it into a third-party tool, and analyze and compare the data to look for correlations. In this training, you’ll learn to connect our threat intelligence to your security appliances through hands-on sessions with our Connect API, a custom-built Linux instance, and pre-built Jupyter Notebooks.

Breakout Sessions

  • addremoveThreat Intelligence: The Driver to a Mature Risk Posture
    Fred Van Keirsbilck, Verizon Risk Report Evangelist, Verizon Business Group
    In this session, Fred Van Keirsbilck, Cyber Risk Monitoring Evangelist, will provide an overview of the evolution of risk assessment toward cyber risk scoring and how threat intelligence values cyber risk scoring assessments. Specifically, he’ll look at how Recorded Future provides the context needed to prioritize decisions around improving a company’s risk posture.

    Recorded Future and Verizon provide comprehensive risk assessments; this session will also show how Recorded Future increases confidence in analytics and risk scoring by enriching or correlating data across multiple vendors and solutions.

  • addremoveMaking Threat Intelligence SOAR
    Mike Dolan, Lead Information Security Analyst, UPMC
    Security orchestration, automation, and response (SOAR) platforms are increasing in popularity, but like any other tool, you must put in the time, effort, and planning to get the most out of it. In this session, Mike Dolan, who is lead information security analyst at the University of Pittsburgh Medical Center (UPMC), explores how the security operations center at UPMC uses Recorded Future to get the most out of their SOAR platform.

    Learn how UPMC integrates threat intelligence to help them block known bad and phishing campaigns at the firewall, automate remediation of leaked credentials, and share intelligence across security functions, and more.

  • addremoveBuilding a Comprehensive Security Approach With Recorded Future
    Dusan Vignjevic, Threat Intelligence Analyst, NCR
    Advancing any organization’s security maturity level takes building a proactive security program that relies on automation and integrates threat intelligence across security functions.

    In this session, Dusan Vignjevic, who is the lead threat intelligence analyst at the NCR Corporation, will cover how to build effective security integrations with Recorded Future data, threat intelligence research, and analysis to support real-time enrichment. Additionally, Vignjevic will discuss how he and his team break down actionable intelligence into operational and strategic priorities to improve their overall security posture.

  • addremove“What the Internet Can Tell You If You Listen Close Enough”.
    Nathan McKeldin, Director, Army OSINT Training and Certifications, Army Open Source Intelligence Office
    In this session, Nathan McKeldin, the director of U.S. Army OSINT Training and Certification, will examine how the transition to Web 2.0 led to an explosion of user-generated content and online interaction which changed the way the world communicates. This unprecedented amount of information gives intelligence analysts the ability to track events of geopolitical stability concerns, assess how near-peer states exercise elements of national power, and even identify specific security threats. He will also discuss how artificial intelligence is changing the web through natural language processing, data-mining, recommending engines, and automated image tagging technology — all of which will impact future OSINT analysis.
  • addremoveMonitoring DNS for Phishing
    Adam Pridgen, Information Security Investigator, Cisco System, Inc.
    Domain names are the heart and soul of the internet. In this session, Adam Pridgen, who is an information security investigator at Cisco Systems, will show how the team there has built a process around domain name monitoring to help identify and respond to phishing attacks leveraging brands that imitate their own and identify any domains that are registered outside of their IT policy.

    Through this lens, the session will explore how others can use Recorded Future alerts on domain names to reduce their potential security risk and respond to threats and provide an overview on how to create a similar program in any organization.

  • addremoveToward a Threat Intelligence-Led Security Program
    Dave Ockwell-Jenner, Senior Manager, STORM, SITA
    Threat intelligence has the potential to transform how we think about security programs. Many traditional security programs are focused on compliance, maturity models, and addressing threats as they present themselves, like a game of whack-a-mole.

    In this session, Dave Ockwell-Jenner, senior manager of STORM at SITA, will reimagine the traditional security program by placing threat intelligence at its heart and exploring how the context it provides can allow security teams to properly distribute their limited resources to address the real threats they actually face. This includes the concept of an “intelligence-influenced investment” — essentially, using threat intelligence to help make more informed decisions for a security program.

  • addremoveRecorded Future and the MITRE ATT&CK Framework
    Mike Price, Senior Consultant, Nationwide Mutual Insurance
    MITRE’s Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK™) is a curated knowledge base and model for cyber adversary behavior, reflecting the various phases of an adversary’s lifecycle and the platforms they are known to target. The ATT&CK framework is useful for understanding security risk against known adversary behavior, for planning security improvements, and for verifying that defenses work as expected.

    The problem is, these types of conclusions would take human analysts weeks to research, analyze, and report. In this session, Mike Price, threat intelligence lead at Nationwide Mutual Insurance, will explore how Recorded Future can inform MITRE ATT&CK initiatives and significantly cut down the time it takes to research.

  • addremoveSynergy of Intelligence in Threat Hunting and Incident Response
    Adrian Cheek, Threat Hunting & Threat Intelligence Lead, Deloitte
    In this session, Adrian Cheek, threat hunting and threat intelligence lead at Deloitte, examines how the team at Deloitte has integrated threat intelligence into their incident response and threat hunting efforts. This includes some of the internal processes that merge the two teams under one common goal and what kind of “packages” are supplied to the hunting teams.

    The presentation will include recent examples of how intelligence has added value to hunts, allowing the team to concentrate on specific areas of inquiry, look at how the two teams combine during an incident response engagement and show how intelligence plays a crucial role during those initial few minutes and hours of an incident.

  • addremoveWhat to Do When Nation-States Attack Corporations
    Espen Agnalt Johansen, Ops&SecMngr, Visma Software International
    In August 2018, Visma suffered a cyberattack that evidence suggests was part of a sustained cyberespionage campaign perpetrated by a Chinese nation-state threat actor. Since then, Visma has chosen to go public about this case and share all the details of this incident.

    In this session, Espen Agnalt Johansen, the operations and security manager at Visma, will bring this story to life and offer an inside view on an advanced use of threat intelligence to identify threat actor tactics, techniques, and procedures, helping to counter attacks and shift shame from the victim to the perpetrator.

  • addremoveAutomated vs Human Intelligence Analysis — Detective Work on the Digital World
    Miguel Penaranda, Deputy Chief Information Officer,State of South Dakota
    This session will cover a true-crime story where tracking a single IP number led to the discovery of a multi-million dollar scam and ended with arrests at a national level. Miguel Penaranda, a cyber intelligence analyst for the State of South Dakota, will show how he and his colleagues used Recorded Future and other solutions to get intelligence on suspected entities, performed log analysis through millions of lines, studied patterns, geo-located IPs, and put it all together.
  • addremoveUsing Threat Intelligence to Prioritize Vulnerability Information Handling
    Junichi Sumimoto, Senior Research Engineer, Nippon Telegraph And Telephone Corporation
    As the number of published vulnerability information becomes larger and larger every year, the workload of vulnerability information handling grows as well, making it paramount for vulnerability management teams to prioritize this information efficiently. But traditional models like the Common Vulnerability Scoring System (CVSS), which does not usually take into account individual environmental factors, are limited in their effectiveness.

    In this session, Junichi Sumimoto, senior research engineer at Nippon Telegraph and Telephone Corporation, will explore how threat intelligence can aid in vulnerability management. The team made a case study based on reports of real incident cases to determine whether Recorded Future provided high risk score in advance of an exploit’s reported date or at the early days of the exploitation observation period — and the results of the study suggest that using threat intelligence is effective for prioritization of vulnerability information handling.

  • addremoveAutomagical Research to Analysis: The Hype of Automation Versus Human Analysis in Threat Intelligence
    Larci Robertson, Senior Manager, Cyber Threat Intelligence, Epsilon
    Automated systems will reduce many of the burdens weighing on understaffed security teams that struggle to recruit enough skilled workers — if implemented appropriately. While automation is a tool that can save in manpower, better predict behaviors, and execute defensive actions faster (among other uses), it doesn’t get to the bottom of what it is that is being targeted nor who is doing the targeting as well as a motive.

    In this session, Larci Robertson, senior manager of cyber threat intelligence at Epsilon, will explore what aspects of a threat intelligence program cannot (or should not) be automated and make the case for the critical thinking and intuitive, big-picture analysis that only human analysts can accomplish.

  • addremoveMalware Analysis of Dropper Files
    Jeff Barto, Senior Security Engineer, Hedge Fund
    Microsoft Office files remain one of the most common vectors for malware attacks. In this session, Jeff Barto, senior security engineer, will provide insight into malicious Office files that are used to download and run malware. He’ll show how dropper analysis can be enhanced using threat intelligence from Recorded Future, including the gathering of data, correlation, identification of signatures, and attribution to a known campaign. He will also review common methods of obfuscation, including examples of VBA and Powershell, and show how the dropper code works.