Join us at the 37th Annual FIRST Conference

June 22, 2025 - June 27, 2025

Bella Center Copenhagen, Copenhagen, Denmark

We are grateful to train threat-informed defenders across two workshops at the 37th Annual FIRST Conference in Copenhagen, Denmark. FIRSTCON is an annual conference that promotes worldwide coordination and cooperation among computer security and incident response teams. The conference provides a forum for sharing goals, ideas, and information on how to improve computer security on a global scale.

Would you like to meet with us at FIRSTCON25? Schedule a meeting here.

Learn more about our training below. Full event information and training registration are on the FIRST event site.

Event Schedule

Level Up Your Analytics

June 22, 2025 from 08:30-12:30

Mike Cunningham, R&D Program Manager, Center for Threat-Informed Defense

Suneel Sundar, Director, Research and Development, Center for Threat-Informed Defense

In this workshop, participants will explore the relationships between sensors and advanced detection strategies. This session is designed for cybersecurity professionals seeking to enhance their technical acumen in building robust, adaptable detection capabilities.

The workshop begins with a detailed exploration of sensors, event IDs, and data sources, focusing on how to leverage them to align organizational telemetry with adversary techniques as outlined in MITRE ATT&CK. Participants will learn to assess sensor coverage, identify telemetry gaps, and prioritize sensor deployment for maximum visibility.

Building on this foundation, the session transitions to a methodology for developing resilient detection analytics that withstand adversary evasion. Attendees will gain hands-on experience in creating detection logic that spans from basic event-level indicators to high-fidelity, behavior-based detections at the top of the Pyramid of Pain.

Through guided exercises, participants will apply these principles to map real-world sensor data to ATT&CK techniques and develop analytics that are robust against adversary change. The workshop concludes with a demonstration of how these concepts come together to detect and respond to adversary behaviors, validating the effectiveness of the strategies discussed.

Key Takeaways:

  • Learn to identify and address telemetry gaps to optimize threat detection coverage.
  • Gain practical skills in creating resilient detection logic that withstands adversary evasion techniques.
  • Develop a systematic approach to aligning detection engineering efforts with real-world adversary behaviors for enhanced security outcomes.

Measure, Inform, and Mature your Enterprise Defense

June 22, 2025 from 13:30-17:30

Mike Cunningham, R&D Program Manager, Center for Threat-Informed Defense

Suneel Sundar, Director, Research and Development, Center for Threat-Informed Defense

Threat-Informed Defense (TID) is the systematic application of a deep understanding of adversary tradecraft and technology to improve defenses. This workshop equips participants with the skills and tools needed to evaluate and enhance their team’s TID maturity. This workshop is specifically designed for team leads, managers, and decision-makers responsible for shaping and driving their organization’s security practices.

The session begins with an exploration of what TID is—and what it is not. Through interactive exercises, participants will identify practical examples of TID and assess how these align with their organization’s SOPs.

The workshop then dives into the three dimensions of TID:

  1. Cyber Threat Intelligence (CTI)
  2. Defensive Measures
  3. Testing & Evaluation

Attendees will evaluate their team’s application of each dimension and measure their maturity level using a structured approach. Practical, open-source tools and hands-on challenges for each dimension will provide insights for improvement.

Finally, the session introduces the Inform model, a framework designed to represent TID markers as a score. This score allows team leads and managers to track progress over time, prioritize resources effectively, and communicate improvements to stakeholders.

Key Takeaways:

  • A clear framework for understanding and articulating TID principles.
  • Tools to measure and assess team performance across TID dimensions.
  • Practical strategies for implementing improvements using open-source resources.

This workshop provides the strategic and technical foundations that leaders need to operationalize TID, build stronger teams, and drive measurable security outcomes.