Friday 21st November
8.00pm – Social, Mashed Brewhouse
17 Bridge Street, Aberystwyth
Saturday 22nd November
9.45 – Coffee & Tea
10.00 – Welcome
10.10 – Hidden Threats at Home: Technology-Facilitated Domestic Abuse
Speaker: Josh Roberts, DEWIS Choice
This session uncovers how common digital tools — such as smartphones, smart home devices, and social media — can be misused to monitor, control, or intimidate partners and family members. The talk will explore real stories, research findings, and the growing impact of technology on experiences of domestic abuse.
10.30 – Aberystwyth to Analyst: My Cybersecurity Eras
Speaker: Emma Pitt
Cybersecurity is often seen as a field that demands a focussed career path or early specialisation, with highly technical knowledge. In reality, the most valuable skills often come from unexpected places.
In this talk, I will share my own journey, from studying my undergrad in Internet Computing at University of Wales, Aberystwyth (yes, showing my age!), through a career in Digital Marketing, pivoting into Policing with specialism in OSINT, Digital Forensics and Cybercrime investigation, and finally into my current position in Cyber Incident Response at a global professional services firm.
Using a storytelling framework inspired by Taylor Swift’s constant reinvention of herself and her ‘Eras’, I will explore four distinct chapters of my professional life:
Debut Era: Aber – where I learnt collaboration, independence, and plenty from my mistakes!
Speak Now Era: Digital Marketing – how I honed skills in online communication, persuasion, and tracking people’s behaviour pre-GDPR (which, in hindsight, sounds suspiciously like phishing…).
Reputation Era: Policing and Cybercrime – my experience of OSINT investigations, the challenges of cybercrime in law enforcement, and the mistakes cyber criminals made that led to prosecutions!
Red Blue (Emma’s Version): My current role in incident response, applying my knowledge and lessons from all previous eras to high-stakes incidents, and where I’m building the next stage of my career.
10.50 – More Coffee & Tea
11.10 – AI-powered scammers: four new-ish types of threat
Speaker: Hannah Dee
At the heart of information security is the concept of trust. Is this person the person they claim to be? Is this server safe? Is this connection trustworthy? Generative AI (GenAI) makes all of these questions harder to answer. This talk will introduce four ways in which GenAI could enable threat actors to scam or hack you, your friends, and your families.
Improvements in style and grammar: Phishing will become more plausible. We’ll no longer be able to tell people to look out for typos and grammatical errors as a clue to fraud; emails which look like they come from your bank will be much easier to generate.
Lowering the bar for threat actors: Code generation means that ‘script kiddie’ tools which once took a modicum of tech knowledge are accessible to threat actors with no skills whatsoever. Yes, there are ‘guardrails’ built into popular LLMs to limit nefarious usage; however, they are easy enough to circumvent.
Personalisation of attacks: Targeted attacks will become more common, as AI is used to tailor attacks to individuals and to companies. Deepfakes will extend impersonation from the corporate (“this email looks like it came from my bank”) to the personal (“this phone call sounds like my daughter”).
Your ‘own’ AI might get exploited: AI enabled tools (virtual assistants, AI enabled browsers) provide a whole new attack surface. Vulnerabilities have emerged already with AI enabled browsers interpreting text as instructions (‘ignore all previous instructions and do…’) based on malicious text in webpages, and in calendar invites.
What’s next?
What can we do? We as information professionals often have a healthy paranoia about communications. However, we need to engender that in our broader social circle. I’ll finish by making some suggestions of ways we might be able to encourage skepticism in others.
11.30 – Using OWASP Juice Shop to learn web app pen testing
Speaker: Aidan Hammond
We explore why it’s so great for beginners and my own experience with a vulnerable web application.
11.45 – A $3 Rubber Duck!
Speaker: Thiago Gentles
12.00 – Keynote: Welcome to the Ark Side
Speaker: James John
A real, compelling case study where an unknown ransomware actor’s last-minute pivot revealed an entirely different threat group orchestrating the attack. This talk demonstrates how threat hunting analytics and infrastructure tracking techniques uncovered the deception, providing attendees with practical detection engineering methods and actionable insights for identifying threat actor misdirection in their own environments.
12.30 – Forage in Aberystwyth for Lunch
1.30 – Keynote: Poking at Risk
Speaker: James Bore
We talk far too easily about risk being simply likelihood x impact. Even when looking at quantitative models, they focus more on the mathematics and Monte Carlo simulations than the concepts. Risk isn’t that simple – there are different incompatible models, a swathe of metaphors, and a lot of assumptions in our attempts to deal with uncertainty – and which one we choose shapes how we address them.
This deep dive will poke at those assumptions, and expand everyone’s toolkit. We’ll look at different ways of understanding and modelling risk: proximity, velocity, controllability, exposure, and perceived risk. At the same time we’ll look at deeper concepts like Knightian uncertainty, moral hazard, and asymmetric risk. All of them will be anchored to a poker metaphor, tying them to a simple, concrete model of how they interact and where differing scenarios should be approached with different plays.
The aim isn’t to target existing models, but to provide the audience with a wider understanding of the tools available – the different lenses we can use when modelling risk in real-world situations of all kinds. For anyone who’s looked at a risk heatmap and thought “this isn’t right” this session will explain why, and offer better tools for thinking about risk.
2.00 – Please Mind the Gap: A Holistic Threat-Driven Approach to Closing Detection Blind Spots
Speaker: Louise Horn
Detection creation is too often a tick-box exercise or a detection per MITRE technique. This traditional method focuses too much on detecting as soon as possible or everything possible, rather than as effectively as possible. Threat-led holistic detection creation can provide a template of potential attack vectors, even in a limited form. Concentrating on choke points and high-frequency techniques can balance early detection with a higher probability of detection. The talk is not cutting-edge research; it is simply existing ideas compiled and applied against the ever-present backdrop of internal capability, availability, and business demand.
Covering:
– Traditional detection coverage and why to align to MITRE ATT&CK
– Unified kill chain and why it improves upon the cyber kill chain
– Why it is crucial to apply organisation/industry-aligned threat intel
– Less can sometimes be more with detections
– Defining assumptions and limitations of detections
– Reviewing the capability and capacity to create/deploy detections
– Why environmental vulnerabilities and bottlenecks should not be ignored
2.20 – Introduction to Geometric Representation of Signals
Speaker: Chris Bore
Based on Shannon’s few paragraphs of Communication in the Presence of Noise (where he introduces the Sampling Theorem) but with the far more interesting, and usually neglected, idea of spatial reasoning applied to signals: specifically in this talk related to vector/matrix analysis (and more importantly intuitive insights...) into threat and risk analysis in cyber security, by leveraging the innate natural human ability to think in multidimensional space.
2.40 – Tea & Coffee
3.00 – How do Cyber Attacks on Large Corporations and CNI affect us?
Speaker: Soumiya Arulselven
There is an inherent risk of cyber attacks that is currently evolving and ever increasing in this modern age of technology. In this rising threat, all large conglomerates and CNI have become a growing target and in particular the public is put at a greater risk. Millions of us depend on CNI such as the NHS and corporations such as M&S. If these organisations are hit it can impact our daily lives significantly; not only do we lose their services but our personal data can be put at risk too. But not through any fault of our own.
I dive into two case studies from 2017 covering the WannaCry attack on the NHS and the NotPetya attack on A.P. Møller-Maersk and how it was so simple to protect us and them from major disruptions; yet the impact was widespread due to a lack of preparation and planning.
Comparing what measures should have taken place beforehand and what changes companies and governments have chosen to implement after these attacks is imperative to protect us in the future.
Based on relevant and openly available information closer to the time, it can also be helpful to look into the 2025 attacks on M&S and JLR, which have faced severe losses this year, looking into whether anything has changed since 2017.
3.20 – AI vs rights: What rights do individuals have if their personal information is used to train AI?
Speaker: Megan Talbot
The GDPR 2016/679 grants individuals rights over how their personally identifiable information may be used, including the right to rectification and the right to erasure (also sometimes called the right to be forgotten). However, Large Language Models represent an unusual set of challenges for these rights, as these models “learn” from data without actually storing it within them. This paper explores the extent to which rights may exist over personally identifiable information used as training data, and what, if anything, can be done if one’s data is used in such a model without their permission.
3.40 – Pub or Home
All Day Saturday Workshops
Curious about how a penetration tester tests a website?
Vic Harkness
Come along to this workshop to learn the basics of using Burp Suite, a tool commonly used within the industry. If you have your own laptop with you, I’ll help you get up and running with Burp Suite on your device. Don’t have a laptop with you? No worries, I’ll run you through the basics on my own device. Generally interested in learning more about penetration testing/security consulting as a career? I’m happy to chat about my career journey.
Protecting your devices
Iestyn Langstaff
People’s smartphones can provide access to confidential data about them, emails, money and credit cards. They are incredibly useful and versatile but this is the reason that they can be dangerous.
This workshop looks at Android devices. We will look at how to check your device for vulnerabilities, how to check for viruses, how to ensure that the device is locked safely, and how to safely surf the web and keep yourself safe.
Lock picking, chat and chill
BSides Lock Picking Crew
Probably the best thing you will ever do with a lock and a lock pick
Times and the order are subject to change