The following are selected presentations and events at which I’ve spoken.
SLEUTHCON 2023 - Crime, Uh, Finds A Way: The Evolution of Ecrime in a Post-Macro World
MAY 2023: Over the last year, the cybercriminal ecosystem has experienced a monumental shift in activity and threat behavior in a way researchers have not previously seen. (Almost like the DNA of ecrime actors has been engineered to respond to changes in their habitat.) This is driven by Microsoft blocking macros by default and forcing everyone along the threat actor food chain -- from the lamest skiddies to the most experienced cybercriminals that enable major ransomware attacks -- to change the way they conduct business. And new attack chains just keep hatching.
https://www.youtube.com/watch?v=Vjc4ZudRRqA&ab_channel=SLEUTHCON
MITRE ATT&CKCon 3.0 Keynote: Intelligence Failures of Lincoln’s Top Spies: What CTI Analysts Can Learn From the Civil War
MARCH 2022: At the onset of the Civil War, a man whose name would eventually become synonymous with famous American detectives was reportedly providing false reports to the Union’s top general. Allan Pinkerton, who once successfully smuggled Abraham Lincoln into Washington, D.C. to avoid a rumored assassination attempt before he was even sworn in as president, acted as General George McClellan’s top intelligence officer. He was considered one of the best spymasters in the United States, responsible for effectively founding the nation’s first secret service.
In this piece, we’ll dive into some major intelligence reporting failures that dogged the renowned spymaster, how effective and concise intelligence reporting can change the course of history, and how the MITRE ATT&CK framework can help streamline and effectively communicate actionable threat intelligence.
https://www.youtube.com/watch?v=07eaF2RVxK0&ab_channel=mitrecorp
Blog: https://medium.com/mitre-attack/intelligence-failures-of-lincolns-top-spies-what-cti-analysts-can-learn-from-the-civil-war-35be8d12884
What Cyber Threat Intelligence Analysts Can Learn From Sherlock Holmes — Virus Bulletin
OCTOBER 2021: In 1887, Sir Arthur Conan Doyle introduced readers to Sherlock Holmes. The brilliant, arrogant, and cocaine-addicted consulting detective became one of the best-beloved characters in literary history. Holmes' unbelievable adventures, reported by his trusty sidekick Doctor John Watson, introduced Victorian popular culture to the capabilities of forensic science and analytical techniques that would become the foundations of modern detecting. And these can be applied to cyber threat intelligence, too.
https://vblocalhost.com/uploads/VB2021-Larson.pdf
Writing Like a Journalist to Produce Clear, Concise Reports — SANS, Online
JANUARY 2021: One of the key tenets of journalism is to write for the masses. No one will read your reporting if they do not understand it. We are told in journalism school to write for an eighth-grade reading level -- not because we think people who read the news are uneducated, but because the easier something is to read and comprehend, the more people will read it. The same thing applies to threat intelligence. Threat intelligence reporting is only useful if people read, comprehend, and take action on it. Because threat intelligence can be distributed and operationalized across an entire organization, from SOC analysts to the C-suite, it should be written for a broad audience. In this talk, I will take applications of journalism -- like the Inverted Pyramid style of news reporting, the importance of a nutgraf, and killing passive voice -- to show attendees how to craft clear, concise, and actionable threat intelligence reports. Attendees will learn a new process and style for effective writing and reporting that everyone at the organization can benefit from.
https://www.youtube.com/watch?v=gqsE2coucjg&ab_channel=SANSDigitalForensicsandIncidentResponse
ICS OSINT: An Attacker’s Perspective — RSA Conference San Francisco
MARCH 2020: Co-presentation with Dragos Director of Threat Intelligence Amy Bejtlich discussing open source intelligence gathering and defense against its operationalization.
https://www.rsaconference.com/industry-topics/presentation/ics-osint-an-attackers-perspective
Understanding Our Adversaries: Using Threat Intelligence To Protect Energy Infrastructure — S4 Conference Miami
JANUARY 2020: Co-presentation with a Dragos customer discussing the challenges and path to progress in understanding ICS-targeting adversaries and, more importantly, how to use this understanding in a security program and a risk management program.
https://www.youtube.com/watch?v=O_pl3lWxPu0&feature=youtu.be
Keynote: The Nexus Between IT & OT Threat Intelligence — Virus Bulletin, TIPS
OCTOBER 2019: Keynote speaker for the Cyber Threat Alliance Threat Intelligence Practitioners Summit at Virus Bulletin on how ICS threat intelligence differentiates itself from traditional cyber threat intelligence in the enterprise.
https://www.youtube.com/watch?v=Bx9V6r2YRH4
Debunking the Hacker Hype: The Reality of Widespread Blackouts — RSA Conference San Francisco
FEBRUARY 2020: Discussed the reality of adversary activity and the potential or likelihood of a cyberattack that could disrupt the electric grid, and separated fact from fiction.