xorl %eax, %eax

Archive for the ‘conferences/trainings’ Category

OSAC NL Chapter: Cyber Threat Briefing

leave a comment »

Recently (February 2021) a colleague of mine and the Diplomatic Security Service with U.S. Embassy of the Hague gave me the opportunity to present at the Overseas Security Advisory Council (OSAC), Netherlands chapter. My presentation was titled “Cyber Threat Briefing: A look at 2020 and assessing the near future” and although I cannot share the slides of my talk, I’ll do my best to go through the experience of presenting at OSAC.

First of all, the OSAC-NL/U.S. Embassy of the Hague team were incredible and I want to thank them for all their feedback, help, and support. Having said that, my presentation was structured as follows:

  • Cyber domain trends
  • Cyber-actors activities related to EU and the Netherlands
    • Hacktivism
    • Cyber-crime
    • Cyber-espionage
  • Case studies from 2020
  • Cyber threat forecast for 2021

I really enjoyed the engagement with the participants of the event but more importantly, the openness even for controversial subjects to be heard in a U.S. government sponsored event such as how specific cyber operations of the the U.S. government and/or the FIVE EYES can have negative impact (e.g. collateral damage, retaliation) to private sector entities.

Overall, it was an event where I got the vibe that all participants deeply cared on how to protect their organizations, with all the potential political aspects completely removed. It was a great event and an honor to be part of it. I hope to be able to participate in more of them in the future.

Written by xorl

April 27, 2021 at 11:01

BSidesBUD 2020: A gentle introduction to building a threat intelligence team

leave a comment »

I just I realized that I never shared any summary of that conference talk I did in 2020, so here it is… This is a talk I gave at BSides Budapest in Hungary (AKA BSidesBUD). My talk was titled “A gentle introduction to building a threat intelligence team” and you can find the slides here.

The event had some really great talks and it was an honor to be part of it. The talks weren’t recorded but you can get an idea from the agenda. They were covering a wide spectrum of topics. Unfortunately, the slides without the context aren’t that useful, but it’s better than nothing. So, please check them out and reach out if you have any feedback.

Typically, when I build threat intelligence training programs the content I covered in those slides is broken down to 1-2 full days to go through them in sufficient depth. However, in this event the aim was to give a quick overview of what are the necessary building blocks and some theory required to build an effective threat intelligence team.

Big thanks to the BSidesBUD team!

Written by xorl

April 22, 2021 at 21:48

BSides Athens 2020: Threat Landscape: Greece

leave a comment »

In June 2020 I got the opportunity to present at BSides Athens for the first time. As you can see in the agenda, the event had a wide variety of topics ranging from security engineering, to exploitation, case studies, and others.

In my case, I decided to do something to help me better understand what threats my home country is dealing with. So, I spent a few weekends in a period of 2-3 months to study this topic and the outcome was the presentation I did for that conference. You can find the slide deck here.

Of course, the slides themselves are not that useful since they lack the required context. However, BSides Athens recorded all the sessions and made them available through YouTube. This means that you can watch my talk here.

It’s always an honor being able to use your knowledge to give back something to your home country and hopefully that threat landscape provided some insights into the cyber threats that Greece had been dealing with and what this means for the future.

Now that we are almost a year after this presentation, it’s an excellent time to revisit some of the assessments that I made in the final section of the talk, and whether or not those actually reflect what’s happening.

  • In hacktivism my assessment was a medium risk of geopolitically motivated hacktivism movements with low sophistication (DDoS and website defacements) mainly from Turkish threat actorts due to the tensions in East Mediterranean region. This unfortunately was proven true with several such cases during August 2020, others in September 2020, and continuing to this day, clearly following geopolitical tensions between Greece and Turkey. This was reflected also at PwC’s “Cyber Threats 2020: A Year in Retrospective” report from December 2020.
  • Regarding cyber-crime I had assessed that there is medium risk mainly from non-targeted/commodity malware with the domestic activity being mainly around scams. As we can see in the news Greece was involved in some high-profile cyber-crime cases but not targeting Greece. In October 2020 the Hellenic Bank Association (HBA) issued a warning for increase of tech support scams in Greece.
  • Finally, on cyber-espionage due to the continuously increased tensions in East Mediterranean region I was assessing that there is a high risk of cyber-espionage operations mainly from Turkey, Russia, FIVE EYES and China targeting government entities but also specific industries such as telcos. Publicly available attribution is usually non-existent for those types of operations but in October 2020 one of the biggest telcos of Greece responded to a cyber-espionage operation, on September 2020 there were reports on APT35 (although allegedly with tasking from Turkish liaison officers) compromising personal accounts of Greek Navy officers, and even more recently, in March 2021 several Greek journalists started receiving a nation-state attack warning from Google Security that some government actor is trying to infiltrate in their accounts. If you have access to premium threat intelligence reporting it’s easy to validate my other assessments for cyber-espionage too but I was unable to find any public reports to attach here.

In conclusion, one side of me is happy that my threat landscape was quite accurate in the future assessment section, but on the other side I’d wished that none of that would have happened. In any case, I’d like to thank the BSides Athens team once again for giving me this opportunity and I’m looking forward to dive more into some of those specific threats against my home country in the future.

Written by xorl

April 2, 2021 at 16:22

HUMINT in the age of cyber

leave a comment »

For the last few years I have been spending significant amount of time learning, researching, and evaluating different intelligence disciplines for use in the cyber/online domain. One of them was Human Intelligence (HUMINT), and no I don’t mean social engineering, more like adapting traditional HUMINT for cyber intelligence operations. At some point in 2020 I got the opportunity to present some of my findings from this research in a private conference event.

There are many TTPs from traditional HUMINT tradecraft that can be used equally effectively in online intelligence collection operations. I cannot publicly share this slide deck but here is a rough overview of the topics I talked about in that private conference from 2020:

  • Definitions/terminology
  • HUMINT examples as a cyber collector and as a cyber defender
  • Preparation (cover story, infrastructure, OPSEC measures)
  • Deep dive in the two main HUMINT collection approaches
    • Elicitation
    • Recruitment
  • Frameworks – theory & practice
  • How to select your approach
  • Key takeaways

Although I cannot share the content, I can share the some important recommendations in case you are performing, or you are interested, in online HUMINT.

  • Your security is the first priority. Remember that you are dealing with either criminals or intelligence professionals.
  • Don’t limit yourselves in any framework, use them as guidelines.
  • Humans change, don’t assume what you used in the past will still work in the future. Do your assessment.
  • Know (and set) your limits. It’s easy to end up doing criminal activities if you don’t.
  • If you are doing that professionally, make sure you have all required legal sign-offs before starting.

In case you want to get this one step further and perform Information Operations (IO) by exploiting the human nature, I highly recommend you to check out this leaked slide deck from GCHQ’s Human Science Operations Cell (HSOC) which goes through the Online Covert Action Accreditation (OCAA) program the Joint Threat Research Intelligence Group (JTRIG) was setting up in 2012-2013. It covers:

  • Introduction to online HUMINT
  • Introduction to online Influence & Information Operations
  • Introduction to Computer Network Attacks (CNA) & Disruption operations

A video presentation of it is available here. It’s slightly outdated, but it has some really good foundations.

Written by xorl

April 1, 2021 at 16:47

PrivSec Global: Mastering the use of Cyber Threat Intelligence

leave a comment »

A couple of months ago I received an invitation to speak at a panel discussion in PrivSec Global 2021, and I accepted it. The panel’s topic was “Mastering the use of Cyber Threat Intelligence” and it was comprised by the following people. It was a great experience for me as a speaker and I hope that it was equally pleasant for all the attendees too.


I really liked the fact that although we didn’t have any prior alignment on our answers, we all had a very similar perspective on what are the key areas for a successful Cyber Threat Intelligence (CTI) program, what CTI is and the value it brings to a business, and what are the pitfalls to be careful of if you are starting your journey now. Most importantly, none of us was focusing on specific products or vendors but on the core components of what’s needed to build an effective CTI team.

Of course, with six people in a panel the time we had for answering was carefully tracked and followed which means that many of our answers were not going into all the details and process as a presentation would. Nevertheless, if you were one of the several hundreds of people that attended PrivSec Global 2021 and have questions about my answers in this session, please let me know. I’d be more than happy to answer them.

On a final note, I’d like to thank Rosie F., Ruki R., and my co-speakers from this panel for this opportunity to participate in this event, and share some of my views on CTI programs with leaders of the industry.

Written by xorl

March 30, 2021 at 14:28