2026-05-07, IFEN room 1, Workshops and Detection Engineering village (Building D)
Threat intelligence is often reduced to reactive IOC lists or superficial color-coded reports. This talk dismantles that paradigm. We explore the application of Cyber Threat (Counter) Intelligence, CT(C)I, in a geopolitical context and show how to engineer detections that actively hunt sophisticated adversaries operating both outside and inside your perimeter. Beyond the standard threat picture, we dissect the rising trend of APT-backed "remote workers" who infiltrate organizations using deepfakes and fabricated histories. We show how to weaponize cyber counterintelligence and deploy deceptive defenses that expose such operatives, turning your internal environment into your primary intelligence sensor and detection surface. Finally, we outline a modern, graph-based "Detection-as-Code" methodology that replaces static documentation with visual, automated defense logic.
In this talk, we redefine efficient threat intelligence processing and its direct application in advanced detection engineering. We are moving past the era of reactive detection rules built from trending IOCs and of "traffic light" reports with no real defensive impact.
We will examine high-stakes threat scenarios on a geopolitical scale. By examining how deception plays out in published CTI reports, we identify the behavioral mistakes attackers make and show how to turn those mistakes into detections.
However, the landscape is evolving. We will analyze scenarios where external adversaries successfully become internal threats: specifically, APTs placing state-sponsored remote workers inside security companies. This involves advanced deception: deepfakes, synthetic profiles, fabricated employment histories, and the abuse of corporate devices.
When a highly trained operative is already inside, traditional perimeter defense fails. This is where Cyber Counterintelligence (CCI) becomes essential: you counter the adversary's deception with a deceptive architecture of your own that forces them to reveal themselves. We then work through a real detection engineering challenge: identity-based detection across the whole environment.
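One concrete form of "deceptive architecture" that yields an identity-based detection across the whole environment is a set of decoy identities that no legitimate process ever uses, so that any authentication touching them, from any log source, is a high-fidelity alert, and the source IP can then be pivoted to the operator's real account. The following is an added illustration written for this page, not code from the talk or the speaker; the decoy account names, log formats and log lines are all constructed for the example.

```python
"""Decoy-identity ("honey account") detection correlated across log sources.

Added example, not the speaker's material. Assumption: the decoy identities
below exist in the IdP/AD but are never used by any legitimate person or job,
so any event naming them is an alert by definition. Sample log lines are
constructed and mimic three formats an environment typically mixes.
"""
import json
import re
from collections import defaultdict

# Hypothetical decoy accounts provisioned purely as tripwires.
DECOY_IDENTITIES = {"svc-backup-legacy", "j.novak-admin"}

# Constructed telemetry: IdP (JSON), VPN (key=value), Windows logon (syslog-ish).
SAMPLE_LOGS = [
    '{"ts":"2026-05-07T08:01:12Z","source":"idp","event":"login.success","user":"a.smith","ip":"10.1.4.7"}',
    '{"ts":"2026-05-07T08:03:40Z","source":"idp","event":"login.failure","user":"svc-backup-legacy","ip":"10.1.9.22"}',
    "ts=2026-05-07T08:05:02Z source=vpn event=tunnel_up user=svc-backup-legacy ip=10.1.9.22",
    "2026-05-07T08:06:30Z host=WS-0142 source=winlog EventID=4624 TargetUserName=j.novak-admin IpAddress=10.1.9.22",
    "2026-05-07T08:07:00Z host=WS-0142 source=winlog EventID=4624 TargetUserName=a.smith IpAddress=10.1.4.7",
    # The operator's real account, logging on from the same workstation address.
    "2026-05-07T08:09:15Z host=WS-0142 source=winlog EventID=4624 TargetUserName=m.dvorak IpAddress=10.1.9.22",
]

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse(line):
    """Normalise one line to {ts, source, user, ip, event}; None if unparsable."""
    if line.startswith("{"):
        d = json.loads(line)
        return {k: d[k] for k in ("ts", "source", "user", "ip", "event")}
    kv = dict(KV_RE.findall(line))
    user = kv.get("user") or kv.get("TargetUserName")
    ip = kv.get("ip") or kv.get("IpAddress")
    if not (user and ip and "source" in kv):
        return None
    event = kv.get("event") or ("EventID=" + kv["EventID"] if "EventID" in kv else None)
    return {"ts": kv.get("ts") or line.split()[0], "source": kv["source"],
            "user": user, "ip": ip, "event": event}


def detect(lines, decoys=DECOY_IDENTITIES):
    """Stage 1: one alert per decoy identity seen, across every source that saw it."""
    hits = defaultdict(list)
    for line in lines:
        ev = parse(line)
        if ev and ev["user"] in decoys:
            hits[ev["user"]].append(ev)
    alerts = [{
        "decoy": user,
        "sources": sorted({e["source"] for e in evs}),
        "ips": sorted({e["ip"] for e in evs}),
        "first_seen": min(e["ts"] for e in evs),
        "count": len(evs),
    } for user, evs in hits.items()]
    return sorted(alerts, key=lambda a: a["first_seen"])


def pivot_ips(lines, alerts):
    """Stage 2: every identity seen from an address that touched a decoy.

    This is what unmasks the operator: the decoy proves the address is hostile,
    and the non-decoy accounts using it are the real identities to investigate.
    """
    bad_ips = {ip for a in alerts for ip in a["ips"]}
    related = defaultdict(set)
    for line in lines:
        ev = parse(line)
        if ev and ev["ip"] in bad_ips:
            related[ev["ip"]].add(ev["user"])
    return {ip: sorted(users) for ip, users in related.items()}


if __name__ == "__main__":
    found = detect(SAMPLE_LOGS)
    print(json.dumps(found, indent=2))
    print(json.dumps(pivot_ips(SAMPLE_LOGS, found), indent=2))
```

The design point is that the first stage needs no baselining or tuning: a decoy identity has zero legitimate usage, so its detection logic is a set-membership check that works identically over IdP, VPN and endpoint telemetry. The second stage is where the counterintelligence value lies, because the address that touched the tripwire also carries the insider's genuine account.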
To operationalize this approach, we must abandon outdated methods. We show how to replace static documentation with a visual graph engine and apply a Git-native "Detection-as-Code" workflow that automatically converts visual capability maps into executable Sigma rules, leveraging MITRE frameworks to design and scale resilient defense logic.
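To make the graph-to-Sigma step concrete, here is an added example written for this page; it is not the speaker's tool, and the capability-graph format (nodes as detectable capabilities tagged with an ATT&CK technique, edges meaning "this capability is expected after that one") is invented for the example. The Sigma rule fields and the Sigma v2 `temporal_ordered` correlation meta-rule it emits are real Sigma schema; the `ComputerName` group-by field is an assumption about the target environment's field naming. Rules are written out as JSON, which any YAML loader accepts, so no YAML library is required.

```python
"""Capability graph -> Sigma rules plus a chain correlation rule (Detection-as-Code).

Added example, not the talk's tooling. The graph layout below is an assumption
made for this example; rule ids are derived deterministically from node names so
that regenerating the repository does not churn ids in git history.
"""
import json
import re
import uuid

# Constructed sample graph of hypothetical capabilities (not from the talk).
CAPABILITY_GRAPH = {
    "nodes": {
        "schtasks_persistence": {
            "title": "Scheduled task created via schtasks.exe",
            "tactic": "persistence", "technique": "T1053.005", "level": "medium",
            "logsource": {"product": "windows", "category": "process_creation"},
            "selection": {"Image|endswith": "\\schtasks.exe", "CommandLine|contains": "/create"},
            "filter": {"User|startswith": "NT AUTHORITY\\"},
        },
        "lsass_access": {
            "title": "Suspicious handle to LSASS",
            "tactic": "credential-access", "technique": "T1003.001", "level": "high",
            "logsource": {"product": "windows", "category": "process_access"},
            "selection": {"TargetImage|endswith": "\\lsass.exe", "GrantedAccess|contains": "0x1010"},
        },
        "rclone_exfil": {
            "title": "rclone copy to cloud storage",
            "tactic": "exfiltration", "technique": "T1567.002", "level": "high",
            "logsource": {"product": "windows", "category": "process_creation"},
            "selection": {"Image|endswith": "\\rclone.exe", "CommandLine|contains": "copy"},
        },
    },
    "edges": [("schtasks_persistence", "lsass_access"), ("lsass_access", "rclone_exfil")],
}

TECH_RE = re.compile(r"^T\d{4}(\.\d{3})?$")  # ATT&CK technique / sub-technique id


def stable_id(name):
    """Deterministic UUID (uuid5 under a fixed namespace) so ids survive regeneration."""
    return str(uuid.uuid5(uuid.NAMESPACE_URL, "example.invalid/detections/" + name))


def node_to_rule(name, node):
    """Translate one graph node into a Sigma rule document (as a dict)."""
    if not TECH_RE.match(node["technique"]):
        raise ValueError(f"{name}: invalid ATT&CK technique id {node['technique']!r}")
    detection = {"selection": node["selection"]}
    condition = "selection"
    if "filter" in node:
        detection["filter"] = node["filter"]
        condition = "selection and not filter"
    detection["condition"] = condition
    return {
        "title": node["title"],
        "id": stable_id(name),
        "name": name,  # Sigma v2 'name' lets correlation rules reference this rule
        "status": "experimental",
        "description": f"Generated from capability graph node '{name}'.",
        "tags": ["attack." + node["tactic"], "attack." + node["technique"].lower()],
        "logsource": node["logsource"],
        "detection": detection,
        "falsepositives": ["Unknown"],
        "level": node["level"],
    }


def ordered_chain(graph):
    """Topological order of the capability chain (Kahn's algorithm); rejects cycles."""
    nodes = list(graph["nodes"])
    indeg = {n: 0 for n in nodes}
    succ = {n: [] for n in nodes}
    for a, b in graph["edges"]:
        succ[a].append(b)
        indeg[b] += 1
    order, ready = [], [n for n in nodes if indeg[n] == 0]
    while ready:
        n = ready.pop(0)
        order.append(n)
        for m in succ[n]:
            indeg[m] -= 1
            if indeg[m] == 0:
                ready.append(m)
    if len(order) != len(nodes):
        raise ValueError("capability graph contains a cycle")
    return order


def chain_to_correlation(order, timespan="24h", group_by=("ComputerName",)):
    """Sigma v2 meta-rule: all chain rules fire in this order on one host within timespan."""
    return {
        "title": "Ordered capability chain observed on one host",
        "id": stable_id("chain:" + "->".join(order)),
        "status": "experimental",
        "correlation": {"type": "temporal_ordered", "rules": list(order),
                        "group-by": list(group_by), "timespan": timespan},
        "level": "critical",
    }


def generate(graph):
    """All per-node rules in chain order, followed by the correlation rule."""
    order = ordered_chain(graph)
    return [node_to_rule(n, graph["nodes"][n]) for n in order] + [chain_to_correlation(order)]


def render(rules):
    """Multi-document YAML stream; each document is JSON, which is valid YAML."""
    return "\n".join("---\n" + json.dumps(r, indent=2) for r in rules) + "\n"


if __name__ == "__main__":
    print(render(generate(CAPABILITY_GRAPH)))
```

In a Git-native pipeline the graph file is the reviewed artifact, `render()` runs in CI, and the resulting stream is fed to a Sigma backend for the target SIEM; because ids are derived from node names, a diff of the generated rules shows only real logic changes rather than regenerated identifiers.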
Key Takeaways:
- Shatter the Perimeter Illusion - Realize that sophisticated threats are not just external; they are actively infiltrating organizations as trusted insiders.
- The Necessity of Threat-Informed Defense - Understand that generic monitoring is obsolete; threat-driven detection engineering is the only viable path forward against modern adversaries.
- Operationalize Cyber Counterintelligence - Learn how to use internal telemetry and deceptive tactics to expose sophisticated actors already operating within your environment.
Ondrej Nekovar is an experienced executive manager responsible for the cyber security of critical information infrastructure and the state. His areas of expertise include research into the use of advanced technologies for active cyber defense, deception, detection engineering and cyber counterintelligence.
LinkedIn profile:
https://www.linkedin.com/in/onekovar/