Blue Team Summit & Training 2020 - Summit Agenda

Blue Team Summit & Training 2020

Louisville, KY | Mon, Mar 2 - Mon, Mar 9, 2020

Blue Team Summit Agenda

Louisville, KY | March 2-3

Blue Team Summit

Check back often as we continue to build a great agenda. Confirmed talks include:

Creativity, Convergence, and Choices: Security Analyst Thinking Modes

Stef Rand @techieStef, Security Researcher, Applied Network Defense

Chris Sanders @chrissanders88 @ruraltechfund, Founder, Applied Network Defense; Director, Rural Technology Fund

What makes someone a good security analyst? Even analysts who are good at catching bad guys aren’t always very effective at explaining how they do it. The presenters recently sought to better understand the investigation process by exploring how analysts use convergent and divergent thinking in their day-to-day processes. In this session they will present the results from their original research on the role of thinking modes in investigative work, along with strategies for practicing and developing these types of thinking to become a more effective and metacognitively-aware analyst.

Cobot Uprising: Smart Automation for Blue Teams

Mark Orlando @markaorlando, Co-Founder & CEO @bionic_sec; Instructor, @SANSInstitute

Despite using more automation than ever before in detection and response operations, organizations continue to be challenged by relatively unsophisticated attacks. Reliable detection requires time-consuming analysis and a level of data aggregation and correlation that is at best an art, and at worst cost-prohibitive. Meanwhile, attackers remain agile and inventive, continually (and rapidly) changing their infrastructure and approach with minimal costs and maximum benefit.

While there are some tasks that computers do far better than humans – such as rote and repetitive tasks and complex calculations – we will always be masters of analysis given our ability for complex thought, decision-making, and visual learning. With the introduction of security automation and orchestration to the defensive tool set, blue teams can now automate some of their investigative playbooks and save precious time. Unfortunately, this capability often drives automation for its own sake and expands tool sets that are already monolithic, rather than actually empowering our humans. Simply doing analysis faster is only a small part of the solution, and not all "improvements" are created equal!

How can we reframe this challenge to alter the calculus of attack and defense? Automation for the sake of doing so is a common trap that can actually degrade our capabilities and waste defensive cycles. However, applying automation in a controlled, strategic manner can be a game changer for defenders. With proper planning and an incremental, product-neutral approach to automation, we can measurably improve our defenses and start leveling the playing field.

Cops and Robbers: Simulating Adversary Techniques for Detection Validation

Tim Frazier @timfrazier1, Senior Security Specialist, Splunk

Your organization spends a lot of time and money on your security program. Shouldn't you be able to show that all of that investment is paying off? Many vendors are offering customers high-quality analytics, but how can you ensure that they are working correctly? What if you had a way to repeatedly emulate common and known adversary tactics, techniques, and procedures in your environment with no formal penetration test required? This presentation will showcase a tactical method for adversary emulation and detection using free tools and open-source projects, including Atomic Red Team from Red Canary, DetectionLab from Chris Long, ThreatHunting from Olaf Hartong, Splunk (Enterprise Trial), and Phantom (Community Edition). We'll show how this framework can simulate techniques, review the events that result, and test your detection capabilities against many techniques in the MITRE ATT&CK framework. The framework even has detailed instructions to spin it up in Amazon Web Services or locally in your environment so that you can start using it as soon as you return to the office.

Put Some Power in Your Shell: POSH for Incident Response at Scale

Don Murdoch @BlueTeamHB, BTHb, and Author/Range Officer, Regent University

If your blue team doesn't understand how to do on-system analysis, then it's game over: the team won't be able to detect the intrusion or find signs of persistence or malicious behavior. Worse, the team won't know how to scale out. Automated tools help, but they depend on your blue team understanding what the data mean. This presentation will go over numerous tools and techniques with PowerShell to perform on-system analysis and script analysis for the enterprise. We'll also look at how to use other WinRM features to do analysis at scale. The presentation will list out common analysis challenges; go over WinRM setup requirements; review the use of PS-based tools to collect a baseline; demo remote analysis methods (including writing fault-tolerant PS code that tests for connectivity and fails gracefully, and writing job-based PS code for the defender); and examine running remote collection scripts so that you don't have to do all of the heavy lifting.
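The pattern this abstract describes (test connectivity first, collect over WinRM as background jobs, fail gracefully on hung or unreachable hosts) in working form, as an added example that is not the speaker's code. It assumes WinRM is already enabled on the targets, that the caller has rights to connect, and uses a constructed host list.

```powershell
# Added example: fault-tolerant, job-based remote baseline collection over WinRM.
# $Targets is a constructed sample list; replace with your own host names.
$Targets = @('ws01.corp.example', 'ws02.corp.example', 'srv01.corp.example')

# Collection script block: a small baseline snapshot of common persistence locations.
$Collect = {
    [pscustomobject]@{
        Host      = $env:COMPUTERNAME
        Collected = (Get-Date).ToUniversalTime()
        Services  = Get-CimInstance Win32_Service |
                    Where-Object { $_.StartMode -eq 'Auto' } |
                    Select-Object Name, PathName, StartName
        RunKeys   = Get-ItemProperty 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run' -ErrorAction SilentlyContinue
        Tasks     = Get-ScheduledTask | Where-Object State -ne 'Disabled' | Select-Object TaskName, TaskPath
    }
}

$Jobs = @()
foreach ($Target in $Targets) {
    # Test WinRM reachability first so an unreachable host does not stall the whole run.
    if (-not (Test-WSMan -ComputerName $Target -ErrorAction SilentlyContinue)) {
        Write-Warning "Skipping ${Target}: WinRM not reachable"
        continue
    }
    # Run the collection as a background job so hosts are processed in parallel.
    $Jobs += Invoke-Command -ComputerName $Target -ScriptBlock $Collect -AsJob -JobName "collect-$Target"
}

if ($Jobs.Count -gt 0) {
    # Wait with a timeout so a hung session fails gracefully instead of blocking forever.
    $null = Wait-Job -Job $Jobs -Timeout 120
    $Results = foreach ($Job in $Jobs) {
        if ($Job.State -eq 'Completed') {
            Receive-Job -Job $Job
        } else {
            Write-Warning "$($Job.Name) ended in state $($Job.State)"
            Stop-Job -Job $Job -ErrorAction SilentlyContinue
        }
    }
    Remove-Job -Job $Jobs -Force
    # Persist the baseline so later collections can be diffed against it.
    $Results | Export-Clixml -Path ".\baseline-$(Get-Date -Format yyyyMMdd).xml"
}
```

Comparing a later run's Clixml against this baseline (for example with Compare-Object on the Services and RunKeys properties) is what turns the snapshot into a persistence check.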

Orchestrating Detection within Security Onion

Josh Brower @DefensiveDepth, Senior Engineer, Security Onion

This presentation will look at how to develop a customized playbook for your organization using the new Playbook tool in Security Onion. Playbook allows you to easily build new detection strategies using Sigma or import plays from other sources. The tool integrates into existing Security Onion tools by automatically creating Elastalert alerts and TheHive Project case templates based on your plays. This helps you document and automate the most important elements of your detection strategies: motivation (what are you looking for?), next steps (how to analyze the results), and the actual search query needed for the Elasticsearch backend.

Cybercrime Markets and Their Effects on Threat Intelligence and Detection

Paul Melson @pmelson, Senior Director – Cybersecurity, Target

Modern cybercrime consists largely of marketplaces where training, tools, services, access, and more are all for sale. However, most public threat intelligence reporting -- and therefore the detection and response focus that it drives -- remains focused on single actor groups. This skews attribution, detection, and response – sometimes with dire consequences. To properly apply an attack lifecycle model and track actors across it, we must first understand these marketplace relationships. This presentation will provide an overview of criminal marketplaces and how they affect the attack lifecycle, and also examine several case studies where cybercrime markets shape how attacks are carried out from beginning to end.

To get a taste of the type of dynamic presentations and speakers you'll see at the 2020 Blue Team Summit, check out this sneak peek video and recent cyber defense Summit talks:

Unconventional Logging and Detection - Justin Henderson

Build it Once, Build it Right: Architecting for Detection - Eric Conrad

Hunting for Post-Exploitation Stage Attacks with Elastic Stack and the MITRE ATT&CK Framework - John Hubbard