2026 Speaker – Denis Legezo

DIY CTI: You don't have to wait for vendors all the time to get fresh IoCs

Speaker card with photo of Denis Legezo and the text 'I'm speaking on Track 2, Sat 13th June'

Track 2 – 10:50am

Denis Legezo – Cyberproof, Senior threat hunter

Bio

Denis Legezo is a security researcher focused on threat intelligence, threat hunting, and reverse engineering. He spent nine years with Kaspersky GReAT and then three years as a security researcher at Yandex before joining CyberProof. Based in London, he now focuses on defensive security research and engineering, with a strong emphasis on threat-hunting-driven development.

Talk Abstract

Commercial CTI feeds and reports are great at telling you what everyone already knows. But how far can you get if you treat them as just one more data source and build your own hunting pipeline on top?

In this talk I’ll show how to go from VirusTotal IoC streams and TI reports to a lightweight “DIY CTI” stack that actually surfaces things your vendors haven’t published yet. The core idea is simple: combine external data (VT IoC Stream, Feedly IoC extracts) with your internal telemetry, then use an intermediate subset database as the hunting arena.

I’ll walk through a real example where, over two evenings, I found several previously unreported domains for an APT actor by cross‑referencing VT ITW domains and actor‑tagged reports against local telemetry. The implementation is intentionally straightforward:

– Sources: VT IoC Stream, Feedly, etc.
– Enrichers: ITW domains by file hash, actors by domain, Whois/creation dates, etc.
– Outputs: a CSV/SQLite subset that KQL/SPL queries in your SIEM can hit directly

We’ll look at the Python pipeline architecture (sources, enrichers, outputs) and the config design for adding new feeds cheaply. The emphasis is on “good enough to run at home or in a small team”, not on recreating a full vendor platform.

Participants will learn:
– a reusable pattern for treating CTI feeds as raw material
– a working example of intermediate‑DB‑driven hunting that speeds up daily work
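
The following is an added illustration of the sources → enrichers → subset-DB → hunt-query pattern described in the abstract. It is not the speaker's code and not the pipeline shown in the talk; every feed record, enrichment table, actor name (APT-X) and DNS log line in it is constructed inline to stand in for VT IoC Stream output, Feedly report extracts, whois lookups and a SIEM export, so it runs offline with no API keys. The "unreported" domains it surfaces are those tied to the actor only through the VT in-the-wild pivot (never named in a report), registered recently, and actually resolved in local telemetry.

```python
"""Toy DIY CTI pipeline: sources -> enrichers -> SQLite subset -> hunt query.
Added example; all data below is CONSTRUCTED (assumption), not real feed output."""
import csv
import io
import sqlite3

# Config: adding a feed or enricher is one list entry (assumed layout, not the talk's).
CONFIG = {
    "sources": ["vt_ioc_stream", "feedly_reports"],
    "enrichers": ["itw_domains_by_hash", "actor_by_domain", "whois_created"],
}

# Constructed source records standing in for VT IoC Stream file-hash hits.
VT_IOC_STREAM = [
    {"sha256": "a" * 64, "tags": ["APT-X"]},
    {"sha256": "b" * 64, "tags": ["APT-X"]},
    {"sha256": "c" * 64, "tags": ["commodity"]},
]
# Constructed actor-tagged domains extracted from TI reports (what vendors published).
FEEDLY_REPORTS = [
    {"actor": "APT-X", "domain": "update-cdn.example"},
    {"actor": "APT-X", "domain": "mail-sync.example"},
]
# Constructed enrichment tables standing in for VT "ITW domains by hash" and whois lookups.
ITW_BY_HASH = {
    "a" * 64: ["update-cdn.example", "cdn-static.example"],
    "b" * 64: ["cdn-static.example", "api-relay.example"],
    "c" * 64: ["adtracker.example"],
}
WHOIS_CREATED = {
    "update-cdn.example": "2024-11-02", "cdn-static.example": "2024-11-03",
    "api-relay.example": "2024-11-03", "mail-sync.example": "2024-10-30",
    "adtracker.example": "2019-05-01",
}
# Constructed local telemetry: a DNS log export, one "ts,host,qname" record per line.
DNS_LOG = """2025-01-10T09:12:01Z,ws-042,cdn-static.example
2025-01-10T09:13:40Z,ws-042,api-relay.example
2025-01-10T11:02:15Z,ws-017,adtracker.example
2025-01-11T08:45:00Z,ws-042,update-cdn.example"""


def build_subset_db(actor):
    """Run sources + enrichers for one actor and persist the subset to SQLite (in-memory here)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
      CREATE TABLE domains(domain TEXT PRIMARY KEY, actor TEXT, origin TEXT, created TEXT);
      CREATE TABLE dns_log(ts TEXT, host TEXT, qname TEXT);
    """)
    # Report-derived domains go in first, so they keep origin='report' (already published).
    for r in FEEDLY_REPORTS:
        if r["actor"] == actor:
            db.execute("INSERT OR IGNORE INTO domains VALUES (?,?,?,?)",
                       (r["domain"], actor, "report", WHOIS_CREATED.get(r["domain"])))
    # ITW pivot: domains that served actor-tagged hashes; INSERT OR IGNORE keeps report origin.
    for rec in VT_IOC_STREAM:
        if actor in rec["tags"]:
            for d in ITW_BY_HASH.get(rec["sha256"], []):
                db.execute("INSERT OR IGNORE INTO domains VALUES (?,?,?,?)",
                           (d, actor, "vt_itw", WHOIS_CREATED.get(d)))
    # Local telemetry loaded beside the subset so the hunt is a single join.
    db.executemany("INSERT INTO dns_log VALUES (?,?,?)",
                   [tuple(line.split(",")) for line in DNS_LOG.splitlines()])
    db.commit()
    return db


def hunt_unreported(db, actor, newer_than):
    """Domains linked to the actor only via the ITW pivot, registered after `newer_than`
    (ISO date string, so lexical comparison works), and seen in local DNS telemetry."""
    return db.execute("""
      SELECT d.domain, d.created, COUNT(l.qname) AS hits, MIN(l.ts) AS first_seen
      FROM domains d JOIN dns_log l ON l.qname = d.domain
      WHERE d.actor = ? AND d.origin = 'vt_itw' AND d.created > ?
      GROUP BY d.domain ORDER BY first_seen
    """, (actor, newer_than)).fetchall()


def export_csv(db):
    """Flat CSV of the subset, the form a SIEM lookup (KQL/SPL) can consume directly."""
    buf = io.StringIO()
    w = csv.writer(buf, lineterminator="\n")
    w.writerow(["domain", "actor", "origin", "created"])
    w.writerows(db.execute("SELECT domain, actor, origin, created FROM domains ORDER BY domain"))
    return buf.getvalue()


if __name__ == "__main__":
    db = build_subset_db("APT-X")
    for domain, created, hits, first_seen in hunt_unreported(db, "APT-X", "2024-01-01"):
        print(f"candidate {domain} (created {created}) hits={hits} first_seen={first_seen}")
    print(export_csv(db))
```

With the constructed data, the two ITW-only domains registered in the same week as the published infrastructure and resolved by the same host are returned as candidates, while the report-listed domain and the commodity-malware domain are not. The join and the whois threshold are the part worth keeping; swap the constructed dicts for real API calls behind the same function names.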

Intended Audience

The talk is aimed at threat hunters, CTI analysts and security engineers who are comfortable with basic scripting and want to go beyond “consume the feed” towards “challenge the feed”.

How NSFW is this talk?

(How spicy is your talk in chillies?)

No such content
