OMEGA HALL | Moderator: Mr. Oskars Priede |
11:00 - 11:30 |
The emerging threat landscape - How intelligence reduces risk, Mr. Richard LaTulip (Recorded Future, UK)
Conversation about the emerging threat landscape and how intelligence reduces
risk.
|
11:30 - 12:00 |
Open, Composable, Unstoppable: The Next Gen of Threat
Hunting, Mr. Matthias Vallentin (Tenzir, DE)
This talk advocates for an open and composable data stack as the foundation for
the next generation of security architectures, specifically targeting detection
engineering, threat hunting, and incident response. In an industry plagued by
fragmented point solutions, there is an urgent need for a more sustainable and
flexible approach to system architecture.
The presentation begins by examining the current landscape, highlighting the challenges and limitations of existing methods. It then introduces a modular, open-standards-based framework that fosters interoperability across the security ecosystem. At a technical level, the talk explores opportunities for standardization across various abstraction layers, including data storage, log/event encoding, schema normalization, and the representation of detections, threat intelligence, and analytics. The goal is to demonstrate how a modular, interoperable stack can effectively support and enhance critical operational security functions. |
12:00 - 12:30 |
CTI from the Underground: harness cybercrime intelligence to defend your organization and investigate threat actors, Ms. Irina Nesterovsky (KELA)
Join us for a comprehensive session on the importance of incorporating
cybercrime intelligence into your CTI or threat hunting toolset. Learn about the
latest cyber threats emerging from the cybercrime underground and how to
effectively gather and translate this intelligence into actionable insights.
This presentation will cover the key areas where cybercriminals operate, the
methods they use, and how to hunt them. Gain the knowledge and tools necessary
to investigate and mitigate these threats, ensuring your organization's defense
against evolving cyber risks.
|
12:30 - 13:30 |
Lunch |
13:30 - 15:00 |
NATO - from Information Sharing to integrated Cyber
Defence
Moderator: Mr. Rolands Heniņš (NCSC, LV) Panelists: Dr. Mart Noorma (NATO CCDCoE, EE), MGen. Dave R. Yarker (Canadian Cyber Forces, CA), Col Michal Golak (POL Cyber Command, PL), Brigadier Richard Alston (Royal Marines, UK)
Since February 2022, the threat level in Latvia and across NATO states has been
constantly high, showing the new reality to which we all have to adapt. This
high threat level puts constant pressure on all NATO member states to work
together, share best practices and continue the development of cyber
defence capabilities and cyber resilience at the national and Allied
level.
Our experienced panellists will provide an insight into the world of NATO, showcasing the significance of NATO in advancing our cyber defence from different perspectives – collective defence, capability development, research and education, and political aspects – with the goal of strengthening the NATO alliance through individual and collective efforts. |
15:00 - 15:30 |
Coffee break
|
15:30 - 16:00 |
Protecting the Blueprint of Life: The Importance of
Comprehensive Information Security at the Sub-Molecular Level, Dr. Gregory
Carpenter (KnowledgeBridge International, US)
This presentation discusses the need for information security (INFOSEC) at the
molecular level to protect our genetic information in light of the increasing
use and significant advancements of gene editing technologies such as
CRISPR/Cas9. The proliferation of these technologies, coupled with tools from
crippling ransomware attacks, has raised fears about the security and loss of
integrity of genetic data. Research has demonstrated that we are on the verge of
having the internet run through our bodies and that we will soon be another end
device in the larger world of IoT. Consider the consequences of a malicious
actor launching a biocyber attack that executes a DDoS of your brain or another
vital organ. It is imperative to immediately implement Comprehensive INFOSEC at
the molecular level to protect individual privacy, thwart malicious actors, and
help prevent errors and accidental mutations in genetic data that could result
in false diagnoses or incorrect treatment plans, potentially risking patients'
lives.
|
16:00 - 16:30 |
Human augmentation for offensive cyber operations, Mr. Len Noe (CyberArk, US)
Transhumans, individuals enhanced with technological augmentations, are now a
reality. Historically, these enhancements were viewed either medically, aiding
those with disabilities, or as cyborgs in speculative fiction. However,
advancements in Brain-Computer Interfaces (BCI), SMART technologies, and
consumer products have blurred the lines between the physical and biological,
transforming human capabilities and interactions.
Today, transhumans are not just concepts from science fiction but present significant cyber threats to modern security controls. These augmented humans can execute sophisticated cyber attacks, such as URL redirections, phishing, smishing, and man-in-the-middle (MiTM) attacks, using technology embedded within their bodies. Traditional security measures are inadequate against such advanced threats, necessitating a rethinking of our defensive strategies. The presence of transhumans requires a paradigm shift in cybersecurity, demanding new strategies and technologies to defend against their unique and evolving threats. This presentation will demonstrate various cyber attacks initiated by implants, including MiTM attacks, phishing, smishing, and automated Linux attacks, highlighting the urgent need for layered security solutions. Recognizing and addressing the cybersecurity implications of transhumans is crucial for safeguarding our society in this new era of human evolution. |
16:30 - 17:00 |
Cybersecurity in Health: Threats, challenges and ENISA’s
contribution, Ms. Maria Papaphilippou (ENISA, GR)
1. Policy framework for cybersecurity in health
2. Cybersecurity threat landscape for the health sector
3. ENISA’s contribution in the health sector |


Agenda
01 OCT
Workshops and Trainings
Registration for the "CyberChess 2024" conference and the
workshops and trainings on October 1 is separate. Please remember that you can register for
either one full-day workshop OR one morning and one afternoon workshop. Note that seats are limited!
Registration for workshops and training sessions will be open until September 13.
Workshops and training sessions are free of charge, and coffee breaks and lunches are included!
Morning Workshops
08:00 - 08:30 | Registration |
Room | |
08:30 - 12:30 | Data science for incident responders working with data leaks [ENG], Mr. Éireann Leverett, Mr. Lorenzo Nicolodi | GAMMA II | |
The goal of this workshop is to provide participants with practical experience of how
data science can be applied to data leaks and how the gained knowledge can be used
both to strengthen the infrastructure and to make the incident response phase more
efficient and effective.
We will first take a look at how data can be programmatically acquired both on the
clearnet and on Tor (you can't evaluate data you don't have), and we will then move
on to some exercises leveraging Python, Jupyter notebooks and the pandas library to see how
these can be invaluable tools for practicing skills and for uncovering elusive
evidence (e.g. attackers' TTPs).
Last but not least, we will see how similar skills can be transferred to a connected
but different domain, i.e. the tracking of cryptocurrency addresses used for
malicious activities.
Type of the workshop: technical
Level: intermediate
Prior knowledge necessary: The participants are expected to have basic Python
and networking knowledge. You may participate regardless, but we may not be able to
help you as much as we might like due to time constraints.
Personal equipment necessary: Bring your own laptop with the possibility to
install software (like Python and its packages). If you want to avoid doing this on
your main machine, using a VM is also fine.
We suggest joining the workshop with the latest version of Python 3 already
installed, together with your preferred text editor / Python 3 IDE. If you don't have
one, we suggest Microsoft Visual Studio Code together with the Python extension.
|
|||
08:30 - 12:30 | GOing Beyond C: An Introduction to Reverse Engineering Go Malware [ENG], Mr. Max Ufer, Mr. Sebastian Tauchert (Fraunhofer FKIE) | KSI | |
Modern compiled programming languages such as Go are increasingly accepted by
developers because of their benefits over C/C++, including a more straightforward
syntax, memory safety, easy concurrency implementations, and cross-platform support.
Unfortunately, these same benefits are also attracting malware authors, resulting in
a surge of Go-written malware in recent years. Reverse engineering Go binaries poses
significant challenges due to their static linking and diverse calling conventions
across different Go versions. Moreover, these binaries handle strings differently
from C/C++ and exhibit increased complexity resulting from compiler-inserted code
that handles advanced concepts such as garbage collection and goroutines.
In this workshop, we want to provide an introduction to reverse engineering malware
that was written in Go. Initially, we will provide an overview of the Go programming
language along with its distinct features. We will then demonstrate how different Go
concepts are translated to machine code and how they can be recognized and
comprehended during reverse engineering. Subsequently, we will present tools that
can assist in reversing Go binaries and provide guidance on how to apply them, based
on real-world malware samples.
Type of the workshop: technical
Level: intermediate
Prior knowledge necessary: Participants should have a basic understanding of
assembly and reverse engineering of x86/x64 binaries.
Personal equipment necessary: Participants should bring a laptop that is
capable of running a VirtualBox virtual machine with at least 4 GB of RAM. VM download:
TBA
|
|||
10:00 - 12:30 | Chess training [ENG], Mr. Normunds Miezis (Riga Chess Federation), Ms. Dana Reizniece-Ozola (International Chess Federation) | EPSILON | |
10.00-10.30 Chess training: theoretical lecture on the game of chess with Latvian
chess Grandmaster Normunds Miezis
Normunds Miezis is a Latvian chess player and Grandmaster. He has held the title of
International Grandmaster since 1997 and has been a long-time leader of the Latvian
national chess team.
10.30-12.30 Simulation game with a Women's Grandmaster Dana
Reizniece-Ozola.
Dana Reizniece-Ozola is a Latvian chess player and former politician. She has served
as a member of multiple convocations of the Saeima (Latvian Parliament), as well as
the Minister of Economics and the Minister of Finance. At the beginning of 2021,
Dana Reizniece-Ozola resigned from her position as a member of the Saeima to become
the Managing Director and Deputy Chair of the Board of the International Chess
Federation (FIDE).
|
|||
09:00 - 12:30 | Requirements of the National Cybersecurity Law – how to prepare? [LV], Mr. Mihails Potapovs (Aizsardzības ministrija) | LAMBDA | |
The workshop will focus on the implementation of the National Cybersecurity Law,
which officially came into effect on September 1, 2024. This law is designed to
incorporate the provisions of the NIS2 Directive, aimed at establishing a high
common level of cybersecurity across the European Union. It outlines baseline
cybersecurity requirements for both essential and important entities, as well as
sets out national requirements for critical Information and Communication Technology
(ICT) infrastructure.
During the workshop, participants will closely examine the key legal provisions of
the new legislation, and engage in discussions regarding the upcoming Cabinet
Regulations that will specify the baseline cybersecurity requirements. This will
provide attendees with a comprehensive understanding of the law’s implications and
the practical steps necessary for compliance.
Please note that the workshop will be conducted in Latvian.
|
Afternoon Workshops
13:00 - 13:30 | Registration |
Room | |
13:30 - 17:30 | Threat hunting with VT [ENG], Jose Luis Sanchez Martinez (VirusTotal) | GAMMA II | |
Threat hunting is one of the most powerful techniques to proactively uncover and
neutralize threats. While it has traditionally been a blend of science and
intuition, we have witnessed a surge of innovative tools and techniques that can
significantly enhance its effectiveness. In this hands-on workshop, we will explore
how to effectively use new and traditional techniques, including:
- Identifying, monitoring and getting full context of malicious campaigns.
- Effective semi-automated YARA generation.
- Netloc hunting.
- Similarity analysis.
- Understanding and leveraging AI engines for code analysis.
- Tackling large datasets.
Throughout the workshop, you will engage in practical exercises and real case
studies, equipping both seasoned and new hunters with practical knowledge to find
and monitor all kinds of real threats.
Type of the workshop: technical
Level: intermediate
Prior knowledge necessary: Basic knowledge of VirusTotal.
Personal equipment necessary: Laptop, and a VirusTotal account created and
confirmed via the confirmation email.
|
|||
13:30 - 15:00 | Cybercrime Investigation Workshop [ENG], Ms. Or Lev, Ms. Irina Nesterovsky (KELA) | KSI | |
In this workshop, participants will use a cybercrime investigations tool to track
and investigate cybercriminals and their activities, aliases and TTPs. They will
also get the opportunity to inspect how their organizations are already exposed to
cybercriminal activities and learn ways to prevent further compromise. The
workshop is designed to arm investigators with knowledge and insights on recent
cybercriminal threats, the tricks to track cybercriminals, and how to leverage this
knowledge to defend and investigate. No technical or CTI skills are
required.
Level: beginner
Prior knowledge necessary: Registered participants will receive a link to the
workshop materials prior to the workshop.
|
|||
13:30 - 17:30 | Chess tournament [ENG], Riga Chess Federation | EPSILON | |
Since the chess games will be played on digital chess boards, the matches will be
broadcast online and displayed on a screen in the chess tournament room.
Chief Arbiter: Vairis Kurpnieks (International Category Arbiter)
|
Full Day Workshops
08:30 - 09:00 | Registration |
Room | |
09:00 - 17:00 | Practical drone forensics [ENG], Mr. Wayne Burke (Cyber2Labs, US) | BETA | |
The workshop will begin with a detailed technical overview of the drone / UAV
ecosystem and its major components. Then we will proceed with the how, what and why of drone
forensics and incident response.
Type of the workshop: technical
Level: beginner
Prior knowledge necessary: Entry-level IoT / robotics hardware and
software
Personal equipment necessary: Laptop and mobile phone / tablet
|
|||
09:00 - 17:00 | Building OpenShield - personal DNS Threat Intelligence with DNS Firewall [ENG], Armīns Palms (CERT.LV) | GAMMA I | |
Course attendees will gain practical skills in building a powerful DNS Threat
Intelligence system with active DNS protection using open source solutions. Name of
the solution: OpenNameShield. To build OpenNameShield, the full-day workshop will
provide basic knowledge on the following topics:
- Docker - OpenNameShield is a Docker-ized project. The advantages of using Docker will
be explained, as well as the key Docker commands.
- BIND9 - DNS server set-up and configuration. An operational DNS server will be set up
during the workshop.
- RPZ - aka DNS Firewall. Basics of zone creation to block certain domains will be
provided.
- ELK - Elasticsearch and Kibana set-up.
- mmnormalize – usage of the rsyslog Log Message Normalization Module will be explained
to ensure parsing of the incoming log file.
- python3 – development of scripts that will enrich the incoming log file. How to
feed OpenNameShield with suspicious/harmful domains.
- REDIS – this is important to ensure that external system limitations are not
exceeded. It will be shown how to decrease outgoing requests using REDIS.
As a result, the OpenNameShield system will be developed together with
participants:
- The system will be enriched with suspicious/ harmful domains that are to be
blocked.
- DNS blocking will be checked in real-life.
- DNS threat-hunting will be performed to identify suspicious domains.
- Identification of infected devices will take place based on the statistics of
blocked DNS.
OpenNameShield system development includes the usage of a vast array of open-source
solutions. Participants will attain an excellent base-level knowledge for their own future
project development, as well as a general awareness of how such solutions
operate.
Type of the workshop: technical
Level: beginner
Personal equipment necessary: Please install Docker on your computer. Be sure
that the command "docker run hello-world" works for you. Optionally, but strongly
advised, also install "Visual Studio Code".
|
|||
09:00 - 17:00 | Security Analyst Workshop - Navigation to Investigation [ENG], Mr. Marvin Ngoma (Elastic, SE) | TAU | |
[The second half of the workshop will be conducted as a Threat Hunting CTF to
enhance the gained knowledge in a competitive manner.]
Join us for an enlightening hands-on workshop aimed at providing
participants with the common workflows and analysis that a security analyst would
leverage daily. This workshop is divided into four modules detailing Data Navigation
and Visualization, Guided Investigation with Elastic, Threat Detection and
Investigation, Dark Radiation Investigation, and a roundup sample Ransomware
Investigation.
The workshop focuses on "a day in the life of an analyst": real data, real
workflows, and investigating threat actor activity.
Workshop Takeaways:
- Ability to leverage Elastic Security for Incident Response.
- Ability to understand common workflows for cyber security tasks.
- Ability to create security-focused visualizations.
- Ability to take a proactive approach with Elastic Security.
- Ability to apply comprehensive incident response with a case management
workflow.
Type of the workshop: technical
Level: intermediate
Prior knowledge necessary: Eyes on Glass, Analyst Experience with Elastic
Security or other SIEM Solutions. An understanding of current security operations
procedures. An understanding of currently available data sources, desired
integrations (other SIEM, SOAR).
|
Escape Room
A Security Awareness Adventure - Escape Room "Hack The Hacker" will be available
on two days - 01 & 02 October. Each session lasts 2h. Registration for the "CyberChess 2024" conference
and the Escape Room is separate!
01 & 02 OCT | Please arrive 10 minutes early |
Room | |
10:30 - 12:30 | Hack The Hacker | SIGMA | |
A Security Awareness Adventure:
Your company suffers a ransomware attack. The mission of your team is to discover
the code that revokes the encryption executed by the malicious software. Together
with up to 6 other people you have to search the hacker's den for hidden hints and
clues. In order to find them and to solve all the puzzles you have to turn into
hackers yourselves. Outwit the hacker and save your organisation!
Each session lasts 2h and consists of a theoretical and a practical part.
Hack The Hacker is all about password security. Participants learn why we use
passwords and about the risks that come with passwords, both through social
engineering and technical attacks (like brute forcing). The game leads to a deep
understanding of the importance of creating strong passwords and storing them
safely.
Type of the workshop: educational adventure
Level: beginner
Prior knowledge necessary: none
Personal equipment necessary: none
|
|||
13:30 - 15:30 | Hack The Hacker | SIGMA | |
|
|||
16:00 - 18:00 | Hack The Hacker | SIGMA | |
|
02 OCT
The cybersecurity conference CyberChess 2024
The CyberChess conference is a cornerstone of cybersecurity events within the Baltic states. It brings together a diverse array of security stakeholders, experts, ISPs, domain industry representatives, and other interested parties to discuss and examine the latest trends, issues, and innovations in cybersecurity.
More than 50 speakers from nearly 20 countries will share their research and experiences in the following cybersecurity-related areas:
- Protection of critical information and infrastructure;
- Cyber threat intelligence;
- Ransomware, its triage, and defense;
- Medicine, nanotechnology, and bio-hacking;
- Artificial intelligence and machine learning;
- Alliances and their importance in strengthening security in the Euro-Atlantic area (from strategic, operational and legal perspectives).
Bringing together over 500 attendees on-site and engaging with over 3000 participants online, the conference serves as a dynamic platform for fostering collaboration, knowledge exchange, and networking among Baltic cybersecurity professionals.
"Throughout the past few years we have seen growth in attacks, their sophistication as well as
in the level of political support and importance of cybersecurity. This makes events such as
CyberChess an important platform not only for knowledge sharing but also establishing new
partnerships."
/B.Kaškina, CERT.LV General manager/
OMEGA HALL | |
---|---|
08:00 - 09:00 | Registration & Coffee
|
09:00 - 10:30 | OPENING PLENARY :: Moderator: Mr. Oskars Priede |
09:00 - 09:10 | Keynote, Mr. Andris Sprūds, Minister of Defense (MoD, LV) |
09:10 - 09:15 | Opening remarks, Ms. Baiba Kaškina (CERT.LV, LV) |
09:15 - 09:30 | Keynote, Mr. Rolands Heniņš (NCSC, LV) |
09:30 - 10:00 |
Utilizing botnet tracking for enabling disruptions: The
Grandoreiro story, Mr. Robert Lipovsky (ESET, SK)
Replicating specific samples to understand the inner workings and network structure of a
botnet has several limitations. A more versatile approach involves developing a platform
of parsers that can automate botnet tracking by processing malware samples, extracting
relevant information, and directly communicating with its command and control (C&C)
servers. While the main downside is having to maintain such parsers, the benefits are
invaluable – full control over the execution, extraction of any required data, and the
ability to fake requests to C&C servers, to name a few. For large botnets, with
thousands of samples, this is an extremely effective approach.
Botnet tracking data has repeatedly proven invaluable to law enforcement. It helps them understand the extent of the botnets they are investigating and maps the botnet’s network infrastructure, which is crucial for taking steps to dismantle the botnet and arrest its operators. We utilized this technique to help successfully take down Trickbot in 2020, Zloader in 2022 and, most recently, Grandoreiro in January 2024. We will demonstrate the full power of botnet tracking and how we utilize it for fully automatic processing of thousands of samples of more than 50 different botnets daily. We will provide specific examples of data our tracking system produces, the large variety of features it offers, and how the system’s outputs can be made actionable. We will illustrate how we utilized these outputs to help the Federal Police of Brazil disrupt the Grandoreiro banking trojan early this year. |
10:00 - 10:30 |
Practical Active Cyber Defense and Threat Hunting, Mr. Varis Teivāns
(CERT.LV, LV)
What is Threat Hunting? Threat hunting proactively identifies potential threats and
compromised devices within a network, enabling quicker responses to cyber-attacks.
CERT.LV leads EU cybersecurity threat hunting, collaborating with the Canadian Armed
Forces and Latvian allies. Since 2022, we’ve analyzed over 140,000 devices across 31
Latvian organizations, detecting advanced persistent threats (APTs) in 25% of them. With
Latvia and its neighbors frequently targeted by Russian APT groups and hacktivists,
threat hunting is critical to preemptively identifying and mitigating attacks. You will
learn more about our discoveries and the most recent developments in threat hunting.
|
10:30 - 11:00 |
Coffee break
|
ALFA HALL | Moderator: Dr. Bernhards 'BB' Blumbergs |
11:00 - 11:45 |
Drone Tactical Forensics and Incident Response, Mr. Wayne Burke
(Cyber2Labs, US)
During this high-energy presentation we will cover fundamental drone forensics
and their importance for law enforcement, emergency / security personnel and all
professionals responsible for managing various aspects of drone operations,
coupled with effective techniques for data extraction: onboard storage and
data acquisition. We will analyze flight logs and telemetry data, with a tear-down to
identify all core drone components.
|
11:45 - 12:30 |
IoC assessment and analysis, Mr. Richard Weiss (Mandiant / Google, DE)
In a world of rising atomic indicators, we have to research and implement
scalable, repeatable, and fast methods of handling indicators: it is essential
to understand the current and future situation in the cybersecurity field to
derive actionable knowledge. The process starts with the selection and preprocessing
of the data. Often these steps are handled quickly, but we will
take time to discuss and demonstrate their advantages, so that attendees gain
a good understanding of the benefits and resource savings. The usage of
tagging, clustering, and adding additional meta information to the indicators
and creating compound structures will help cybersecurity professionals to re-use
them in different focus fields of cybersecurity.
|
12:30 - 13:30 |
Lunch |
13:30 - 14:15 |
The future of vulnerability management is
predictive, Mr. Éireann Leverett (Concinnity-risks, UK)
Vulnerability management and patching prioritization are undergoing a
revolution. Prediction and forecasting have become rich research arenas, and
we'll present an assortment of those advances, some of which are ours. We are
moving to a world where vulnerabilities can be foreseen, and exploits
anticipated. Even exploitation events in specific networks aren't immune to
quantification, and we expect this to advance quickly. Why wait for zero days
when the future of vulnerability management is getting away from reaction and
moving towards predictive risk? I share my experience writing the vulnerability
forecasts for FIRST.org and running the Vuln4Cast conference.
|
14:15 - 15:00 |
From AI to Emulation: Innovations and Applications, Mr. Jose Luis Sanchez Martinez (VirusTotal, ES)
During the session we will see how, through the use of AI and behaviors
extracted from sandboxing and intelligence services such as VirusTotal,
emulations can be created that help different teams, such as blue teams,
detection engineering teams and purple teams, to close gaps in
detection.
We will take several examples to see the different results we have obtained, the pros and cons and how this approach can be improved in the future. We will share the results obtained and also the tools and techniques that we have used to carry out this research. |
15:00 - 15:30 |
Coffee break
|
15:30 - 16:15 |
Advanced Threat Hunting: Leveraging AI and ML for
Large-Scale Log Analysis, Mr. Marvin Ngoma (Elastic, SE)
In today's cybersecurity landscape, the ability to efficiently parse and analyze
large volumes of log data is crucial for effective threat hunting and incident
response. This in-depth tech talk will explore the cutting-edge mechanics and
practical approaches employed by Elastic to facilitate advanced threat detection
and mitigation. We'll delve into how Elastic's solutions leverage machine
learning (ML) and artificial intelligence (AI) to automate the analysis of log
files, enabling real-time insights and proactive security measures.
The session will cover key aspects such as the architecture and scalability of
Elastic's platform, best practices for integrating ML models into your threat
hunting workflows, and practical case studies demonstrating the effectiveness of
these techniques in real-world scenarios. Attendees will gain a deeper
understanding of how to utilize Elastic's powerful tools for large-scale data
ingestion, correlation, and anomaly detection, ultimately enhancing their
organization's cybersecurity posture. Whether you're a security analyst, data
scientist, or IT professional, this talk will provide valuable insights into
harnessing the full potential of Elastic for comprehensive threat hunting
operations.
|
16:15 - 17:00 |
The Role of AI in Enhancing SOC Capabilities, Mr. Artur Bicki
(Energy Logserver, PL)
Building and maintaining a SOC is costly and challenging, especially with 24/7
operations. Energy Logserver's AI engine helps by analyzing massive data volumes
and eliminating the need for specialized mathematical expertise. While
traditional SIEM systems rely on static rules, our AI extends this by detecting
unknown behaviors, both in numbers and text. The AI module uses dedicated
dictionaries to understand log sources, highlighting anomalies in real-time.
While AI accelerates detection, it requires high-quality data and informed
usage, paving the way for Security Data Analysts to enhance SOC teams.
|
BETA HALL | Moderator: Ms. Dana Ludviga (CERT.LV, LV) |
11:00 - 11:30 |
The power of persuasion: advocacy that transforms
cybersecurity practices, Ms. Cornelia Puhze (Switch, CH)
This presentation explores how cybersecurity professionals can become effective
advocates for security within their organisations. It emphasises the importance
of non-technical skills, particularly the ability to translate complex
cybersecurity concepts into language and context that resonate with the specific
stakeholders addressed. Through storytelling and targeted communication, these
advocates can illustrate the critical role of cybersecurity in managing
enterprise risks and supporting business objectives.
Attendees will learn actionable strategies to enhance their advocacy efforts, ensuring that cybersecurity is recognised as a fundamental component of organisational strategy and risk management. The session will also discuss recruitment and training strategies to build a robust cybersecurity workforce, emphasising advocacy skills that enable professionals to effectively lobby for the integration of cybersecurity into organisational strategy and risk management. |
11:30 - 12:30 |
Encouraging Transparency and Stopping the Blame
Game, Ms.
Merike Kaeo (Double Shot Security, EE)
Reporting security incidents and breaches has historically been a matter of
reporting as little as possible due to concerns about regulatory ramifications
and negative media hype. Internal to an organization, leaders often question the
resources spent on cybersecurity controls when breaches still exist. This
session will utilize stories to showcase examples where transparency has been a
priority when reporting cybersecurity incidents to regulators, organizational
leaders and customers. Strategies are illustrated for working with
organizational leaders to make effective risk management decisions where
cybersecurity controls are shown to be a business enabler with associated risks
that depend on the organization’s risk tolerance levels and eliminate the
surprise of breaches.
Attendees will learn how to foster industry change to encourage cybersecurity incident transparency and break down the barriers that still exist in policy and regulatory frameworks to incentivize more timely reporting. The session will also detail strategies to meet cybersecurity reporting requirements stipulated in varying global laws and regulations, such as the NIS2. |
12:30 - 13:30 |
Lunch
|
13:30 - 14:00 |
The path from initial access to ransomware attack -
connecting the dots between accesses being sold in underground communities
and ransomware attacks, Ms. Or Lev (KELA, IL)
In recent years, there has been a significant increase in cybersecurity
incidents initiated through valid credentials of victim company assets.
Ransomware attacks, in particular, have caused severe financial and operational
damage, and in some cases, even the loss of human lives. This session will
explore the "reaction chain" leading to such attacks, tracing it from account
credentials sold on underground platforms, to advertisements by Initial Access
Brokers, and ultimately to ransomware deployment. We will present real-life
examples and discuss effective strategies to prevent these attacks.
|
14:00 - 14:40 |
Negotiation beats manipulation, Mr. Matthias Herter
(MSH Advice & Training, CH)
Modern cyber extortion follows a pattern that seeks a transactional solution to
the crisis it has caused in the shortest possible time and without unnecessary
communication. The obvious solution is payment in electronic currency for the
criminals and the decryption of data or termination of criminal activities for
the victims. The victims rarely have the resources and skills to do anything
about these crimes other than either give in to the demands or suffer major
damage. One of the offenders' most effective weapons is the fear and shame of
the victims, the conveyed feeling of powerlessness and the domination of
communication. In this respect, little has changed historically in the general
dynamics of blackmail. However, despite this demonstrated power imbalance,
communication with the perpetrators is one of the keys to counteracting modern
cyber extortion. The presentation shows which negotiation methods private
individuals, security service providers and law enforcement agencies can use to
counter the strategies of criminals and provides recommendations that will serve
as a decisive contribution to the prevention of cyber extortion. The title
"Negotiation beats manipulation" stands for the approach that utilises the
potential of communication to develop alternative solutions.
|
14:40 - 15:00 |
Our journey in navigating Obstacles and Evaluating the
Worth of Cybersecurity Insurance, Mr. Roberts Pumpurs (ALTUM, LV)
Ransomware was one of the main challenges civil companies were fighting against
in 2023. There are hundreds of solutions that promise to mitigate the possible
risks, but for me it was interesting to see how to insure the risks and what the
possibilities are for doing so in a relatively small country such as Latvia. So
the story is all about how we did it, what we did, and whether it is worth
buying insurance.
|
15:00 - 15:30 |
Coffee break
|
15:30 - 16:00 |
Analysis and forecasting of exploits with AI, Mr. Roman Graf
(Deloitte, AT)
In this talk we address questions such as: Why is cyber security important?
What is the current cyber threat landscape? How have particular attack vectors
evolved in the past? Which cyber threats are most important at the moment? Which
cyber threats could be important in the future? How do we protect against them?
Protecting organizations against an increasing number of cyber-attacks has become as crucial as it is complicated. To be effective in identifying and defeating such attacks, cyber analysts require novel threat modelling methodologies based on information security and AI techniques that can automatically recommend protection measures. We propose a custom, simple, explainable on-site approach to recommend the most significant threats. Our goal is to provide a solution that can extract attack vector features, find related correlations with an aggregated knowledge base in a fast and scalable way, and automate the recommendation of additional attack vectors and protection measures. Our effective and fast threat analysis method is based on artificial intelligence and can support security experts in threat modelling and security budget planning, and allow them to quickly adopt suitable protection measures for current and future periods. In this talk, we evaluate AI similarity search and recommendation technologies as a system for threat modelling facilitation and assess its accuracy and performance. This approach should reduce the number of manual research activities and increase an organization’s security. We demonstrate how the presented techniques can be applied to support security experts in planning an organization’s protection strategy. |
16:00 - 16:30 |
How to Create a Cyberspace Operations Artificial
Intelligence Avatar, Mr. Michael Price (ZeroFox, US)
It is now possible to create a cyberspace operations artificial intelligence
avatar. The avatar can be created by combining numerous AI-based capabilities,
including: Speech-To-Text (STT), Large Language Models (LLM), Text-To-Speech
(TTS), multi-modal LLMs for image generation, generative AI models for lip
syncing and so on. These AI-based capabilities can
be combined with traditional cyberspace operations capabilities to create the
desired avatar. In effect, the human operator can speak to an avatar
conversationally, issuing voice commands and receiving voice responses spoken by
a human-like avatar presented to the user within a software application.
A software controller can be implemented that leverages LLMs to interpret commands and to generate and execute plans. Output can then be relayed back to the user. This can be used, for example, to support Offensive Cyber Operations (OCOs), whereby the human user instructs the avatar to attempt to exploit a vulnerable host within a victim’s cyber attack surface. There are many other possibilities relating to both offense and defense as well. |
16:30 - 17:00 |
(NO LIVE STREAM) The process
of blocking malicious SMS and other forms of phishing, Mr. Szymon Sidoruk
(CERT.PL, PL)
Last year the Polish parliament passed the Act of Combating Abuse in Electronic
Communications, which includes an attempt to fight malicious SMS. I'll show
how we do it and how it fits into our existing anti-phishing workflow.
|
17:00 - 20:30 | Social event, Main Lobby |
03 OCT
OMEGA HALL | |
---|---|
08:00 - 09:00 | Registration & Coffee
|
09:00 - 10:30 | OPENING PLENARY :: Moderator: Mr. Oskars Priede |
09:00 - 09:25 |
Unified Cyber Culture, MGen. Dave R. Yarker (Canadian Cyber Forces, CA)
1. Bridging the technological gap between allied nations;
2. Keeping an open mind and seeing cooperation opportunities despite differences;
3. Overcoming obstacles for a common benefit and reaching joint objectives. |
09:25 - 09:55 |
Navigating the rapidly evolving cyber threat landscape: A view
from the NATO Cyber Security Centre, Mr. Luc Dandurand (NATO Communications and Information
Agency, CAN)
This session will explore the challenges and opportunities that the NATO Cyber Security
Centre (NCSC) faces in a fast-changing world. It will discuss strategies to increase
readiness, sustain excellence, and ensure NATO continues to operate at the speed of
relevance.
|
09:55 - 10:25 |
Supply Chain and Cyber-physical System Protection, Mr. Egons Bušs (LMT, LV)
Convergence of supply chains and cyber-physical systems (CPS) has become more pronounced
than ever. As industries increasingly rely on interconnected devices and automation, the
security of these integrated networks is paramount. The supply chain, once considered a
linear process, now represents a complex web of suppliers, manufacturers, and
distributors, all connected through CPS technologies.
The heightened interconnectivity has unfortunately expanded the attack surface for cyber threats. Adversaries are exploiting vulnerabilities not just in individual systems but across entire supply chains. Incidents of cyber-attacks disrupting manufacturing processes, altering product specifications, or even causing physical damage have underscored the urgent need for robust protection mechanisms. To address these challenges, organizations are adopting a multi-faceted approach to security. Zero Trust Architecture (ZTA) has gained traction, emphasizing that no user or device should be automatically trusted, whether inside or outside the network perimeter. This model mandates continuous verification of every access request, significantly reducing the risk of unauthorized intrusion. Enhanced visibility and transparency across the supply chain are also critical. Businesses are investing in advanced monitoring tools and collaborating closely with suppliers to ensure compliance with security standards. The use of blockchain technology for tracking and authenticating products throughout the supply chain is emerging as a viable solution to prevent tampering and counterfeiting. Regulatory bodies are stepping up efforts to establish comprehensive guidelines for CPS and supply chain security. In conclusion, protecting supply chains and cyber-physical systems requires a holistic strategy that combines advanced technologies, strict compliance, and collaborative efforts among all stakeholders. As we navigate through 2024, the organizations that prioritize and invest in these protective measures will be better positioned to mitigate risks and ensure operational resilience. |
10:30 - 11:00 |
Coffee break
|
OMEGA HALL | Moderator: Mr. Oskars Priede |
11:00 - 11:30 |
(NO LIVE STREAM) russian
cyber focus on destroying Ukrainian energy sector, Mr. Serhii Barabash
(UA)
This presentation is an intelligence view of russian attacks against the energy
sector of Ukraine.
|
11:30 - 12:00 |
Verify-Fix-Verify: closing the loop boosts your cyber
resilience - a case study of network leaks, Mr. Mikko Kenttälä
(SensorFu, FI) and Mr. Robert Valkama (Fortum, FI)
We will walk you through how focused testing of network segregation, a
fundamental security control, can reap unexpected benefits on improving the
overall OT security posture on other fronts as well.
|
12:00 - 12:30 |
Guardians of the Network: Key Security Events and Insights
from the Mobile Frontier, Mr. Toms Užāns (LMT, LV)
The presentation will explore notable security events observed by LMT across
three critical domains: physical security, mobile security, and cybersecurity.
We will discuss the mitigation efforts implemented to address these security
challenges, sharing valuable insights and lessons learned from our experiences.
This presentation aims to equip attendees with a deeper understanding of the
multifaceted security landscape and the proactive comprehensive measures
necessary to safeguard against potential threats.
|
12:30 - 13:30 |
Lunch |
13:30 - 14:30 |
Strengthening the European cybersecurity ecosystem
Moderator: Mr. Mihails Potapovs (MoD, LV) Panelists: Ms. Ingrīda Tauriņa (EU Agency for Cybersecurity, LV), Dr. Roberto Cascella (European Cyber Security Organisation), Mr. Lauri Tankler (Estonian Information System Authority (RIA), EE)
The panel discussion will focus on strengthening the European cybersecurity
ecosystem by fostering the development of the European cybersecurity competence
community. Emphasizing collaboration among public and private institutions,
academic entities, and NGOs, the dialogue will explore strategies to promote
cooperation within this community. The discussion will address the importance of
exchanging best practices, implementing joint activities and projects, and
enhancing collaborative efforts to tackle cybersecurity challenges effectively.
Participants will share insights on how to bolster support mechanisms and
frameworks that facilitate seamless engagement across various sectors,
ultimately aiming to create a resilient cybersecurity environment in Europe.
|
14:30 - 15:00 |
Building bridges in Cyber: the EU CyberNet journey and
global impact, Mr. Lauri Aasmann (Information System Authority
(RIA), EE)
The presentation highlights the collaborative aspect of the EU CyberNet, the
challenges and successes in building a community of cyber experts, and the
global benefits, including the work in Latin America and the Caribbean.
|
ALFA HALL | Moderator: Dr.Bernhards 'BB' Blumbergs |
11:00 - 11:45 |
GOing Beyond C: An Introduction to Reverse Engineering Go
Malware, Mr. Max Ufer (Fraunhofer FKIE, DE)
Modern compiled programming languages such as Go are increasingly accepted by
developers because of their benefits over C/C++, including a more
straightforward syntax, memory safety, easy concurrency implementations, and
cross-platform support. Unfortunately, these same benefits are also attracting
malware authors, resulting in a surge of Go-written malware in recent years.
Reverse engineering Go binaries poses significant challenges due to their static
linking and diverse calling conventions across different Go versions. Moreover,
these binaries handle strings differently from C/C++, and exhibit increased
complexity resulting from compiler-inserted code that handles advanced concepts
such as garbage collection and goroutines.
In this talk, we want to provide an introduction to reverse engineering malware
that was written in Go. We will provide an overview of the Go programming
language along with its distinct features. We will then demonstrate how
different Go concepts are translated to machine code and how they can be
recognized and comprehended during reverse engineering. Subsequently, we will
present tools that can assist in reversing Go binaries and provide guidance on
how to apply them, based on real-world malware samples.
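The abstract's point that Go stores a string as a (pointer, length) pair with no terminator is exactly what breaks classic string extraction on Go binaries. The following is an added example in Python, not the speaker's code and not any named tool: it builds a constructed blob of packed literals and a few amd64 instruction pairs of the form the Go register ABI (Go 1.17+) emits to load a string constant into AX/BX, then recovers the strings from those pairs and contrasts that with what NUL-delimited extraction returns. The addresses, literals and code bytes are constructed for the example; the AX/BX pair is the common case, not the only register pair the compiler uses.

```python
"""Added example (not from the talk): recovering Go string constants from
constructed amd64 code by matching the (ptr, len) pair the compiler emits,
versus what NUL-delimited 'strings' extraction sees on the same data."""
import struct

CODE_BASE = 0x401000     # constructed: where the code bytes below are mapped
RODATA_BASE = 0x4A0000   # constructed: where the string blob is mapped

# Constructed blob: Go packs literals back to back, no NUL terminators
STRING_BLOB = b"errorpanicrecovermain.main"
REFS = [(0, 5), (5, 5), (10, 7), (17, 9)]   # (offset, length) of each literal


def _emit_string_load(ip, str_off, length):
    """lea rax,[rip+disp32] ; mov ebx,imm32 : the Go 1.17+ amd64 register ABI
    materialises a string constant as (AX = data pointer, BX = length)."""
    disp = RODATA_BASE + str_off - (ip + 7)          # rip-relative to next insn
    return (b"\x48\x8d\x05" + struct.pack("<i", disp)
            + b"\xbb" + struct.pack("<I", length))


def _build_code():
    code = b""
    for off, ln in REFS:
        code += _emit_string_load(CODE_BASE + len(code), off, ln)
        code += b"\xe8\x00\x00\x00\x00"              # call rel32 filler
    return code


CODE = _build_code()


def recover_go_strings(code, code_base, rodata, rodata_base):
    """Scan for 'lea rax,[rip+disp32]' directly followed by 'mov ebx,imm32',
    resolve the pair against rodata and return [(insn_va, string)].
    Go also uses other register pairs (e.g. CX/DI for a second string
    argument); this scanner handles only AX/BX."""
    found, i = [], 0
    while i + 12 <= len(code):
        if code[i:i + 3] == b"\x48\x8d\x05" and code[i + 7] == 0xBB:
            disp = struct.unpack_from("<i", code, i + 3)[0]
            length = struct.unpack_from("<I", code, i + 8)[0]
            rel = code_base + i + 7 + disp - rodata_base
            if 0 <= rel and rel + length <= len(rodata) and 0 < length < 4096:
                s = rodata[rel:rel + length]
                if all(0x20 <= b < 0x7F for b in s):
                    found.append((code_base + i, s.decode("ascii")))
                    i += 12
                    continue
        i += 1
    return found


def c_style_strings(blob, min_len=4):
    """What a NUL-delimited 'strings' pass reports for the same blob: one run
    containing every literal glued together, i.e. nothing useful."""
    return [r.decode("ascii", "replace")
            for r in blob.split(b"\x00") if len(r) >= min_len]


if __name__ == "__main__":
    print(c_style_strings(STRING_BLOB))
    for va, s in recover_go_strings(CODE, CODE_BASE, STRING_BLOB, RODATA_BASE):
        print(f"{va:#x}: {s!r}")
```

On a real binary the same idea is applied with a disassembler over the text section and the `go:string.*` symbol range; the length operand is what lets you cut the packed blob at the right places.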
|
11:45 - 12:30 |
TA577 Walked just past You: Indirect Syscalls in Pikabot, Mr. Patrick Staubmann (VMRay, AT)
In late 2023, the notorious Pikabot loader reappeared after a break of several
months. Its reappearance, coupled with striking similarities between its delivery
chain and QBot's, suggests its role as a replacement family used by threat group
TA577. Pikabot's reputation for being evasive precedes it, but its latest
variant introduces a new level of sophistication, with techniques attempting to
bypass AV, EDR, and even sandboxes. The integration of indirect syscalls has
left security products grappling with detection challenges, as hooks, commonly
used in EDRs and sandboxes, won't be enough to inspect the inner workings of
such samples during execution.
Our talk aims to delve deep into the world of Pikabot, sharing insights, pitfalls, and thoughts gathered from analysis and tracking. We'll provide an exhaustive analysis of Pikabot's loader module, dissecting its obfuscation and evasion techniques in detail. With a special focus on the intricacies of indirect syscalls, we'll explore how this technique successfully circumvented many sandboxes and how our proof-of-concept reimplementation demonstrates how many more enhanced indirect syscall techniques malware developers could already have in their arsenal. Furthermore, as Pikabot's operations have been shut down via Operation Endgame, we'll speculate on future developments and trends in evasion techniques, offering practical recommendations for effectively detecting and mitigating such and similar threats. |
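The abstract says user-mode hooks alone cannot see what an indirect syscall does. The following is an added example in Python, not VMRay's or Pikabot's code: it parses constructed x64 ntdll-style Nt* stubs the way a loader (and an analyst) resolves system service numbers and the `syscall; ret` gadget, recovers the SSN of an inline-hooked stub from its neighbours, and then applies the two cheap telemetry checks a detection engineer reaches for first: is the user-mode return address outside ntdll at all (direct syscall), and does the SSN in EAX belong to the stub the return address points into (indirect syscall through another stub's gadget). The stub bytes, the 32-byte stride, the base address, the SSNs and the events are all constructed; the neighbour-based SSN recovery assumes SSNs increase in stub order, as they do for real ntdll exports.

```python
"""Added example (not from the talk, Pikabot or VMRay): resolving SSNs and
syscall gadgets from constructed x64 ntdll-style stubs, then classifying
syscall telemetry as stub / direct / indirect."""
import struct

NTDLL_BASE = 0x7FFE12340000   # constructed load address of ntdll.dll
STUB_STRIDE = 32              # assumption: Nt* stubs packed at a fixed stride


def _clean_stub(ssn):
    """Canonical unhooked x64 stub:
       mov r10,rcx ; mov eax,SSN ; test byte [7FFE0308h],1 ; jne +3 ;
       syscall ; ret ; int 2Eh ; ret   (padded with int3)"""
    body = (b"\x4c\x8b\xd1"
            + b"\xb8" + struct.pack("<I", ssn)
            + b"\xf6\x04\x25\x08\x03\xfe\x7f\x01"
            + b"\x75\x03"
            + b"\x0f\x05" + b"\xc3"
            + b"\xcd\x2e" + b"\xc3")
    return body.ljust(STUB_STRIDE, b"\xcc")


def _hooked_stub(ssn):
    """Same stub after an EDR inline hook: the first 5 bytes become jmp rel32,
    which destroys 'mov eax,SSN' but leaves 'syscall ; ret' intact."""
    return b"\xe9\x00\x10\x00\x00" + _clean_stub(ssn)[5:]


# Constructed .text: three consecutive stubs, the middle one hooked (true SSN 0x19)
NTDLL_TEXT = _clean_stub(0x18) + _hooked_stub(0x19) + _clean_stub(0x1A)


def parse_stubs(text, base):
    """Return {stub_index: (ssn, syscall_va, hooked)}.
    A clean stub yields its SSN from 'mov eax,imm32' at offset 3.  A hooked stub
    gets its SSN from the nearest clean neighbour, adjusted by the distance
    (Halo's Gate logic: SSNs are assigned in stub order).  syscall_va is the
    address of the 0F 05 instruction, the gadget an indirect-syscall loader
    jumps to instead of executing 'syscall' in its own code."""
    n = len(text) // STUB_STRIDE
    stubs = {}
    for i in range(n):
        s = text[i * STUB_STRIDE:(i + 1) * STUB_STRIDE]
        off = s.find(b"\x0f\x05\xc3")                       # syscall ; ret
        syscall_va = base + i * STUB_STRIDE + off if off >= 0 else None
        if s[:4] == b"\x4c\x8b\xd1\xb8":
            stubs[i] = (struct.unpack_from("<I", s, 4)[0], syscall_va, False)
        else:
            stubs[i] = (None, syscall_va, s[0] == 0xE9)
    for i in range(n):
        if stubs[i][0] is not None:
            continue
        for d in range(1, n):
            hit = next((j for j in (i - d, i + d)
                        if 0 <= j < n and stubs[j][0] is not None), None)
            if hit is not None:
                stubs[i] = (stubs[hit][0] + (i - hit), stubs[i][1], stubs[i][2])
                break
    return stubs


STUBS = parse_stubs(NTDLL_TEXT, NTDLL_BASE)


def classify_syscall(ret_addr, eax, stubs, base, text_len):
    """Classify one syscall event from (user-mode return address, EAX):
    'direct'   - return address outside ntdll: 'syscall' ran in the caller's
                 own code (SysWhispers-style direct syscall)
    'indirect' - return address sits right after a 'syscall' in an ntdll stub,
                 but EAX is not that stub's SSN: the caller jumped into another
                 stub's gadget
    'stub'     - both match the same stub: the normal path, or an indirect
                 syscall that reused its own unhooked stub, which this check
                 cannot tell apart"""
    if not (base <= ret_addr < base + text_len):
        return "direct"
    for ssn, syscall_va, _ in stubs.values():
        if syscall_va is not None and ret_addr == syscall_va + 2:
            return "stub" if ssn == eax else "indirect"
    return "unknown"


# Constructed events as an EDR callback or ETW provider would report them
EVENTS = [
    (STUBS[0][1] + 2, 0x18),          # legitimate call through stub 0
    (0x00007FF612342ABC, 0x19),       # 'syscall' executed inside the loader's own .text
    (STUBS[2][1] + 2, 0x19),          # hooked stub 1's SSN via stub 2's 'syscall ; ret'
]


def triage(events=EVENTS, stubs=STUBS, base=NTDLL_BASE, text_len=len(NTDLL_TEXT)):
    return [classify_syscall(r, e, stubs, base, text_len) for r, e in events]


if __name__ == "__main__":
    for (r, e), verdict in zip(EVENTS, triage()):
        print(f"ret={r:#x} ssn={e:#04x} -> {verdict}")
```

The caveat is the third verdict's blind spot: a loader that takes the SSN from an unhooked stub and returns through that same stub's `syscall; ret` passes both checks, which is why the abstract's point stands that hooks, and address checks this cheap, are not enough on their own; walking the full call stack back to the caller is the next layer.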
12:30 - 13:30 |
Lunch |
13:30 - 14:15 |
(NO LIVE STREAM) Lucky
Leaks: 400 million file paths are worth a thousand words, Mr. Lorenzo Nicolodi
(Microlab.red, IT)
We spent the last two years collecting and studying the content provided by
ransomware gangs on their DLS (Data Leak Site), more often than not hidden by
the Tor network. We discovered that the list of the files inside the leaks can
provide plenty of information about the gang's TTP, the impact for the victim
and the most effective countermeasures. The victims' privacy is preserved,
because we don't look at the content of the leak itself, except in specific
circumstances where we have a chance of getting the TTPs.
|
14:15 - 15:00 |
Federated Learning Approaches to Bolstering Cyber-Physical
Systems Resilience, Dr. Delwar Hossain (NAIST, JP)
The lecture covers security issues in modern automobiles and Industrial Control
Systems and proposes Deep Learning, Federated Learning-based solutions to
address them. The CAN bus system used in modern cars lacks basic security
features, making it susceptible to attacks such as DoS, Fuzzing, and Spoofing.
Similarly, the Modbus RS-485 protocol used in smart meters lacks authentication
and encryption mechanisms, making it vulnerable to attacks. As a countermeasure,
an intrusion detection system (IDS) using the Federated Learning (FL) approach
can effectively detect malicious activities and ensure data protection from
intruders. The structured presentation covers topics ranging from the security
challenges of automotive and ICS systems to the development of AI-based IDS and
autonomous driving model resiliency using Federated Learning.
The lecture is structured as follows:
- Security issues of modern automotive and ICS systems
- Proposed defense verification platform for the CAN bus system
- Development of a deep learning, Federated Learning-based IDS
- Development of automotive and Modbus attack datasets and AI-based IDS
- Attacker Localization with Machine Learning in RS-485 Industrial Control
Networks.
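The lecture's starting point is that CAN frames carry no sender authentication, so any node can transmit any arbitration ID, and a flood of the highest-priority ID wins every arbitration (DoS). Before a learned model, the baseline a practitioner checks first is timing, because most in-vehicle traffic is periodic. The following is an added example in Python, not the lecture's federated-learning IDS: it learns per-ID inter-arrival periods from a constructed clean candump-style capture and then flags off-cycle frames (a spoofed injection beside the genuine sender) and IDs never seen in the baseline (the 0x000 flood). The log lines, IDs, periods and the 0.5 tolerance are constructed assumptions; a real baseline needs bus-specific tuning and treats event-triggered, non-periodic IDs separately.

```python
"""Added example (not from the lecture): a per-ID timing baseline over
constructed candump-style CAN log lines, flagging off-cycle injections
(spoofing) and frames with an ID absent from the baseline (a DoS flood of
the highest-priority ID 0x000)."""
import re
from collections import defaultdict
from statistics import median

# candump -l record format: "(timestamp) iface ID#HEXDATA"
LINE_RE = re.compile(
    r"\((?P<ts>\d+\.\d+)\)\s+\S+\s+(?P<id>[0-9A-Fa-f]{3,8})#(?P<data>[0-9A-Fa-f]*)")


def parse(lines):
    """Return [(timestamp, arbitration_id, data_bytes)], skipping malformed lines."""
    frames = []
    for ln in lines:
        m = LINE_RE.match(ln)
        if m:
            frames.append((float(m["ts"]), int(m["id"], 16), bytes.fromhex(m["data"])))
    return frames


def learn_periods(frames):
    """Median inter-arrival time per ID from a clean capture."""
    last, gaps = {}, defaultdict(list)
    for ts, cid, _ in frames:
        if cid in last:
            gaps[cid].append(ts - last[cid])
        last[cid] = ts
    return {cid: median(g) for cid, g in gaps.items()}


def detect(frames, periods, tol=0.5):
    """Flag a frame when its ID is unknown, or when it arrives earlier than
    tol*period after the previous frame with the same ID.  An injected frame
    competing with the genuine periodic sender shows up as a short gap because
    CAN has no sender authentication: any node may transmit any ID."""
    alerts, last = [], {}
    for ts, cid, _ in frames:
        if cid not in periods:
            alerts.append((ts, cid, "unknown_id"))
        elif cid in last and ts - last[cid] < tol * periods[cid]:
            alerts.append((ts, cid, "off_cycle"))
        last[cid] = ts
    return alerts


def summarize(alerts):
    counts = defaultdict(int)
    for _, cid, kind in alerts:
        counts[(cid, kind)] += 1
    return dict(counts)


def _periodic(cid, period, t0, t1):
    """Constructed periodic sender: one frame every `period` seconds."""
    t, out = t0, []
    while t < t1:
        out.append(f"({t:.6f}) can0 {cid:03X}#{cid:04X}0000")
        t += period
    return out


# Constructed clean window: 0x123 every 10 ms, 0x244 every 20 ms
BASELINE_LINES = sorted(_periodic(0x123, 0.010, 0.0, 1.0)
                        + _periodic(0x244, 0.020, 0.0, 1.0))
# Constructed attack window: same traffic plus one spoofed 0x123 frame 3 ms
# after the genuine one, and a 20-frame burst of ID 0x000
ATTACK_LINES = sorted(
    _periodic(0x123, 0.010, 1.0, 2.0) + _periodic(0x244, 0.020, 1.0, 2.0)
    + ["(1.003000) can0 123#BAD00000"]
    + [f"({1.050 + 0.0005 * k:.6f}) can0 000#0000000000000000" for k in range(20)])

PERIODS = learn_periods(parse(BASELINE_LINES))
ALERTS = detect(parse(ATTACK_LINES), PERIODS)

if __name__ == "__main__":
    print({f"{k:#x}": round(v, 4) for k, v in PERIODS.items()})
    print(summarize(ALERTS))
```

The same skeleton carries over to Modbus RS-485 polling, where the master's request cadence per slave address is the baseline and an unsolicited or off-cycle request is the signal, since that protocol likewise has no authentication.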
|
BETA HALL | Moderator: Ms. Dana Ludviga (CERT.LV, LV) |
11:00 - 12:30 |
DNS on steroids
Moderator: Ms. Dana Ludviga (CERT.LV, LV) Panelists: Ms. Katrīna Sataki (NIC.LV, LV), Mr. Kirils Solovjovs (Possible Security, LV), Ms. Iveta Skujiņa (NIC.LV, LV), Mr. Kristians Meliņš (NIC.LV, LV), Mr. Helmuts Meskonis (Domain Summit Ltd, UK)
In this engagement session, we will delve into the dynamic world of the Domain
Name System /DNS/ and its evolving landscape. We will cover traditional DNS, the
introduction of new generic Top-Level Domains /gTLDs/, and their impact on the
domain name market. We'll discuss the benefits and challenges these changes
bring for businesses and consumers, as well as the potential for innovation in
areas like decentralized internet addressing.
Panelists and the audience will also explore critical cyber security and legal
issues that average internet users should be aware of.
|
12:30 - 13:30 |
Lunch
|
13:30 - 14:00 |
Grow Your Own SOC, Ms. Merle Maigre (eGA,
EE)
How to organize and consider the many functions in cybersecurity operations
centers (SOCs)? Sharing some best practices that can be applied to SOCs - from
empowering the SOC to carry out the desired functions, to growing quality staff,
prioritising incident response, and engaging with stakeholders and constituents.
|
14:00 - 14:30 |
(NO LIVE STREAM) Rescue
Operations in Cyber Warfare: Cloudflare's hands-on experience in Ukraine, Mr. Maxim
Matskul (Cloudflare, UK)
Join us for an insightful talk where Maxim Matskul, Cloudflare's Sales Director
for Central and Eastern Europe, CIS countries, and Israel, will share invaluable
lessons learned from the frontlines of cybersecurity during geopolitical crises.
Based on his team's hands-on experience in Ukraine during the 2022 Russian
invasion and other projects across Eastern Europe, this presentation will offer
a rare look into how critical infrastructure has been kept operational amidst
some of the most sophisticated and relentless cyberattacks of our
time.
Attendees will gain an inside perspective on the real-time defense mechanisms
deployed to protect companies in various industries. Maxim will also expose
common missteps organizations make when setting up their cybersecurity
frameworks, which can leave them vulnerable in critical moments. In addition,
the talk will deliver actionable recommendations for building a resilient,
multi-layered cybersecurity approach tailored to the modern threat
landscape.
Whether you're in IT, cybersecurity, or management, this presentation is a
must-attend for anyone looking to stay ahead of evolving threats and safeguard
their organization’s digital infrastructure. Don’t miss this opportunity to
learn from a leader at the forefront of the global cybersecurity landscape!
|
14:30 - 15:00 | Game of Drone! Field insights from the war in
Ukraine, Mrs. Gabrielle Joni Verreault
(Universite de Montreal, CA)
As technology continues redefining modern warfare's landscape, its impact
extends beyond the battlefield to involve civilians in unprecedented ways. This
presentation, "Game of Drone! Field Insights from the War in Ukraine," offers a
unique perspective grounded in firsthand experiences from the front lines of the
conflict. It explores the critical intersection of technology, ethics, and
civilian involvement, drawing from the presenter's extensive fieldwork in
Ukraine.
The session will explore the challenges and legal ambiguities that arise when
civilians, driven by a desire to support Ukraine, engage in activities ranging
from ethical hacking to drone operations. Key areas of focus will include the
blurred lines between civilian and combatant roles in cyber operations, the
ethical dilemmas inherent in these initiatives, and the broader implications of
these efforts within the framework of International Humanitarian Law.
Beyond the technical and legal analysis, the presentation will offer insights
into the presenter's unique stance on security, informed by a background in
public health and a deep commitment to human well-being. This perspective is
rooted in a care-oriented and reduction-of-harm approach, emphasizing the
importance of ethical considerations and the responsible use of technology in
conflict zones.
Attendees will gain a nuanced understanding of the ethical and legal
considerations essential for aligning technological skills with the needs on the
ground in a responsible and impactful manner. This discussion is particularly
relevant for ethical hackers, technologists, and those interested in the
practical and ethical dimensions of civilian participation in modern conflicts.
|
15:00 - 15:30 |
Coffee break
|
15:30 - 17:00 | CLOSING SESSION :: Moderator: Mr. Oskars Priede |
15:30 - 16:00 |
Countering generative AI disinformation: a Ukraine
experience, Mr. Dmytro Plieshakov (Osavul, UA)
The presentation will cover the most recent AI-powered techniques used by hostile actors
to plan, create and disseminate disinformation campaigns. It will also focus on how AI
and Large Language Models can be used by the defender community to protect the information
environment from hostile activities.
|
16:00 - 16:25 |
Tailoring security systems for the AI era, Mr. Dmitrijs Ņikitins (Tet,
LV)
This presentation will explore the significant transitions within the IT industry over
the past decades, focusing on the integration of advanced AI technologies that have
transformed traditional security measures, and highlight how cybersecurity must evolve,
incorporating AI not only as a tool but also as an integral part of the strategic
framework.
Looking ahead, we will explore predictions for the next decade, emphasizing how
advancements like quantum computing might influence cybersecurity. This presentation is
designed to equip the audience with the knowledge and tools necessary to adapt their
security strategies effectively in anticipation of these developments.
|
16:25 - 16:40 |
Why we play with Security, Hack the Hacker the Escape Room,
Ms. Jessica (Switch, CH)
In this talk, we explore how serious games can reshape the way we address the human
element in information security. CyberChess participants have the opportunity to
experience “Hack the Hacker: The Escape Room” first hand and learn how interactive,
game-based scenarios can engage participants. These immersive experiences, from escape
rooms to other serious games, spark curiosity, encourage teamwork, and lead to a
fundamental shift in mindset towards security.
|
16:40 - 17:00 | Conference end ceremony |