[ATT&CK] ATT&CK v14 Released on October 31

The October 2023 (v14) ATT&CK release updates Techniques, Groups, Campaigns and Software for Enterprise, Mobile, and ICS. The biggest changes in ATT&CK v14 are a large expansion of detection notes and analytics to Techniques in Enterprise, a minor scoping change to Enterprise resulting in coverage of Financial Theft and Voice Phishing, structured Detections in Mobile, and the (re-)addition of Assets to ICS. An accompanying blog post describes these changes as well as improvements across ATT&CK's various domains and platforms.

This release also includes a human-readable detailed changelog showing more specifically what changed in updated ATT&CK objects, and a machine-readable JSON changelog, whose format is described in ATT&CK's GitHub.

This version of ATT&CK contains 760 Pieces of Software, 143 Groups, and 24 Campaigns. Broken out by domain:

  • Enterprise: 201 Techniques, 424 Sub-Techniques, 141 Groups, 648 Pieces of Software, 23 Campaigns, 43 Mitigations, and 109 Data Sources

  • Mobile: 72 Techniques, 42 Sub-Techniques, 8 Groups, 108 Pieces of Software, 1 Campaign, 12 Mitigations, and 15 Data Sources

  • ICS: 81 Techniques, 13 Groups, 21 Pieces of Software, 52 Mitigations, 3 Campaigns, 14 Assets, and 34 Data Sources

Release Notes Terminology

  • New: ATT&CK objects which are only present in the new release.

  • Major version changes: ATT&CK objects that have a major version change. (e.g. 1.0 → 2.0)

  • Minor version changes: ATT&CK objects that have a minor version change. (e.g. 1.0 → 1.1)

  • Other version changes: ATT&CK objects that have a version change of any other kind. (e.g. 1.0 → 1.2)

  • Patches: ATT&CK objects that have been patched while keeping the version the same. (e.g., 1.0 → 1.0 but something immaterial like a typo, a URL, or some metadata was fixed)

  • Revocations: ATT&CK objects which are revoked by a different object.

  • Deprecations: ATT&CK objects which are deprecated and no longer in use, and not replaced.

  • Deletions: ATT&CK objects which are no longer found in the STIX data.

Techniques

Enterprise

New Techniques
  • Abuse Elevation Control Mechanism: Temporary Elevated Cloud Access (v1.0)

  • Account Manipulation: Additional Container Cluster Roles (v1.0)

  • Content Injection (v1.0)

  • Credentials from Password Stores: Cloud Secrets Management Stores (v1.0)

  • Exfiltration Over Web Service: Exfiltration Over Webhook (v1.0)

  • Financial Theft (v1.0)

  • Hide Artifacts: Ignore Process Interrupts (v1.0)

  • Impair Defenses: Disable or Modify Linux Audit System (v1.0)

  • Impersonation (v1.0)

  • Log Enumeration (v1.0)

  • Masquerading: Break Process Trees (v1.0)

  • Modify Cloud Compute Infrastructure: Modify Cloud Compute Configurations (v1.0)

  • Obfuscated Files or Information: LNK Icon Smuggling (v1.0)

  • Phishing: Spearphishing Voice (v1.0)

  • Phishing for Information: Spearphishing Voice (v1.0)

  • Power Settings (v1.0)

  • Remote Services: Direct Cloud VM Connections (v1.0)

  • System Network Configuration Discovery: Wi-Fi Discovery (v1.0)

Major Version Changes
  • Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (v1.2→v2.0)

  • Impair Defenses: Disable or Modify Cloud Logs (v1.3→v2.0)

Minor Version Changes
  • Abuse Elevation Control Mechanism (v1.1→v1.2)

  • Access Token Manipulation: Token Impersonation/Theft (v1.1→v1.2)

  • Account Manipulation (v2.5→v2.6)

  • Additional Cloud Credentials (v2.5→v2.6)

  • Additional Cloud Roles (v2.2→v2.3)

  • Additional Email Delegate Permissions (v2.0→v2.1)

  • Device Registration (v1.1→v1.2)

  • SSH Authorized Keys (v1.2→v1.3)

  • Acquire Infrastructure (v1.2→v1.3)

  • Adversary-in-the-Middle (v2.2→v2.3)

  • Application Layer Protocol: File Transfer Protocols (v1.0→v1.1)

  • Application Layer Protocol: Web Protocols (v1.1→v1.2)

  • Archive Collected Data: Archive via Utility (v1.2→v1.3)

  • Boot or Logon Autostart Execution: Print Processors (v1.0→v1.1)

  • Boot or Logon Autostart Execution: Winlogon Helper DLL (v1.0→v1.1)

  • Boot or Logon Autostart Execution: XDG Autostart Entries (v1.0→v1.1)

  • Boot or Logon Initialization Scripts (v2.1→v2.2)

  • Brute Force: Credential Stuffing (v1.3→v1.4)

  • Brute Force: Password Guessing (v1.4→v1.5)

  • Brute Force: Password Spraying (v1.3→v1.4)

  • Cloud Service Dashboard (v1.1→v1.2)

  • Command and Scripting Interpreter: Windows Command Shell (v1.2→v1.3)

  • Compromise Client Software Binary (v1.0→v1.1)

  • Compromise Infrastructure (v1.3→v1.4)

  • Create Account (v2.3→v2.4)

  • Cloud Account (v1.3→v1.4)

  • Domain Account (v1.0→v1.1)

  • Local Account (v1.2→v1.3)

  • Create or Modify System Process: Systemd Service (v1.3→v1.4)

  • Create or Modify System Process: Windows Service (v1.3→v1.4)

  • Credentials from Password Stores (v1.0→v1.1)

  • Data Destruction (v1.1→v1.2)

  • Data from Cloud Storage (v2.0→v2.1)

  • Data from Network Shared Drive (v1.3→v1.4)

  • Deobfuscate/Decode Files or Information (v1.2→v1.3)

  • Direct Volume Access (v2.0→v2.1)

  • Email Collection (v2.4→v2.5)

  • Remote Email Collection (v1.1→v1.2)

  • Event Triggered Execution: Screensaver (v1.1→v1.2)

  • Exfiltration Over Other Network Medium (v1.1→v1.2)

  • Exfiltration Over Web Service (v1.2→v1.3)

  • Exfiltration to Cloud Storage (v1.1→v1.2)

  • Exfiltration to Code Repository (v1.0→v1.1)

  • Exploitation for Credential Access (v1.4→v1.5)

  • Exploitation for Defense Evasion (v1.3→v1.4)

  • File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification (v1.1→v1.2)

  • Forced Authentication (v1.2→v1.3)

  • Forge Web Credentials (v1.3→v1.4)

  • Hide Artifacts: Email Hiding Rules (v1.2→v1.3)

  • Hijack Execution Flow: Path Interception by PATH Environment Variable (v1.0→v1.1)

  • Impair Defenses (v1.4→v1.5)

  • Disable Windows Event Logging (v1.2→v1.3)

  • Disable or Modify Tools (v1.4→v1.5)

  • Downgrade Attack (v1.1→v1.2)

  • Indicator Blocking (v1.2→v1.3)

  • Indicator Removal: Clear Network Connection History and Configurations (v1.0→v1.1)

  • Indicator Removal: Clear Windows Event Logs (v1.2→v1.3)

  • Ingress Tool Transfer (v2.2→v2.3)

  • Inhibit System Recovery (v1.2→v1.3)

  • Input Capture: Keylogging (v1.1→v1.2)

  • Inter-Process Communication: Dynamic Data Exchange (v1.2→v1.3)

  • Lateral Tool Transfer (v1.2→v1.3)

  • Masquerading (v1.5→v1.6)

  • Masquerade Task or Service (v1.1→v1.2)

  • Match Legitimate Name or Location (v1.1→v1.2)

  • Modify Authentication Process: Multi-Factor Authentication (v1.0→v1.1)

  • Modify Cloud Compute Infrastructure (v1.1→v1.2)

  • Modify Registry (v1.3→v1.4)

  • Native API (v2.1→v2.2)

  • Network Service Discovery (v3.0→v3.1)

  • Network Share Discovery (v3.1→v3.2)

  • Network Sniffing (v1.4→v1.5)

  • Non-Application Layer Protocol (v2.2→v2.3)

  • OS Credential Dumping: LSASS Memory (v1.2→v1.3)

  • OS Credential Dumping: NTDS (v1.1→v1.2)

  • OS Credential Dumping: Security Account Manager (v1.0→v1.1)

  • Obfuscated Files or Information (v1.4→v1.5)

  • Embedded Payloads (v1.0→v1.1)

  • HTML Smuggling (v1.0→v1.1)

  • Phishing (v2.3→v2.4)

  • Spearphishing Link (v2.4→v2.5)

  • Phishing for Information (v1.2→v1.3)

  • Spearphishing Link (v1.4→v1.5)

  • Process Discovery (v1.3→v1.4)

  • Process Injection: Dynamic-link Library Injection (v1.2→v1.3)

  • Process Injection: Process Hollowing (v1.2→v1.3)

  • Reflective Code Loading (v1.0→v1.1)

  • Remote Access Software (v2.1→v2.2)

  • Remote Service Session Hijacking: RDP Hijacking (v1.0→v1.1)

  • Remote Services (v1.3→v1.4)

  • Distributed Component Object Model (v1.2→v1.3)

  • Remote Desktop Protocol (v1.1→v1.2)

  • SMB/Windows Admin Shares (v1.1→v1.2)

  • SSH (v1.1→v1.2)

  • Windows Remote Management (v1.1→v1.2)

  • Remote System Discovery (v3.4→v3.5)

  • Resource Hijacking (v1.3→v1.4)

  • Scheduled Task/Job: At (v2.0→v2.1)

  • Scheduled Task/Job: Scheduled Task (v1.3→v1.4)

  • Scheduled Task/Job: Systemd Timers (v1.1→v1.2)

  • Shared Modules (v2.1→v2.2)

  • Software Deployment Tools (v2.1→v2.2)

  • Subvert Trust Controls: Install Root Certificate (v1.1→v1.2)

  • System Binary Proxy Execution: Rundll32 (v2.1→v2.2)

  • System Network Configuration Discovery (v1.5→v1.6)

  • System Owner/User Discovery (v1.4→v1.5)

  • System Services: Service Execution (v1.1→v1.2)

  • Taint Shared Content (v1.3→v1.4)

  • Trusted Developer Utilities Proxy Execution: MSBuild (v1.2→v1.3)

  • Unsecured Credentials: Credentials In Files (v1.1→v1.2)

  • Unsecured Credentials: Credentials in Registry (v1.0→v1.1)

  • Use Alternate Authentication Material: Pass the Hash (v1.1→v1.2)

  • Valid Accounts: Cloud Accounts (v1.5→v1.6)

  • Valid Accounts: Domain Accounts (v1.3→v1.4)

  • Valid Accounts: Local Accounts (v1.3→v1.4)

  • Windows Management Instrumentation (v1.3→v1.4)

Patches
  • Cloud Service Discovery (v1.3)

  • Event Triggered Execution: PowerShell Profile (v1.1)

  • Forge Web Credentials: SAML Tokens (v1.2)

  • Forge Web Credentials: Web Cookies (v1.1)

  • Masquerading: Masquerade File Type (v1.0)

  • Masquerading: Rename System Utilities (v1.1)

  • OS Credential Dumping: Cached Domain Credentials (v1.0)

  • Replication Through Removable Media (v1.2)

  • Steal Application Access Token (v1.2)

  • Steal Web Session Cookie (v1.2)

  • System Binary Proxy Execution: Compiled HTML File (v2.1)

  • Use Alternate Authentication Material: Application Access Token (v1.5)

  • Use Alternate Authentication Material: Web Session Cookie (v1.3)

Mobile

New Techniques
  • Application Versioning (v1.0)

  • Data Destruction (v1.0)

  • Exploitation for Client Execution (v1.0)

  • Masquerading (v1.0)

  • Match Legitimate Name or Location (v1.0)

  • Phishing (v1.0)

  • Remote Access Software (v1.0)

Minor Version Changes
  • Call Control (v1.1→v1.2)

  • Command and Scripting Interpreter (v1.1→v1.2)

  • Unix Shell (v1.1→v1.2)

  • Download New Code at Runtime (v1.4→v1.5)

  • Drive-By Compromise (v2.1→v2.2)

  • Dynamic Resolution (v1.0→v1.1)

  • Domain Generation Algorithms (v1.0→v1.1)

  • Exfiltration Over Alternative Protocol (v1.0→v1.1)

  • Exfiltration Over Unencrypted Non-C2 Protocol (v1.0→v1.1)

  • Exfiltration Over C2 Channel (v1.0→v1.1)

  • Impair Defenses: Prevent Application Removal (v1.1→v1.2)

  • Ingress Tool Transfer (v2.1→v2.2)

  • Input Injection (v1.1→v1.2)

  • Lockscreen Bypass (v1.2→v1.3)

  • Obfuscated Files or Information (v3.0→v3.1)

  • Replication Through Removable Media (v2.0→v2.1)

  • Web Service (v1.2→v1.3)

  • Bidirectional Communication (v1.1→v1.2)

  • Dead Drop Resolver (v1.1→v1.2)

  • One-Way Communication (v1.1→v1.2)

Patches
  • Credentials from Password Store (v1.1)

  • Exploitation for Privilege Escalation (v2.1)

  • Hijack Execution Flow: System Runtime API Hijacking (v1.1)

  • Location Tracking: Impersonate SS7 Nodes (v1.1)

  • Non-Standard Port (v2.1)

ICS

Minor Version Changes
  • Block Command Message (v1.0→v1.1)

  • Modify Controller Tasking (v1.1→v1.2)

  • Modify Parameter (v1.2→v1.3)

  • Modify Program (v1.1→v1.2)

  • Service Stop (v1.0→v1.1)

Patches
  • Activate Firmware Update Mode (v1.0)

  • Adversary-in-the-Middle (v2.0)

  • Alarm Suppression (v1.2)

  • Automated Collection (v1.0)

  • Block Reporting Message (v1.0)

  • Block Serial COM (v1.1)

  • Brute Force I/O (v1.1)

  • Change Credential (v1.0)

  • Change Operating Mode (v1.0)

  • Command-Line Interface (v1.1)

  • Commonly Used Port (v1.1)

  • Connection Proxy (v1.1)

  • Damage to Property (v1.1)

  • Data Destruction (v1.0)

  • Data from Information Repositories (v1.2)

  • Data from Local System (v1.0)

  • Default Credentials (v1.0)

  • Denial of Control (v1.1)

  • Denial of Service (v1.1)

  • Denial of View (v1.1)

  • Detect Operating Mode (v1.0)

  • Device Restart/Shutdown (v1.1)

  • Drive-by Compromise (v1.0)

  • Execution through API (v1.1)

  • Exploit Public-Facing Application (v1.0)

  • Exploitation for Evasion (v1.1)

  • Exploitation for Privilege Escalation (v1.1)

  • Exploitation of Remote Services (v1.0)

  • External Remote Services (v1.1)

  • Graphical User Interface (v1.1)

  • Hardcoded Credentials (v1.0)

  • Hooking (v1.2)

  • I/O Image (v1.1)

  • Indicator Removal on Host (v1.0)

  • Internet Accessible Device (v1.0)

  • Lateral Tool Transfer (v1.1)

  • Loss of Availability (v1.0)

  • Loss of Control (v1.0)

  • Loss of Productivity and Revenue (v1.0)

  • Loss of Protection (v1.0)

  • Loss of Safety (v1.0)

  • Loss of View (v1.0)

  • Manipulate I/O Image (v1.1)

  • Manipulation of Control (v1.0)

  • Manipulation of View (v1.0)

  • Masquerading (v1.1)

  • Modify Alarm Settings (v1.2)

  • Module Firmware (v1.1)

  • Monitor Process State (v1.0)

  • Native API (v1.0)

  • Network Connection Enumeration (v1.1)

  • Network Sniffing (v1.0)

  • Point & Tag Identification (v1.1)

  • Program Download (v1.1)

  • Program Upload (v1.0)

  • Project File Infection (v1.0)

  • Remote Services (v1.1)

  • Remote System Discovery (v1.1)

  • Remote System Information Discovery (v1.1)

  • Replication Through Removable Media (v1.0)

  • Rogue Master (v1.2)

  • Rootkit (v1.1)

  • Screen Capture (v1.0)

  • Scripting (v1.0)

  • Spearphishing Attachment (v1.1)

  • Spoof Reporting Message (v1.2)

  • Standard Application Layer Protocol (v1.0)

  • Supply Chain Compromise (v1.1)

  • System Firmware (v1.1)

  • Theft of Operational Information (v1.0)

  • Transient Cyber Asset (v1.2)

  • Unauthorized Command Message (v1.2)

  • User Execution (v1.1)

  • Valid Accounts (v1.1)

  • Wireless Compromise (v1.2)

  • Wireless Sniffing (v1.1)

Software

Enterprise

New Software
  • ANDROMEDA (v1.0)

  • AsyncRAT (v1.0)

  • BADHATCH (v1.0)

  • Disco (v1.0)

  • KOPILUWAK (v1.0)

  • NightClub (v1.0)

  • Pacu (v1.0)

  • QUIETCANARY (v1.0)

  • QUIETEXIT (v1.0)

  • RotaJakiro (v1.0)

  • Sardonic (v1.0)

  • SharpDisco (v1.0)

  • Snip3 (v1.0)

  • ngrok (v1.2)

Major Version Changes
  • OSX_OCEANLOTUS.D (v2.2→v3.0)

  • Uroburos (v1.0→v2.0)

Minor Version Changes
  • AdFind (v1.2→v1.3)

  • Agent Tesla (v1.2→v1.3)

  • Arp (v1.1→v1.2)

  • BITSAdmin (v1.3→v1.4)

  • BlackEnergy (v1.3→v1.4)

  • BloodHound (v1.4→v1.5)

  • Cobalt Strike (v1.10→v1.11)

  • Conti (v2.1→v2.2)

  • CrossRAT (v1.1→v1.2)

  • Dridex (v2.0→v2.1)

  • Emotet (v1.4→v1.5)

  • Empire (v1.6→v1.7)

  • Fysbis (v1.2→v1.3)

  • GoldMax (v2.1→v2.2)

  • Imminent Monitor (v1.0→v1.1)

  • Impacket (v1.4→v1.5)

  • KillDisk (v1.1→v1.2)

  • LaZagne (v1.4→v1.5)

  • Mimikatz (v1.7→v1.8)

  • NETWIRE (v1.5→v1.6)

  • Net (v2.4→v2.5)

  • Nltest (v1.1→v1.2)

  • OSX/Shlayer (v1.3→v1.4)

  • Ping (v1.3→v1.4)

  • PsExec (v1.4→v1.5)

  • Pupy (v1.2→v1.3)

  • Ragnar Locker (v1.1→v1.2)

  • Regin (v1.1→v1.2)

  • Revenge RAT (v1.1→v1.2)

  • Rubeus (v1.0→v1.1)

  • Ryuk (v1.3→v1.4)

  • TrickBot (v2.0→v2.1)

  • WarzoneRAT (v1.0→v1.1)

  • certutil (v1.3→v1.4)

  • esentutl (v1.2→v1.3)

  • jRAT (v2.1→v2.2)

  • netstat (v1.1→v1.2)

  • njRAT (v1.4→v1.5)

Patches
  • BlackCat (v1.0)

  • Calisto (v1.1)

  • Carbanak (v1.1)

  • Doki (v1.0)

  • Industroyer (v1.1)

  • LockerGoga (v2.0)

  • PUNCHBUGGY (v2.1)

  • PUNCHTRACK (v1.1)

  • PowerSploit (v1.6)

Revocations
  • Ngrok (revoked by ngrok) (v1.1)

Mobile

New Software
  • BOULDSPY (v1.0)

  • Chameleon (v1.0)

  • Escobar (v1.0)

  • Fakecalls (v1.0)

  • FlyTrap (v1.0)

  • Hornbill (v1.0)

  • Sunbird (v1.0)

ICS

Minor Version Changes
  • BlackEnergy (v1.3→v1.4)

  • KillDisk (v1.1→v1.2)

  • Ryuk (v1.3→v1.4)

Patches
  • Industroyer (v1.1)

  • LockerGoga (v2.0)

Groups

Enterprise

New Groups
  • FIN13 (v1.0)

  • MoustachedBouncer (v1.0)

  • Scattered Spider (v1.0)

  • TA2541 (v1.0)

  • Volt Typhoon (v1.0)

Major Version Changes
  • APT29 (v4.0→v5.0)

  • FIN7 (v2.2→v3.0)

  • FIN8 (v1.3→v2.0)

  • Indrik Spider (v2.1→v3.0)

  • Turla (v3.1→v4.0)

  • Wizard Spider (v2.1→v3.0)

Minor Version Changes
  • APT32 (v2.6→v2.7)

  • Confucius (v1.0→v1.1)

  • Dragonfly (v3.1→v3.2)

  • LAPSUS$ (v1.1→v1.2)

  • Magic Hound (v5.1→v5.2)

  • Sandworm Team (v3.0→v3.1)

  • SilverTerrier (v1.1→v1.2)

Patches
  • APT37 (v2.0)

  • Ajax Security Team (v1.0)

  • Darkhotel (v2.1)

  • Kimsuky (v3.1)

Mobile

New Groups
  • Confucius (v1.1)

  • MoustachedBouncer (v1.0)

Minor Version Changes
  • Sandworm Team (v3.0→v3.1)

ICS

Major Version Changes
  • FIN7 (v2.2→v3.0)

  • Wizard Spider (v2.1→v3.0)

Minor Version Changes
  • Dragonfly (v3.1→v3.2)

  • Sandworm Team (v3.0→v3.1)

Campaigns

Enterprise

New Campaigns
  • 2015 Ukraine Electric Power Attack (v1.0)

  • C0026 (v1.0)

  • C0027 (v1.0)

Minor Version Changes
  • Operation Dream Job (v1.0→v1.1)

Mobile

ICS

New Campaigns
  • 2015 Ukraine Electric Power Attack (v1.0)

Assets

ICS

New Assets
  • Application Server (v1.0)

  • Control Server (v1.0)

  • Data Gateway (v1.0)

  • Data Historian (v1.0)

  • Field I/O (v1.0)

  • Human-Machine Interface (HMI) (v1.0)

  • Intelligent Electronic Device (IED) (v1.0)

  • Jump Host (v1.0)

  • Programmable Logic Controller (PLC) (v1.0)

  • Remote Terminal Unit (RTU) (v1.0)

  • Routers (v1.0)

  • Safety Controller (v1.0)

  • Virtual Private Network (VPN) Server (v1.0)

  • Workstation (v1.0)

Mitigations

Enterprise

Minor Version Changes
  • Application Developer Guidance (v1.0→v1.1)

Mobile

New Mitigations
  • Antivirus/Antimalware (v1.0)

Minor Version Changes
  • Application Developer Guidance (v1.0→v1.1)

Patches
  • Interconnection Filtering (v1.0)

ICS

Minor Version Changes
  • Authorization Enforcement (v1.0→v1.1)

  • Human User Authentication (v1.0→v1.1)

Patches
  • Access Management (v1.0)

  • Account Use Policies (v1.0)

  • Antivirus/Antimalware (v1.0)

  • Application Developer Guidance (v1.0)

  • Application Isolation and Sandboxing (v1.0)

  • Audit (v1.0)

  • Boot Integrity (v1.0)

  • Code Signing (v1.0)

  • Communication Authenticity (v1.0)

  • Data Backup (v1.0)

  • Disable or Remove Feature or Program (v1.0)

  • Encrypt Network Traffic (v1.0)

  • Encrypt Sensitive Information (v1.0)

  • Execution Prevention (v1.0)

  • Exploit Protection (v1.0)

  • Filter Network Traffic (v1.0)

  • Limit Access to Resource Over Network (v1.0)

  • Limit Hardware Installation (v1.0)

  • Minimize Wireless Signal Propagation (v1.0)

  • Multi-factor Authentication (v1.0)

  • Network Allowlists (v1.0)

  • Network Intrusion Prevention (v1.0)

  • Network Segmentation (v1.0)

  • Operating System Configuration (v1.0)

  • Out-of-Band Communications Channel (v1.0)

  • Password Policies (v1.0)

  • Privileged Account Management (v1.0)

  • Redundancy of Service (v1.0)

  • Restrict File and Directory Permissions (v1.0)

  • Restrict Library Loading (v1.0)

  • Restrict Registry Permissions (v1.0)

  • Restrict Web-Based Content (v1.0)

  • Software Configuration (v1.0)

  • Software Process and Device Authentication (v1.0)

  • Static Network Configuration (v1.1)

  • Supply Chain Management (v1.0)

  • Update Software (v1.0)

  • User Account Management (v1.0)

  • User Training (v1.0)

  • Validate Program Inputs (v1.0)

  • Vulnerability Scanning (v1.0)

Contributors to this release

  • Aaron Jornet

  • Adam Lichters

  • Adam Mashinchi

  • Ai Kimura, NEC Corporation

  • Alain Homewood

  • Alex Spivakovsky, Pentera

  • Amir Gharib, Microsoft Threat Intelligence

  • Andrew Northern, @ex_raritas

  • Arad Inbar, Fidelis Security

  • Austin Herrin

  • Ben Smith, @ezaspy

  • Bilal Bahadır Yenici

  • Blake Strom, Microsoft Threat Intelligence

  • Brian Donohue

  • Caio Silva

  • Christopher Peacock

  • Edward Stevens, BT Security

  • Ford Qin, Trend Micro

  • Giorgi Gurgenidze, ISAC

  • Goldstein Menachem

  • Gregory Lesnewich, @greglesnewich

  • Gunji Satoshi, NEC Corporation

  • Harry Kim, CODEMIZE

  • Harun Küßner

  • Hiroki Nagahama, NEC Corporation

  • Itamar Mizrahi, Cymptom

  • Jack Burns, HubSpot

  • Janantha Marasinghe

  • Jennifer Kim Roman, CrowdStrike

  • Joas Antonio dos Santos, @C0d3Cr4zy

  • Joe Gumke, U.S. Bank

  • Joe Slowik - Dragos

  • Joey Lei

  • Juan Tapiador

  • Liran Ravich, CardinalOps

  • Manikantan Srinivasan, NEC Corporation India

  • Martin McCloskey, Datadog

  • Matt Green, @mgreen27

  • Michael Raggi @aRtAGGI

  • Mohit Rathore

  • Naveen Devaraja, bolttech

  • Noam Lifshitz, Sygnia

  • Olaf Hartong, Falcon Force

  • Oren Biderman, Sygnia

  • Pawel Partyka, Microsoft Threat Intelligence

  • Phyo Paing Htun (ChiLai), I-Secure Co.,Ltd

  • Pooja Natarajan, NEC Corporation India

  • Sam Seabrook, Duke Energy

  • Serhii Melnyk, Trustwave SpiderLabs

  • Shailesh Tiwary (Indian Army)

  • Shankar Raman, Gen Digital and Abhinand, Amrita University

  • Sunders Bruskin, Microsoft Threat Intelligence

  • Tahseen Bin Taj

  • Thanabodi Phrakhun, @naikordian

  • The DFIR Report

  • Tim (Wadhwa-)Brown

  • Tom Simpson, CrowdStrike Falcon OverWatch

  • Tristan Madani (Cybereason)

  • TruKno

  • Uriel Kosayev

  • Vijay Lalwani

  • Will Thomas, Equinix

  • Yasuhito Kawanishi, NEC Corporation

  • Yoshihiro Kori, NEC Corporation

  • Yossi Weizman, Microsoft Threat Intelligence
