Agenda

Tuesday, October 29th

9:00 AM – 5:00 PM RFUN Education and Hands-on Training Breakouts
6:00 PM – 8:00 PM Welcome Reception

Wednesday, October 30th

8:30 AM – 12:00 PM Opening General Session and Keynote
12:00 PM – 2:00 PM Lunch, Sponsor Event, Networking (Spy Museum)
2:00 PM – 5:30 PM Breakout Sessions
6:30 PM – 9:30 PM Networking Reception (Spy Museum)

Thursday, October 31st

8:30 AM – 12:00 PM Closing General Session and Keynote

Hands-On Training Breakouts:

Day One of Predict features four full-day hands-on training courses designed for both those new to Recorded Future as well as those with years of experience. Choose the one that is right for you:

  • Certified Architect (formerly Certified Engineer)
    Want to take your security program to the next level? Then you need to take data from various sources, bring it into a third-party tool, and analyze and compare the data to look for correlations. In this training, you’ll learn to connect our threat intelligence to your security appliances through hands-on sessions with our Connect API, a custom-built Linux instance, and pre-built Jupyter Notebooks.
  • Certified Analyst
    Attend the Certified Analyst Lab to understand how machine data, powered by insightful human analysts, help answer the hard questions. This hands-on training will show you how to leverage prebuilt threat hunting to quickly and effectively identify threats and mitigate risks. You will also identify, track and profile threat actors on the dark web.
  • Certified User
    New to Recorded Future or need a refresh on the basics? Learn about the essentials of using the Recorded Future Platform, browser extension, and Intelligence Cards. You will also gain an understanding of Recorded Future data, risk scores, and the Intelligence Goals Library.
  • Public Sector – GeoPolitical Certified Analyst
    Special hands-on training where you will learn how to leverage Recorded Future to support your Geopolitical use-cases by understanding investigative techniques and tactics. Learn to apply prebuilt frameworks for investigations, how to effectively utilize location data for advanced searching, and gain insight into the usefulness of geographic locations and tagging.

General Sessions

  • Back To the Future — Predictive Threat Intelligence
    Staffan Truve, Founder and Chief Technology Officer, Recorded Future
    Josefin Ondrus, Software Engineer, Recorded Future
    Recorded Future produces aggregated risk scores for entities like IP addresses, domains, and vulnerabilities. These scores are based on historical observations — but we believe we can also produce forward-looking predictive risk scores for these entities.

    Explore the techniques we use for our predictive analytics, including the data, machine learning algorithms, and production systems used to compute predictive risk scores in real time and at internet scale.

  • Fireside Chat: Hiring Diverse Teams and Creating a Culture of Intelligence Led Security
    Brett Wallace, Global Head of Attack Analysis & Cybersecurity, JP Morgan
    Christopher Ahlberg, CEO, Recorded Future
  • Global Strategic Intelligence and Decision Making: OSINT as a Component of Decision Sciences
    Craig Gruber, Associate VP, Northeastern University
    Admiral Paul Becker, Rear Admiral, US Navy
    Rear Admiral Becker (U.S. Navy, retired) and Lieutenant Commander Gruber (U.S. Navy) will draw on their extensive combined experience in the intelligence field to explore how the operational battlefield supports strategic-level decision-making and policy implementation. They will also examine the crucial need to place actionable intelligence — particularly open source intelligence (OSINT) — into the hands of decision-makers at every level, as rapidly as possible. In their estimation, transitioning operational intelligence into actionable policy and avoiding “paralysis by analysis” requires bridging the gap between analysts in security operations centers and leadership of all kinds.
    Rear Admiral Becker previously served as the Director of Intelligence (J2) for the United States Pacific Command (PACOM) and then the senior intelligence advisor to the Chairman of the Joint Chiefs of Staff. Lieutenant Commander Gruber’s experience in the intelligence field comes through a combination of military service and academia.

  • Learning From the Past: How Global Influence Operations Will Target the 2020 Election
    Priscilla Moriuchi, Director of Strategic Threat Development, Recorded Future
    The 2016 Presidential elections stand as an example of foreign influence operations in action. The countless reports and government investigations into Russian election interference have shown how digital media generally, and social media more specifically, can be used to divide and influence both the electorate and policy makers. As part of a large scale effort to improve our monitoring, detection, and countering of social media influence operations, Recorded Future’s Insikt Group conducted a historic retrospective analysis of global social media operations since 2015.
    This presentation details several of Insikt Group’s key findings, including emerging TTP among influence operations, new insights into systemic malign influencers, and our assessment regarding what the U.S. can expect during the 2020 election cycle.

  • What Breaches Teach Us
    Brian Krebs, American Journalist and Investigative Reporter
    The daily drumbeat of data spills, breaches, and thefts can foster breach fatigue, apathy, and cynicism among even the most hardy security professionals. What sets in is a suspicion that all our efforts are for naught, and that we are perpetually a step behind the bad guys.

    In truth, most of these incidents are not only preventable, but they take months or years to bubble up. This talk examines some of the more alarming trends in cybercrime today, and offers some perspectives on how businesses, consumers, and infosec pros can up their game in response.

  • Your Company’s Network Access Is King — Here’s How to Start a Revolution
    Levi Gundert, VP Threat Intelligence and Customer Success, Recorded Future
    Winnona DeSombre, Threat Intelligence Researcher, Recorded Future
    What do media company web server credentials, local law enforcement server access, and energy company documents all have in common? Adversary monetization. Explore the accelerating trend of global opportunistic compromises due to the evolving recognition that traditional pay-per-install (PPI) malware models are less profitable.

    PPI was a decade-long standard for malware monetization, but the advent of unauthorized access auctions on criminal forums has created new demand for access to your networks and data. This session reviews PPI mechanics and illuminates the past two years of intrusions that never made headlines. We discuss the most prevalent categories of successful initial intrusions and the key takeaways for operational defenders and security leaders alike. We’ll also offer valuable and prescriptive guidance on reducing risk from phishing, technology vulnerabilities, and third-party exposures.


Breakout Sessions

  • Automagical Research to Analysis: The Hype of Automation Versus Human Analysis in Threat Intelligence
    Larci Robertson, Senior Manager, Cyber Threat Intelligence, Epsilon
    Automated systems will reduce many of the burdens weighing on understaffed security teams that struggle to recruit enough skilled workers — if implemented appropriately. While automation is a tool that can save manpower, better predict behaviors, and execute defensive actions faster (among other uses), it doesn’t get to the bottom of what is being targeted, who is doing the targeting, or what the motive is.

    In this session, Larci Robertson, senior manager of cyber threat intelligence at Epsilon, will explore what aspects of a threat intelligence program cannot (or should not) be automated and make the case for the critical thinking and intuitive, big-picture analysis that only human analysts can accomplish.

  • Building a Comprehensive Security Approach With Recorded Future
    Dusan Vignjevic, Threat Intelligence Analyst, NCR
    Advancing any organization’s security maturity level takes building a proactive security program that relies on automation and integrates threat intelligence across security functions.

    In this session, Dusan Vignjevic, who is the lead threat intelligence analyst at the NCR Corporation, will cover how to build effective security integrations with Recorded Future data, threat intelligence research, and analysis to support real-time enrichment. Additionally, Vignjevic will discuss how he and his team break down actionable intelligence into operational and strategic priorities to improve their overall security posture.

  • “Countering Domestic Terrorism: Predict Threats from Extremist Forums”
    Staffan Truve, Founder & Chief Technical Officer, Recorded Future
    Chris Kash, Senior Intelligence Consultant, Intelligence Services, Recorded Future
    Sebastian Goslin, Data Science Intern, Recorded Future
    Recorded Future team members — Staffan Truve, Chris Kash, and Sebastian Goslin — will present the results of a project intended to identify emerging domestic terrorism threats. This effort will be accomplished by increasing Recorded Future’s collection from extremist forums, improving natural language processing and machine learning to determine author sentiment, and applying rule-based methodologies to assess risk.
  • “Data Structures and Risk Scores”
    Garth Griffin, Senior Director, Data Science, Recorded Future
    Kristy Simmons, Manager, Data Science Signals & Analytics, Recorded Future
    Learn more about the technical underpinnings of how Recorded Future does Data Science, including how we collect from all different kinds of web sources, how we mine high-volume technical data like Certificate Transparency Logs, and how we build a risk score. This talk will be most interesting for people who already have some level of familiarity with Recorded Future’s data and are interested in getting a deeper understanding of how our technology works.
  • Developing and Implementing PIRs in Recorded Future
    Maulik Limbachiya, Intelligence Consultant, Team Lead, Recorded Future
    Joe McInroy, Team Technical Lead, Intelligence Services, Recorded Future
    Priority Intelligence Requirements (PIRs) are essential for any security intelligence team. But developing these PIRs can be a daunting task. In this panel we are looking to shed light on identifying what a PIR is, how to develop intelligence requirements in Recorded Future, and how to implement that requirement using Recorded Future’s Alert API, a SIEM, or a SOAR platform. We will discuss topics ranging from prioritization methodologies to implementing workflows that will help you turn data points into actionable intelligence in Recorded Future.
  • “Don’t Call It a Comeback: The Resurgence of Ransomware and How to Knock It Out!”
    Allan Liska, Senior Security Architect, Recorded Future
    Late 2018 and 2019 have seen a resurgence in ransomware along with a change in the tactics of ransomware actors. This talk will look at how the ransomware landscape has changed, which ransomware families organizations need to be worried about and which are mostly hype, and how to use the Recorded Future Platform to track ransomware. This talk will also offer practical suggestions for protecting your organization against modern ransomware campaigns.
  • Eyes on Iran: Seeing What Others Don’t via Recorded Future
    David Peduto, Threat Intelligence Analyst
    There is more than meets the eye when it comes to the Islamic Republic of Iran. Much more. This briefing will demonstrate how Recorded Future can shed light on actions taken by the Iranian regime and its regional partners that fall beyond the purview of the public eye. Touching on the importance of Recorded Future’s natural language processing (NLP) capabilities, we’ll highlight consequential activities — transnational railroad construction, port development, etc. — that may otherwise be hidden to most non-Farsi speakers. This discussion will be less crystal ball and more magnifying glass.
  • Hunting for Data Leakage in Recorded Future
    Scott Lewandowski, Cyber Threat Hunter, American Express
    Recorded Future is known as a platform for threat intelligence, but it can also be used to great effect when hunting for data leakage within an organization. In this presentation, Scott Lewandowski, cyber threat hunter at American Express, will explore how threat hunting can be used to find data leaks by walking through a high-level hunt process using Recorded Future: forming a hypothesis, gathering data, setting up and vetting alerts, and then automating them for SOC consumption. He’ll also look at who leaks data and why, where to find leaks, and what steps to take to stop them.
  • Making Threat Intelligence SOAR
    Mike Dolan, Lead Information Security Analyst, UPMC
    Security orchestration, automation, and response (SOAR) platforms are increasing in popularity, but like any other tool, you must put in the time, effort, and planning to get the most out of it. In this session, Mike Dolan, who is lead information security analyst at the University of Pittsburgh Medical Center (UPMC), explores how the security operations center at UPMC uses Recorded Future to get the most out of their SOAR platform.

    Learn how UPMC integrates threat intelligence to help them block known bad and phishing campaigns at the firewall, automate remediation of leaked credentials, and share intelligence across security functions, and more.

  • Malware Analysis of Dropper Files
    Jeff Barto, Senior Security Engineer, Hedge Fund
    Microsoft Office files remain one of the most common vectors for malware attacks. In this session, Jeff Barto, senior security engineer, will provide insight into malicious Office files that are used to download and run malware. He’ll show how dropper analysis can be enhanced using threat intelligence from Recorded Future, including the gathering of data, correlation, identification of signatures, and attribution to a known campaign. He will also review common methods of obfuscation, including examples of VBA and PowerShell, and show how the dropper code works.
  • Monitoring DNS for Phishing
    Adam Pridgen, Information Security Investigator, Cisco Systems, Inc.
    Domain names are the heart and soul of the internet. In this session, Adam Pridgen, who is an information security investigator at Cisco Systems, will show how the team there has built a process around domain name monitoring to help identify and respond to phishing attacks leveraging brands that imitate their own and identify any domains that are registered outside of their IT policy.

    Through this lens, the session will explore how others can use Recorded Future alerts on domain names to reduce their potential security risk and respond to threats and provide an overview on how to create a similar program in any organization.

  • Recorded Future and the MITRE ATT&CK Framework
    Mike Price, Senior Consultant, Nationwide Mutual Insurance
    MITRE’s Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK™) is a curated knowledge base and model for cyber adversary behavior, reflecting the various phases of an adversary’s lifecycle and the platforms they are known to target. The ATT&CK framework is useful for understanding security risk against known adversary behavior, for planning security improvements, and for verifying that defenses work as expected.

    The problem is, these types of conclusions would take human analysts weeks to research, analyze, and report. In this session, Mike Price, threat intelligence lead at Nationwide Mutual Insurance, will explore how Recorded Future can inform MITRE ATT&CK initiatives and significantly cut down the time it takes to research.

  • Synergy of Intelligence in Threat Hunting and Incident Response
    Adrian Cheek, Threat Hunting & Threat Intelligence Lead, Deloitte
    In this session, Adrian Cheek, threat hunting and threat intelligence lead at Deloitte, examines how the team at Deloitte has integrated threat intelligence into their incident response and threat hunting efforts. This includes some of the internal processes that merge the two teams under one common goal and what kind of “packages” are supplied to the hunting teams.

    The presentation will include recent examples of how intelligence has added value to hunts, allowing the team to concentrate on specific areas of inquiry, look at how the two teams combine during an incident response engagement and show how intelligence plays a crucial role during those initial few minutes and hours of an incident.

  • Threat Intelligence: The Driver to a Mature Risk Posture
    Fred Van Keirsbilck, Verizon Risk Report Evangelist, Verizon Business Group
    In this session, Fred Van Keirsbilck, Cyber Risk Monitoring Evangelist, will provide an overview of the evolution of risk assessment toward cyber risk scoring and how threat intelligence values cyber risk scoring assessments. Specifically, he’ll look at how Recorded Future provides the context needed to prioritize decisions around improving a company’s risk posture.

    Recorded Future and Verizon provide comprehensive risk assessments; this session will also show how Recorded Future increases confidence in analytics and risk scoring by enriching or correlating data across multiple vendors and solutions.

  • Toward a Threat Intelligence-Led Security Program
    Dave Ockwell-Jenner, Senior Manager, STORM, SITA
    Threat intelligence has the potential to transform how we think about security programs. Many traditional security programs are focused on compliance, maturity models, and addressing threats as they present themselves, like a game of whack-a-mole.

    In this session, Dave Ockwell-Jenner, senior manager of STORM at SITA, will reimagine the traditional security program by placing threat intelligence at its heart and exploring how the context it provides can allow security teams to properly distribute their limited resources to address the real threats they actually face. This includes the concept of an “intelligence-influenced investment” — essentially, using threat intelligence to help make more informed decisions for a security program.

  • “Uncovering an Extensive Infrastructure Network for Iranian Threat Actor APT33”
    Recorded Future Analysts
    Earlier this year, Insikt Group uncovered an extensive infrastructure network comprising over 1,200 domains relating to 19 different RAT families strongly linked to Iranian Threat Actor APT33 activity.

    This presentation will demonstrate how the analysis pioneered the operational use of new Recorded Future Platform features such as Security Control Feeds and Network Traffic Analysis. We will also delve behind the scenes on the research revealing what was found, how the links to APT33 were made, how to detect and stop this activity, and what this activity implies in the broader geopolitical context given the rising tensions in the Middle East.

  • Using Threat Intelligence to Prioritize Vulnerability Information Handling
    Junichi Sumimoto, Senior Research Engineer, Nippon Telegraph And Telephone Corporation
    As the volume of published vulnerability information grows every year, the workload of vulnerability information handling grows as well, making it paramount for vulnerability management teams to prioritize this information efficiently. But traditional models like the Common Vulnerability Scoring System (CVSS), which does not usually take into account individual environmental factors, are limited in their effectiveness.

    In this session, Junichi Sumimoto, senior research engineer at Nippon Telegraph and Telephone Corporation, will explore how threat intelligence can aid in vulnerability management. The team made a case study based on reports of real incident cases to determine whether Recorded Future provided a high risk score in advance of an exploit’s reported date or in the early days of the exploitation observation period — and the results of the study suggest that using threat intelligence is effective for prioritization of vulnerability information handling.

  • “What the Internet Can Tell You If You Listen Close Enough”
    Nathan McKeldin, Director, Army OSINT Training and Certifications, Army Open Source Intelligence Office
    In this session, Nathan McKeldin, the director of U.S. Army OSINT Training and Certification, will examine how the transition to Web 2.0 led to an explosion of user-generated content and online interaction which changed the way the world communicates. This unprecedented amount of information gives intelligence analysts the ability to track events of geopolitical stability concerns, assess how near-peer states exercise elements of national power, and even identify specific security threats. He will also discuss how artificial intelligence is changing the web through natural language processing, data-mining, recommending engines, and automated image tagging technology — all of which will impact future OSINT analysis.
  • What to Do When Nation-States Attack Corporations
    Espen Agnalt Johansen, Ops&SecMngr, Visma Software International
    In August 2018, Visma suffered a cyberattack that evidence suggests was part of a sustained cyberespionage campaign perpetrated by a Chinese nation-state threat actor. Since then, Visma has chosen to go public about this case and share all the details of this incident.

    In this session, Espen Agnalt Johansen, the operations and security manager at Visma, will bring this story to life and offer an inside view on an advanced use of threat intelligence to identify threat actor tactics, techniques, and procedures, helping to counter attacks and shift shame from the victim to the perpetrator.