Skip to main content

CCCC 2022 Presentations

Using SIE Europe pDNS for Hunting Phishing and Smishing attacks

Paul Vixie, AWS Security
Peter Kruse, CSIS

Technical level: Medium

Incident response as goes for smishing, vishing and phishing attacks becomes more and more important both for individuals and businesses. In the times of Covid19, smishing attacks have increased massively and so has the complexity of the attacks.
With the power of passive DNS we are able to detect and track hostile domains and both block them and use them as IoCs and as part of incident response. These attacks can hit key employees in all kind of businesses as well as private people.
This presentation will look at how pDNS can be used as part of the ongoing incident response toolkit. We shall also dive into some of the commercialized phishing kits, and how they manage to circumvent the Danish solutions NemID and MitID for various types of fraud.

Deadly Ransom – Attacks on Hospitals of All Sizes and Shapes

Jasper Bongertz, G DATA Advanced Analytics

Technical level: Low

Ransomware attacks are a big problem. Any company, any business, and IT infrastructure can potentially become the next victim of organized crime groups demanding to be paid to provide a tool for decrypting the files they kidnapped. And few targets are as vulnerable or as critical as hospitals. This talk covers a number of cases of ransomware attacks on hospitals, including the why, the gory (not bloody, though) details, and the facepalms.

A Deep Dive Into Ransomware Attack

Anton Kalinin, CSIS

Technical Level: High

In this talk we will dive into the investigation of one of our incidents from the initial attack to recovery from the incident. The topic will cover technical details including malware reverse engineering, writing decryptor for encrypted files and data recovery.

Secrets from the JOES – An Incident Response Autonomous Enrichment

Ido Naor, Security Joes

Technical Level: Medium

While spending a lot of time with creatures the infosec world refer to as EDRs, we’ve learned that they lack detections that leave their host (the organizations) open to major cyberattacks, as it relies on them to be its last frontier. Attack vectors of that nature (such as Webshells) are too often being used to bypass machine learning capabilities and lead to a fully blown security breach. Manually tuning every the EDR, generating rules and workflows is a long and tedious task. To speed up that process, we built a small engine we refer to as Autonomous Enrichment. Its main role is to analyze incidents and find accurate threat similarities (TTPs) to increase prevention capabilities. In this talk we will share what is enrichment, why is it needed and how you as an organization or company can boost your security solutions.

Silent Threat: Addressing Compromised Accounts to Decrease Exposure to Fraud

Aubrey Surgers, David Johnson, U.S. Postal Inspection Service 

Technical level: Low

This presentation will be a case study based on USPS[.]com accounts which were recovered or found to be for sale on various dark web markets. We will discuss the controlled buy of a few of these accounts, followed by analysis of the purchased accounts in an attempt to determine the remaining accounts listed for sale on the dark web. We will discuss partnering with USPS to protect the customer and business by taking action on the identified accounts for sale on the dark web. We will also discuss the need to address dormant accounts in order to lower the exposure of the customer and the merchant in the event of future account takeovers or compromises.

Resilience through Intelligence

Staffan Truvé, Recorded Future

Technical level: Low

To build a resilient cyber security system, intelligence is key; both to understand the current threat landscape and to see how trends are leading to new threat scenarios in the future. This talk will focus on the different use cases throughout the security organization, with examples from current events. We will also discuss how automation of the “intelligence cycle” allows for more comprehensive intelligence collection and analysis at speed and at scale.

Convergent Megatrends: Energy, Sustainability and Cybersecurity

Christian Venderby, Vestas


If we are to meet global climate goals, the global installed capacity of wind energy must grow from around 700  GW today, to around 8000 GW by 2030. To ensure a strong foundation is in place to support this growth, the digitalisation of renewables assets is rapidly increasing. Our networks of intelligent, connected devices are becoming larger and more complex, demand for remote asset management is growing, and the possibilities to make service solutions more efficient with digital innovation are more exciting than ever before. As these trends rapidly converge, how should business owners prepare for the cyber security threats that come with them? And how can a global organisation be effectively mobilised to respond under threat? Christian Venderby, Executive Vice President and Chief Service Officer at Vestas shares his insights. 

Ransomware Attacks: The Power of Uniting Technical & Negotiation Efforts

Jan Kaastrup, CSIS
Michael Sjøberg, Delta Crisis Management

Technical Level: Low

This presentation will give the audience a unique insight into the different stages of a Conti ransomware attack.
It will reveal how sophisticated the ransomware attacks have become, and why communication with the perpetrator is paramount to stay in control.
Further, it will give an exclusive insight into how the perpetrator’s mind works.
This presentation has never been shown to the public before.

How Threat Intelligence Can Help Build Resilient Organisations

Dr Douglas Haywood, Tesco Bank

Technical level: Low

In recent years, resilience has become an important topic among many organisations as they strive to manage risks to their key services.  More than ever, the ability to prepare for and respond proactively to threats in a fast moving world need to be informed by what is on the horizon and in the external environment.  We are also operating in increasingly interconnected organisations where risks to supply chains and technologies are often shared.  This presentation will share learnings and experience from developing threat intelligence capabilities in a number of organisations and how intelligence can help to inform and manage risks to resilience.

The Anatomy of an Incident Response Case

Michael Bisbjerg, CSIS

Technical Level: Low

What goes on when you’ve been hacked, and what happens in the upcoming Incident Response? This talk recounts experiences made during past engagements that CSIS has had in the past, and which teachings they can provide.

What does an IR look like, and what goes on behind the scenes?
Which procedures are used, which steps are taken, and which steps you definitely shouldn’t take?
What does a timeline for an IR typically involve?

Supportive community as facilitator of positive change

Nilma Abbas, Zealand – Academy of Technologies and Business


Gender gap in the STEM area has been one of the major issue, both in education and among IT professionals. The attempt to bridge that gap is quite challenging, considering the low number of females applying for (and even less, finishing) their education in IT. We will explore how supportive community can fuel the change, by inspiring women to pursue education in IT and motivating and empowering them to continue their professional growth and development.

A Threat Intelligence Journey into the New Dark Web

Stefan Tanase, CSIS

Technical Level: Low/Medium

As cyber-criminals continue to strive for increased resilience of their financial, social and technical infrastructure, the new dark web emerges as an opportunity for threat intelligence gathering. This talk will look at the evolution of the dark web, from the perspective of a cyber threat intelligence team and will tell the story of how CSIS is leveraging the new dark web to proactively hunt for fresh, high-confidence and actionable data.

The True Measures of Success

Marko Jung, The LEGO Group


Digital Transformations often focus on external, customer facing aspects of a business but how do we create or modify internal processes, experiences, and culture in the information security domain? Marko will take you along on his journey to apply concepts of a digital transformation to the LEGO Group’s Counter Threat Unit to improve efficiency, value, and innovation and his thoughts on how to measure success in the context of the Unit’s detection and response mandate.

How Should We Prepare for NIS2

Frederik Stengaard Mehlsen, Fellowmind


The NIS2 directive was passed in May 2022. Critical infrastructure sectors now have until the end of 2023, to comply with the new guidelines for a common security level across the European union. This session will help you get an understanding of what this means for your Incident response procedures and digital resilience requirements.

        CSIS Security Group A/S, Vestergade 2B, 4th floor, 1456 Copenhagen