Agenda

All sessions will be based on actual events and the experiences of our expert teams during real-world incidents.

We present a maxed-out agenda with interesting sessions to choose from - select your preferred talks below. If you want to mix it up a bit, there will be enough time to switch rooms between sessions.

Sessions in either Swedish or English. Flag indicates language used 🇸🇪 🇬🇧.

Morning Keynote

Welcome to Filmstaden at Hötorget in Stockholm.

You'll be greeted by a Truesec colleague at the registration desk and will have coffee and a light breakfast before we get started. Welcome!

We start the day with an inspiring keynote on how Truesec uses Threat Intelligence in its daily operations and what we learn from penetration testing, Red Team assignments, and Incident Response. What do we see on the horizon? What are the trends?

Speaker: Markus Lassfolk with Guests

It's time to choose which session you would like to attend from the two tracks.

Enjoy a short break, grab a cup of coffee, and choose which track you want to attend.

Morning Breakout Sessions

One extremely important task for our forensic investigators is to build a timeline. The timeline explains the entire cyber attack: where it started, what happened, what was done, if data was stolen, which account was used, which account was created, how many backdoors there are, who’s behind it, what malware is being used, etc. You’ll learn the importance of the timeline and what you should prepare and do to ensure forensics investigators have the best chance of finding patient zero.  

Speakers: Alexander Andersson and Rasmus Grönlund

EDR is the new black, which means AV is needed, but EDR is more important. However, the threat actors have access to the same tools you have and validate anything that belongs to the default rule set. How do you detect someone who’s living off the land, using your tools, and not any malicious programs? That’s something you can improve using "Custom Rules."

In this session, you’ll learn from our experts in the field how threat actors can evade detection during an attack and how to apply the concept of custom detections effectively to improve your detection capabilities on top of what the tooling can offer out of the box.

Speakers: Carlo Alberto Scola and Fabio Viggiani

Enjoy a coffee break, grab a cup of coffee, and choose which track you want to attend next.

Ask the speakers anything in our Experts Corner, experience our Cyber War Room, or visit our partners in the exhibit.

A classic infrastructure is often easy to manage; it’s also very easy to attack, and when attacked, the time to full ransomware is practically nothing. Even if you have the best SOC in the world, they won’t make it in time. In this session, you’ll not only learn how to isolate and segment accounts using tiering and PAWs, but you’ll also learn how to protect the management interfaces. So, if a threat actor (TA) enters your environment, it will take a very long time before they can do anything, and that gives you plenty of time to discover them in your SOC. 

Speakers: Mikael Nyström and Peter Löfgren

One very important task is to validate your environment. We call that a health check; during a health check, you’ll discover what’s great and what’s not so great. The check often covers a large portion of the infrastructure, like Active Directory, Azure, and Office 365, down to the configuration of individual servers. This way, you can improve and strengthen your defense. In this session, you’ll learn the most common issues we see while performing health checks.

Speakers: Pontus Grönlund and Viktor Hedberg

It's time to choose which session you would like to attend from the two tracks.

Enjoy a short break, grab some water, and choose which session you want to attend.

Have you ever interacted with a logfile from an external-facing system using CLI tools like cat, grep, tail, or awk in a terminal emulator?

Well, then this talk is for you!

Logs are a vital component for maintaining application reliability, performance, and security. They serve as a source of information for developers, security teams, and other stakeholders to understand what has happened or gone wrong within an application. However, logs can also be used to compromise the security of an application by injecting malicious content.

In this presentation, we will explore how ANSI escape sequences can be used to inject, vandalize, and even weaponize plaintext logfiles of modern applications. We will revisit a vulnerability class that's been dormant for over two decades, dig into old terminal injection research and log tampering techniques from the 80-90s, and combine them with new features, with the pure intention to create chaos and mischief in the modern cloud CLIs, mobile, and feature-rich DevOps terminal emulators of today. We will shine some light on the consequences and learn how and why we should avoid passing on malicious escape sequences into our logfiles, to ensure that users can actually trust the data inside their logs.

Join us on this “not so black and white,” but rather quite colorful ANSI adventure and learn how to prevent a forensic nightmare.

Speaker: STÖK

VMware vCenter Server and VMware ESXi are attractive targets for ransomware attacks. In this session we will show you how to proactively protect them against getting attacked by ransomware gangs and how to detect attacks before they encrypt your ESXi hosts and VMs. Using experiences and examples from multiple real-life successful and unsuccessful ransomware incidents, we will explore and explain the frequently used attack paths, protection recommendations, and forensic detection techniques.

Speaker: Anders Olsson

Lunch Session

Enjoy a long lunch in the exhibit area and listen to our partners' panel discussion in Salong 1 or in the livestream.

We invite our strategic partners to a panel: Microsoft, Vectra, and CrowdStrike.

Starting at 12.40.

Bring your lunch and join us in Salong 4! 

Moderator: Mats Hultgren

Afternoon Breakout Sessions

Clients should be managed; this applies to mobile phones as well as Windows devices. Modern management is very different from the classic style. The new era is all about protecting identity and data. In this session, you'll learn how Office 365 and Intune should be configured to allow users to work without being victimized by cyber attacks.

Speaker: Peter Löfgren

Windows Server needs some form of management, and using Remote Desktop could be a dangerous task since credentials can be exposed. The secure way is to use Azure, more specifically Azure Arc, which will give you EDR, etc. You also need monitoring of your DCs. In this session, you’ll learn how to get Defender for Identity and password protection and how to configure AD sync securely.

Speakers: Mikael Nyström and Viktor Hedberg

It's time to choose which session you would like to attend from the two tracks.

Enjoy a short break, grab some water, and choose which session you want to attend next.

Companies have moved to the cloud to benefit from all the new possibilities and increase their security. However, while the cloud solves some issues, it also opens up new challenges that must be addressed. In this session, you'll learn how to secure your cloud solutions, what to look for in a cloud provider, and how to ensure you don’t fall victim to widespread attacks. Simply put, how do we secure our cloud posture?

Speakers: Markus Lassfolk and Mikael Nyström

Learn how to benefit from your Azure investments and run workloads on prem when you don’t want to utilize the cloud or require performance and cost control. In this session, you’ll learn how to build your own on-prem solution with commodity hardware and software. With a hybrid setup, you can do management and leverage functionality from Azure to get the full benefits of cloud while keeping your data on premises.  

Speakers: Anders Axhake and Jörgen Brandelius

Grab a cup of coffee and something sweet and hang out in the exhibition area. Ask the Experts anything, and experience our Cyber War Room.

Threat intelligence is about understanding our adversaries, the cybercriminals. Once you understand cyber criminals, you can understand cyber-attacks and how they are carried out. Finally, you can see the connections between the criminal ecosystem of services, products, and threat actors. In this presentation, we'll look at one of the more fundamental components of the ecosystem, the initial access vector. This is the phase where threat actors establish persistence in your environment. We'll look closer at how valid credentials play an ever-so-important role in carrying out cyber attacks and what you can do to anticipate attacks and more efficiently protect your business.

Speakers: Christoffer Strömblad, Jolina Pettersson

Let's face it; if you’re an admin, you have all the keys the bad guys want. In this session, you’ll learn how to protect your credentials so only YOU can use them. You’ll learn how to protect the control plane (AD/AAD) and use delegated permissions for everyone using a tiered access model; it’s time to step up. Not only do credentials need to be protected, but you also need to use the right tools, like RSAT, Windows Admin Center, and Server Manager, and stop using Remote Desktop, or as we also like to call it, “Ransomware Deployment Protocol.” 

Speakers: Alexander Mattsson and Peter Löfgren

It's time to choose which session you would like to attend from the two tracks.

Enjoy a short break, grab some water, and choose which session you want to attend next.

Administrative tiering is the practice of securing administrator accounts and ensuring that your credentials are not exposed in the wrong place. In this session, you’ll learn that it doesn't have to take months to implement, but you'll see hands on how to implement tiering in your Active Directory and Azure Active Directory, why it matters, and the common pitfalls. Did you know that our implementation of tiering is what saved a 15,000-person company from being fully encrypted? The threat actor never managed to gain Domain Admin access before they were stopped.

Speakers: Ted Molin and Viktor Hedberg

Most backup solutions will cover things like hardware, overwritten files, flooding, fire, etc. For the last four years, I’ve been working in CSIRT, and so far, what the customers hoped for didn’t work at all. 

In this session, you'll learn what’s important in the design of a modern backup solution to protect against modern threats. 

Speaker: Mikael Nyström

It's time to choose which session you would like to attend from the two tracks.

Enjoy a short break, grab some water, and choose which session you want to attend next.

In most attacks, there is some custom code; if we can decompile it, we can see exactly what it does, what persistence it creates, how it encrypts the files, how it calls home, and in some lucky cases, we even know the name of the person behind the code. In this session, you’ll observe how our reverse-engineering masterminds do their magic.  

Speakers: Nicklas Keijser and Alexander Andersson

When Single Sign On was introduced, it was amazing, yet still, SSO is the Number One reason attackers are able to seek and destroy everything in a very short time. In this session, you’ll learn how to prevent this using isolation and separation. At the same time, hybrid is the way forward; therefore, you’ll also learn how to connect all this to various solutions like Azure Backup, Azure Monitoring, Azure AD, etc., and still be secure. 

Speakers: Hasain Alshakarti and Mikael Nyström

After Event Mingle

For you attending onsite, our partner Vectra would like to invite you for a burger and beer.

  • Time: 5.30 pm
  • Place: Barrels, Smålandsgatan 22
  • Pop by the Vectra AI stand to collect your voucher!

Limited number of seats - 50! First come, first served!

End of Event!