Mastering Security With Intelligence

Recorded Future customers, partners, and threat intelligence experts will congregate for over two days of education, networking, and fun at the seventh annual Recorded Future User Network (RFUN) conference. This year’s theme is “Mastering Security With Intelligence.”

Threat intelligence is an integral part of every security program. From valuable context for alert triage to real-time exploit data for patch prioritization, threat intelligence empowers teams to make better decisions faster. Attend the industry’s premier conference to up your game in threat intelligence. Whether you are new to threat intelligence or an industry veteran, this conference has something for you. To learn more about some of the topics we discussed last year, read the recap.

Why Attend?

Expand your knowledge of threat intelligence. RFUN brings together speakers from many industries and experiences. Whether you’re just starting your threat intelligence capability or looking to mature it, RFUN has something for you.

Network with fellow Recorded Future customers. Learn how other customers are implementing threat intelligence at their organizations. Meet like-minded security professionals in your role, industry, or geography.

Maximize your usage of Recorded Future. Get the most out of how you use Recorded Future with in-depth trainings led by our experts. Learn about the latest features and come home knowing how to use them in your organization.


At RFUN you’ll hear from a wide variety of speakers, including industry luminaries, peers, and Recorded Future experts. Our featured speakers include:

Geoff Brown

Geoff Brown


Geoffrey Brown was appointed chief information security officer for the City of New York in 2016, a position focused on cybersecurity and aggregate information risk for over 100 NYC departments and agencies.

Alexander Schlager

Alexander Schlager


Alexander Schlager leads Verizon’s Security Services product organization. His background in computer sciences, telecommunications, and business administration enabled him to cover a wide range of disciplines in ICT.


The conference will consist of a mix of main stage speakers and interactive breakout sessions. The breakout sessions will allow attendees to explore topics of particular interest to them, based on role, industry, use cases, and more.

RFUN 2018 Agenda

Breakout Sessions

Breakout sessions feature presentations by Recorded Future customers and our own internal experts. Topics include how to get value from integrations, strategies for prioritizing vulnerabilities, content specific to public sector, and more. A sample of the planned breakout presentations is featured below.

Tuesday, October 23th

2:30 PM – 3:15 PM

How can Recorded Future indicators correlate and enrich security operations within Splunk? In this talk, Rich Dube, professional services delivery manager at Recorded Future, will look at different techniques to increase the productivity of threat intelligence solutions you already use, including how to correlate against data sources, enrich and prioritize investigation and remediation, and perform retrospective analysis indicators against old events.

Specifically, the presentation will touch on the integration of indicators into the Splunk Enterprise Security Threat Intelligence Framework, using the Splunk Explorer to build new dashboards, how to tune searches in Enterprise Splunk and connected applications, and more.

What are the fundamental elements and best practices that go into developing an effective cyber threat intelligence program? In this talk, AJ Nash, the senior manager of cyber threat intelligence at Symantec, will outline the fundamentals of threat intelligence, including sources and methods, tools, personnel, best practices, and how to operationalize threat intelligence.

Kyle McGroarty, Threat Intelligence Consultant, Recorded Future

The terms artificial intelligence and machine learning have become pervasive in today’s intelligence analysis tradecraft discussions, but there’s still confusion around what they can do for analysts. In this talk, Nathan McKeldin, OSINT subject matter expert for the United States Army, will provide an overview of the capabilities, limitations, and applications for artificial intelligence and machine learning for intelligence analysis.

This will include looks at machine-aided analysis through natural language processing and neural network machine translation engines; automated search, discovery, and retrieval processes; keywords lists versus ontological hierarchies of related entities; and anticipatory analysis through contextual and pattern-matching algorithms — as well as some of the challenges of trusting the results of algorithmic deductions that may be drawn from biased or incomplete data.

3:15 PM - 4:00 PM

Basing your cybersecurity posture on unpredictable scenarios, like who might attack your organization’s network and when, can be unnerving. In this talk, Danika Blessman and Jeannette Dickens-Hale, senior threat intelligence analysts at NTT Security, will discuss the relevance of geopolitical analysis to improving your security team’s predictive powers and moving from a reactive to a more proactive security posture.

Using real-world examples such as the current situation with North Korea and the United States’ trade wars with China, the presentation will show how studying the geopolitical climate will always be relevant in a threat assessment for any organization, regardless of size or industry.

Industrial control systems run infrastructure that directly impacts the lives of countless people around the world. In this talk, Sergio Caltagirone, the director of threat intelligence at Dragos, will detail the threat intelligence approach the team at Dragos takes in developing the world's only dedicated industrial control threat hunting and intelligence program working against adversaries that threaten lives worldwide.

He will highlight the threats and adversaries involved, discuss the difficulty in protecting these high-risk environments, and illustrate the usefulness of integrating Recorded Future into the process.

Recorded Future has many uses beyond just integrations into SIEM products. In this talk, Justin Grosfelt, senior solutions architect at Recorded Future, presents a scenario in which a security operations program is designed from the start to utilize Recorded Future across the entire work stream.

The presentation will demonstrate how Recorded Future can speed up, add additional context to, and automate a great number of workflows that various cybersecurity teams currently engage in.

China’s One Belt and Road Initiative aims to link China to European markets through a land-based Silk Economic Belt and sea-based Maritime Silk Road. In this talk, Recorded Future’s own Scott Donnelly, Chris Kash, Priscilla Moriuchi, and David Peduto will discuss the history and implications of China’s efforts to create a modern-day Silk Road.

By traversing and encircling the “axial supercontinent” that is Eurasia, the Belt and Road Initiative is a central element in China’s effort to both adapt to and guide global economic development.

4:30 PM – 5:15 PM

Matt Kodama, Vice President Product, Recorded Future

This session will describe how security testers can integrate Recorded Future into the penetration testing process flow. It will review phases from a standard penetration testing execution framework such as PTES and provide real-life examples as to how security testers can leverage Recorded Future to obtain valuable output for each phase during the testing process.

Cybersecurity professionals are always on the lookout for intentional exfiltration, but what about accidental leakage? In this talk, Zachary Hinkel, global cyber threat manager at the law firm Hogan Lovells, will show how Recorded Future can be used to baseline company trends in order to detect outliers that need to be investigated. He will then look at some uncommon examples of how credentials and data can leak out of networks.

How can law enforcement take information provided from the private sector and generate a criminal case? In this talk, Christian Bell, a special agent for the Homeland Security Investigations branch of the Department of Homeland Security, will discuss how criminal cases for law enforcement can be generated using reporting initially provided by Recorded Future and further researched by law enforcement using open source information, focusing on a real-world example.

Wednesday, October 24

9:00 AM – 9:45 AM

Many security vendors offer a daily intelligence report including the latest news in the information security industry — using Recorded Future, it’s possible to automatically generate a similar report in-house. In this talk, Zakary Baumann, an information security analyst at the financial services organization TIAA, will discuss how to use Recorded Future’s sources and some additional customizations to disseminate a custom, daily intelligence report to internal employees for security awareness.

The presentation will also cover other top use cases for Recorded Future, including integrating Recorded Future alerts into your SIEM, detecting insider threats and intellectual property theft, and monitoring domain registrations for brand abuse.

Large or small, all companies rely on indicators of compromise to detect potential incidents or stop an attack against their organization — but not all indicators are created equal. In this talk, Adrian Porcescu, professional services manager for EMEA countries at Recorded Future, will look at different types of indicators and the impact they have on the performance of cybersecurity teams.

Because of a mix of associated attributes like the source, method of identification, context, and risk, each indicator is unique, but not every indicator is suitable for each course of action. The focus will be on how to optimize the use of indicators, helping analysts and content developers understand how to turn a bad indicator into a good one.

Threat intelligence can and should be integrated into any current cybersecurity infrastructure, regardless of industry. In this talk, Darian Lewis, Amanda Fennell, and Jerry Finley of Relativity, an e-discovery software provider, will look at how Recorded Future and other threat intelligence is integrated into and makes up a core component of their security workflows and processes.

Creating finished, standardized intelligence is often a necessity for threat intelligence teams. In this talk, David Carver, a threat intelligence analyst at Recorded Future, will discuss some best practices for creating effective reports to pass on threat intelligence to the people who can take action on it.

Whether it’s quick summaries or more complex pieces that can inform policy at a higher level, standardizing finished intelligence starts with well-defined intelligence requirements, and also includes a healthy curiosity on the part of the writers, an attention to detail, and an awareness of the intended audience’s needs.

10:00 AM – 10:45 AM

A good risk scoring system gives you actionable intelligence: It tells you both what you should pay attention to and why you should care. In this talk, Staffan Truvé and Kristy Simmons of Recorded Future will look at how risk scores are determined in-house, including how the rules are designed, ontologies are created and sorted, and overall risk levels are assigned.

Recorded Future processes a vast amount of data in real time — distilling that information into a quickly interpretable score takes thinking about what factors go into individual risk rules and how to combine them to make a broad but still informative picture of the risk-related content associated with an entity.

In particular, the presentation will explore how Recorded Future has lately significantly improved its company risk scoring by creating a database of over one hundred thousand curated, ontology-rich companies to create a deep precedent for researchers to draw on.

Two of the great challenges in security operations is actioning on threat intelligence and simplifying workflow and alerting operations to reduce the need on staffing. An Automation and Orchestration tool can reduce your staffing needs, create consistency in workflows and, with the use of threat intelligence, add contextual data which can quickly be consumed, acted on, and remediated at speeds that analysts watching screens cannot do. This is disruptive in the way robots disrupted the assembly line.

Open source threat reports are often taken at face value, and indicators are loaded into tool sets without assessing the value of the intelligence. In this talk, Daniel Garcia, a threat hunting analyst at Royal Dutch Shell, will look at what actionable intelligence means for an organization, how to assess information to produce good intelligence, what endpoint indicators are of the highest value, and some threat hunting best practices based on the intelligence your organization produces.

One of the key functions of threat intelligence is to facilitate the creation of actionable and easy-to-understand reports that get seen by the right people. In this talk, Storm Swendsboe, manager of analyst services at Recorded Future, will focus on what it takes to write intelligence with a purpose.

The presentation will cover scoping requests and projects, how to understand the needs of the intended audience for a particular cycle of threat intelligence development, and the most effective ways to present information in order to achieve the goals of intelligence requirements.

11:15 AM – 12:00 PM

Exploited software vulnerabilities account for 90 percent of reported security incidents, but vulnerability management within in an organization, especially a large one, can be difficult. In this talk, Ryan Miller, cyber threat intelligence manager at Target, will discuss how dedicated intelligence support can help identify, track, and prioritize vulnerabilities and assist vulnerability management teams get ahead of critical exploitable vulnerabilities.

The presentation will touch on basic intelligence tasks and functions that help directly support vulnerability management teams to prioritize, expedite, and understand the true risks posed by vulnerabilities.

Recorded Future has a wide range of DNS intelligence, much of it untapped by clients. In this talk, Allan Liska, the senior solutions architect at Recorded Future, will demonstrate how to use Recorded Future's DNS threat intelligence to improve an organization's security in four ways: By building RPZ blacklists using very malicious, punycode, and newly registered domains; by monitoring for new domains that may be used in phishing campaigns against your organization or your customers; by tagging domains using fastflux DNS for command and control purposes, and by tying malicious domains to malware and attack groups to build out the full picture of a threat.

Matt Kodama, Vice President of Product, Recorded Future

How can Recorded Future be used to identify the intent of threat actors to instigate violent conflict? In this talk, Eduardo Albrecht and Christopher Mahony, who work in the International Relations Program at Mercy College, will discuss their work identifying the specific forms of language that influential social, economic, security, and political actors use in Kenya that is associated with onset of violent conflict in the country.

Using Recorded Future sentiment scores, the two have created an application that automatically assesses violent conflict risk based on evidence of language configurations obtained using data science and ethnographic methodologies.

Training Sessions

Sharpen your product skills with training sessions led by Recorded Future experts. In these hands-on training workshops, you'll learn the skills for expanding your threat intelligence knowledge and maximizing your use of Recorded Future.

Wednesday, October 24th

1:00 PM - 2:00 PM

Quick IOC lookups aren't the only thing you can do with Intelligence Cards. In this module, we'll explore how to gain context through quick pivots, dive deeper into OMNI Extensions, and look at how to compile entities in lists.

Learn to use Recorded Future visualizations to emphasize data points and highlight important findings. Visualizations can demonstrate different elements of sources, entities, and events in easily understood formats.

Do you know there are five different ways to find a location in Recorded Future? Analysts taking this course will see how locations are used in Recorded Future and gain proficiency in using locations in a variety of geopolitical and cyber queries.

2:00 PM - 2:15 PM


2:15 PM - 3:30 PM

Did you know vulnerabilities are generally reported seven days before appearing in the National Vulnerability Database? And CVSS scores can be delayed even longer. In this module, analysts will learn how to identify vulnerabilities disclosed prior to NVD, monitor vulnerabilities for exploitation, and find signs of weaponization of exploits.

In this module, analysts will learn how to begin using threat intelligence to seed threat hunting activities, from identifying leaked sensitive data and credentials to identifying exposed exploit proofs of concept.

Almost all intelligence teams are required to provide reporting to leadership and other security teams. In this module, we will cover the creation of a daily digest using Recorded Future analyst notes and pre-configured alerts, making these daily reports easy.

In this module, we explore the underground economy of criminal actors, including considerations of access, how to track personas and actor behavior, and how to identifying actors through timing on forum posts. We will also analyze use cases such as Islamic hackers, failed ransomware groups, and criminal forum actors.

Fusion is the easiest and fastest way to automate your data streams, creating trusted threat feeds that can be directly ingested by various security appliances for tasks like automated blocking, file inspection, and more. We will work together to add files and create new Fusion flows for your environment.

3:30 PM - 3:45 PM


3:45 PM - 5:00 PM

In this module, analysts dive deeper into threat hunting by learning to seed threat hunting activities, including malware sandbox submissions, non-distributing scanners, and the identification of exploit code exposed in public code repositories.

Much requested, this workshop focuses on cleaning up alerts. Analysts will be given poorly configured alerts and work to filter noise and identify valuable data, sharing best practices along the way.

Think you could be using Recorded Future's data in more places? You're probably right. In this workshop, we'll explore use cases where you can integrate Recorded Future into EDR, network IDS/IPS, SIEMs, and more.

In this session, Levi Gundert, Recorded Future's vice president of intelligence strategy, walks you through how threat intelligence value is measured today, and how you can use threat intelligence combined with trained estimation and Monte Carlo simulations to create a quantative measure of risk to your business.

Since the attack on Pearl Harbor, intelligence has focused on preventing strategic surprise: an attack so devastating that recovery is difficult to impossible. In this module, we explore the methods and techniques for conducting indications and warning intelligence with OSINT tools and data.


Interested in sponsoring RFUN? Contact [email protected] for more information.



The Wharf DC

Washington’s next great meeting place has finally arrived. The Wharf brings dazzling water views, hot new restaurants, year-round entertainment, and waterside style all together in one inspiring location. It’s the most exciting neighborhood in the history of the nation’s capital.

Beyond amazing restaurants and shops, The Wharf offers countless things to do and see — on and off the water. Take a stroll along the piers, or rent a kayak to paddle past some of D.C.’s most famous attractions. Discover more at


Special rates for RFUN attendees have been arranged at the following hotel:

InterContinental Washington D.C. - The Wharf
Address: 801 Wharf Street SW, Washington, DC 20024
Rate: $349 per night
Phone Reservation: Call 1-833-249-1029 and use group code RF1
Online Reservation: Recorded Future RFUN 2018

Hyatt House Washington D.C. / The Wharf
Address: 725 Wharf Street SW, Washington, D.C. 20024
Rate: $279 per night
Phone Reservation: Call 1-202-554-1234 and use group code G-RFUN
Online Reservation: Recorded Future RFUN 2018

Getting to the Wharf

Conveniently located seconds away from major thoroughfares, The Wharf is just a few blocks to public transit stops and a mere five miles from the Reagan National Airport. Getting to the Wharf is easy and effortless, so you can focus on enjoying your stay. Learn more at


Register before October 5 and receive $500 off the standard price:

  • $495 Early-Bird Price | June 15 to October 5, 2018
  • $995 Standard Price | October 6 to October 19, 2018

The conference registration package includes access to all sessions and evening events, as well as breakfast and lunch Tuesday and Wednesday.