2018 CTI-EU | Bonding EU Cyber Threat Intelligence

The main objective of the CTI-EU event is to bring experts, researchers, practitioners and academics together to promote the dialogue and envision the future of Cyber Threat Intelligence (CTI) as a key cybersecurity practice.

2018 CTI-EU | Bonding EU Cyber Threat Intelligence
Nov 05, 2018 09:00 AM to Nov 06, 2018 05:00 PM
Crowne Plaza Hotel in Brussels

Add to calendar
Add to vCal, Add to iCal

To download the presentation deck for each talk please click here.

The event will take place from November 5th to 6th in the Crowne Plaza Hotel in Brussels, Belgium. The event will be free of charge.


05 November 2018

08:30 - 09:00

  • Registration

09:00 – 10:30

  • Welcome address

Louis Marinos (EU Agency for Network and Information Security - ENISA)

  • Introduction, organisational issues

  • AI in CTI: A Practical Approach

Gerd Rademann (IBM)

- Cybersecurity with IBM Watson

10:30– 12:30

  • CTI Capability and Maturity Model

Richard Kerkdijk (TNO)

- CTI Capability Framework

Marco Lourenco (ENISA)

- CTI Maturity Model


  • CTI Capability Framework
  • Contents of a CTI maturity model
  • Demand of maturity models in various types of organisations (high capability, medium and low capability)
  • Steps in assessing CTI needs (Nirvana goal, CTI 101, etc.)
  • CTI Tradecraft
  • CTI dissemination and finalized products
  • Misinformation Campaigns

Victoria Bains (Univ. of Oxford)

- Misinformation, Fake News and Content Policing: An Operational Problem of Distinction

Ilias Chantzos (Symantec)


  • Cybersecurity relevance of misinformation campaigns
  • Types of threats and impact in various misinformation campaigns (events, elections, personal, etc.)
  • Comparison/scope of known activities (US, FR, EU, others)
  • Current work/research on misinformation campaigns (techniques, methods, measures, etc.)

12:30 – 13:30

  • Lunch


13:30 – 15:00

  • CTI in the European Commission - Panel Discussion

Moderator: Aikaterini Poustourli (DG Home)

Marios Thoma (EEAS)

Ioannis Ascoxylakis (DG Connect)


15:00 – 15:15

  • In Conferance Room Coffee Break

15:15 – 17:00

  • Threat Landscaping Trends, Good Practices and CTI Tools

Andreas Sfakianakis (CTI expert)

- Let's make CTI great (again): a 5-year lookback in CTI

Piotr Kijewski (ShadowServer)

- ShadowServer Project

Jörg Abraham (EclecticIQ)

- EclecticIQ Fusion Center


  • Current trends in TL (nature and scope of vertical TLs, guidance based on TL such as TIBER-EU, etc.)
  • Workflow within the organisation w.r.t. CTI
  • Interaction models based on TL (TL provision, TL requests, interaction with teams, feedback loops)
  • Applicability of classic intelligence approaches to CTI
  • Advances in mining of open source intelligence and social media intelligence
  • TL and Risk Management (modelling, risk and impact analysis, threat intelligence consumption appetite)

06 November 2018


  • Welcome Back

09:00 – 10:30

  • Active Cyber Defence

Tejas Patel (Kudo Dynamics)

- Active Cyber Defense

Stavros Lingris (CERT-EU)

- CTI and Active Defence: definitions, goals, advantages, techniques and tools

David Barroso (Countercraft)

- Tool up your threat hunting capabilities with active defense


  • Available Active Cyber Defence definitions and models
  • Active Cyber Defence attack and defence frameworks
  • Threat hunting techniques in Active Cyber Defence
  • Available Active Cyber Defence approaches (US vs. UK vs. other approaches)
  • Team interaction models in Active Cyber Defence
  • Legal aspects of Active Cyber Defence

10:30 – 10:45

  • In Conferance Room Coffee Break

10:45 – 12:30

  • CTI Standardization

Trey Darley (New Context)

Christian Doerr (Tudelft Univ.)

Frank Downs (ISACA)


  • Current developments in standardisation (STIX, OWASP, MITRE, SANS, etc.)
  • Review of the standards (adoption of various standards)
  • Current trends in standardisation activities

12:30 – 13:30

  • Lunch

13:30 – 15:00

  • Innovative actions in CTI

Maarten Bras (European Central Bank - ECB)

- Enhancing the cyber resilience of the financial sector by Threat Intelligence based Ethical Red Teaming - TIBER-EU

Panagiotis Kikiras  (European Defence Agency - EDA)

- CTI Research Landscape

Georgios Chatzichristos (EU Agency for Network and Information Security - ENISA)

- Open-CSAM - Inf. aggregator and reporting tool using AI and Natural Language Processing


  • Research dimensions
  • Reviewing methodologies from the ML, AI perspective to create CTI
  • Collective optimization techniques for cyber investigation and threat hunting (e.g. tanking into account think tank of criminal values)
  • Competing hypothesis methodology (from traditional intel)
  • Citizen in focus towards involving citizens in the defence (methods of CTI transfer to the citizens)
  • Understanding future trends (e.g. threat automation, convergence and distribution)

15:00 – 15:15

  • In Conferance Room Coffee Break

15:15 – 17:00

  • CTI Trends and Developments  - Panel discussion

Moderator: Christian Doerr (Tudelft Univ.)

Salvador Llopis Sanchez  (European Defence Agency - EDA)

Isidoros Monogioudis (Digitalshadows)

Ilias Chantzos (Symantec)

  • Concluding Remarks

Louis Marinos (EU Agency for Network and Information Security - ENISA)

CTI-EU is a two days event for cybersecurity practitioners and enthusiasts to debate the future of CTI. A space for short, carefully prepared talks and demonstrations to foster learning and provoke conversations will be considered. The typical presentation should be an up to 20-minute talk by a single presenter. No panels or Q&As with audience will be permitted. Between talks, participants are invited, on opt-in basis, to participate in small discussion groups during “open forum” breaks.

ENISA would like to offer the opportunity to non-profit organizations/activities in the area of Cyber Threat Intelligence, such as EU Horizon 2020 projects, national academic research and developments projects, open source communities, etc. to disseminate their work through this event. This can be achieved by means of posters, flyers, tool demonstrations etc.

Interested organizations are encouraged to contact ENISA to express their interest, together with some information about the dissemination material (short description of the item to be presented, relevance to CTI, method of presentation, particular presentation requirements). ENISA will review this material via the ENISA Threat Landscape Stakeholder Group and will inform the organizations about the acceptance of their presentation. The review of the material is considered as a filter for the relevance and quality of the submissions but also for the spatial availabilities at the venue of the event.

The event is organized in cooperation with:



This site uses cookies to offer you a better browsing experience.
Aside from essential cookies we also use tracking cookies for analytics.
Find out more on how we use cookies.

Accept all cookies Accept only essential cookies