
Blue Team Summit & Training 2020

Louisville, KY | Mon, Mar 2 - Mon, Mar 9, 2020

Blue Team Summit Agenda

Louisville, KY | March 2-3

Blue Team Summit

Check back often as we continue to build a great agenda. Confirmed talks include:

Monday, March 2
9:00-9:15 am
Welcome & Opening Remarks

Eric Conrad @eric_conrad, Fellow, SANS Institute

Seth Misenar @sethmisenar, Fellow, SANS Institute

9:15-10:00 am

Blue Team is Not Just A Job; It’s an Adventure

Marcus J. Carey @marcusjcarey, Enterprise Architect, ReliaQuest; Co-Author, Tribe of Hackers

Otto von Bismarck once said, “Only a fool learns from their own mistakes. The wise person learns from the mistakes of others.” Most blue teamers are graduates of The School of Hard Knocks.

In this talk, Marcus J. Carey will walk you through his journey as a blue teamer who has discovered, through trial and error and by interviewing hundreds of cybersecurity professionals for the Tribe of Hackers book series, how to build effective security models. Marcus will share insights on how to optimize cybersecurity technology, processes, and personnel for maximum impact.

10:05-10:40 am

Creativity, Convergence, and Choices: Security Analyst Thinking Modes

Stef Rand @techieStef, Security Researcher, Applied Network Defense

Chris Sanders @chrissanders88 @ruraltechfund, Founder, Applied Network Defense; Director, Rural Technology Fund

What makes someone a good security analyst? Even analysts who are good at catching bad guys aren’t always very effective at explaining how they do it. The presenters recently sought to better understand the investigation process by exploring how analysts use convergent and divergent thinking in their day-to-day processes. In this session they will present the results from their original research on the role of thinking modes in investigative work, along with strategies for practicing and developing these types of thinking to become a more effective and metacognitively-aware analyst.

10:40-11:05 am

Networking Break

11:10-11:45 am

Cobot Uprising: Smart Automation for Blue Teams

Mark Orlando @markaorlando, Co-Founder & CEO @bionic_sec; Instructor, @SANSInstitute

Despite using more automation than ever before in detection and response operations, organizations continue to be challenged by relatively unsophisticated attacks. Reliable detection requires time-consuming analysis and a level of data aggregation and correlation that is at best an art, and at worst cost-prohibitive. Meanwhile, attackers remain agile and inventive, continually (and rapidly) changing their infrastructure and approach with minimal costs and maximum benefit.

While there are some tasks that computers do far better than humans – such as rote and repetitive tasks and complex calculations – we will always be masters of analysis given our ability for complex thought, decision-making, and visual learning. With the introduction of security automation and orchestration to the defensive tool set, blue teams can now automate some of their investigative playbooks and save precious time. Unfortunately, this capability often drives automation for its own sake and expands tool sets that are already monolithic, rather than actually empowering our humans. Simply doing analysis faster is only a small part of the solution, and not all "improvements" are created equal!

How can we reframe this challenge to alter the calculus of attack and defense? Automation for the sake of doing so is a common trap that can actually degrade our capabilities and waste defensive cycles. However, applying automation in a controlled, strategic manner can be a game changer for defenders. With proper planning and an incremental, product-neutral approach to automation, we can measurably improve our defenses and start leveling the playing field.

11:50 am - 12:25 pm

Cops and Robbers: Simulating Adversary Techniques for Detection Validation

Kyle Champlin, @dishwishy, Senior Manager, Splunk

Tim Frazier @timfrazier1, Senior Security Specialist, Splunk

Your organization spends a lot of time and money on your security program. Shouldn't you be able to show that all of that investment is paying off? Many vendors are offering customers high-quality analytics, but how can you ensure that they are working correctly? What if you had a way to repeatedly emulate common and known adversary tactics, techniques, and procedures in your environment with no formal penetration test required? This presentation will showcase a tactical method for adversary emulation and detection using free tools and open-source projects, including Atomic Red Team from Red Canary, DetectionLab from Chris Long, ThreatHunting from Olaf Hartong, Splunk (Enterprise Trial), and Phantom (Community Edition). We'll show how this framework can simulate techniques, review the events that result, and test your detection capabilities against many techniques in the MITRE ATT&CK framework. The framework even has detailed instructions to spin it up in Amazon Web Services or locally in your environment so that you can start using it as soon as you return to the office.

12:30-1:30 pm Lunch

1:30-2:15 pm

Put Some Power in Your Shell: POSH for Incident Response at Scale

Don Murdoch @BlueTeamHB, BTHb, and Author/Range Officer, Regent University

If your blue team doesn't understand how to do on-system analysis, then it's game over, because the team won't be able to detect the intrusion or find signs of persistence or malicious behavior. Worse, the team won't know how to scale out. Automated tools help, but they depend on your blue team understanding what the data mean. This presentation will go over numerous PowerShell tools and techniques for performing on-system analysis and script analysis across the enterprise. We'll also look at how to use other WinRM features to do analysis at scale. The presentation will list common analysis challenges; go over WinRM setup requirements; review the use of PowerShell-based tools to collect a baseline; demo remote analysis methods (including writing fault-tolerant PowerShell code that tests for connectivity and fails gracefully, and writing job-based PowerShell code for the defender); and examine running remote collection scripts so that you don't have to do all of the heavy lifting yourself.

2:20-2:55 pm

Orchestrating Detection within Security Onion

Josh Brower @DefensiveDepth, Senior Engineer, Security Onion

This presentation will look at how to develop a customized playbook for your organization using the new Playbook tool in Security Onion. Playbook allows you to easily build new detection strategies using Sigma or import plays from other sources. The tool integrates into existing Security Onion tools by automatically creating Elastalert alerts and TheHive Project case templates based on your plays. This helps you document and automate the most important elements of your detection strategies: motivation (what are you looking for?), next steps (how to analyze the results), and the actual search query needed for the Elasticsearch backend.

2:55-3:20 pm Networking Break

3:25-4:00 pm

Cybercrime Markets and Their Effects on Threat Intelligence and Detection

Paul Melson @pmelson, Senior Director – Cybersecurity, Target

Modern cybercrime consists largely of marketplaces where training, tools, services, access, and more are all for sale. However, most public threat intelligence reporting -- and therefore the detection and response focus that it drives -- remains focused on single actor groups. This skews attribution, detection, and response – sometimes with dire consequences. To properly apply an attack lifecycle model and track actors across it, we must first understand these marketplace relationships. This presentation will provide an overview of criminal marketplaces and how they affect the attack lifecycle, and also examine several case studies where cybercrime markets shape how attacks are carried out from beginning to end.

4:05-4:40 pm

Computer Love: Love Letters and Log Analysis

Doug Bryant, Jr., @CyberGent_101, Incident Response Analyst, Black Knight, Inc.; Co-Host, Intrusion Diversity System Podcast

This presentation examines the correlation of communication between human interaction and machine activity based on generated events. Logs and events are the foundation of modern security monitoring, investigation, and forensics. This presentation will discuss log analysis understanding, methods, tools, and techniques. The approach to reviewing logs will be broken down into detecting the problem, finding the likely cause, checking your theory, making an action plan, and reporting your findings. Common security events and incident examples will also be discussed. Reviewing logs is a fundamental and integral aspect of being a security analyst. Logs will always tell a story about events generated over a certain time period in the same way a love letter can tell a story about a moment in time. Security analysts must determine what to look for using the information at hand, and how to develop a proactive approach to monitor security events and remediate threats. Attendees will leave knowing how to tell a better story via analysis and findings based on machine activity communication.

4:45-5:00 pm

Day 1 Wrap-Up

5:00-7:00 pm Blue Team Networking

Tuesday, March 3

9:00-9:45 am

Eric Conrad @eric_conrad, Fellow, SANS Institute

9:50-10:25 am

Pushing the SOC Left To Achieve Nash Equilibrium

O'Shea Bowens @SirMuDbl00d, Founder CEO, Null Hat Security

As defenders we've seen the landscape change over the last few years: a shift to the cloud, better endpoint detection capabilities, and overall acceptance of leveraging threat intelligence. All these items are advantages for SOC personnel, but how are we incorporating application security? The idea of "shifting left" is based on a secure SDLC, but how do we build detection, response, and monitoring of applications into the SOC? The usual gamut of next-generation firewalls and antivirus products isn't applicable, because applications differ from build to build. This talk will focus on building out capabilities to help defenders identify attacks against the application, build detection mechanisms, and leverage this information for triage.

10:25-10:45 am Networking Break

10:50-11:25 am

Password-less! Can It Be Done?

Joey Cruz, @don_fuego_, Program Manager, Microsoft

Mark Moroczynski, @markmorow, Principal Program Manager, Microsoft

As industries start to move to password-less environments, the benefits are clear but the path to get there is not. Several large enterprises have started their password-less journey and you can too. Learn from their experiences in order to avoid pitfalls and accelerate deployment to enhance your security state. This presentation will provide you with some quick wins and next steps for the short term and a clear strategy for the long term.

11:30-12:05 pm

Pushing the SOC Left to Achieve Nash Equilibrium

O’Shea Bowens, Founder & CEO, Null Hat Security

As defenders we’ve seen the landscape change over the last few years, including a shift to the cloud, better endpoint detection capabilities, and overall acceptance of leveraging threat intelligence. All these items are advantages for Security Operations Center (SOC) personnel, but how are we incorporating application security? The idea of “shifting left” is based on a secure SDLC, but how do we build detection, response, and monitoring of applications into the SOC? The usual gamut of next-generation firewalls and antivirus products isn’t applicable because applications differ from build to build. This talk will focus on building out capabilities to help defenders identify attacks against the application, build detection mechanisms, and leverage this information for triage.

12:10-1:15 pm Lunch

1:20-1:55 pm

DevBlue: Applying Software Engineering Practices to Blue Teaming for the Win!

Lucia Coppes, EDR Software Engineer, McAfee

Alejandro Houspanossian, EDR Software Engineer, McAfee

Have you ever wondered what happens when you put world-class developers and blue team experts on the same team? Meet DevBlue! In this talk, Lucia and Alejandro will share lessons learned on a journey where developers and blue teamers have worked together to create an endpoint detection and response (EDR) product. But please keep reading: this is not a product talk! Rather, through practical examples we want to show you how proven software engineering practices can help you methodically grow your detection capabilities in weekly increments. In particular, we will cover how to set up and manage an engineering blue team (a.k.a. DevBlue) to apply practices such as issue tracking, peer review, unit testing, automated red team testing, continuous delivery, operational intelligence mining, post-exploitation tools, purple teaming, and security posture measurement using the MITRE ATT&CK matrix as a reference.

2:00-2:35 pm

Talk to be announced

2:35-3:00 pm Networking Break

3:05-3:40 pm

Talk to be announced

3:45-4:20 pm

Talk to be announced

4:20-4:30 pm

Wrap-Up and Takeaways