Welcome to the Secureworks Global Threat Intelligence Summit
4 October 2023 9:00–14:00 EDT 14:00–19:00 BST
The State of Today’s Threat
Blinded by STARLIGHT: Exploring a Constellation of Ransomware Groups Sponsored by China
BREAK
Clop and the Zero-day Extortions
WhatsApp CEO Fraud Targets Executives
Cybersecurity in the Boardroom: An Executive’s Guide to Presenting Trends
Azure and Office 365: A Year in Discoveries
Threat Intelligence-fueled Investigations: How Taegis™ Better Protects its Customers
Detection Research Retrospection
BREAK
KEYNOTE: Defend Your Frontiers with Collaborative Cybersecurity Defense
Close & Thank You
WhatsApp CEO Fraud Targets Executives
When the CEO emails you about an important, confidential M&A deal, demanding your urgent help, what do you reply? Criminals are taking advantage of some of our best business instincts in a carefully crafted campaign of audacious fraud that mostly flies under the radar, outside corporate security controls. We’ll examine some real-world fraud attempts and their red flags.
Blinded by STARLIGHT: Exploring a Constellation of Ransomware Groups Sponsored by China
Ransomware and cybercrime groups operating from China are an understudied topic. But they are no less of a threat to your business. This session will explore their activities using ransomware as cover for espionage — as well as groups focused on traditional profit goals.
KEYNOTE: Defend Your Frontiers with Collaborative Cybersecurity Defense
Join Jen Easterly, Director of CISA, and Wendy Thomas, Secureworks CEO, in a thought-provoking fireside chat as they share the rising imperative for cyber defense through collaboration. As threats grow and attack surfaces expand, today's security responsibility extends beyond the CISO, to Boards, CEOs, and other business decision-makers. Jen and Wendy will share real world stories as well as strategies that can fortify organizational defenses by ensuring a united front against modern cyber challenges. Learn why the future of cybersecurity is collaborative.
Azure and Office 365: A Year in Discoveries
In this panel discussion, three Secureworks researchers recognized by Microsoft as Most Valuable Researchers (MVR) will highlight some of their more interesting vulnerability findings reported to Microsoft over the past year.
Security Crossfire: Diverse Perspectives on Today's Threats
Terry McGraw, VP Global Cyber Threat Analysis, Secureworks (Moderator)
Neil Clauson, Regional CISO, Mimecast
David Willis, VP and Head of Technology Integrations, Netskope
Jacob Benjamin, Director of International Consulting Services, Dragos
Join threat researchers and experts from Mimecast, Dragos, Netskope, and Secureworks as they discuss their perspectives on today’s threats across the entire IT and OT landscape. Through this panel the team will identify common patterns and tactics, as well as differences, as each drills into their own area of expertise.
Clop and the Zero-day Extortions
GOLD TAHOE made headlines earlier this year by extorting hundreds of victims, after exploiting a zero-day vulnerability in a file transfer solution. Keith Jarvis, the cybercrime lead in Secureworks Counter Threat Unit™, will discuss this global incident. Learn the history of this group and how to mitigate their attacks.
Threat Intelligence-fueled Investigations: How Taegis™ Better Protects its Customers
Learn how to turn threat intelligence into actionable cyber defense. The Secureworks Counter Threat Unit (CTU™) is leading the fight in turning an up-to-the-minute understanding of the threat into actionable detections in Taegis.
Detection Research Retrospection
In this session, Dr. Clay Moody, Senior Director of Detection Research at Secureworks, will highlight where Detection Research work and advancements in the Secureworks Tactic Graphs™ Engine, together with new countermeasures, have provided early indications of threat actor behavior in customer environments.
The State of Today’s Threat
Join Don Smith, Vice President of Threat Research, as he sets the stage for the Secureworks Global Threat Intelligence Summit, embarking on a captivating journey through the world of cyber threats. Learn how the latest dangers are, in fact, timeless villains — e-criminals, ransomware, and hostile state actors. Learn proven ways to outsmart them with cutting-edge defenses.
Live session speakers
Mike Aiello, Chief Technology Officer
Don Smith, Vice President, Threat Research
Marc Burnard, Senior Security Researcher, Threat Research
Keith Jarvis, Senior Security Researcher, Threat Research
Tony Gore, Security Researcher
Alexandra Rose, Director of Government Partnerships
Stacy Leidwinger, Vice President of Brand & Portfolio Marketing
Dr. Nestori Syynimaa, Senior Principal Security Researcher, Detection Research
Joosua Santasalo, Senior Principal Security Researcher, Detection Research
Chris Yule, Director of Threat Research
Dr. Clay Moody, Senior Director of Detection Research
Rafe Pilling, Director of Intelligence, Threat Research
Jen Easterly, Director of the Cybersecurity and Infrastructure Security Agency (CISA)
Wendy Thomas, Chief Executive Officer
Cybersecurity in the Boardroom: An Executive's Guide to Presenting Trends
How can you effectively communicate cybersecurity trends to the corporate boardroom? In this session, we’ll explore strategies for translating complex technical insights into actionable business decisions, enabling better cyber-aware leaders in a fast-evolving cyber threat landscape.
Live Sessions
Qakbot Takedown: How We Track(ed) Qakbot
On-Demand Sessions
Into the Abyss: Shining a Light on the Dark Web
The Wartime Cyber Threat: Bluster or Blitz?
The Masquerade Ball: Iran's Faux Criminal and Hacktivist Groups
From Indicator to Trusted Knowledge: Pathways and Processes to Empowered TI
Ransomware: Assessing the Threat
How North Korea Has Capitalized on Supply Chain Weaknesses
Own the Router, Own the Network
Illuminating BRONZE SILHOUETTE
We Need to Talk About China
We Need to Talk About China
China is one of the big players on the global stage when it comes to cyber espionage. This is something we've heard about at almost every cybersecurity conference for more than 15 years. Yet, is it accurate to say "China" is hacking our governments and commercial organizations? What does it mean to say that "China" is stealing our secrets or our company’s intellectual property?
Join Mark Osborn, malware technical lead for Chinese APT, as he unravels some of the main players in China and examines some of the threat groups we track under BRONZE code names. You will learn about the types of incidents Secureworks consultants respond to and look in detail at how the stealthiest attacks are being conducted right now. If you want to know what the threat to your organization looks like, and what you should be doing about it, this is a talk you should attend.
From Indicator to Trusted Knowledge: Pathways and Processes to Empowered TI
Indicators come to Secureworks via five main sources: incident response engagements, the Secureworks botnet emulation framework, researcher investigations, trusted third parties, and open-source research. In this presentation, Rebecca Taylor will discuss the pathways these indicator types take from raw data through to trusted and applied knowledge in Secureworks platforms and tools. Taylor will cover the Secureworks Threat Intelligence Management System and the processes and rules that support indicator transition, and how such critical TI knowledge is then used in Taegis to protect against, detect, and respond to threats and risks.
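As an added illustration of the raw-indicator-to-trusted-knowledge pathway described in the abstract above (example code written for this page, not Secureworks’ Threat Intelligence Management System, whose actual rules are not described here): a small Python triage routine that normalises raw sightings, rejects malformed or internal values, scores confidence from the source tier plus corroboration, and promotes, holds or retires each indicator. The five source names follow the abstract; the confidence tiers, trust threshold, ageing window and sample sightings are assumptions.

```python
"""Indicator triage: raw sighting -> validated, scored, trusted knowledge.

Added example for this page. The five source names follow the abstract;
everything else (tiers, threshold, ageing window, sample data) is assumed.
"""
import ipaddress
import re
from datetime import datetime, timedelta, timezone

# Starting confidence by source tier: first-hand observation scores highest.
SOURCE_BASE_CONFIDENCE = {
    "incident_response": 90,
    "botnet_emulation": 85,
    "researcher_investigation": 75,
    "trusted_third_party": 60,
    "open_source": 40,
}
TRUST_THRESHOLD = 70          # below this an indicator stays a candidate
MAX_AGE = timedelta(days=90)  # not seen for longer than this: retire, never trust

# Address space that must never be promoted as an external IOC.
_INTERNAL = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]
_SHA256 = re.compile(r"^[0-9a-f]{64}$")
_MD5 = re.compile(r"^[0-9a-f]{32}$")
_DOMAIN = re.compile(r"^(?=.{1,253}$)([a-z0-9-]{1,63}\.)+[a-z]{2,63}$")

def classify(value):
    """Return (kind, normalised_value) or None when the value is unusable."""
    v = value.strip().lower().replace("[.]", ".")  # undo report defanging
    try:
        ip = ipaddress.ip_address(v)
        if any(ip in net for net in _INTERNAL):
            return None
        return ("ipv6" if ip.version == 6 else "ipv4", str(ip))
    except ValueError:
        pass
    for kind, pattern in (("sha256", _SHA256), ("md5", _MD5), ("domain", _DOMAIN)):
        if pattern.match(v):
            return (kind, v)
    return None

def triage(raw_sightings, now):
    """Merge sightings per indicator and assign a state.

    Each sighting: {"value", "source", "seen" (ISO-8601 with offset)}.
    Confidence = best source tier + 10 per additional independent source, max 100.
    States: trusted, candidate, retired (stale), rejected (unusable value).
    """
    merged = {}
    for raw in raw_sightings:
        parsed = classify(raw["value"])
        if parsed is None:
            merged[raw["value"]] = {"type": None, "sources": set(),
                                    "confidence": 0, "last_seen": None,
                                    "state": "rejected"}
            continue
        kind, norm = parsed
        seen = datetime.fromisoformat(raw["seen"]).astimezone(timezone.utc)
        rec = merged.setdefault(norm, {"type": kind, "sources": set(),
                                       "confidence": 0, "last_seen": seen,
                                       "state": "candidate"})
        rec["sources"].add(raw["source"])
        rec["last_seen"] = max(rec["last_seen"], seen)
    for rec in merged.values():
        if rec["type"] is None:
            continue
        base = max(SOURCE_BASE_CONFIDENCE.get(s, 0) for s in rec["sources"])
        rec["confidence"] = min(100, base + 10 * (len(rec["sources"]) - 1))
        if now - rec["last_seen"] > MAX_AGE:
            rec["state"] = "retired"
        elif rec["confidence"] >= TRUST_THRESHOLD:
            rec["state"] = "trusted"
        else:
            rec["state"] = "candidate"
    return merged

# Constructed sample sightings (not real intelligence).
SAMPLE_SIGHTINGS = [
    {"value": "198.51.100[.]23", "source": "open_source", "seen": "2023-09-30T10:00:00+00:00"},
    {"value": "198.51.100.23", "source": "incident_response", "seen": "2023-10-01T08:00:00+00:00"},
    {"value": "evil-updates[.]example", "source": "open_source", "seen": "2023-10-02T00:00:00+00:00"},
    {"value": "10.0.0.9", "source": "researcher_investigation", "seen": "2023-10-02T00:00:00+00:00"},
    {"value": "d41d8cd98f00b204e9800998ecf8427e", "source": "botnet_emulation", "seen": "2023-05-01T00:00:00+00:00"},
    {"value": "not an indicator", "source": "trusted_third_party", "seen": "2023-10-02T00:00:00+00:00"},
]

def example():
    """Run the sample through triage as of the summit date."""
    return triage(SAMPLE_SIGHTINGS, now=datetime(2023, 10, 4, tzinfo=timezone.utc))

if __name__ == "__main__":
    for value, rec in example().items():
        print(f"{rec['state']:<9} {rec['confidence']:>3}  {value}  sources={sorted(rec['sources'])}")
```

The design point is that a second independent source raises confidence, but age and validity are gates, not scores: a stale high-confidence hash is retired rather than trusted, and an internal address is rejected before it can ever be scored.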
Into the Abyss: Shining a Light on the Dark Web
Delve into the enigmatic world of cybercrime as we explore the dark web and its hidden corners with esteemed Secureworks researcher Frank Hackett. Witness how our CTU-HUMINT researchers actively monitor initial access brokers, discover novel malware strains, and engage with threat actors. Learn how our research feeds into Taegis, bolstering defenses against evolving threats. Moreover, Frank will unveil the emergence of AI on the underground, offering a glimpse into how battles will evolve in the trenches of the internet's seedy underbelly.
The Masquerade Ball: Iran's Faux Criminal and Hacktivist Groups
Since the Iran-Iraq war of the 1980s, Iran has preferred indirect confrontation through proxies, either created or adopted, to conduct kinetic and intelligence operations against regional adversaries. That same strategy carried over into the development of their offensive cyber capabilities, first through the adoption of the indigenous amateur hacker and defacement community to conduct attacks, and later in the routine fabrication of criminal and hacktivist personas to claim responsibility for attacks. In this talk Rafe Pilling, Director of Intelligence in the Secureworks Counter Threat Unit, will reveal some of the personas and group identities that Iranian groups have been using in the last 12 months.
The Wartime Cyber Threat: Bluster or Blitz?
As the Ukraine conflict continues, so does an active array of noisy and sometimes disruptive threat actors. But how real is the threat of DDoS disruption or nation state compromise to your organization? This presentation explores the pro-Russian threat landscape, from hacktivist groups like KillNet and Anonymous Sudan to IRON RITUAL, based on research and IR investigations.
How North Korea Has Capitalized on Supply Chain Weaknesses
North Korean state-sponsored threat groups have successfully compromised various software supply chains to deliver malware since at least 2020. This presentation explores the supply chain attacks attributed to North Korean groups and outlines actor motives, TTPs, and how the attacks have evolved over the years.
Own the Router, Own the Network
Perimeter routers represent the soft underbelly of many organizations, often outside their direct management and visibility. In this talk, Rafe Pilling, Director of Intelligence in the Secureworks Counter Threat Unit, will examine several cases of hackers compromising perimeter infrastructure, and the nefarious uses they put it to.
Qakbot Takedown: How We Track(ed) Qakbot
The CTU had a front-row seat to the recent Qakbot takedown, thanks to our botnet emulation capability. Graham Austin will talk about how we built that capability, how we saw what nobody else did and how law enforcement were able to take down one of the biggest botnets in the world.
On-demand session speakers
Rebecca Taylor, Threat Intelligence Knowledge Manager
Mark Osborn, China Malware Lead
Frank Hackett, Senior Researcher, HUMINT
Graham Austin, Senior Security Researcher
Tony Adams, Russia Thematic Lead
Rafe Pilling, Director of Intelligence, Threat Research
Sarah Kern, Security Researcher, DPRK & Emerging Threats Lead
Marc Burnard, China Thematic Lead
Tim Mitchell, Cybercrime Intelligence Lead
Illuminating BRONZE SILHOUETTE
Threat groups that eschew malware and maximize the use of living-off-the-land tactics can be some of the hardest to detect. And they need to be when they are targeting critical infrastructure, government and defense organizations. But despite their elusive nature, BRONZE SILHOUETTE has been discovered multiple times by Secureworks since 2021. In this session, Marc Burnard, Intelligence Lead for Chinese APT research in the Secureworks Counter Threat Unit, takes a deep dive into the threat group, their tactics and how to detect them.
TrueBot v3 Analysis
Speaker: Rob Pantazopoulos, Malware Research Lead
The Growing Threat from Infostealers
Speaker: Aiden Sinnott, Cybercrime Researcher
Ransomware Lightning Talks
Speakers: Tim Mitchell, Cybercrime Intelligence Lead; Aiden Sinnott, Cybercrime Researcher; Keith Jarvis, Cybercrime Technical Lead
Can't Stop This: It's MFA Bypass Time
Speaker: Kevin Strickland, Director, Threat Hunting and Emergency Incident Response
Active Directory Root Cause: The Reset Password Conundrum
Speaker: Martin Kirk, Team Lead, Incident Response & Readiness (EMEA)
Pentests You Didn’t Know You Needed
Speaker: Eric Escobar, Principal Consultant / Wireless Lead
To Catch a Hacker: Unconventional Techniques and Traps to Snare a Hacker in Your Network
Speaker: Eric Escobar, Principal Consultant / Wireless Lead
Is Microsoft Security Sufficient for Your Operations?
Speakers: Stefan Oancea, Principal Presales Security Architect; Stacy Leidwinger, VP of Brand & Portfolio Marketing
Sponsor Panel
Security Crossfire: Diverse Perspectives on Today's Threats
Panelists: Terry McGraw, VP Global Cyber Threat Analysis, Secureworks (Moderator); Neil Clauson, Regional CISO, Mimecast; David Willis, VP and Head of Technology Integrations, Netskope; Jacob Benjamin, Director of International Consulting Services, Dragos
Bringing Cyber Defense Practices into the OT World
Speaker: Bud Ellis, Product Marketing Manager
Ransomware: Assessing the Threat
In this presentation, Senior Security Researcher Tim Mitchell explores recent trends in the ransomware landscape. Based on observations from Secureworks incident response engagements and a wider analysis of open-source data, he will provide insight into some of the most prolific ransomware groups, the methods by which they gain access to networks, and what we can do about them.
He’ll also take the opportunity to answer questions such as: How impactful are data-theft-only extortion attacks? Why has the dwell time between initial access and ransomware deployment shrunk so dramatically? And what do public name-and-shame statistics really tell us?
TrueBot v3 Analysis
TrueBot is a downloader that threat actors commonly leverage in targeted intrusions to gain an initial foothold within a victim’s environment and deploy next-stage malware. Intrusions involving TrueBot often result in sensitive data exfiltration and deployment of ransomware. CTU tracking of TrueBot has revealed that development of the malware is highly active. This talk will detail analysis of TrueBot v3, which was first identified in the wild in June 2023. We will also cover aspects of TrueBot's evolution over the past year and highlight code similarities with Cl0p ransomware that might suggest both malware families are developed and operated by the GOLD TAHOE threat group.
Ransomware Lightning Talks
The ransomware threat landscape is agile and in a constant state of flux with new tactics and groups emerging and disappearing, guided by unseen underground market forces. This session will provide a rapid-fire analysis of three key clusters of ransomware operations based on real-world incidents and Secureworks CTU intelligence analysis.
The Growing Threat from Infostealers
Infostealers are playing an increasingly important role in the cybercrime ecosystem, exposing sensitive information such as login credentials, financial details and personal data. This talk will cover some of the most prominent infostealers, as well as the underground economy and supporting infrastructure that has developed around them.
Active Directory Root Cause: The Reset Password Conundrum
A password reset of critical accounts is often insufficient to evict a threat actor from an environment. This talk will outline why a proper response to an Active Directory domain compromise is necessary.
Can't Stop This: It's MFA Bypass Time
In the ever-evolving realm of cybersecurity, the persistence with which attackers bypass multi-factor authentication (MFA) poses an escalating challenge. "Can't Stop This: It's MFA Bypass Time" makes the case that MFA on its own is not enough. This session will provide an overview of the latest trends, emerging threats, and proactive defense strategies to help individuals and organizations counter MFA bypass attempts, and will offer practical insights for fortifying defenses against persistent adversaries.
Pentests You Didn’t Know You Needed
Many corporations and individuals perform annual pentests and security audits. These engagements might check the regulatory box, but they often fall short of identifying the true risk of your organization. Learn about goal-based penetration testing and how it can shape your team’s security posture by answering your lingering questions, such as what happens if my CEO’s laptop is stolen?
To Catch a Hacker: Unconventional Techniques and Traps to Snare a Hacker in Your Network
Hackers are humans (or at least pretty close). In this talk, learn what entices a hacker so you can set your own trap. A few traps of your own, such as fake users, honeypots, and network canaries, can be an invaluable tool for seeing who is probing your defenses.
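Added example for the fake-user trap mentioned in the abstract above (written for this page, not code from the talk): a Python detector that runs over exported Windows Security events and raises an alert on any authentication activity that touches a decoy account. Because the account exists only as bait, every hit is worth looking at, including successful logons. The decoy account names, the list of watched event IDs and the sample events are constructed for the example.

```python
"""Canary-account detection over exported Windows Security events.

Added example for this page. Assumes events have already been exported as
dicts carrying EventID, TargetUserName, IpAddress and Computer; the decoy
account names below are invented.
"""
import ipaddress
from dataclasses import dataclass

# Accounts that exist only as bait: no human or service should ever use them.
CANARY_ACCOUNTS = {"svc_backup_admin", "hr.payroll.share"}

# Windows Security event IDs that indicate someone tried to use an account.
WATCHED_EVENTS = {
    4624: "successful logon",
    4625: "failed logon",
    4768: "Kerberos TGT request",
    4769: "Kerberos service ticket request",
    4771: "Kerberos pre-authentication failed",
}

@dataclass(frozen=True)
class Alert:
    account: str
    event_id: int
    description: str
    source_ip: str
    host: str

def _normalise_ip(raw):
    """Windows logs '-' when no address applies and IPv4-mapped IPv6 otherwise."""
    if not raw or raw == "-":
        return "unknown"
    raw = raw.strip("[]")
    if raw.startswith("::ffff:"):
        raw = raw[len("::ffff:"):]
    try:
        return str(ipaddress.ip_address(raw))
    except ValueError:
        return raw

def detect_canary_activity(events, canaries=CANARY_ACCOUNTS):
    """Return an Alert for every watched event that names a canary account.

    Matching is case-insensitive and strips a DOMAIN\\ prefix or @realm
    suffix, so 'CORP\\svc_backup_admin' and 'svc_backup_admin@corp.local'
    both count as hits.
    """
    wanted = {c.lower() for c in canaries}
    alerts = []
    for ev in events:
        eid = int(ev.get("EventID", 0))
        if eid not in WATCHED_EVENTS:
            continue
        name = str(ev.get("TargetUserName", ""))
        bare = name.rsplit("\\", 1)[-1].split("@", 1)[0].lower()
        if bare in wanted:
            alerts.append(Alert(
                account=bare,
                event_id=eid,
                description=WATCHED_EVENTS[eid],
                source_ip=_normalise_ip(ev.get("IpAddress")),
                host=str(ev.get("Computer", "")),
            ))
    return alerts

# Constructed sample events (not real logs).
SAMPLE_EVENTS = [
    {"EventID": 4624, "TargetUserName": "jdoe", "IpAddress": "10.0.0.5", "Computer": "DC01"},
    {"EventID": 4768, "TargetUserName": "svc_backup_admin@corp.local",
     "IpAddress": "::ffff:10.0.4.77", "Computer": "DC01"},
    {"EventID": 4625, "TargetUserName": "CORP\\HR.Payroll.Share",
     "IpAddress": "10.0.4.77", "Computer": "FS02"},
    # 4672 (special privileges assigned) is not in the watched set, so it is ignored.
    {"EventID": 4672, "TargetUserName": "svc_backup_admin", "IpAddress": "-", "Computer": "DC01"},
]

def main():
    for a in detect_canary_activity(SAMPLE_EVENTS):
        print(f"CANARY HIT {a.account}: {a.description} (EventID {a.event_id}) "
              f"from {a.source_ip} on {a.host}")

if __name__ == "__main__":
    main()
```

Seeding the decoy accounts with plausible descriptions and group memberships, and never using them legitimately, is what makes the rule this simple: there is no baseline to learn, so any touch is a signal.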
Is Microsoft Security Sufficient for Your Operations?
Analysts evaluating Microsoft’s security tools are increasingly asked: “Is Microsoft Security sufficient for my operations?” The question is hardly surprising from either a security or a budgetary viewpoint, as Microsoft’s Office 365, Azure and other licenses bundle extensive advanced security tooling into their overall licensing costs.
In this session, we’ll answer that question as we explore the pros and cons of adopting a Microsoft-first security strategy to consolidate your IT security toolset. Learn what to be aware of when it comes to operationalizing Microsoft’s advanced security.
Bringing Cyber Defense Practices into the OT World
Industrial organizations continue to expand their security strategy to include operational technology (OT) environments. This movement is happening quickly: Gartner reports that by 2025, 70% of asset-intensive organizations will have converged their security functions.
But how do you introduce good cyber defense practices into the OT world, an area marked with legacy technology that’s passive by design to ensure critical production systems run uninterrupted? Join this session for practical tips industrial organizations can use to build their OT cyber defense strategies.