DC3 TechEx Fall 2025

Is your “Web of Defense” strong enough to catch today's sophisticated threats?

Welcome to the Fall 2025 DC3 Technical Exchange (TechEx), where we will work together to spin a tighter, more resilient cyber web, enabling faster incident response and catching threats before they infiltrate our systems. Just as a spider relies on every strand of its web, we must leverage all available tools to maintain awareness, responsiveness, and resilience in the face of ever-evolving cyber threats. This collaborative approach is key to catching adversaries already lurking within our systems and preventing future intrusions. 

Over the next two days, participants will engage in a wide-ranging series of discussions focused on advancing cybersecurity, safeguarding our shared networks, and enhancing collaboration. We encourage open, thoughtful engagement across all sessions, and look forward to hearing perspectives and insights as we shape the path forward and build a more secure future for all.  
 
At DC3, our mission is to deliver innovative capabilities and world-class expertise in support of the warfighter. We are grounded in the same enduring values of integrity, service, and commitment to a cause greater than ourselves that inspired those who came before us.
 
Thank you for your continued participation and for your unwavering dedication to national security. We look forward to a dynamic and inspiring TechEx. 


AGENDA

Day 1 – Tuesday, November 18, 2025

8:00-9:00 AM
Check in and Registration
9:00-9:30 AM
Housekeeping and Security; Opening Remarks - Mr. Black, Deputy Executive Director; Mr. Terry Kalka, DCISE Director
9:30-10:00 AM
DCISE Threat Brief - Brandon LoMonaco, DC3 DCISE
10:00-10:05 AM
Break
10:05-10:50 AM
From Setup to Automation: Insights into OpenCTI and Proactive Threat Defense - Sarah Dlugolecki and Aluor Nyamor, GE Aerospace
10:50-11:00 AM
Break
11:00 AM-11:30 AM
DCISE3+ Azure Firewall: Announcing the Latest Program Integration - John DiGerolamo, Celerium
11:30-11:35 AM
Break
11:35 AM-12:05 PM
The Next-Generation SOC - Christopher Crabtree, ManTech
12:05-1:00 PM
Lunch
1:00-1:30 PM
DPRK IT Workers and Contagious Interview TTPs - Justin Hunt, DC3 OED
1:30-1:40 PM
Break
1:40-2:25 PM
Cracking into Culture: Infusing Cybersecurity into the Culture of our Research Enterprise at GTRI - Eric R. Scott, GTRI
2:25-2:30 PM
Break
2:30-3:00 PM
Expertise on Demand: How the DC3 Cyber Forensics Lab Supports DIB Incident Response - Luke Hoffman, DC3 DCISE
3:00-3:05 PM
Break
3:05-3:35 PM
How I Learned to Stop Worrying and Love Vulnerability Disclosure - John Repici, DC3 VDP

Day 2 – Wednesday, November 19, 2025

8:00-9:00 AM
Check in and Registration
9:00-9:10 AM
Housekeeping and Security, Opening Remarks
9:10-10:00 AM
BYOVD - Matt Fleischer, DC3 DCISE
10:00-10:05 AM
Break
10:05-11:05 AM
Staying (Human) Connected in a High Tech World - "Doc" Margaret Swank, AFOSI
11:05-11:15 AM
Break
11:15 AM-12:15 PM
AI-Driven Incident Response: Friend or Foe? - Leidos
12:15-1:00 PM
Lunch
1:00-1:45 PM
SCRM & Reverse Engineering of Closed-Source COTS - Jason Pyeron, PD Inc.
1:45-1:50 PM
Break
1:50-2:20 PM
MITRE NERVE Incident and IR Lessons Learned - Roman Brozyna, MITRE
2:20-2:30 PM
Break
2:30-3:30 PM
Hyperautomation and the Future of Cyber Incident Response - Patrick Greer and Christie Karrels, Trellix
3:30 PM
Closing Remarks

ABSTRACTS

Best Practices


Expertise on Demand: How the DC3 Cyber Forensics Lab Supports DIB Incident Response

Luke Hoffman, DC3 DCISE

This presentation will focus on the malware reverse engineering and system forensic capabilities offered to support DCISE and the Defense Industrial Base (DIB). It will provide an overview of the Electronic Malware Submission (EMS) portal, including static and dynamic malware analysis and forensic analysis of compromised assets. The session will also cover the use of EMS, including Automated Malware Reports (AMRs), the AMR Application Programming Interface (API) for multi-file submissions, and the submission tool for malware used in static malware analysis and reporting. Additional capabilities provided by the Cyber Forensics Lab will also be discussed. The session is valuable for understanding the tools and services available to enhance malware analysis and incident response capabilities within the DIB.


Staying (Human) Connected in a High-Tech World

Margaret Swank, DAF Office of Special Investigations

As our world becomes increasingly dominated by computers, AI, and virtual interfaces, the impact on our fundamental biological need for human connection and overall resilience requires further analysis. This presentation explores practical strategies for building resilience into your day-to-day work life, specifically aimed at mitigating the isolating effects commonly experienced by professionals in the cyber field.


Cracking into Culture: Infusing Cybersecurity into the Culture of our Research Enterprise at GTRI

Eric R. Scott, Georgia Tech Research Institute

The Georgia Tech Research Institute (GTRI) is leading the way in integrating robust cybersecurity practices into daily research operations. This presentation highlights GTRI's unconventional methods and targeted strategies for weaving cybersecurity into the fabric of their work, resulting in a cyber-centric culture that enhances research integrity and security.


The Next-Generation SOC

Christopher Crabtree, ManTech

The traditional tiered Security Operations Center (SOC) model, once a pragmatic solution for managing a high volume of security alerts, is no longer sufficient to counter the sophisticated campaigns of today's threat landscape. This model, which segments analysts by skill level, creates significant operational flaws, including a critical talent drain, crippling inefficiencies, and a dangerous lack of accountability.


At ManTech, we've developed and implemented a modern solution: the Cell-Based Security Operations Center (CBS). This model represents a fundamental departure from the tiered approach by organizing teams into specialized, function-based cells that are empowered with end-to-end ownership of investigations. By fostering deep expertise, promoting continuous collaboration, and adopting an agile, investigative paradigm, the CBS model mitigates the systemic failures of its predecessor; provides a more effective, resilient, and adaptable cyber defense posture; and creates an environment that develops human capital, giving personnel hands-on experience beyond the complexity assigned to tiers in a traditional SOC.


MITRE NERVE Incident and IR Lessons Learned

Roman Brozyna, MITRE Corporation

This presentation provides a walkthrough of a real-world incident involving an advanced adversary infiltration, focusing on the organizational lessons learned. While the technical details of the breach were previously made public, this overview emphasizes the event's relevance, the adaptations implemented since, and key takeaways that any organization can apply to improve its incident response plans and overall cybersecurity posture.


AI-Driven Incident Response: Friend or Foe?

Leidos

Artificial intelligence (AI) is rapidly transforming security teams' ability to detect, investigate, and respond to threats, promising faster, smarter responses. However, attackers are also leveraging these same technologies to evade defenses and accelerate their campaigns.

This panel will examine the double-edged sword of AI in incident response, emphasizing the importance of updating workflows, retraining staff, and building robust governance frameworks to prepare for AI integration. Attendees will gain valuable insights into the practical applications of AI, emerging risks, and the essential organizational steps needed to safely and effectively harness its power.

Partner Onboarding


How I Learned to Stop Worrying and Love Vulnerability Disclosure

John Repici, DC3 VDP

This presentation discusses successes and lessons learned from year one of the DIB-VDP program. Topics include narratives on ROI, vulnerabilities and impact, mitigations, vulnerability campaigns, and the demystification of many DIB-VDP misconceptions and concerns.

Threats


BYOVD

Matt Fleischer, DC3 DCISE

This DC3 DCISE brief examines increased use of the Bring Your Own Vulnerable Driver (BYOVD) technique by malicious actors, recent incidents in the Defense Industrial Base (DIB), emerging BYOVD malware threats, and possible mitigation strategies. Drawing on public and non-public information, it summarizes the prevalence and impact of BYOVD in the current threat landscape.
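The BYOVD problem for a detection team is that the abused driver is a genuine, validly signed vendor build, so signature checks pass and only a hash list or a path anomaly gives it away. The following is an added example, not DC3/DCISE tooling, of triaging driver-load telemetry with that in mind. It assumes records shaped like the fields Sysmon Event ID 6 (DriverLoad) emits (ImageLoaded, Hashes, Signed, Signature, SignatureStatus); the SHA-256 values, driver file names and the "known vulnerable" list are constructed placeholders, not real hashes.

```python
"""Triage of Windows driver-load telemetry for BYOVD activity.

Added example, not DC3/DCISE tooling. Records are constructed to carry the
fields Sysmon Event ID 6 (DriverLoad) emits. All SHA-256 values are
placeholders, not hashes of real drivers.
"""
from dataclasses import dataclass
from typing import Optional

# Stand-in for a curated hash list of signed-but-exploitable drivers (the
# Microsoft vulnerable driver blocklist and loldrivers.io publish such lists).
# Keys here are fake; a real list would also carry the authenticode hash.
KNOWN_VULNERABLE_SHA256 = {
    "a" * 64: "placeholder vulnerable driver (arbitrary kernel read/write IOCTL)",
}

# Where third-party drivers normally live on a Windows host (lowercased).
EXPECTED_DRIVER_DIRS = (
    "c:\\windows\\system32\\drivers\\",
    "c:\\windows\\system32\\driverstore\\",
)


@dataclass
class Finding:
    image: str
    severity: str   # "high" or "medium"
    reason: str


def parse_hashes(field: str) -> dict:
    """Turn Sysmon's 'SHA1=..,MD5=..,SHA256=..' field into {algo: hexdigest}."""
    out = {}
    for part in field.split(","):
        if "=" in part:
            algo, digest = part.split("=", 1)
            out[algo.strip().upper()] = digest.strip().lower()
    return out


def triage_driver_load(event: dict) -> Optional[Finding]:
    """Return a Finding for a suspicious load, or None for a benign one."""
    image = event.get("ImageLoaded", "")
    sha256 = parse_hashes(event.get("Hashes", "")).get("SHA256", "")
    signed = event.get("Signed", "").lower() == "true"
    sig_valid = event.get("SignatureStatus", "").lower() == "valid"

    # 1. The defining BYOVD case: signature checks pass because the driver is a
    #    genuine vendor build; only the hash list identifies it. Checked first,
    #    since such drivers are usually dropped into the normal driver directory.
    if sha256 in KNOWN_VULNERABLE_SHA256:
        return Finding(image, "high",
                       f"known vulnerable driver: {KNOWN_VULNERABLE_SHA256[sha256]}")

    # 2. With Driver Signature Enforcement on, an unsigned or invalidly signed
    #    driver should never load; if one did, enforcement was already bypassed.
    if not signed or not sig_valid:
        return Finding(image, "high", "driver loaded with unsigned or invalid signature")

    # 3. A validly signed driver staged outside the driver directories (temp,
    #    user profile, ProgramData) is how BYOVD tooling usually drops its copy.
    if not image.lower().startswith(EXPECTED_DRIVER_DIRS):
        return Finding(image, "medium", "signed driver loaded from an unusual path")

    return None


def triage_all(events: list) -> list:
    """Findings for every suspicious event, in input order."""
    return [f for f in (triage_driver_load(e) for e in events) if f is not None]


# Constructed sample telemetry (not real events).
SAMPLE_EVENTS = [
    {"ImageLoaded": "C:\\Windows\\System32\\drivers\\ksecdd.sys",
     "Hashes": "SHA256=" + "b" * 64, "Signed": "true",
     "Signature": "Microsoft Windows", "SignatureStatus": "Valid"},
    {"ImageLoaded": "C:\\Windows\\System32\\drivers\\vendordrv.sys",
     "Hashes": "SHA1=" + "1" * 40 + ",SHA256=" + "a" * 64, "Signed": "true",
     "Signature": "Example Vendor Co.", "SignatureStatus": "Valid"},
    {"ImageLoaded": "C:\\Users\\Public\\update.sys",
     "Hashes": "SHA256=" + "c" * 64, "Signed": "true",
     "Signature": "Example Vendor Co.", "SignatureStatus": "Valid"},
    {"ImageLoaded": "C:\\Windows\\Temp\\x.sys",
     "Hashes": "SHA256=" + "d" * 64, "Signed": "false",
     "Signature": "", "SignatureStatus": "Unavailable"},
]

if __name__ == "__main__":
    for finding in triage_all(SAMPLE_EVENTS):
        print(f"[{finding.severity}] {finding.image}: {finding.reason}")
```

Detection of this kind is a backstop: the second record is a valid, signed load that only a hash list catches, and by the time the event is logged the kernel has already executed the driver. The durable mitigation is to enforce the Microsoft vulnerable driver blocklist (through HVCI or a WDAC policy) so that load fails instead of being reported.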


DC3 DCISE Threat Brief

Brandon LoMonaco, DC3 DCISE

The DC3 DCISE threat brief covers recent and current threats to the DIB. Topics include DCISE reporting statistics, high severity CVEs, state-sponsored activity, and ransomware activity. The presentation uses non-public information, where available, to provide greater insight into the threat landscape.


SCRM & Reverse Engineering of Closed-Source COTS: Finding Undisclosed Vulnerabilities and Patching Them

Jason Pyeron, PD Inc.

The increasing importance of Supply Chain Risk Management (SCRM) necessitates forensic analysis of closed-source vendor software that processes Controlled Unclassified Information (CUI). In a recent engagement, a COTS tool used by DoD organizations to store and manage sensitive CUI was analyzed, revealing the use of the FIPS 46-3 algorithm (DES, withdrawn by NIST in 2005) and multiple suspected CVEs.

This presentation will detail the reverse-engineering steps used to identify the protection mechanism, assess the risk, and develop a safe hotfix/patch for customers. Focusing on methodology, the talk will cover binary analysis workflows, telemetry, and artifact sources for SCRM analysis; techniques for assessing the operational risk of legacy crypto; vendor coordination and responsible disclosure processes; and the remediation path. Finally, it will present a disclosure checklist and recommendations for policy changes to reduce similar risks across DoD/DIB deployments.


Hyperautomation and the Future of Cyber Incident Response: Speed, Context, & Resilience for the DIB

Patrick Greer and Christie Karrels, Trellix

Cyber incident response in the modern Defense Industrial Base (DIB) is increasingly challenged by adversaries exploiting both IT and OT environments, coupled with defender alert fatigue, talent shortages, and fragmented toolsets. This presentation explores the critical role of hyperautomation—the intelligent orchestration of detection, enrichment, and response across diverse systems—in maintaining mission assurance.

It will examine how defense contractors and agencies can leverage hyperautomation to close response gaps and achieve machine-speed containment. The evolving role of Network Detection and Response (NDR) as a central telemetry source will also be discussed, along with real-world examples of how partner ecosystems, open integrations, and data fusion can drastically reduce dwell time and improve overall resilience within complex, regulated environments.


DPRK IT Workers and Contagious Interview TTPs

Justin Hunt, DC3 OED

This brief will discuss North Korea’s use of IT workers as a global revenue and access vector. It will examine how these operatives conceal their identities, infiltrate legitimate companies, and use campaigns such as Contagious Interview to deliver malware through seemingly routine hiring processes. We will also highlight emerging techniques involving blockchain-based C2 and malicious code repositories, then close with concrete mitigations to help organizations identify, prevent, and respond to these evolving threats.
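In the hiring-process lure described above, the candidate is handed a repository to "run locally", and the payload is wired into a package-manager install hook so it executes before a single source file is opened. The following is an added example, not DC3 tooling, of a pre-install check a security team can hand to hiring managers and engineers: it scans a repository for npm lifecycle hooks and for the loader patterns (eval of decoded strings, hard-coded IP endpoints) such repositories typically carry. The repository contents are constructed in memory and the heuristics are assumptions, not a signature set.

```python
"""Pre-install scan of a 'coding assignment' repository for the delivery
pattern used in interview lures: an install-time package hook plus an
obfuscated loader that reaches out for a second stage.

Added example, not DC3 tooling. The repository is constructed in memory;
the heuristics are assumptions, not a signature set.
"""
import json
import re

# npm runs these scripts automatically during `npm install` (documented
# lifecycle hooks), before the candidate has read any of the code.
NPM_LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# (regex, label) pairs. Any single hit is a reason to stop and look.
SUSPICIOUS_JS = [
    (re.compile(r"\beval\s*\("), "eval of a runtime-built string"),
    (re.compile(r"new\s+Function\s*\("), "Function constructor"),
    (re.compile(r"Buffer\.from\([^)]*,\s*['\"]base64['\"]\)"), "base64 decode"),
    (re.compile(r"require\(\s*['\"]child_process['\"]\s*\)"), "spawns child processes"),
    (re.compile(r"['\"][0-9a-fA-F]{160,}['\"]"), "long hex blob"),
    (re.compile(r"https?://\d{1,3}(?:\.\d{1,3}){3}(?::\d+)?"), "hard-coded IP URL"),
]


def scan_package_json(text: str) -> list:
    """Flag every lifecycle hook; a take-home task has no business having one."""
    try:
        pkg = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"package.json unparseable: {exc}"]
    scripts = pkg.get("scripts", {})
    return [f"{hook} hook runs on install: {scripts[hook]!r}"
            for hook in NPM_LIFECYCLE_HOOKS if hook in scripts]


def scan_js(text: str) -> list:
    """Labels of every suspicious pattern present in one JavaScript source."""
    return [label for regex, label in SUSPICIOUS_JS if regex.search(text)]


def scan_repo(files: dict) -> dict:
    """Map each flagged path to its findings; clean files are omitted."""
    report = {}
    for path, text in files.items():
        name = path.rsplit("/", 1)[-1]
        if name == "package.json":
            hits = scan_package_json(text)
        elif name.endswith((".js", ".cjs", ".mjs")):
            hits = scan_js(text)
        else:
            continue
        if hits:
            report[path] = hits
    return report


# Constructed repository: a plausible take-home task with a poisoned install hook.
# The base64 string decodes to a harmless console.log; the IP is a documentation address.
SAMPLE_REPO = {
    "package.json": json.dumps({
        "name": "trading-dashboard-assignment",
        "scripts": {"start": "node src/app.js", "postinstall": "node lib/init.js"},
        "dependencies": {"express": "^4.19.0"},
    }),
    "src/app.js": "const express = require('express');\nconst app = express();\napp.listen(3000);\n",
    "lib/init.js": (
        "// 'telemetry' loader\n"
        "const p = Buffer.from('Y29uc29sZS5sb2coMSk=', 'base64').toString();\n"
        "eval(p);\n"
        "const cfg = 'http://198.51.100.23:1244/client';\n"
    ),
}

if __name__ == "__main__":
    for path, hits in scan_repo(SAMPLE_REPO).items():
        print(path)
        for hit in hits:
            print("  -", hit)
```

Run the scan on the checked-out tree before `npm install`, not after; the hook is the whole point of the lure. A clean result is not assurance, so the assignment still belongs in a disposable VM with no corporate credentials, SSH keys or wallet files on it.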

Tools


DCISE3+ Azure Firewall: Announcing the Latest Program Integration

John DiGerolamo, Celerium Inc.

The DCISE3 program is boosting DIB cyber defense with Celerium's new Azure Firewall integration. This delivers advanced traffic analysis and automated threat blocking within Azure Firewall, complementing existing leading hardware integrations. Given Azure’s critical role in protecting DIB organizations and their sensitive data, this presentation will offer an inside look at the new integration, including early adopter feedback and its impact on DIB security.


From Setup to Automation: Insights into OpenCTI and Proactive Threat Defense

Sarah Dlugolecki and Aluor Nyamor, GE Aerospace

Organizations today need robust, scalable solutions to manage and operationalize threat intelligence.

This presentation follows our journey implementing OpenCTI, an open-source Threat Intelligence Platform (TIP). Attendees will learn practical techniques for streamlining threat data collection, analysis, and dissemination. We will detail key lessons from the setup process, highlight the challenges faced, and share the solutions developed to integrate OpenCTI into our existing security ecosystem. The session will focus on automating the fidelity assessment of Indicators of Compromise (IOCs) and their deployment for proactive blocking and alerting. Participants will leave with actionable insights into the technical and operational steps involved in establishing a TIP, including specific strategies for automating IOC validation and deployment.
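"Fidelity assessment" before deployment comes down to two questions per indicator: is it safe to act on at all, and how much do we trust it today? The following is an added example, not GE Aerospace's pipeline, of that decision. It assumes indicators exported from a TIP such as OpenCTI in STIX 2.1 shape (pattern, confidence, created) plus the set of sources that reported each one; the validity checks reject non-routable and allowlisted values outright, the score decays confidence with age and weights it by corroboration, and thresholds route each indicator to a block feed, a detect-only feed, or a hold. The weights, half-life, thresholds and sample records are constructed assumptions to be tuned against local history.

```python
"""IOC fidelity scoring and routing into block/alert feeds.

Added example, not GE Aerospace's pipeline. Inputs are constructed STIX 2.1
style indicators with a sources list; weights, half-life and thresholds are
assumptions.
"""
import ipaddress
import re
from datetime import datetime, timedelta, timezone

BLOCK_SCORE = 70.0     # >= : push to enforcement (firewall or EDR)
ALERT_SCORE = 40.0     # >= : detect-only rule
HALF_LIFE_DAYS = 30.0  # score halves for every 30 days of indicator age

# Non-routable space: a feed entry here is noise or a poisoning attempt.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]
# Own assets must never reach a blocklist. 203.0.113.0/24 (a documentation
# range) stands in for the organisation's public space.
ALLOWLIST_NETS = [ipaddress.ip_network("203.0.113.0/24")]
ALLOWLIST_DOMAINS = ("example.com",)

PATTERN_RE = re.compile(
    r"\[(ipv4-addr:value|domain-name:value|file:hashes\.'SHA-256')\s*=\s*'([^']+)'\]")
KIND = {"ipv4-addr:value": "ipv4", "domain-name:value": "domain",
        "file:hashes.'SHA-256'": "sha256"}


def parse_pattern(pattern: str):
    """(kind, value) from a single-comparison STIX pattern, else (None, None)."""
    m = PATTERN_RE.fullmatch(pattern.strip())
    return (KIND[m.group(1)], m.group(2).lower()) if m else (None, None)


def validate(kind, value):
    """Rejection reason, or None when the value is safe to deploy."""
    if kind == "ipv4":
        try:
            ip = ipaddress.ip_address(value)
        except ValueError:
            return "unparseable address"
        if ip.version != 4 or any(ip in n for n in NON_ROUTABLE):
            return "non-routable address"
        if any(ip in n for n in ALLOWLIST_NETS):
            return "allowlisted range"
    elif kind == "domain":
        if "." not in value:
            return "bare label"
        if any(value == d or value.endswith("." + d) for d in ALLOWLIST_DOMAINS):
            return "allowlisted domain"
    elif kind == "sha256":
        if not re.fullmatch(r"[0-9a-f]{64}", value):
            return "malformed hash"
    else:
        return "unsupported pattern"
    return None


def fidelity_score(ind: dict, now: datetime) -> float:
    """Source confidence, decayed by age and weighted by corroboration."""
    created = datetime.fromisoformat(ind["created"].replace("Z", "+00:00"))
    age_days = max((now - created).total_seconds() / 86400.0, 0.0)
    decay = 0.5 ** (age_days / HALF_LIFE_DAYS)
    corroboration = min(len(set(ind.get("sources", []))), 3) / 3.0  # saturates at 3 sources
    return ind["confidence"] * decay * (0.6 + 0.4 * corroboration)


def decide(ind: dict, now: datetime) -> dict:
    """Validate first, then score; hashes go to EDR, network IOCs to the firewall."""
    kind, value = parse_pattern(ind["pattern"])
    reason = validate(kind, value)
    if reason:
        return {"value": value or ind["pattern"], "tier": "reject", "reason": reason}
    score = fidelity_score(ind, now)
    tier = "block" if score >= BLOCK_SCORE else "alert" if score >= ALERT_SCORE else "hold"
    return {"value": value, "kind": kind, "score": round(score, 1), "tier": tier,
            "destination": "edr" if kind == "sha256" else "firewall"}


def route(indicators: list, now: datetime) -> dict:
    """Group decisions by tier so each feed can be rendered for its consumer."""
    out = {"block": [], "alert": [], "hold": [], "reject": []}
    for ind in indicators:
        d = decide(ind, now)
        out[d["tier"]].append(d)
    return out


# Constructed sample export; 198.51.100.0/24 and example.net stand in for attacker space.
NOW = datetime(2025, 11, 18, tzinfo=timezone.utc)
def _iso(days_ago): return (NOW - timedelta(days=days_ago)).isoformat().replace("+00:00", "Z")

SAMPLE_INDICATORS = [
    {"pattern": "[ipv4-addr:value = '198.51.100.7']", "confidence": 90,
     "created": _iso(0), "sources": ["feed-a", "feed-b", "isac"]},        # fresh, corroborated
    {"pattern": "[domain-name:value = 'update-check.example.net']", "confidence": 90,
     "created": _iso(0), "sources": ["feed-a"]},                           # single source
    {"pattern": "[file:hashes.'SHA-256' = '" + "0123456789abcdef" * 4 + "']",
     "confidence": 100, "created": _iso(0), "sources": ["feed-a", "feed-b", "sandbox"]},
    {"pattern": "[ipv4-addr:value = '198.51.100.9']", "confidence": 90,
     "created": _iso(60), "sources": ["feed-a", "feed-b", "isac"]},       # two half-lives old
    {"pattern": "[ipv4-addr:value = '10.0.0.5']", "confidence": 95,
     "created": _iso(0), "sources": ["feed-c"]},                           # RFC 1918
    {"pattern": "[domain-name:value = 'login.example.com']", "confidence": 95,
     "created": _iso(0), "sources": ["feed-c"]},                           # own domain
]
```

The ordering matters: validation runs before scoring, so a high-confidence feed entry for an internal address or the organisation's own login domain is rejected rather than out-scored, which is the failure mode that turns an automated blocklist into a self-inflicted outage. The single-source domain lands in the alert tier despite a confidence of 90, and the 60-day-old address drops to a hold; both are deliberate, and the block feed should be regenerated from the TIP on a schedule so that aging does the expiry work.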