JSAC2025 -Workshop & Lightning Talk-
Following the previous blog post on the Main Track on Day 2, this article highlights the Workshops and Lightning Talks of JSAC2025.
Workshop
Handling Threat Intelligence: Techniques of Consuming and Creating Threat Intelligence
Speakers: Tomohisa Ishikawa, Tatsuya Daitoku, Hiroyuki Tomiyama (Tokio Marine Holdings, Inc.)
Slides (Japanese)
Tomohisa, Tatsuya, and Hiroyuki provided a workshop on threat intelligence, giving systematic explanations from the fundamentals to practical applications.
They first introduced the core concepts of threat intelligence. A threat is characterized by three factors: intent, capability, and opportunity. Intelligence can be understood from two perspectives: as a data format and as a process. The speakers also emphasized four attributes of effective threat intelligence: accuracy, an audience-focused approach, actionability, and adequate timing.
Following the theoretical groundwork, the workshop moved on to practical topics, focusing on Tactical and Operational Intelligence. For Tactical Intelligence, aimed at those who work in SOCs, they explained how to use IoCs effectively for prevention, detection, and response. They presented a structured approach that begins with gathering data through OSINT and SIGINT, continues with evaluating, analyzing, and enriching the collected IoCs, and ends with creating and distributing YARA and Sigma rules. The speakers also discussed the effectiveness and limitations of IoCs. While IoCs can detect and prevent industry-specific threats that signatures miss, their validity is short-lived, usually ranging from hours to days. Because IoCs lose effectiveness over time, the speakers stressed automating the process with scripts that take the volume and freshness of IoC data into account, and applying IoCs with a proper understanding of their context.
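The IoC lifecycle described above, as an added example rather than code from the workshop: indicators are weighted by age so that stale entries are dropped before the survivors are rendered as a Sigma rule. The feed entries, the fixed clock, and the per-type half-lives are constructed assumptions for this example, and the Sigma field names follow the network_connection log source category.

```python
"""IoC ageing and Sigma rule emission.

Added example, not code from the workshop slides. Indicators lose value within
hours to days, so a consumer weights them by age, drops stale entries and only
then turns the survivors into a rule the SIEM can apply. The feed, the clock and
the half-lives below are constructed assumptions for this example.
"""
from datetime import datetime, timedelta, timezone

# Assumed half-lives per indicator type (hours). Infrastructure indicators decay
# fastest; file hashes stay useful far longer.
HALF_LIFE_HOURS = {"ip": 24, "domain": 72, "sha256": 24 * 30}
MIN_SCORE = 0.25  # below this the indicator is treated as stale and not deployed

NOW = datetime(2025, 1, 31, 12, 0, tzinfo=timezone.utc)  # fixed clock for reproducibility

# Constructed feed entries (RFC 5737 addresses and a reserved name, not real IoCs).
FEED = [
    {"type": "ip", "value": "198.51.100.23", "confidence": 0.9, "last_seen": NOW - timedelta(hours=6)},
    {"type": "ip", "value": "203.0.113.7", "confidence": 1.0, "last_seen": NOW - timedelta(days=5)},
    {"type": "domain", "value": "login-update.example", "confidence": 0.8, "last_seen": NOW - timedelta(days=2)},
    {"type": "sha256", "value": "a3" * 32, "confidence": 1.0, "last_seen": NOW - timedelta(days=10)},
]


def score(ioc, now):
    """Source confidence decayed exponentially with age: full when just seen, halved after one half-life."""
    age_hours = (now - ioc["last_seen"]).total_seconds() / 3600
    return ioc["confidence"] * 0.5 ** (age_hours / HALF_LIFE_HOURS[ioc["type"]])


def fresh_iocs(feed, now, min_score=MIN_SCORE):
    """Keep indicators whose decayed score is still above the deployment threshold."""
    scored = [dict(ioc, score=round(score(ioc, now), 3)) for ioc in feed]
    return [ioc for ioc in scored if ioc["score"] >= min_score]


def to_sigma(iocs, title="Fresh C2 infrastructure IoCs"):
    """Render fresh IP/domain indicators as a Sigma rule (network_connection field names).

    File hashes are skipped here; they belong in a separate file_event rule.
    Returns an empty string when nothing is worth deploying.
    """
    ips = sorted(i["value"] for i in iocs if i["type"] == "ip")
    domains = sorted(i["value"] for i in iocs if i["type"] == "domain")
    selections = [name for name, present in (("sel_ip", ips), ("sel_domain", domains)) if present]
    if not selections:
        return ""
    out = [f"title: {title}", "status: experimental", "logsource:",
           "  category: network_connection", "  product: windows", "detection:"]
    if ips:
        out += ["  sel_ip:", "    DestinationIp:"] + [f"      - {v}" for v in ips]
    if domains:
        # endswith also catches subdomains of the listed domain
        out += ["  sel_domain:", "    DestinationHostname|endswith:"] + [f"      - {v}" for v in domains]
    out.append("  condition: " + " or ".join(selections))
    out.append("level: medium")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    fresh = fresh_iocs(FEED, NOW)
    print(f"{len(fresh)} of {len(FEED)} indicators still fresh")
    print(to_sigma(fresh))
```

The stale IP (last seen five days ago) is dropped even though the source marked it with full confidence; the hash survives ten days because hashes were given a long half-life. Re-running the script on each feed update keeps the deployed rule current, which is the automation the speakers called for.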
In the Operational Intelligence section, the presenters explained how security architects, administrators, and SOC staff can use threat intelligence to build a comprehensive picture of attacker profiles and methods in order to improve organizational security. They covered the use of the MITRE ATT&CK framework for analyzing TTPs and the MITRE D3FEND framework for structuring defensive measures. Building on these, they discussed how to design a defensive architecture on the principle “Prevent what you can, detect what you cannot prevent, and hunt for what you cannot detect.” The speakers also outlined a systematic threat analysis process: collect OSINT and SIGINT, build threat scenarios from them, and apply those scenarios in purple teaming and threat hunting exercises. On threat hunting, they stressed the importance of formulating testable hypotheses with four elements, hypothesis, object, procedure, and evaluation, which enables active discovery of threats that bypass existing security measures. They also introduced Summiting the Pyramid (STP) as a way to improve detection robustness, explaining how to evaluate and improve detection rules from two aspects: accuracy (high detection precision and reproducibility) and resilience (the ability to withstand attacker evasion over time).
In conclusion, the speakers addressed the significance of sharing threat intelligence. They pointed out that a single organization's intelligence gathering has limits and that sharing through intelligence communities is essential. They also discussed sharing information appropriately under the Traffic Light Protocol (TLP) and expressing the reliability of intelligence through confidence levels and estimative language.
Malware Config Extraction at Scale – building Malware Analysis Pipelines
Speaker: Michał Praszmo (CERT Polska)
Slides (English)
Michał provided a workshop on a tool developed through years of malware analysis projects at CERT Polska, which automates the extraction of configuration information from malware.
First, he introduced MWDB, a repository designed for malware analysis. MWDB is a highly scalable system built for automated analysis. Its features include core object types for storing samples, configurations, and other data, as well as secondary objects such as tags, comments, and attributes that can be attached to them. It offers flexible search through Lucene-style queries, and supports automation through a CLI, a Python API, and a REST API.
Next, he discussed malduck, a Python module for malware analysis. It provides commonly needed helpers, such as implementations of cryptographic and compression algorithms, memory dump and PE/ELF file handling, and a configuration extraction engine. He explained how the engine uses YARA rules for pattern matching and extracts distinctive malware details, such as C2 server URLs, from the matched regions.
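The match-then-parse flow described above, as an added example written for this article rather than taken from malduck or the workshop: a byte pattern standing in for a YARA string locates a configuration blob in a memory dump, and a parser turns the bytes that follow into structured data. The config layout (marker, one-byte XOR key, length-prefixed C2 list), the family name, and the dump itself are constructed for this example and do not describe any real malware.

```python
"""Config extraction from a memory dump: pattern match, then parse.

Added example, not malduck's code. A byte pattern (what a YARA rule would match)
locates the configuration blob; a parser decodes the bytes after it into C2 URLs.
The layout, marker, XOR scheme and dump are all constructed for this example.
"""
import re
import struct

MAGIC = b"CFG1"
# Stand-in for a YARA string: marker, 1-byte XOR key, little-endian u16 payload length.
CONFIG_PATTERN = re.compile(rb"CFG1(?P<key>.)(?P<len>..)", re.DOTALL)
MAX_CONFIG_LEN = 4096  # sanity bound so a stray marker cannot make us decode half the dump


def build_sample_dump(c2_list, key=0x5A):
    """Constructed 'memory dump': junk, a fake PE header fragment, the config blob, more junk."""
    payload = bytes(b ^ key for b in "|".join(c2_list).encode())
    blob = MAGIC + bytes([key]) + struct.pack("<H", len(payload)) + payload
    return b"\x00" * 64 + b"MZ\x90\x00" + b"\xcc" * 200 + blob + b"\x00" * 128


SAMPLE_C2 = ["http://c2.example.net/gate.php", "http://203.0.113.55:8080/gate.php"]
SAMPLE_DUMP = build_sample_dump(SAMPLE_C2)


def extract_config(dump):
    """Return the parsed config, or None when no well-formed blob is present.

    Every candidate match is validated (declared length in bounds, decoded text
    looks like URLs) so a coincidental 'CFG1' in unrelated memory is rejected
    rather than producing garbage indicators.
    """
    for m in CONFIG_PATTERN.finditer(dump):
        key = m.group("key")[0]
        (length,) = struct.unpack("<H", m.group("len"))
        start = m.end()
        if length == 0 or length > MAX_CONFIG_LEN or start + length > len(dump):
            continue
        plain = bytes(b ^ key for b in dump[start:start + length])
        urls = [u.decode("ascii", "replace") for u in plain.split(b"|") if u]
        if not urls or not all(u.startswith(("http://", "https://")) for u in urls):
            continue  # wrong key or false match: decoded text is not a C2 list
        return {"family": "example_stealer", "offset": m.start(), "xor_key": key, "c2": urls}
    return None


if __name__ == "__main__":
    print(extract_config(SAMPLE_DUMP))
```

In a real pipeline the pattern would be a YARA rule and the decoded result would be uploaded as a config object attached to the sample, which is what the MWDB hierarchy described below is designed to hold.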
Finally, he introduced Karton, a distributed malware processing framework. Karton ties MWDB and malduck together into analysis pipelines. He explained the role each service plays in automating malware classification, archive extraction, and configuration extraction. He also mentioned that the framework has been used for purposes other than malware analysis, such as processing phishing reports.
During the hands-on session, participants began with the basics of MWDB and gradually deepened their understanding of the tool. Practical exercises included filtering malware with tags, viewing malware details and understanding hierarchical structures, searching for similar configurations, and handling blobs—all based on real-world malware analysis scenarios.
The tools are available in the following GitHub repositories:
MWDB: https://github.com/CERT-Polska/mwdb-core
Malduck: https://github.com/CERT-Polska/malduck
Karton: https://github.com/CERT-Polska/karton
Introduction to Analyzing Malware Anti-Analysis Features Using IDA and Ghidra Plugin
Speaker: Takahiro Takeda (LAC Co., Ltd.)
Slides for Ghidra Users (English)
Slides for IDA Users (English)
Takahiro gave a workshop on AntiDebugSeeker, a tool designed to automatically identify anti-debugging features in malware.
First, he explained that when analysts encounter anti-debugging features during malware analysis, their work is disrupted, making it difficult to pursue objectives such as identifying communication endpoints. AntiDebugSeeker was developed to address this challenge: the tool helps analysts avoid such interruptions and continue their analysis efficiently.
Next, the speaker described two key features of AntiDebugSeeker: extracting anti-debugging APIs that the malware may use, and extracting anti-debugging features that cannot be identified from API calls alone by searching for specific keywords. He also noted that for packed malware, running the tool after unpacking and repairing the import address table significantly improves the results.
During the demonstration, the speaker used a real malware sample to show AntiDebugSeeker in more detail. He explained that the results include memory-related information and the functions identified as having anti-debugging features. He also demonstrated other features that streamline analysis, such as jumping to a function from the extraction results and viewing the details of the detection rules.
The hands-on session started with a basic anti-debugging feature, moved on to more complex ones, and then to detailed analysis of process behavior. The speaker also showed how to customize the AntiDebugSeeker configuration file to implement new detection rules, using a VMware-detection routine found in malware as the example.
Finally, he highlighted the high customizability of the tool's detection rules, demonstrating that it can adapt to new anti-analysis techniques and allows users to add their own rules.
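The two detection styles described above (API-name rules and keyword rules for checks that never call an API) and the user-added VMware rule, as an added example that is not AntiDebugSeeker's code and does not reproduce its configuration format. Rules are plain data, so adding a detection is a matter of adding an entry. The disassembly listing is a hand-written, constructed fragment, not output from a real sample; the PEB offsets and the VMware backdoor constants are the documented values.

```python
"""Rule-driven scan for anti-debugging and anti-VM code in a disassembly listing.

Added example, not AntiDebugSeeker's code or rule format. API rules flag imports
such as IsDebuggerPresent; keyword rules fire when all keywords of a check appear
within a window of consecutive lines. The listing is constructed for this example.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    rule: str
    line: int
    note: str


API_RULES = {
    "IsDebuggerPresent": "kernel32 debugger check",
    "CheckRemoteDebuggerPresent": "kernel32 debugger check via the debug port",
    "NtQueryInformationProcess": "ProcessDebugPort (7) / ProcessDebugFlags (0x1F) query",
    "OutputDebugStringA": "debugger-visible side channel",
}

# A keyword rule fires when all keywords occur within `window` consecutive lines,
# anchored on the line that holds the first keyword.
DEFAULT_KEYWORD_RULES = {
    "PEB.BeingDebugged": {
        "keywords": ["fs:30h", "[eax+2]"],
        "window": 3,
        "note": "PEB reached through the TEB, BeingDebugged byte at offset 2",
    },
}

# User-added rule, the way an analyst would extend the rule set: VMware's I/O
# backdoor. EAX holds the magic 'VMXh' (0x564D5868), DX the port 0x5658, and
# `in eax, dx` returns the magic in EBX only inside VMware.
USER_KEYWORD_RULES = {
    **DEFAULT_KEYWORD_RULES,
    "VMware backdoor (VMXh)": {
        "keywords": ["564D5868h", "in eax, dx"],
        "window": 6,
        "note": "VMware hypervisor port 0x5658 probe",
    },
}


def scan(listing, api_rules, keyword_rules):
    """Return findings sorted by line: one per API reference, one per keyword-rule anchor."""
    lines = listing.splitlines()
    findings = []
    for no, line in enumerate(lines, 1):
        for api, note in api_rules.items():
            if re.search(rf"\b{re.escape(api)}\b", line):
                findings.append(Finding(api, no, note))
    for name, rule in keyword_rules.items():
        kws = [k.lower() for k in rule["keywords"]]
        for i, line in enumerate(lines):
            if kws[0] not in line.lower():
                continue  # only lines carrying the first keyword can anchor a match
            block = "\n".join(lines[i:i + rule["window"]]).lower()
            if all(k in block for k in kws):
                findings.append(Finding(name, i + 1, rule["note"]))
    return sorted(findings, key=lambda f: f.line)


# Constructed listing: an API check, a direct PEB read, then a VMware backdoor probe.
LISTING = """\
sub_401000:
  push ebp
  mov ebp, esp
  call ds:IsDebuggerPresent
  test eax, eax
  jnz short loc_bail
  mov eax, large fs:30h
  movzx eax, byte ptr [eax+2]
  test eax, eax
  jnz short loc_bail
  mov eax, 564D5868h
  mov ebx, 0
  mov ecx, 0Ah
  mov edx, 5658h
  in eax, dx
  cmp ebx, 564D5868h
  jz loc_vm_detected
"""

if __name__ == "__main__":
    for f in scan(LISTING, API_RULES, USER_KEYWORD_RULES):
        print(f"line {f.line:>3}  {f.rule}: {f.note}")
```

With the default rules only the API call and the PEB read are reported; the VMware probe goes unnoticed until the user rule is added, which is the kind of extension the hands-on session walked through.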
The tool is available on the GitHub repositories below:
IDA version: https://github.com/LAC-Japan/IDA_Plugin_AntiDebugSeeker
Ghidra version: https://github.com/LAC-Japan/Ghidra_AntiDebugSeeker
Lightning Talk
Introduction to MITRE ATT&CK Utilization Tools by Multiple LLM Agents and RAG
Speaker: Atsushi Sada
Slides (English)
Atsushi delivered a presentation on the use of LLMs in cyber security, focusing on the disarmBot tool, which was developed around the MITRE ATT&CK framework and its disinformation counterpart, DISARM.
First, the speaker discussed the rapid advances in LLM and AI technology, stressing the importance of applying them in the security and incident response fields. He then introduced disarmBot, built on Microsoft's open-source AI agent framework AutoGen, in which multiple AI agents work collaboratively.
He continued by explaining the key features of AutoGen. The framework offers three execution patterns: Two-Agent Chat, Sequential Chat, and Group Chat. For disarmBot, Group Chat mode was selected, allowing multiple agents to discuss a topic dynamically from various perspectives. He also described the core components of disarmBot, five specialized agents working together:
- Attacker Side: Analyzes from the attacker's perspective, referencing Red Team TTPs for discussion.
- Defender Side: Provides insights from the defender's viewpoint, incorporating Blue Team TTPs for discussion.
- OSINT Specialist: Gathers and summarizes online information for further discussion.
- Skeptics: Offers critical perspectives on statements made by other agents.
- Solution Architect: Integrates all agent insights to propose a final solution.
The speaker also discussed the DISARM framework, whose design follows the principles of MITRE ATT&CK. Created to describe and understand disinformation incidents, it is structured hierarchically into phases, tactics, techniques, tasks, and mitigations, and covers both the Red Team and Blue Team perspectives. To use the framework effectively, disarmBot adopts an architecture with the following components:
- RAG (Retrieval-Augmented Generation) for efficient information search
- Chroma DB for building a vector database
- DISARM TTP framework documents
- OpenAI API or Azure OpenAI API
- Operation environment on Discord Platform
In conclusion, the speaker emphasized that users remain responsible for how they use the responses generated by the bot. He also noted that the tool could be adapted to other purposes, such as penetration testing or DFIR, by replacing the database or the prompts.
disarmBot supports Japanese, English, and Chinese and is available on the GitHub repository below:
https://github.com/ultra-supara/disarmBot
So Far and Yet so Close: A Story of Collaboration in Cybersecurity Field between Japan and Spain
Speakers: Masato Ikegami (Canon IT Solutions Inc.), Josep Albors (ESET Spain)
Slides (English)
Masato and Josep delivered a joint presentation on the commonalities of cyber attacks in Japan and Spain, highlighting the importance of cooperation between the two countries despite their geographical distance.
The session began with an overview of trends in information-stealing malware observed in both Japan and Spain. They noted that many attack campaigns occurred nearly simultaneously in both countries, with a particularly significant peak in Spain in mid-November. The speakers attributed this spike to the popularity of Black Friday and Christmas sales in Spain, around which attackers time their campaigns.
Next, the speakers shared the case of Emotet, one of the most prominent information-stealing malware campaigns seen in both countries in the past, which spread primarily via email. Although sharing documents as password-protected ZIP files (the practice known in Japan as PPAP) was once considered unique to Japan, attacks abusing the same method were also observed in Spain.
Regarding fake websites, the speakers pointed out that these scams were often detected earlier in Spain. They attributed this to the large Spanish-speaking Internet user base and the relatively low cost of localizing into Spanish.
They also touched upon tech support scams, which were first observed in Spain in 2012. Initially, these scams involved basic Spanish-only websites, but over time phone-based tech support fraud in both Spanish and English was also detected. The speakers noted that such scams have become increasingly sophisticated, incorporating a variety of techniques, and that similar tech support scams have been observed in both Japan and Spain.
Finally, the speakers emphasized the importance of international threat intelligence sharing. They cited the cooperation agreement signed in February 2024 between JPCERT/CC and INCIBE as a concrete example of such collaboration, as well as the ongoing efforts to share threat information via the MISP platform. They stressed that enhancing cyber security through international cooperation, while taking regional contexts into account, is essential.
Awards
At JSAC 2025, we recognize outstanding sessions that shared valuable information with the audience. The Excellent Presentation Award (formerly the Best Speaker Award) goes to the session with the highest proportion of “Excellent” (very satisfied) ratings in the participant survey. The Special Recognition Award is decided through discussion by the CFP Review Board. The presentations selected for these awards are as follows:
Excellent Presentation Award
Title: Hack The Sandbox: Unveiling the Truth Behind Disappearing Artifacts
Speaker: Yusuke Niwa, Satoshi Kamekawa, Shuhei Sasada (Itochu Cyber & Intelligence)
This presentation shared the results of an investigation into countermeasures and investigative techniques for the latest cyber threats, and was highly valued for its practical applicability.
Comments from the awardees:
Attackers are always trying to stay one step ahead of us. As a blue team, we must face this harsh reality and continue to defend by trial and error, no matter how challenging the task may be. Our presentation, while sharing the insights gained so far, does not provide perfect solutions. However, it is the persistent effort to tackle challenges and the steady pursuit of answers that serves as the backbone of advanced security strategies. Many aspects of the topics covered were still unknown, but by developing hypotheses from multiple perspectives and rigorously testing them, we were able to track the footsteps of attackers. We also engaged in numerous discussions on investigative methods and countermeasures. We are truly honored that the outcome of our efforts has been highly valued. In the field of cyber security, individual knowledge and efforts are crucial, but the most important thing is collaboration and combining our strengths. Around us, there may be many overlooked clues and signs that could hold valuable insights. Recognizing these signs and gaining insights from them may lead to significant discoveries, ultimately forming the key to developing new countermeasures. We believe that sharing and deepening small “seeds” uncovered in this way among analysts is the essence of JSAC's mission. Ultimately, these efforts will contribute to the overall improvement of cyber security in society.
Special Recognition Award
Title: Observation of phishing criminal groups related to illegal money transfers and Mizuho Bank's countermeasures -Fighting against phishing site malware 'KeepSpy'-
Speaker: Tsukasa Takeuchi, Takuya Endo, Hiroyuki Yako (Mizuho Financial Group)
This presentation was highly valued for providing insights from a case study of countermeasures by an organization that became a target of phishing attacks, which is a topic that has not been widely disclosed before.
Comments from the awardees:
Hiroyuki Yako: I am deeply honored to receive such a prestigious award at the outstanding platform of JSAC. I sincerely thank everyone who has supported me. I believe this achievement is the result of our collective efforts with the many members involved. Moving forward, I am committed to strengthening our collaborative defense efforts with organizations that share the same challenges in combating phishing.
Tsukasa Takeuchi: I am grateful for the opportunity to present at the public stage of JSAC and for receiving this valuable award. This presentation was made by three of us, but it would not have been possible without the cooperation of numerous team members and related departments. I would like to extend my sincere thanks to all those involved in helping us reach this point. The threat of not only phishing but also cyber crime continues to grow, and we will continue to contribute proactively to crime prevention in this field.
Takuya Endo: I have been listening to presentations at JSAC since its beginning, and it has always been my dream to present as a speaker one day. I am truly honored to have had that opportunity fulfilled and to receive such a distinguished award. This achievement was made possible by the cooperation and support of our entire team, and I am sincerely grateful to all the members I worked with. We will continue our relentless efforts in addressing phishing, and we appreciate your continued support and encouragement moving forward.
Additionally, JSAC recognizes individuals who have consistently delivered exceptional presentations over the years through its Hall of Fame. It is granted to those who have received the Excellent Presentation Award or the Special Recognition Award three times, celebrating their outstanding contributions to the field. Inductees also receive an invitation to JSAC every year.
Hall of Fame inductee in 2025:
Inductee: Shuhei Sasada (Itochu Cyber & Intelligence)
Comments from the Inductee:
I am deeply honored to receive the title of Hall of Fame inductee. I would like to take this opportunity to express my sincere gratitude. I truly believe that this achievement is made possible by the support of my colleagues and everyone who has helped me along the way. With this gratitude in my heart, I will continue to strive diligently, and I look forward to your ongoing support.
In Closing
We would like to thank all the speakers and participants of JSAC2025, as well as everyone who read this series of articles on the event.
Daiki Ishihara (Translated by Takumi Nakano)