Interactive, live-stream cybersecurity training, August 17 (MDT). Register by tomorrow to save $150.

Baltimore 2016

Baltimore, MD | Mon, Oct 10 - Sat, Oct 15, 2016
This event is over,
but there are more training opportunities.

The Labyrinth: Active Defense through Baselines, Configuration, and Deception

  • Nathaniel 'Q' Quist
  • Wednesday, October 12th, 7:15pm - 7:55pm

The faster they change, the faster they evade detection. How can we compete against the next generation of network invaders, smart malware, and fast-flux C2s? Is it possible to defend against every incident in real-time? What would we need? Strategic sensor placement, network baseline, quantitative network traffic, automated responses, and most importantly, a Labyrinth in which to get lost. Within this session, we will discuss the concept of how a virtual labyrinth, built from a series of virtual systems, sensors, analytic engines, and a centralized collection system, can detect changes within an environment and deliver a solution for defense in real time! Sandwiched between the ISP and the network boundary, this virtual labyrinth forces all traffic to traverse a heavily monitored and baseline environment. Unwitting assailants enter the environment, as they would any other, unaware of the behaviors or expectations within the labyrinth. As they explore the labyrinth, they inadvertently alter the normal flow of expected labyrinth data, allowing a network of sensors to track their every move, record every action, and reveal their tactics, techniques, and procedures. As the assailants move through the labyrinth, defenders are afforded a substantial increase in awareness and a sizable decrease in the time needed to respond to actions. As every action is detected and analyzed in real-time, the time required to place the assailantās actions, processes, and unique signatures within a blacklist is significantly decreased. The Labyrinth unfolds itself in an ever-expanding maze designed to keep assailants unaware of their situation, naturally prompting them to reveal their secrets while leaving the real network lying behind the Labyrinth unaffected and able to defend itself as fast as the Labyrinth can detect the action.

Speaker Bio: Nathaniel "Q" Quist works at LogRhythm as an Incident Response Engineer. He has been working within the Computer Security space for almost ten years, and has worked as a SOC Team Lead, Security Intrusion Analyst, Enterprise Security Engineer, and a Professional Services Consultant within the Government, Military, Enterprise and Start-up organizational levels. He holds a Bachelors of Science in Computer Security and Forensics and is currently working to complete a Masters of Science in Information Security Engineering from The SANS Institute. His professional focus centers on effective Active Defense techniques through network and system forensics, hunting techniques, and malware reversing. He currently holds the GSEC, GCIA, GCIH, and GNFA GIAC certifications, and is currently studying for the GCFA, GREM, and GSE certifications from The SANS Institute.


Bonus Sessions

The following bonus sessions are open to all paid attendees at no additional cost. There are many different types of events that fall into these categories:

  • SANS@Night: Evening presentations given after day courses have ended. This category includes Keynotes.
  • Special Events: SANS-hosted events and other non-technical recreational offerings. This category includes, but is not limited to, Receptions and Information Tables.
  • Master's Degree Presentation: Presentations given by SANS Technology Institute's Master's Degree candidates.
Monday, October 10
Session Speaker Time Type
General Session - Welcome to SANS Bryan Simon Monday, October 10th, 8:00am - 8:30am Special Events
Evolving Threats Paul Henry Monday, October 10th, 7:15pm - 9:15pm Keynote
Tuesday, October 11
Session Speaker Time Type
Women's CONNECT Event Hosted by SANS COINS program and ISSA WIS SIG Tuesday, October 11th, 6:00pm - 9:15pm Special Events
(Am)Cache Rules Everything Around Me Eric Zimmerman Tuesday, October 11th, 7:15pm - 8:15pm SANS@Night
Running Away from Security: Web App Vulnerabilities and OSINT Collide Micah Hoffman Tuesday, October 11th, 8:15pm - 9:15pm SANS@Night
Wednesday, October 12
Session Speaker Time Type
DLP FAIL!!! Using Encoding, Steganography, and Covert Channels to Evade DLP and Other Critical Controls Kevin Fiscus Wednesday, October 12th, 7:15pm - 8:15pm SANS@Night
The Labyrinth: Active Defense through Baselines, Configuration, and Deception Nathaniel 'Q' Quist Wednesday, October 12th, 7:15pm - 7:55pm Master's Degree Presentation
Resolving Names to Pwned: A Journey to Compromise Russel Van Tuyl Wednesday, October 12th, 8:15pm - 8:55pm Master's Degree Presentation