Thursday May 04, 2023
09:00 Registration and Morning Coffee: Powered by Mint Security
09:45 Opening Words, Tomi Tuominen
10:00 Luck, Timing and a Nice Cup of Tea: Essential tools in surviving a cyber attack
Andrew Jones
Royal Holloway University
11:00 Coffee: Powered by Thinkst Canary
11:30 What I Learned from Attackers in the Past 20 Years
Antti Tikkanen
Snap Inc
12:30 Lunch
13:30 Evolution of open source intelligence: what lies ahead?
Veli-Pekka Kivimäki
Finnish Security and Intelligence Service (SUPO)
Have U Been Invited? My Journey to Find and Chain macOS Vulns
Mikko Kenttälä
14:30 Break
14:50 Not a Generative AI talk
Mark D
15:50 Closing Words for the 1st day, Tomi Tuominen
16:00 Cocktails & Networking: Powered by Nixu
17:45 Cocktails & Networking ends
18:00 Dinner: Powered by WithSecure
21:00 Dinner ends

Friday May 05, 2023
09:30 Morning Coffee: Powered by Thinkst Canary
10:00 Closing the gap: IR expectations and Technical Reality
Guy Barnhart-Magen
11:00 Coffee: Powered by Mint Security
11:20 Defending DevOps with Deception
Jacob Torrey
Thinkst Canary

12:20 Lunch
13:20 OSDP auditing for red teamers and facility managers
Knud Hojgaard
DoSing Azure Active Directory
Nestori Syynimaa
14:20 Coffee: Powered by Unknown sponsor
14:40 Forward to the Past and Back to the Future - Cybercrime in 2022/2023
Sami Laiho
15:40 Closing Words, Tomi Tuominen
16:00 Conference Ends

Luck, Timing and a Nice Cup of Tea: Essential tools in surviving a cyber attack

Andrew Jones @ Royal Holloway University

Based on his experience as CISO for Maersk Line during the NotPetya attack of 2017, Andy will provide a first hand account of what it felt like to be at the sharp end of what has been described as the single most expensive computer security event in history. He will examine the attack from a human and business perspective but will primarily explore some of the technical elements that made the attack so deadly and recovery so hard.

Andy Jones is a senior visiting lecturer in cyber security at Royal Holloway University of London. He has previously held CISO positions at Maersk and Unilever, headed the security function for a large UK supermarket and worked in technical roles for a major airline. He has also worked as a researcher for the Information Security Forum. He has considerable speaking experience across the globe. Partially retired from industry he is now studying sound engineering, just for fun.

What I Learned from Attackers in the Past 20 Years

Antti Tikkanen @ Snap Inc

I'll talk about the things that real-world attackers have taught me in the past 20 years. I've had the pleasure of facing state-sponsored attackers, criminals, highly skilled malware authors, and teenagers with too much time on their hands. They've taught me lessons that I use in my daily work, defending companies and individuals. This talk will go through my most memorable encounters with threat actors, my most embarrassing mistakes, and biggest learnings.

Antti Tikkanen currently works at Snap Inc, leading a team of security engineers focusing on detection&response, forensics and incident management. Before this, Antti was in the Google TAG (Threat Analysis Group) team, spending his time building large-scale analysis systems and tracking state-sponsored attackers. Almost 20 years ago while working at F-Secure, he helped build the best rootkit scanner ever, F-Secure Blacklight.

Evolution of open source intelligence: what lies ahead?

Veli-Pekka Kivimäki @ Finnish Security and Intelligence Service (SUPO)

Open source intelligence (OSINT) has been transformed by mobile internet, social media, and commercial space-based capabilities. Emerging AI applications are promising another major step forward in the field. This presentation will discuss what's possible today with OSINT, and what lies ahead.

Veli-Pekka Kivimäki is a Senior Analyst with the Finnish Security and Intelligence Service (Supo). He is also an adjunct lecturer in Geospatial Intelligence (GEOINT) at the Johns Hopkins University, and a visiting lecturer on open source intelligence (OSINT) at the University of Jyväskylä. Previously, he served at the Finnish Defence Research Agency, and in various R&D roles at Nokia and Microsoft. Mr. Kivimäki's core research areas are the evolution of OSINT, and how technology impacts national security. Before his work in government, he was one of the original members of the award-winning Bellingcat Investigation Team.

Not a Generative AI talk

Mark D @ VD

In 2018 the scene was set for a corporate adventure the likes of which were unlikely at best. In the latest installment of this demi-decade-spectacle Mark will recount tales from the trenches of 2020 to present(ish) day. There will be pirates, pangolins, procurement, possibly placebos and power supplies, all whilst trying to keep business, and some "other things", running whilst the threat landscape looked the weirdest it ever has.

Things didn't get less adverse after the last time Mark presented at T2. Having spent the last few years in a very similar way to everyone else managing how to do what we do whilst telling people they are on mute.

Have U Been Invited? My Journey to Find and Chain macOS Vulns

Mikko Kenttälä @ SensorFu

This is a story about my journey to find logic bugs in macOS. During 2020 - 2022 I found a bunch of them and reported three major vulnerabilities from macOS. I will explain my methodology to find them and walk you through an exploit chain that compromises users' sensitive data with zero click.

This latest chain starts with a zero-click vulnerability that I found in macOS Calendar. It allows an attacker to add or delete arbitrary files inside the Calendar sandbox environment. This will lead to arbitrary code execution.

Some of the patches are still coming so unfortunately I can not disclose the full vulnerability chain yet. Instead, I will concentrate more on the first part of the vulnerability chain.

Additionally I may add some spices from previous vulnerability chains.

Since I remember, I have hacked, built and broken stuff, and that landed me a career in cybersecurity over 10 years ago. I have done technical security audits, hunted bug bounties, and now also built security products as CEO of SensorFu. Hacking still makes me happy, I enjoy blue and red teaming in exercises, and I am interested in defending electronic freedoms and privacy in our digital society.

Closing the gap: IR expectations and Technical Reality

Guy Barnhart-Magen @ Profero

Effective incident response is a critical component of any cybersecurity strategy. However, slow incident response can present significant challenges for cybersecurity professionals. In this presentation, we will explore the technical complexities that contribute to slow incident response and provide practical insights into improving response times. We will delve into the nuances of threat detection and containment, highlighting the technical difficulties involved in accurately identifying and mitigating threats. We will also address the importance of efficient and effective communication between teams, emphasizing the need for clear lines of responsibility in a multi-team and multi-organization environment. Through real-world examples and case studies, we will illustrate the consequences of slow incident response and provide practical insights into leveraging automation and other advanced technologies to speed up incident response times. Overall, our presentation will challenge attendees to view slow incident response through a technical lens, emphasizing the critical role of technical expertise and advanced technologies in effective incident response. Attendees will leave with actionable insights to improve their incident response capabilities and overcome the technical challenges of slow incident response.

With nearly 25 years of experience in the cyber-security industry, Guy held various positions in both corporates and startups. As the Co-Founder and CTO of the Incident Response company Profero, his focus is making incident response fast and scalable, harnessing the latest technologies and a cloud-native approach. Most recently, he led Intel’s Predictive Threat Analysis group, which focused on securing machine learning systems and trusted execution environments. At Intel, he defined the global AI security strategy and roadmap. In addition, he spoke at dozens of events on the research he and the group have done on Security for AI systems and published several white papers on the subject. Guy is the BSidesTLV chairman and CTF lead, a Public speaker in well-known global security events (SAS, t2, 44CON, BSidesLV, and several DefCon villages, to name a few), and the recipient of the Cisco “black belt” security ninja honor – Cisco’s highest cybersecurity advocate rank. He started as a software developer for several security startups and spent eight years in the IDF. After completing his Electrical Engineering and Applied Mathematics degrees, he focused on security research in real-world applications. He joined NDS (later acquired by Cisco). He led the Anti-Hacking, Cryptography, and Supply Chain Security Groups (~25 people in USA and Israel).

Defending DevOps with Deception

Jacob Torrey @ Thinkst Canary

You’ve turned your zero-trust up to 11, and your CI/CD pipeline is bigger and better than Colonial’s. What more can you do to prepare your networks in advance of an intrusion? How can you increase the likelihood of detecting adversaries in their organization? Honeypots have played a crucial role in detecting actual attacks over the years. This talk presents case studies where honeypots or honeytokens worked to detect unauthorized activity, despite all the other defensive products deployed. Additionally research that is specifically looking at how you can maximize deception in cloud-native and CI/CD-first environments is highlighted.

This talk will present the motivation, design, and primitive building blocks, for several practical honeypots and tokens. It covers ideas for cloud workloads and containers, as well as tokens for CI/CD pipelines, documents, API Keys, and database files.

Attendees will learn practical tips for how to integrate honeypots and honeytokens, with existing response tools, such as endpoint, network and cloud based architectures. Attendees will come away with new insights about where best to deploy honeypots, to increase detection and response opportunities. Additional takeaways include novel ideas for using multiple layers of tokens to lay tripwires in their environments to gain visibility into attacker movement.

Jacob is the Head of Labs at Thinkst Applied Research. Prior to that he managed the HW/FW/VMM security team at AWS, and was a Program Manager at DARPA's Information Innovation Office (I2O). At DARPA he managed a cyber security R&D portfolio including the Configuration Security, Transparent Computing, and Cyber Fault-tolerant Attack Recovery programs. Starting his career at Assured Information Security, he led the Computer Architectures group performing bespoke research into low-level systems security and programming languages. Jacob has been a speaker and keynote at conferences around the world, from BlackHat USA, to SysCan, to TROOPERS and many more. When not in front of the computer, he enjoys trail running, volunteering as a firefighter/EMT, and hiking with his family.

OSDP auditing for red teamers and facility managers

Knud Hojgaard @

Open Supervised Device Protocol is an access control communications standard designed to allow door controllers (on the secure side of a door) to communicate with devices such as card readers on the insecure side, in a secure manner. This presentation walks through how it works, how to interface with devices, and most importantly how to review implementations and deployments for security issues where possible, using some randomly selected OSDP capable devices as case studies.

Knud does information security stuff (for clients) at He enjoys crossing trust boundaries, particularly the ones where digital and physical converge.

DoSing Azure Active Directory

Nestori Syynimaa @ Secureworks

Azure Active Directory (Azure AD) is used by over 90% of Fortune 500 organisations as their Identity and Access Management service. Even though Azure AD is commonly seen as a safe platform, it is a large and complex service with many optional security features. This talk will cover how some of these features enable Denial of Service (DoS) attacks against Azure AD.

DoS attacks can be performed with various permissions, ranging from Global and On-Prem Administrators to regular users. In this demo-packed session, I’ll show how these attacks can be performed using AADInternals toolkit.

Dr Nestori Syynimaa is one of the leading Azure AD / M365 experts in the world and the developer of the AADInternals toolkit. He has worked with Microsoft cloud services for over a decade and has been MCT since 2013, MVP since 2020, and awarded Microsoft Most Valuable Security Researcher for 2021. Currently, Dr Syynimaa works as a Senior Principal Security Researcher for Secureworks Counter Threat Unit. Before moving to his current position, Dr Syynimaa worked as a CIO, consultant, trainer, researcher, and university lecturer for almost 20 years.

Dr Syynimaa has spoken in many international scientific and professional conferences, including IEEE TrustCom, Black Hat USA, Europe, and Asia, Def Con, and RSA Conference.

Forward to the Past and Back to the Future - Cybercrime in 2022/2023

Sami Laiho @ Adminize

Join Sami Laiho, Chief Research Officer of Adminize, for a look back in to what 2022 changed in the Security Threat Landscape and to hear his predictions on what will the future have in store for us. Sami has been architecting and consulting Security concepts for 20+ years for customers ranging from few seats to more than half a million.

Sami Laiho is one of the world's leading professionals in the Windows OS and Security. Sami has been working with and teaching OS troubleshooting, management, and security since 2001. Sami's session was evaluated as the best session in TechEd North America, Europe and Australia in 2014, and Nordic Infrastructure Conference in 2016, 2017, 2019, 2020 and 2022.

At Ignite 2018 Sami's sessions were ranked as #1 and #2 out of 1708 sessions!! This was the first time in the history of the conference that anyone has been able to do this!

Sami is also an author at PluralSight and the conference chair of the TechMentor and "Cybersecurity and RansomWare Live!" conferences in US.

More info at: