9:00 am - 9:15 am ET | Track 1 & Plenary
Welcome & Introductions
9:15 am - 10:00 am ET | Track 1 & Plenary
Keynote: Cobalt Strike Threat Hunting
Cracked versions of Cobalt Strike have rapidly become the attack tool of choice among enlightened global threat actors, making an appearance in almost every recent major hack, including SolarWinds, the massive Hafnium attacks targeting Microsoft Exchange servers, and a majority of recent ransomware attacks. The use of Cobalt Strike is unsurprising, as it provides an all-in-one framework for mounting large-scale network penetrations with an unparalleled amount of flexibility. The bad news is that Cobalt Strike can be extremely stealthy. The good news is that a known threat inevitably provides detection opportunities for defenders, and currently there is no larger known threat. Using examples taken directly from an actual enterprise-wide attack used in the SANS FOR508 class, this presentation will demonstrate Cobalt Strike-based attacks from both the attacker and defender perspectives. Attendees will gain insight into how Cobalt Strike operates and the artifacts left behind by many of its common attack techniques, leaving with a range of practical detections that can be immediately put to use during incident response and threat hunting.
10:05 am - 10:40 am ET | Track 2
To the Moon! The Cyber Kill Chain Meets Blockchain
The professionalization of the criminal underground has led to a level of attack sophistication where everything from access, malware, and credentials to C2 domains, the soup to nuts of an attack, is up for sale in bitcoin. We have found blockchain-level evidence that shows the amount of value flowing between bad actors is increasing rapidly. Darknet marketplaces are increasingly connecting threat actors with the tools and infrastructure to scale their attacks. Due to the transparency of blockchains, we can map out the entire Kill Chain and the players and markets that underpin it. We can see the times when threat actors are purchasing malware-as-a-service with cryptocurrency, using money laundering infrastructure, purchasing exploits on darknet markets, or simply using the markets to launder money. It can be visualized, investigated, correlated with other data sets, and yes, even attributed. In this presentation we will walk through the Netwalker ransomware takedown and other case studies of how blockchain forensics has enriched cybersecurity investigators' threat intelligence and identified precursors to attack, emerging threats, and centers of gravity for disruption.
10:05 am - 10:40 am ET | Track 1 & Plenary
Automating Google Workspace Incident Response
Incident responders require a toolset and resources that allow them to efficiently investigate malicious activity. In the case of Google Workspace, there are an increasing number of subscribers, but resources to assist in the analysis of security incidents are lacking. For this reason, the goal of the research behind this presentation was to develop a tool that expands on Google's default administrative capabilities with the intent of providing value to incident responders. By providing both additional context and purposeful views, incident responders can more quickly identify malicious activity and respond accordingly. This tool has been released publicly, and this presentation will discuss the limitations of Google Workspace's existing response capabilities, demonstrate the new tool's functionality and its benefits, and discuss additional areas of coverage needed.
Megan Roddie, Cyber Threat Researcher, IBM; SANS.edu Master's Candidate
10:40 am - 10:50 am ET | Track 1 & Plenary
10:50 am - 11:25 am ET | Track 1 & Plenary
EZ Tools/KAPE: How to Contribute to and Benefit from Open Source Contributions
Learn what EvtxECmd and SQLECmd Maps are, what RECmd Batch Files are, what KAPE Targets/Modules are, how to make them (very briefly), and how to ensure you're keeping KAPE/EZ Tools up to date to benefit from all the open source contributions that occur in the associated GitHub repositories.
10:50 am - 11:25 am ET | Track 2
What Air Disaster Investigations Teach Us About Computer Forensics
While many people look to CSI-style forensics as a model for computer forensics, there is much to be learned about how to conduct successful investigations from other disciplines. The National Transportation Safety Board (NTSB) investigates the most dramatic and high-profile technological failures: plane crashes. This talk will run through techniques used by the NTSB in their investigations of air disasters and how we can apply those principles to computer forensics investigations.
Tony Drake, Senior Engineer, Security Intelligence, Intercontinental Exchange (ICE)
11:30 am - 12:05 pm ET | Track 1 & Plenary
Terabytes of Exchange logs got you down? Need to look for 100 IP addresses but haven't got 100 hours? This talk will discuss how to optimize systems for log searching, and cover a variety of command-line tools, including Stroz Friedberg's open source multipattern grep tool, Lightgrep. We'll also demonstrate techniques for generating histograms and other statistics from logs to discover interesting patterns of attacker behavior, and how to enrich events with external data sources. You'll leave with handy techniques for slicing and dicing the biggest of logs with ease.
11:30 am - 12:05 pm ET | Track 2
Order of Volatility in Modern Smartphone Forensics
When dealing with modern smartphone devices, both Android and iOS, we often rely on native communication protocols (for example, ADB on Android and the iTunes Backup service on iOS) to extract data, and we often need to interact "live" with the device to allow communications. As RFC 3227 has stated since 2002: "When collecting evidence you should proceed from the volatile to the less volatile." The aim of this presentation is to show how to leverage native Android and iOS communication protocols to extract as much data as possible, in the proper order.
12:05 pm - 1:10 pm ET | Track 1 & Plenary
1:15 pm - 1:50 pm ET | Track 1 & Plenary
Panel: Validating Evidence for Courtroom Testimony
Mobile forensics is a complex field that is ever changing. Given the amount of data recovered from each device, the plethora of tools available, and the lack of time we experience as investigators, understanding when and how to validate forensic artifacts recovered from mobile devices is necessary. In this panel, experts from the field will discuss their recommendations for when verification and validation are needed. When is it acceptable to use more than one tool for an answer, and when do you have to create test data or dive deeper? When you put your name on a report, you want to be able to stand behind it with confidence. We are here to help with that.
1:55 pm - 2:30 pm ET | Track 1 & Plenary
A Holistic Approach to Defending Business Email Compromise (BEC) Attacks
In 2019, the FBI estimated that the global loss from Business Email Compromise (BEC) attacks amounted to a staggering 26 billion USD. As a response to the ongoing threat, my team and I developed an extensive but non-exhaustive guide for any cyber security professional conducting a BEC investigation. In this highly practical presentation I will use real-life cases of BEC attacks that I have worked on and show you the latest methods threat actors use to compromise an email environment. I will also show you how you can use our guide to structure your detection and response covering the various phases of a BEC attack, to give you a chance of spotting a threat actor before it is too late. After this presentation you will want to start checking your own email environment for threats.
1:55 pm - 2:30 pm ET | Track 2
Stringlifier: An Open Source Tool for Random String Classification
While shifting from traditional log analysis towards a data science-based approach, security professionals often battle with complex random strings in logs, commands, and code, which makes statistical analysis cumbersome. For example, can you differentiate between 7f41suf9312, 32185544-ABC3123-9845678, and GCEFi519719312? These could be passwords, API keys, or hashes. Stringlifier is an open-source tool that assists in categorizing such strings. It leverages machine learning to distinguish between normal and random character sequences, and it provides fine-grained classifications to assist professionals in characterizing strings in raw text. During this presentation we will have a series of hands-on exercises on how to sanitize your data, process and classify random strings, and identify leaked credentials in public repositories.
2:30 pm - 2:50 pm ET | Track 1 & Plenary
2:50 pm - 3:25 pm ET | Track 1 & Plenary
Breaches Be Crazy
Incident response is becoming difficult to manage in the era of large-scale breaches involving tens or even hundreds of compromised systems. Outdated techniques often leave responders spending countless hours simply imaging devices, losing precious time for analysis and actual investigation. We plan to discuss how we perform forensic analysis at scale across many systems using the triage acquisition tool Velociraptor coupled with the collaborative analysis tool Timesketch. This approach shortens the gap between initial response and detailed analysis by many hours, if not days, for large breaches. Our approach is unique in that we have fully automated the entire process, all the way up to producing a multi-system timeline for the analyst. We'll give a deep dive on the fast and effective technique we've developed that takes even a large-scale IR from triage to analysis within a short number of hours.
3:15 pm - 4:30 pm ET | Track 2
DFIR 101: Digital Forensics Essentials
Whether you're new to the field of digital forensics, are working in an entirely different role, or are just getting into cybersecurity, this session will help you on your way. Kathryn Hedley, one of the co-authors of SANS FOR308: Digital Forensics Essentials, will get you started by explaining what digital forensics really means, what digital evidence is and where to find it, how digital forensics can assist your organization, and more.
Whether the Summit talks so far have you feeling overwhelmed or energized, this session will step back and introduce you to some of the fundamental concepts in digital forensics.
3:30 pm - 4:00 pm ET | Track 1 & Plenary
The Summit chairs and speakers will reconvene for an informal chat about their takeaways from the day's sessions. This is a great time to ask any lingering questions you have!