This article summarizes the workshops and lightning talks presented at JSAC2025, following a discussion of the Day 2 Main Track.
Handling Threat Intelligence: Techniques of Consuming and Creating Threat Intelligence
Presented by Tomohisa Ishikawa, Tatsuya Daitoku, and Hiroyuki Tomiyama from Tokio Marine Holdings, this workshop covered the fundamentals and applications of threat intelligence. They defined threats in terms of intent, capability, and opportunity, and outlined two main perspectives of intelligence: data format and process. Key attributes for effective threat intelligence were highlighted, including accuracy, audience focus, actionability, and timeliness.
The workshop provided practical insights on Tactical and Operational Intelligence. The use of Tactical Intelligence in Security Operations Centers (SOCs) was emphasized, with the speakers detailing the lifecycle from data gathering (using OSINT and SIGINT) to applying and disseminating YARA and SIGMA rules for threat prevention. The speakers also discussed the limitations of Indicators of Compromise (IoCs), noting their short validity periods and the need for automation in processing these indicators.
In the Operational Intelligence section, they advised on understanding attacker profiles through the MITRE ATT&CK framework to structure defensive strategies. They introduced a systematic threat analysis process and emphasized the importance of hypothesis-driven threat hunting to uncover sophisticated threats.
Malware Config Extraction at Scale
Michał Praszmo from CERT Polska demonstrated tools developed for automated malware analysis. He introduced MWDB, a scalable malware repository, and discussed the malduck library for malware analysis aided by YARA rules. The workshop culminated in a hands-on session that allowed participants to explore real-world scenarios using MWDB and related tools like Karton, a distributed malware processing framework.
Analyzing Malware Anti-Analysis Features Using IDA and Ghidra Plugin
Takahiro Takeda showcased AntiDebugSeeker, a tool designed to automatically identify anti-debugging features in malware. He outlined how it helps analysts continue their work without interruption by extracting relevant API features and identifying other anti-debugging methods. A hands-on demonstration illustrated its application on real malware samples.
MITRE ATT&CK Utilization Tools by Multiple LLM Agents and RAG
Atsushi Sada discussed disarmBot, a tool that employs large language models (LLMs) to enhance cybersecurity incident response. The framework, built on Microsoft’s AutoGen, integrates multiple AI agents to provide the perspectives of both attackers and defenders while utilizing the MITRE ATT&CK principles. Key components such as Retrieval-Augmented Generation (RAG) were explained, and the importance of responsible use in cybersecurity practices was emphasized.
A Story of Collaboration in Cybersecurity Field Between Japan and Spain
Masato Ikegami and Josep Albors highlighted cyber attack trends in both Japan and Spain, drawing attention to the shared experiences of cyber threats like Emotet. They emphasized the importance of international cooperation, particularly through threat intelligence sharing, and referenced a collaboration agreement between JPCERT/CC and INCIBE.
Awards at JSAC 2025
JSAC 2025 recognized outstanding presenters with the Excellent Presentation Award and Special Recognition Award. Yusuke Niwa and his team received the former for their practical insights on cybersecurity investigations. The Special Recognition Award was given to a team from Mizuho Financial Group for their unique perspectives on phishing attacks. Shuhei Sasada was inducted into the Hall of Fame for 2025, honored for his consistent contributions to the event.
In conclusion, the sessions at JSAC2025 showcased a variety of topics aimed at enhancing cybersecurity awareness and collaboration, reinforcing the importance of shared knowledge in combating cyber threats. The contributions of speakers and participants reflect a growing commitment to evolving security practices.