This talk explores how the UK's NCSC and FCDO work together to deliver cyber deterrence, illustrated through the UK's July 2025 sanctions package targeting Russia's GRU.

NCSC provides independent, rigorous cyber assessment that underpins the UK's policy response to cyber threats. FCDO leads on diplomatic deterrence and the delivery of these policy responses with the aim of changing adversarial risk calculus and behaviours. This close partnership ensures the UK can respond to cyber threats with proportionate, coordinated and effective measures.

An overview of some practical examples of several attributes of actor attribution.

Amid rising supply-chain attacks and global tensions, it is critical to have better visibility into the firmware of embedded products, either to find vulnerabilities or to detect malware and implants.

However, embedded firmware are inherently hard to reverse engineer because of their lack of debugging symbols and their proximity to the hardware. Analysts repeatedly spend time re-identifying common functions, even when they come from open-source libraries and SDKs.

We present BigSim, a Ghidra BSim portable database pre-populated with thousands of function signatures, designed to facilitate bare-metal firmware reversing by identifying known functions from publicly available SDKs.

In an era where cyber threats evolve faster than most organizations can adapt, effective communication has become a critical component of cybersecurity strategy. Julia Petryk shares key findings from the 2025 Cyber Survey, conducted by Calibrated, which benchmarks how businesses across sectors are preparing, or failing to prepare, for cyber incidents.
Crisis incidents are not just operational disruptions, they are direct threats to brand reputation, with long-term impacts on customer trust, investor confidence, and market position.

Drawing on her experience leading cybersecurity communications and mobilizing PR professionals in high-stakes situations, Julia highlights practical steps for bridging these gaps. She examines how cross-functional planning, message testing, and simulation exercises can make the difference between a controlled response and a public relations disaster.

The talk also considers the human factor—how trust, empathy, and clear language influence public and partner confidence during a breach. Attendees will leave with actionable insights, a clearer understanding of their organization’s readiness level, and a roadmap for making communications as resilient as their technical defenses.

Whether you’re in PR, cybersecurity, or executive leadership, this session equips you with the knowledge to navigate cyber crises with credibility and composure, because in 2025, readiness isn’t just about technology, it’s about trust.

This is the story of a significant cyber breach within a large corporate environment. Our network, much like a vast ocean we thought we commanded, was harbouring a ghost fleet of undocumented and vulnerable systems operating undetected in the deep. We will explore how a single, faint sonar ping, an unusual external DNS query spotted by a curious engineer, was the only clue that something was wrong. Following this weak signal led to the discovery of systemic failures: a profound lack of visibility, internal politics that siloed critical intelligence, and dangerously poor patching practices that left our defences riddled with holes. The session will demonstrate why we can't defend what we can't see and make the case for becoming active sonar operators, nurturing a culture where every team member is empowered to investigate the anomalies that can expose our greatest risks.

TBC

As the pace of digital transformation accelerates, the spectrum of cyber threats is expanding in scale, complexity, and unpredictability. Cyber resilience has therefore become a central concern for national security and international stability. This panel will examine how different perspectives can inform approaches to future challenges, highlighting the role of diverse threat actors, the implications of rapidly evolving technologies, and the broader political and strategic dilemmas of building resilience in an increasingly fragmented world. Looking ahead to the coming decade, the discussion will focus on how governments and alliances can anticipate and adapt to these emerging dynamics.

TBC

Ukraine has become one of the most targeted nations in the cyber domain, with advanced persistent threat (APT) groups persistently testing the resilience of its critical infrastructure.

This talk will highlight the Top 3 cyber groups actively attacking Ukraine, outlining their TTPs. By examining these real-world adversaries, we gain valuable insights into their evolving toolsets and operational goals.

The talk will connect the practices like Threat-Informed Defence and External Attack Surface Management, showing how intelligence on active adversaries directly shapes security prioritization.

This talk presents a behind-the-scenes look at the simultaneous disruption of Lumma Stealer and Danabot, two prominent malware families. Building on our extensive history of takedown operations, we will share insights into how such efforts are executed from the perspective of a private cybersecurity company – what works well, what challenges persist, and how collaboration plays a critical role. We will also explore the distinct operational and strategic differences between disrupting botnet infrastructures and infostealer ecosystems. The revival of Lumma Stealer that followed its takedown highlighted the unique challenges posed by infostealers and underscored the need for approach modification. By comparing these two cases, we aim to provide actionable lessons for future disruption efforts across the industry.

In a world reshaped by AI, trust has become an active attack surface under constant pressure. Deepfakes, synthetic identities, and adversaries exploiting trusted platforms have exposed the limits of traditional defenses. Living Off Trusted Sites (LOTS) attacks occur when services like Microsoft 365, AWS, and Google are weaponized. These threats demonstrate that identity-based Zero Trust and reputation-based security alone are no longer sufficient to handle emerging challenges.

Hackitvim knows trust is not static; it is contested ground. To counter today’s challenges, Zero Trust must evolve into an adaptive, adversary-aware model that reassesses users, devices, content, and data in real time. Phishing-resistant authentication, behavioral access controls, and creative deception strategies are essential for staying ahead. Predictive analytics and contextual security measures enhance precision in defense strategies.

As adversaries leverage AI to outmaneuver defenses, defenders must innovate. Continuous Threat Exposure Management (CTEM) reinforces trust, while strategies like 'negative trust' mislead attackers into exposing themselves. Security must evolve into a proactive, tactical approach that empowers defenders to dictate the terms, leveraging systems that validate every interaction and redefine resilience as the cornerstone of a trusted digital future.

The Covid-19 pandemic and the war in Ukraine have reshaped the way organizations must view risks, showing how rapidly and unpredictably the landscape can shift. For Tet, as both a holder of national critical infrastructure and a key service provider for major clients in Latvia and Ukraine, resilience and adaptability are not just strategic goals, they are daily necessities.

In this session, Tet’s CTO will share how global disruptions have transformed risk perception and crisis preparedness. Rather than focusing on specific incidents, the talk will outline broader lessons: the acceleration of digital dependency, the convergence of physical and cyber threats, and the growing importance of collaboration across sectors and borders.

The audience will gain insights into how leaders can strengthen preparedness and rethink risk management as a dynamic and evolving capability.

In cybersecurity, the biggest disasters often begin with the smallest oversights — like a forgotten domain renewal, a misconfigured DNS record, or poorly managed DNS servers. This presentation introduces three pragmatic laws for improving risk assessment practices, drawing on real-world DNS incidents and the timeless logic of human folly. While NIS2 demands a more structured approach to identifying, assessing, and mitigating cyber risks, it's easy to get lost in complexity and miss what truly matters. Not all threats come from hackers — and that's where Cipolla’s “The Basic Laws of Human Stupidity” offer a valuable lens. They help us uncover hidden dependencies, account for irrational behavior, and rethink the way we approach external service risks.

- Risk-aware business culture: practical and experience-based tips of overcoming existential crises and thriving after misery (first-hand insights from aviation, retail, healht-care and military).

- Risks, threats and vulnerabilities are different, mitigation and response is similar (Resilience Architecture) -> hands on advice.

- Synergy is the answer for unknown unknowns – a region-wide organisation of resilience, example of communities in the Nordics.

Active Defenses have been capturing a large amount of attention in the media lately. There are those who thirst for vengeance and want to directly attack the attackers. There are those who believe that any sort of active response directed at an attacker is wrong. We believe the answer is somewhere in between.

Cybercrime, destruction, and other malicious activity often benefits from scaling up attack infrastructure. The ability to rapidly setup and scale nearly identical phishing sites being one such case, where once initial access is obtained it often leads to much worse results. This same scale however, can be used against the threats behind them by creating patterns to detect it as it grows and evolves.

In contrast, APT groups rarely need to scale their destructive infrastructure. They can afford, and often do, segment out their infrastructure into disparate parts for obfuscation. So that only the pieces they wish to reach the public (and thus, be identified to them) are traceable. In practice however, even these sophisticated actors also make mistakes that defenders can capitalize on.

In this TLP: Amber presentation, we will show you how Silent Push tracks APT groups with such tenacity and will focus our presentation here on groups from/linked to Russia, such as: Gamaredon, APT28, and Turla.

This presentation examines the crisis and risk management challenges faced by a printing company during a serious ransomware attack, focusing on leadership decision-making under pressure and stakeholder coordination during operational shutdown. We'll explore how management navigated critical decisions including ransom negotiations, law enforcement engagement, and business continuity activation, while simultaneously managing communication with employees, customers, suppliers, and regulatory authorities. The presentation will include lessons-learned from the whole cyber incident response lifecycle.

In 2025 there has been an alarming increase in the number of social engineering attacks leading to ransomware attacks. In particular, these attacks are targeting outsourced helpdesks, and many of these attacks rely heavily on AI Large Language Models.

For many years, social engineering attacks were largely the realm of western-based ransomware groups, like Scattered Spider or LAPSUS. But, the voice capabilities combined with language fluency of many LLMs has evened the playing field. Any group can now carry out these attacks, using the blueprint laid out by western based threat actors and ransomware groups are finding incredible success.

This talk will look at how these attacks work, why outsourced help desks are particularly susceptible to these attacks and what organizations can do to protect themselves.

This presentation delves into the investigative learnings from tracking and analyzing the network infrastructure supporting industrial-scale pig-butchering (romance baiting), investment, and cryptocurrency scams. We explore the ecosystem enabling these scams, from fraud website templates and malicious Javascript libraries to the tactics, techniques, and procedures (TTPs) leveraged by the threat actors.

Special attention is given to the role of domain registrars and network operators, including how API integrations and cryptocurrency payments are exploited to enable the rapid and large-scale deployment of scam domains.

Through this research, we highlight patterns of abuse, infrastructure overlaps, and the operational indicators that can help defenders detect and disrupt these fraud campaigns more effectively.

The EU and its Member States are stepping up cooperation and investments in cyber defence policy, including by improving management of cyber crisis, enhancing intelligence cooperation on cyber threats, strengthening the cooperation and coordination between military and civilian cyber communities, also by increasing cooperation with partners like NATO.

Panel experts will offer insights into the most pressing tasks for strengthening cyber defence and the challenges of translating policy into coordinated and concrete actions and effective use of instruments and procedures already in place.

The presentation “Building Trust in Digital Age: Certification, Conformity Assessment, and Accreditation” will explore how trust is established and maintained in an increasingly digital and interconnected world. Participants will gain insights into the role of certification, conformity assessment, and accreditation in ensuring cybersecurity, reliability, and confidence in digital solutions.

The operating systems of many proprietary consumer- and enterprise-grade network devices do not allow for easy customization. For example, one cannot simply use SSH to login as a 'root' to modify the software, as this functionality is often unavailable. In this way, device vendors prevent inexperienced users from 'bricking' their devices, and, at the same, time attempt to prevent adversaries from studying the internals and discovering vulnerabilities.

This practice also complicates the lives of vulnerability researchers: it is a 'chicken-and-egg' problem, where, in order to do proper vulnerability research, one must already find a completely new vulnerability that allows for a 'root' access. However, my experience of several years in doing this shows that this may be not that difficult, when using the right techniques.

In this talk, I will discuss my experience in 'rooting' network gateways, routers, and other network equipment, and will demonstrate some of the approaches we use in our team to bootstrap vulnerability research and find critical bugs in these devices. I will use technical bits and pieces from several vulnerability research cycles my team and I performed against vendors such as DrayTek, Sierra Wireless, and [REDACTED]. This talk will be interesting for cybersecurity professionals who are getting started in reverse engineering and vulnerability discovery, as well as for seasoned vulnerability researchers who are looking for some inspiration.

Vulnerability management is a critical component of a security program, especially in open-core environments. This talk explores the end-to-end process, from intake via Bug Bounties or Disclosure P rograms, through triage, root cause analysis, fixes, testing, and disclosure, while addressing the unique transparency challenges of open-core environments.

Using a real-world example, we’ll walk through each step of the process, highlighting the role of automation, AI, and metrics. We’ll also cover tailored practices for critical vulnerabilities and strategies to ensure scalability, security, and community trust.

We trust our vendors a lot, and on paper, they all claim to take cybersecurity seriously. But the real world tells a different story.

How different? I learned it when facilitating a campaign to improve the resilience of Finnish society for the National Cyber Security Center Finland. In the campaign we helped Finnish companies to secure their supply chain in practice. First we helped the participants to identify their supply chain. Then we checked the identified vendors for potential security lapses, reported the issues and offered help in fixing them. Finally our job was to rate the vendors based on their response. I am glad to be able to share anecdotes and statistics about this endeavor, and what has happened since. I will tell you how vendors perform when they learn they have vulnerabilities. I’ll list what are the vendor stereotypes, whether they are awesome, mediocre, or poor performers. I’ll give examples from their heroic efforts to tackle the vulnerabilities to bizarre justifications on why they can be ignored. Finally, I'll give you practical, do-it-yourself tips on how you can be the best vendor for your customers, or how to push your own supply chain to step up and protect you instead of making you more vulnerable.

Cloud storage misconfigurations expose sensitive credentials at an alarming rate. Through systematic scanning of publicly accessible cloud buckets across AWS S3, Google Cloud Storage, and Azure Blob Storage, we discovered 215 instances of leaked secrets including API keys, database credentials, and infrastructure tokens. These exposures grant unauthorised access to critical cloud and third party services and pose significant security risks to organisations worldwide.

Our responsible disclosure process successfully remediated 95 vulnerabilities, with 20 organisations directly confirming their fixes. This study reveals the widespread nature of cloud storage security gaps and demonstrates how proactive security research can drive meaningful improvements in cloud security practices. The findings underscore the urgent need for better configuration management and automated detection in cloud environments.

Is your organization prepared for a cyberattack? Do you know what to do in the event of a ransomware incident or another critical security breach? With increasing regulatory requirements such as NIS2 and DORA, it's essential not only to have the right tools, but above all, to know how to use them effectively and to be prepared for crisis situations.

We should be aware that ransomware and other cyber crises have a negative psychological impact on people, causing fear, stress, paralysis, and other harmful effects. The session focuses on the importance of staying calm during a cyber crisis and following a clear step-by-step plan that was thoroughly practiced in realistic cyberattack exercises.

This session will present the results of the Cyber Soldier project. The project was launched for organizations that — responding to the first version of the NIS directive — were building Security Operations Centers (SOCs) and faced the challenge of quickly preparing staff to correctly detect and respond to incidents. The main requirement was to practically train SOC teams in the use of their existing detection and incident analysis tools, particularly EDR/XDR platforms and solutions for digital forensics and threat hunting.

Currently, the Cyber Soldier project is being developed to meet the requirements of the DORA regulation for the financial sector, which mandates the execution of Red Team tests in production environments, based on actionable cyber threat intelligence.

Description of how NATO executes Maritime Cyber Operations to include real world examples.

Historically, critical national infrastructure was built around availability and the illusion of air-gapped security. That world is gone. The era of isolated, "perfectly secure" systems has ended; everything is now interconnected, interdependent, and vulnerable. We will explore selected Ukrainian CNI and mission-critical systems, and the security measures they had to implement to mitigate russian threats. Details to follow.

In a world where hardware may be sourced from strategic competitors, our greatest vulnerability lies not in the hardware itself, but in the code it runs. Firmware, bootloaders, UEFI environments, and other low-level code-based layers embedded in critical infrastructure are increasingly opaque, remotely updatable, and ripe for exploitation. These “soft roots of trust” have become the stealthy battleground of cyber pre-positioning for nation-state threat actors.

This session explores actionable pathways to reclaim sovereignty over compromised or untrusted devices without resorting to wholesale rip-and-replace strategies. Drawing on firsthand experience advising U.S. federal agencies, energy regulators, and operators, Patrick Miller will outline efforts to develop open-source, re-flashable firmware for critical devices; secure bootloader architectures; and forensic validation methods for embedded systems. He will also examine the growing policy convergence between cybersecurity and industrial sovereignty.

Attendees will leave with an understanding of the risks posed by embedded firmware in imported operational technologies, as well as conceptual mitigation models from Open Source Firmware Programs to device-level reassertion of trust through transparent, verifiable code.

TBC

I will be sharing the reason of why we decided to create our own custom built infra for Mārtiņa CTF and what were the requirements and major choices that we had to make to get to where we are now. While I will be mentioning two fairly well known technologies (CTFd and naumachia), the talk will be focused on our own custom solution running on k3s.

This presentation discusses research on how smaller nations can adopt volunteer-driven cyber defence initiatives to strengthen their national cybersecurity posture. Using the Cyber Defence Unit initiative from Kosovo as a case study, it highlights the engagement of the local IT community in identifying and monitoring leaked data affecting both the public and private sectors. The development of a custom platform—built with open-source technologies to detect and analyse data breaches—will be presented. The session will demonstrate how national cybersecurity efforts can be reinforced through increased community involvement and the strengthening of public-private partnerships, enabling more effective breach detection, information sharing, and coordinated response.

How do you get more people into IT and cybersecurity—and make it approachable? How do you get someone to care about digital hygiene, online safety, and technical know-how without boring them to death? We think: Capture the Flag events. But running one? That's a whole different beast.

This is the story of Mārtiņa–CTF, a grassroots, student-led team-based CTF born in Latvia. We'll take you through how it started: from a scrappy idea into a full-blown competition, engaging around 200 participants. We'll share the whole journey — the wins, the fails, and the lessons learned.

We’ll cover our first attempt and the technical implementation behind it, followed by how we reworked the infrastructure in version two — though we’ll keep it light on deep technical details, as the more detailed tech talk is covered in a separate session.

This talk isn’t just a retrospective — it’s a guidebook for anyone who wants to run CTFs or cyber-related events. Whether you're part of a student group, an NGO, or just an individual who wants to make a difference in digital education, we wish to share our hard-learnt lessons to you.

Come for the memes, stay for the story, and leave with a roadmap built on a lot of trial, error, and stubborn belief that this stuff matters.