Real World Enterprise Incident Response w/ Kansa
- Robert Adams, Master's Degree Candidate
- Tuesday, April 25th, 8:15pm - 8:55pm
Thanks to its nearly universal availability and tools like Empire and PowerSploit, attackers are increasingly adopting PowerShell to move around corporate networks. Shouldn't your defenders have tools that give them the same benefits when hunting those attackers?
Kansa is an open-source incident response framework, written in PowerShell, designed to empower blue teamers to expedite response efforts. The framework provides a platform to collect forensic data from multiple machines across your environment in parallel, and the included modules cover many of the most common artifacts left behind by initial compromise, lateral movement, persistence, staging, and exfiltration. It is also infinitely customizable and extensible to meet the needs of a specific investigation, since the entire tool is open source and written in PowerShell. This talk will touch on the basic architecture of Kansa, then dive into specific case studies detailing its use in both workstation and datacenter environments.
Speaker Bio: Robert is a Security Analyst at Microsoft. He is extraordinarily passionate about automation, and loves tackling complex problems with a variety of tools, including PowerShell. Robert's career was jump-started in 2006 when he joined the Navy as a Cryptologic Technician. Robert is a Master's Degree candidate in SANS Technology Institute's Information Security Engineering program. He holds a number of industry certifications, including the CISSP, GSEC, GCIA, GCIH, and GPEN.
Bonus Sessions
The following bonus sessions are open to all paid attendees at no additional cost. There are many different types of events that fall into these categories:
- SANS@Night: Evening presentations given after day courses have ended. This category includes Keynotes.
- Special Events: SANS-hosted events and other non-technical recreational offerings. This category includes, but is not limited to, Receptions and Information Tables.
- Master's Degree Presentation: Presentations given by SANS Technology Institute's Master's Degree candidates.
Monday, April 24
Session | Speaker | Time | Type |
---|---|---|---|
General Session - Welcome to SANS | Bryan Simon | Monday, April 24th, 8:00am - 8:30am | Special Events |
Exploitation 101: Stacks, NX/DEP, ASLR and ROP! | David Hoelzer | Monday, April 24th, 7:15pm - 9:15pm | Keynote |
Tuesday, April 25
Session | Speaker | Time | Type |
---|---|---|---|
Steganography - The Hidden Threat | Kevin Fiscus | Tuesday, April 25th, 7:15pm - 8:15pm | SANS@Night |
Security Configuration at Scale - An Introduction to Ansible | Patrick Neise, Master's Degree Candidate | Tuesday, April 25th, 7:15pm - 7:55pm | Master's Degree Presentation |
Real World Enterprise Incident Response w/ Kansa | Robert Adams, Master's Degree Candidate | Tuesday, April 25th, 8:15pm - 8:55pm | Master's Degree Presentation |
Wednesday, April 26
Session | Speaker | Time | Type |
---|---|---|---|
(Am)Cache Rules Everything Around Me | Eric Zimmerman | Wednesday, April 26th, 7:15pm - 8:15pm | SANS@Night |
Securing the Enterprise with Cyber Threat Hunting | Michael C. Long, Master's Degree Candidate | Wednesday, April 26th, 8:15pm - 8:55pm | Master's Degree Presentation |
Thursday, April 27
Session | Speaker | Time | Type |
---|---|---|---|
The Node Situation | Moses Hernandez | Thursday, April 27th, 7:15pm - 8:15pm | SANS@Night |