Cyber Defense Forum & Training - Live Online

Virtual, US Central | Fri, Oct 9 - Sat, Oct 17, 2020


Friday, October 9
Times are US CDT
9:00-9:10 am

Welcome & Opening Remarks

Chris Crowley @CCrowMontance, SANS Institute
Justin Henderson @SecurityMapper, SANS Institute

9:10-9:45 am

Keynote

Taking Your Detection Program to the Next Level
Carson Zimmerman, Senior Security Services Engineering Lead, Microsoft

We’ve gotten really good at collecting piles of data. Our customers send us plenty of it and they think every event from every device is being monitored. Are they? Our customers are harnessing an exploding set of cloud and non-traditional IT. Past approaches of “slap a sensor on it and call it good” are no longer sufficient. We need to more carefully measure our monitoring coverage, make better use of the data we collect, and ensure our detection program is healthy. In this presentation, Carson will describe the five essential elements of a successful SOC monitoring and detection program: planning, customer engagement, leveraging commodity capability, custom detection creation, and measuring detection effectiveness.

9:45-9:55 am Break
9:55-10:15 am

Automating Threat Hunting on the Dark Web and other nitty-gritty things

Apurv Singh Gautam @ASG_Sc0rpi0n, Student Researcher, Georgia Institute of Technology

What's the hype with the dark web? Why are security researchers focusing more on the dark web? How do you perform threat hunting on the dark web? Can it be automated? If you are curious about the answers to these questions, then this talk is for you. The dark web hosts several sites where criminals buy, sell, and trade goods and services like drugs, weapons, exploits, etc. Hunting on the dark web can help identify, profile, and mitigate organizational risks if done in a timely and appropriate manner. This is why threat intelligence obtained from the dark web can be crucial for any organization. In this presentation, you will learn why threat hunting on the dark web is necessary, different methodologies to perform hunting, the process after hunting, and how hunted data is analyzed. The main focus of this talk will be automating threat hunting on the dark web. You will also get to know what operational security (OpSec) is, why it is essential while performing hunting on the dark web, and how you can employ it in your daily life.

10:20-11:00 am

Metrics on Steroids: Improving SOC Maturity using the SOC-CMM

Rob van Os, Product Owner of the Cyber Defense Center, de Volksbank

Cyber criminals are getting increasingly sophisticated and capable, resulting in high-impact security breaches across the globe. Building a SOC helps organizations increase their resilience to these cyberattacks and decreases their time to detect and respond to security incidents. But simply having a SOC in place provides insufficient assurance of high-quality cyber defense. The SOC needs to keep up with the latest threats and invest heavily in extending and improving its capabilities while achieving the appropriate maturity level for its operations. In order to track the SOC's progress, metrics are required. The SOC-CMM provides an extensive yet comprehensive framework for measuring the capability maturity level of your SOC. Using the outcome of a SOC-CMM assessment, a roadmap for improvement can be created. In this presentation, the SOC-CMM and its application will be explained and positioned within a modern approach to monitoring and response.

11:00-11:10 am Break
11:10-11:30 am

XDR - The Hidden Pitfalls of Evaluation and Deployment

Steve Turner @beingageek, Director – Cyber Defense Architecture, Prudential
Ben Tyminski @Ben_tym, Senior Security Architect, Prudential

This talk covers the hardships and lessons learned of shifting legacy security tools and processes to XDR. We'll cover the evolution of security policies and procedures while extending and coordinating defenses across the enterprise to ensure security gaps are filled and not created. We'll talk about the available XDR telemetry and visibility and how to incorporate that into an already mature SOC process.

11:35-11:55 am

And Then There Were None (More False Positives): Writing Better EDR Detections

Dan Banker, Threat Response Team Lead, Motorola Solutions

Is it possible for any security product to work properly out of the box? My experience is that a newly-deployed security tool will bury analysts in false positive alerts, leaving them with the task of either whitelisting them (which can leave the org open to false negatives), or tuning them for fidelity. Endpoint Detection and Response (EDR) tools such as Carbon Black, CrowdStrike, and Symantec EDR are no exception. This problem is exacerbated in organizations with large populations of system admins and developers. Both these groups perform daily activities that trip alarms designed to find malicious activity. For example, encoded PowerShell is often seen as an IOC, but system admins love it. I'll go over several cases, and demonstrate how to use parent processes, child processes, command-line options, and other techniques to raise the fidelity of your alerts.

11:55 am - 1:00 pm Lunch
1:00-1:20 pm

Resolve Security Alerts with Adaptive Intelligence and Guided Response

Peter Luo @DTonomyInc, Founding CEO, DTonomy

The volume, complexity and sophistication of cyber threats continue to increase at an alarming and exponential rate. Today, manually intensive and repeatable tasks and processes can’t scale, leaving security analysts overwhelmed and fatigued. In some cases, serious threats are potentially overlooked or not handled in a timely fashion; every day that a threat goes undetected can lead to serious risk and repercussions. Many companies have been deploying SOAR or plan to deploy SOAR to automate repetitive security tasks. In this talk, we would like to share what SOAR cannot do and why we need AI to provide adaptive intelligence and dynamically guided response to ensure well-rounded alert response, continuously optimize your SOC process and reduce mean time to response. Last but not least, we will talk about the criteria for a good, practical AI system for a SOC.

1:25-1:45 pm

Analysis 101 for Incident Responders

Kristy Westphal, VP, CSIRT, MUFG Union Bank

You have a theory about something you have found while roaming the network or conducting your own hackfest, but how do you go about proving it? This workshop will be a hands-on journey deep into the world of analysis. While analysis is a bit of an art form, there are methods that can be applied to make it less of a gut feeling and more of a scientific approach to support your hypothesis. From network forensics to log analysis to endpoint forensics and malware analysis, we will review numerous quick methods to gain context over the data you have gathered and apply critical thinking in an attempt to find the answers. Sometimes, the answers weren’t meant to be found, but we’ll also discuss how to make the best of any conclusion that you reach.

1:50-2:10 pm

Hiding in the Clouds: How Attackers Can Use Applications for Sustained Persistence and How to Find It

Yochana Henderson, Program Manager, Microsoft
Mark Morowczynski @markmorow, Principal Program Manager, Microsoft

Applications are modernizing. With that, the way permissions for these applications are granted is also changing. These new changes can allow an attacker to have sustained persistence in plain sight if we don’t understand how these work and where to look. What’s the difference between an application having permissions and an application having delegated permissions? Why did that admin account consent to that application, and should I be worried? Is that application overprivileged? I have thousands of apps, so how do I account for this? In this session we will look to demystify and bring clarity to these questions. You’ll understand these new application models and how they can be abused for sustained persistence, how these permissions work and what overprivileged looks like, and finally, how to find them in your environment.

2:10-2:20 pm Break
2:20-2:40 pm

Ransomware Defense and Response: Minimizing Risk of an Increasing Threat

Gabriel Currie @gabrielcurrie, Senior Cyber Security Manager, PwC
Will Oram @willoram, Senior Cyber Security Manager, PwC

Human-operated ransomware is a growing cyber threat that has seriously impacted a number of major organisations and dominated recent news headlines. In this type of attack, hands-on-keyboard operators gain initial access, compromise privileged accounts, and deploy ransomware as widely as possible. The human element of these attacks allows the most critical infrastructure within an organisation to be targeted, often resulting in significant and long-term disruption.

In this talk we will present the key cyber defence techniques required to effectively and efficiently prevent and respond to human-operated ransomware attacks.

2:45-3:05 pm

Building the Better Playbook: Techniques to Improve Repeatability

Don Murdoch @BlueTeamHb, Senior Cyber Security Engineer, BCBSA

We often hear "follow the playbook", but what makes a playbook? This presentation will go over the components of a playbook, their creation and maintenance, how playbooks are used in IR simulation and other governance programs, and a host of supporting tools that improve playbook usage, like Bitbucket, Jira, Splunk, and Confluence.

3:10-3:30 pm

Asking Questions and Writing Effectively

Christopher Lopez @L0Psec, Security Analyst, Tanium

Understanding how to adequately ask questions over the course of an investigation is critical for an analyst. This talk will demonstrate how our questions adhere to the scientific method and how to use these questions to drive an investigation. As we compile answers to our various questions, we will then cover how to compose your findings into a report that communicates them to leadership.

3:30-3:40 pm Break
3:40-4:00 pm

Resource Smart Detection with YARA and osquery

Saurabh Wadhwa, Security Solutions Engineer, Uptycs

Traditional file-hash malware detection is relatively easy to circumvent, as threat actors easily morph code to create "new" variants, rendering old IOCs useless. YARA uses a different approach: its rules match small segments of code within the malware, making traditional morphing techniques ineffective. The challenge can be knowing which files to scan with YARA, as scanning everything can be expensive. This is where osquery comes in: it can tell us exactly which files have been executed, and therefore which files to scan. Even if a file has not been executed, osquery can use an alternative approach, creating whitelists from golden images, to identify unrecognized binaries. This session will provide an introduction to three open source tools, JA3, YARA, and osquery, and the benefits of using them.

4:05-4:25 pm

New Tools for your Threat Hunting Toolbox

Mark Baggett @MarkBaggett, Senior Instructor, SANS Institute

Join Mark Baggett as he discusses new tools and some new features of older tools that enhance your threat hunting capability. This short talk will provide you with the insight you need to begin hunting for phishing domains and command and control channels on your networks. We will discuss the installation and configuration of tools that will have you threat hunting in no time.

4:25-5:00 pm

Panel

Ask Us (Almost) Anything About Cyber Defense

Chris Crowley @CCrowMontance, SANS Institute
Justin Henderson @SecurityMapper, SANS Institute
Forum Speakers

The Forum agenda covers a ton of information in a very short time! Here's your chance to revisit talks from earlier in the day and reconnect with some of your favorite speakers. Have your questions ready, so you can catch up and crystallize the knowledge from this whirlwind day of talks.