Red is the New Blue
Purple teaming is rapidly becoming the best approach to validate controls, measure cybersecurity resilience, and improve Security Operations. It is stepping up as the go-to tool for threat-informed and “continuous” assessments. This talk will demystify Purple Teaming, discussing how it should be done—stripping away the commercial fluff that’s built up after years—and propose a model that […]
Inside NCSC’s CTI Team: Tracking Threat Actors Targeting the Netherlands
From covert state-backed espionage to financially motivated cybercrime, from politically charged hacktivism to digital sabotage—threat actors targeting the Netherlands come in many forms, and their tactics are constantly evolving. In this talk, the Cyber Threat Intelligence (CTI) team of the Dutch National Cyber Security Centre (NCSC) offers a rare behind-the-scenes look at how they investigate […]
Edge Devices: Your network blindspot
Edge devices are often a black box: limited transparency, minimal monitoring, and when compromised, they offer a direct stepping stone into your internal network. Precisely because signs of an attack are barely noticeable, breaches are often detected too late. And every time a new zero-day vulnerability emerges, swift and targeted investigation is essential—but in practice, […]
Hunting at scale, identifying Internet connected OT devices
Have you ever been on an Internet safari? Join us on an expedition into the world of internet-connected OT devices! We’ll introduce you to our OT Big Five and share fascinating cases we have encountered. We’ll also explore the motivations behind our research, how the NCSC identifies OT devices at scale using repeatable methods, and the legal […]
Modernizing Threat Detection: The Future of the Dutch National Detection Network in the NIS2 Era
As part of the NIS2 program, we are making major steps in modernizing the National Detection Network (NDN). Traditionally focused on network sensors within the central government, the NDN is now being expanded to support new technologies, including detection capabilities in cloud environments. We’re also making the NDN scalable, enabling all NIS2-covered organizations to share […]
So Long, and Thanks for All the Phish: A Rare Look Behind the Scenes of a Global Phishing-as-a-Service Operation
This session unveils the inner workings of Darcula, the largest phishing-as-a-service (PhaaS) operation active globally. Through meticulous investigation, we trace Darcula’s infrastructure, from its impersonation of 236 brands to the 30,000+ active phishing domains and 884,000+ stolen cards uncovered. This behind-the-scenes journey combines forensic analysis and open-source intelligence (OSINT). The audience will gain rare insights […]
Threat From The Inside: eBPF Used by Malware
eBPF (extended Berkeley Packet Filter) is a powerful and mysterious technology in the Linux kernel. As its name suggests, it was originally created for network packet filtering. However, it evolved into a more general-purpose mechanism to observe and manipulate kernel behavior. What could go wrong? We will not pick on eBPF because it is not […]
Turning Malware Against Itself for Proactive Defense
What if the key to stopping malware was hidden inside the malware itself? In this talk, we will explore the concept of malware vaccines—leveraging the techniques malware uses for self-preservation to turn the tables on attackers. By analyzing how malware checks its execution environment—whether through sandbox evasion, mutex creation, process enumeration, or infection markers—we can […]
Tracking the North Korean B-Team Persistent Threat (BPT)
Since early 2025, Fox-IT has been tracking a cluster of activity linked to the Contagious Interview campaign, involving the malware families known as BeaverTail, InvisibleFerret, and OtterCookie. This talk provides a behind-the-scenes look at our threat intelligence methodology for tracking this campaign and actor. We’ll demonstrate our investigation approach, showing how we first manually investigate […]
Inside a CTI investigation
In July 2024, the Security Operations Centre (SOC) of the Dutch Tax and Customs Administration identified a domain that appeared to be associated with a certificate belonging to the Dutch Tax and Customs Administration. After a quick analysis, we determined it wasn’t our infrastructure, but now we had to figure out what was causing the […]