
Proactive Defense Against Cyber Operations by China and Russia (CTI & External Hunt & Detection) – 28.5.2026

This workshop combines cyber threat intelligence (CTI) with practical external threat hunting (External Hunt) to enrich the intelligence and then apply it in detection engineering (Detection) to prevent potential attacks. Participants will first gain an overview of Russian and Chinese cyber operations through an analysis of selected APT groups, their motivations, and their tactics, techniques, and procedures (TTPs), and will learn the basics of attack attribution using frameworks such as MITRE ATT&CK and the Diamond Model. They will then move on to practical exercises focused on actively searching for adversary infrastructure (External Hunt) using tools for internet-wide scanning, fingerprinting, and pivoting techniques. Finally, they will use the intelligence gathered for detection engineering and create their own detection rules (Detection). The workshop thus provides a comprehensive overview of the activities of state-sponsored actors and equips participants with the analytical and practical skills needed to detect and track them.

Detailed description

Part #1 – Cyber Operations by China and Russia: Analysis of APT Actors and the Basics of Attribution (Trained by Cybule.cz)

The first part of the workshop focuses on cyber operations conducted by the Russian Federation and the People’s Republic of China, examined through an analysis of two selected APT groups. Participants will gain an overview of these groups’ motivations, typical targets, and the tactics, techniques, and procedures (TTPs) they employ, based on specific case studies. Emphasis will be placed on understanding the broader geopolitical context of their activities. The workshop will also include an introduction to the attribution of cyberattacks using analytical frameworks such as MITRE ATT&CK, the Diamond Model, the Cyber Kill Chain, and the Analysis of Competing Hypotheses (ACH) method. In the practical part of the seminar, participants will practise identifying indicators of compromise (IOCs) and mapping them to the individual phases of an attack.

Part #2 – External Threat Hunting – Unmasking Adversary Infrastructure (Trained by DCG420.org)

In the second part of the workshop, you will delve into the proactive discipline of external threat hunting, which focuses on identifying and monitoring adversary infrastructure before it is used in an attack. Participants will learn to use tools for scanning the entire internet and specialized techniques to detect command-and-control (C2) servers, phishing sites, and other malicious assets associated with sophisticated threat actors, particularly those attributed to nation-state operations from China and Russia. We will examine key artifacts and pivoting techniques used to map attackers’ networks and understand their operational methodologies. 

We will cover the basic use of free versions of tools such as Shodan, Censys, and FOFA, and introduce critical fingerprinting concepts such as JARM. A structured methodology for conducting external hunts will be presented, culminating in a guided use case simulating the tracking of infrastructure potentially linked to Chinese or Russian actors from the first part of the workshop. Participants will leave with actionable techniques and a proactive mindset for external threat hunting.  

Part #3 – Forge Your Detection Against Advanced Threats (Trained by DCG420.org)

In the final part of the workshop, we will focus on creating detection rules to counter potential attacks by APT groups. For this we will use the open-source tool Hefaistos.org, a detection workbench that replaces static documentation with a visual graph engine. It streamlines security engineering through a Git-native "Detection-as-Code" workflow, automatically converting visual capability maps into valid Sigma rules. Assisted by AI and fully integrated with MITRE ATT&CK, D3FEND and ENGAGE, it allows security teams to design, automate, and scale their defence logic visually.
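The hand-off between Part #2 and Part #3, pivoting from one seed indicator across shared TLS artefacts and then turning the resulting cluster into a Sigma rule, is easier to picture in code. The block below is an added illustration written for this page; it is not workshop material and not Hefaistos.org code. All scan records, JARM labels (`JARM_A`, `JARM_COMMON`) and certificate hashes (`CERT_1`, …) are constructed placeholders, and the IPs come from the RFC 5737 documentation ranges. It also carries the caveat the hunt methodology depends on: a fingerprint shared by too many hosts (the JARM of a popular TLS stack, for instance) is not evidence of common ownership and must not be followed.

```python
"""External-hunt pivoting over scan records, then a Sigma rule from the result.

Added illustration (not workshop material). Scan records, JARM labels and
certificate hashes are constructed placeholders; IPs are RFC 5737 ranges.
"""
from collections import defaultdict

# Attributes worth pivoting on: the JARM TLS fingerprint and the server
# certificate hash, both typically exposed by Shodan/Censys/FOFA records.
PIVOT_KEYS = ("jarm", "cert_sha256")

# Constructed sample records in a simplified Censys/Shodan-like shape.
SCAN_RECORDS = [
    {"ip": "203.0.113.10", "port": 443,  "jarm": "JARM_A", "cert_sha256": "CERT_1", "server": "nginx"},
    {"ip": "203.0.113.11", "port": 443,  "jarm": "JARM_A", "cert_sha256": "CERT_1", "server": "nginx"},
    {"ip": "198.51.100.7", "port": 8443, "jarm": "JARM_A", "cert_sha256": "CERT_2", "server": "nginx"},
    # Reuses CERT_2 but runs a stock TLS stack whose JARM many unrelated hosts share.
    {"ip": "198.51.100.8", "port": 443,  "jarm": "JARM_COMMON", "cert_sha256": "CERT_2", "server": "Apache"},
] + [
    # Unrelated hosts that merely share the common JARM (think: a popular CDN or load balancer).
    {"ip": f"192.0.2.{n}", "port": 443, "jarm": "JARM_COMMON", "cert_sha256": f"CERT_{n}", "server": "cloud-lb"}
    for n in range(50, 55)
]


def build_index(records):
    """Map each (attribute, value) pair to the set of IPs exposing it."""
    index = defaultdict(set)
    for rec in records:
        for key in PIVOT_KEYS:
            index[(key, rec[key])].add(rec["ip"])
    return index


def pivot(records, seed_ip, max_hops=3, max_share=3):
    """Breadth-first pivot from one seed IOC across shared JARM / certificate values.

    A pivot value shared by more than `max_share` hosts is treated as too generic
    to indicate common ownership and is recorded in `skipped` instead of followed.
    Returns (set of clustered IPs, set of skipped (key, value) pairs).
    """
    index = build_index(records)
    by_ip = defaultdict(list)
    for rec in records:
        by_ip[rec["ip"]].append(rec)

    found, frontier, skipped = {seed_ip}, {seed_ip}, set()
    for _ in range(max_hops):
        next_frontier = set()
        for ip in frontier:
            for rec in by_ip[ip]:
                for key in PIVOT_KEYS:
                    pair = (key, rec[key])
                    peers = index[pair]
                    if len(peers) > max_share:
                        skipped.add(pair)  # too common to be a meaningful link
                        continue
                    for peer in peers - found:
                        found.add(peer)
                        next_frontier.add(peer)
        if not next_frontier:
            break
        frontier = next_frontier
    return found, skipped


def build_sigma_rule(ips, title="Outbound connection to clustered suspect infrastructure"):
    """Turn the hunt result into a Sigma rule over Windows network-connection
    events (the Sysmon event ID 3 logsource), the hunt-to-detection hand-off."""
    return {
        "title": title,
        "status": "experimental",
        "description": "Constructed example: destination IPs clustered by an external-hunt pivot.",
        "logsource": {"category": "network_connection", "product": "windows"},
        "detection": {
            "selection": {"DestinationIp": sorted(ips)},
            "condition": "selection",
        },
        "falsepositives": ["Shared hosting or CDN ranges; validate every IP before deployment"],
        "level": "high",
        "tags": ["attack.command_and_control"],
    }


def render_yaml(value, indent=0):
    """Tiny YAML serialiser sufficient for the rule above (no PyYAML dependency)."""
    pad = "  " * indent
    lines = []
    if isinstance(value, dict):
        for key, item in value.items():
            if isinstance(item, (dict, list)):
                lines.append(f"{pad}{key}:")
                lines.extend(render_yaml(item, indent + 1))
            else:
                lines.append(f"{pad}{key}: {item}")
    else:  # list of scalars
        for item in value:
            lines.append(f"{pad}- {item}")
    return lines


if __name__ == "__main__":
    cluster, generic = pivot(SCAN_RECORDS, "203.0.113.10")
    print("clustered:", sorted(cluster))
    print("skipped as too generic:", sorted(generic))
    print("\n".join(render_yaml(build_sigma_rule(cluster))))
```

Starting from the single seed `203.0.113.10`, the pivot reaches `203.0.113.11` and `198.51.100.7` through the shared JARM and certificate, then `198.51.100.8` through certificate reuse, and stops there: `JARM_COMMON` is shared by six hosts, so it is reported as skipped rather than used to drag the five unrelated `192.0.2.x` hosts into the rule. Raising `max_share` shows how quickly a generic fingerprint inflates the cluster, which is exactly the kind of false positive a detection engineer wants to catch before a rule reaches production.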


Organizational information


Schedule

8:30 – Registration

9:00 – Welcome

9:10 – 12:00 – Part #1 – Cyber Operations by China and Russia: Analysis of APT Actors and the Basics of Attribution

10:30 – 10:45 – Coffee break

12:00 – 13:00 – Lunch break

13:00 – 14:30 – Part #2 – External Threat Hunting – Unmasking Adversary Infrastructure

14:30 – 14:45 – Coffee break

14:45 – 16:00 – Part #3 – Forge Your Detection Against Advanced Threats

16:00 – Closing remarks

The workshop begins at 9:00 a.m. (We have a jam-packed schedule, so please be on time) 


Q&A


This workshop is primarily designed for:
  • SOC analysts
  • CTI specialists
  • CSIRT members
  • Threat hunters
  • Detection engineers

This workshop is designed for security enthusiasts who wish to gain a basic understanding of Cyber Threat Intelligence (CTI) methodology and subsequently apply it in practice to prevent attacks. Particular emphasis is placed on the application of structured analytical techniques in the context of advanced cyber threats.

Knowledge prerequisites:
  • Basic knowledge of CTI (cyber threat intelligence) terminology and concepts.
  • Basic understanding of networking (TCP/IP, DNS, TLS/SSL).
  • Basic understanding of concepts and tools such as SIEM, antivirus, IDS/IPS, EDR, etc.
  • Basic understanding of detection engineering.

Pre-course requirements:
  • Lab preparation.

What you’ll take away from this course:
  • Access to the Discord group.
  • Digital version of the course materials.
  • Hefaistos.org access.

Snacks and lunch

Snacks and lunch will be available for purchase at the workshop venue. Food and drinks are not provided free of charge.

Registration


The training is FREE.

The training is open to adults only.

The training is held in Czech.

If a participant fails to attend the training without providing a valid excuse at least 48 hours before the start of the session, a fee of 100 EUR will be charged.


Register here.


Any questions? Feel free to ask.

