Back to Talks 2026
Workshopintermediate

Threat Actors: Gotta Catch 'Em All

Recon Village @ DEF CON 34August 6-9, 2026

Friday, August 7 · 12:40 PM – 3:10 PMRecon Village Workshop Area

Abstract

Your mission: Stop chasing single indicators and start profiling the actual behavior of the adversary. From cybercriminals to state-sponsored actors, every threat group leaves a unique operational blueprint. Whether you are an OSINT hobbyist or an experienced cyber intelligence analyst, come ready to dissect real-world attack behaviors, translate data into actionable insights, and master the art of OSINT-powered TTP research.

This hands-on workshop explores the world of cyber threat actors and the open-source intelligence (OSINT) methodologies used to unmask their behavioral patterns. Rather than focusing strictly on fleeting indicators of compromise (IoCs) like file hashes or IP addresses, participants will learn how to extract, analyze, and profile an adversary's true Tactics, Techniques, and Procedures (TTPs).

Through interactive, real-world case studies, attendees will learn how to analyze public incident reports, open intelligence repositories, and external datasets to map out an actor's operational playbook. Using frameworks like MITRE ATT&CK and the Diamond Model, participants will practice pivoting from technical data to strategic threat profiles—equipping them with the research skills needed to predict and counter adversarial behavior without ever needing an enterprise budget.

Workshop Structure:

Module 1: Foundations of Threat Intelligence & Actor Profiling

The Threat Landscape: Definitions and categories of actors (APTs, cybercriminals, hacktivists, insiders).

Understanding Adversarial Motivation: Moving beyond what happened to why and how actors select their targets and techniques.

Intelligence Categorization: Differentiating between Strategic, Operational, and Tactical/Technical intelligence, and how TTP research feeds all three.

Module 2: The Analytical Frameworks

MITRE ATT&CK Deep Dive: Navigating the matrix, understanding sub-techniques, and avoiding common mapping pitfalls.

The Diamond Model: Connecting the four core nodes (Adversary, Capability, Infrastructure, Victim) to tell a complete campaign story.

The Pyramid of Pain: Understanding why tracking TTPs inflicts the maximum cost on the adversary compared to trivial indicators.

Module 3: Dissecting the Data (Case Study Analysis)

Deconstructing DFIR Reports: Walking through real-world incident examples (e.g., Gootloader campaigns, ransomware operations) to extract behavioral indicators from public write-ups.

Safe Analysis Practices: Utilizing basic web-based OSINT tools (urlscan.io, Browserling, CyberChef) to safely evaluate delivery mechanisms and landing pages without compromising investigator safety.

Module 4: Live TTP Research (Group Exercise)

The Scenario: Groups are given an initial, ambiguous threat brief or a raw dataset from a recent campaign.

The Analysis: Using open-source resources, teams will collaborate to identify the actor's threat components (who, what, where, when, how, why).

The Playbook: Teams will map their findings into the MITRE ATT&CK Navigator, build a comprehensive threat intelligence profile, and present their adversarial playbook to the room.

Prerequisites

  • Laptop, curiosity, and a willingness to learn.

Speakers

Marcelle Lee
Marcelle Lee

Cybersecurity Unicorn 🦄

Marcelle is security practitioner but also an educator at heart, and has delivered numerous talks and workshops on a variety of topics. Marcelle brings over twelve years of experience in cybersecurity, and her journey has taken her through some of the most elite teams in the field, including Secureworks Counter Threat Unit (CTU) and the Equinix Threat Analysis Center (ETAC). She's a security consultant, threat researcher, educator, and intel analyst with deep expertise in cyber threat intelligence, digital forensics, intrusion analysis, security operations, and technical writing. She has contributed to both government and private sector initiatives, bringing a well-rounded perspective to cyber defense and threat research. Before transitioning into cybersecurity, Marcelle led operations and managed complex projects across various industries. She is an active leader in the cyber community, serving on boards and working groups such as the Women’s Society of Cyberjutsu. She is also an enthusiast of cyber competitions, both as a builder and participant. Marcelle holds numerous industry certifications, including CISSP, GCFA, GCIA, GCIH, GPEN, GISF, GSEC, GCCC, C|HFI, C|EH, PenTest+, CASP+, Security+, and Network+. She has earned four academic degrees, including a Master’s in cybersecurity. Her contributions have been recognized with honors such as the Chesapeake Regional Tech Council Women in Tech (WIT) Award and the Volunteer of the Year award from the Women’s Society of Cyberjutsu. https://linktr.ee/marcellelee

View full speaker profile →
Will Thomas

Senior Threat Intelligence Advisor at Team Cymru

Working in Threat Hunting and Cyber Threat Intelligence for over 7 years.

View full speaker profile →