Finding Evil in the Whitelist
- Josh Johnson - Master's Degree Candidate
- Wednesday, September 16th, 7:15pm - 7:55pm
Application whitelisting technologies are extremely effective at reducing the ability for malicious code to run in an environment. For organizations with limited security budgets, built-in Windows features, such as AppLocker and Software Restriction Policies, offer the ability to implement low-cost whitelisting solutions that can significantly reduce the attack surface on Windows endpoints. While lacking centralized management and reporting consoles, these tools can be tested and deployed with limited effort using scripts to collect and analyze logs and Group Policy to manage whitelists.
Even though whitelisting provides greater protection to endpoints, emerging research is highlighting innovative whitelisting bypass techniques, and attackers are adopting new styles to evade this type of control. However, through regular log review and anomaly detection, organizations can detect and respond to these types of sophisticated attacks that are bypassing application whitelisting utilities. When looking for attacks that are bypassing AppLocker specifically, organizations can lean heavily on the use of PowerShell for log collection and automated analysis.
Speaker Bio: Josh Johnson is a Senior Security Analyst working for a retail company in upstate New York. With a computer science background, his responsibilities at work include performing regular application security assessments, WAF and IDS configuration and monitoring, and incident response. Josh is a candidate for the SANS Technology Institute's Master of Science in Information Security Engineering degree.
Bonus Sessions
The following bonus sessions are open to all paid attendees at no additional cost. There are many different types of events that fall into these categories:
- SANS@Night: Evening presentations given after day courses have ended. This category includes Keynotes.
- Special Events: SANS-hosted events and other non-technical recreational offerings. This category includes, but is not limited to, Receptions and Information Tables.
- Vendor: Events hosted by external vendor exhibitors.
- Lunch & Learn: Short presentations given during the lunch break.
- Master's Degree Presentation: Presentations given by SANS Technology Institute's Master's Degree candidates.
Saturday, September 12
| Session | Speaker | Time | Type |
|---|---|---|---|
| GSE Lab Examination | — | Saturday, September 12th, 9:00am - 5:00pm | Special Events |
Sunday, September 13
| Session | Speaker | Time | Type |
|---|---|---|---|
| GSE Lab Examination | — | Sunday, September 13th, 9:00am - 5:00pm | Special Events |
| Registration Welcome Reception | — | Sunday, September 13th, 5:00pm - 7:00pm | Reception |
Monday, September 14
| Session | Speaker | Time | Type |
|---|---|---|---|
| General Session - Welcome to SANS | Dr. Eric Cole | Monday, September 14th, 8:15am - 8:45am | Special Events |
| Women in Technology Meet and Greet | — | Monday, September 14th, 6:15pm - 7:15pm | Reception |
| WHY? | Dr. Eric Cole | Monday, September 14th, 7:15pm - 9:15pm | Keynote |
Tuesday, September 15
| Session | Speaker | Time | Type |
|---|---|---|---|
| Want to be a SANS Instructor? | Eric Conrad | Tuesday, September 15th, 12:30pm - 1:15pm | Lunch and Learn |
| An Architecture for Continuous Monitoring and Mitigation | Robert McLean, Systems Engineer, Forescout Technologies | Tuesday, September 15th, 12:30pm - 1:15pm | Lunch and Learn |
| Raising the Security Bar with Integrated Threat Defense | William Young, Security Sales Engineer, Cisco Systems, Inc. | Tuesday, September 15th, 12:30pm - 1:15pm | Lunch and Learn |
| Achieving Continuous Security with Your Limited Resources | Dick Faulkner, Vice President of Worldwide Sales, EiQ Networks | Tuesday, September 15th, 12:30pm - 1:15pm | Lunch and Learn |
| A Practitioner and Manager's Guide to Optimizing Enterprise Vulnerability Management | Jack Daniel, Tenable Network Security | Tuesday, September 15th, 12:30pm - 1:15pm | Lunch and Learn |
| Breach Detection 101: What Do Attackers Actually Do In A Network, And How Can You Catch Them? | DT Thompson, Sr. Director Product Management, LightCyber | Tuesday, September 15th, 12:30pm - 1:15pm | Lunch and Learn |
| Aligning Vulnerability and Privilege Management in the Context of Business Risk | Morey Haber, Vice President of Technology, BeyondTrust | Tuesday, September 15th, 12:30pm - 1:15pm | Lunch and Learn |
| ICS Security's Response to Targeted Attacks | Mike Assante | Tuesday, September 15th, 12:30pm - 1:15pm | Lunch and Learn |
| Making Threat Intelligence Work Better for Security Operations Teams | Allan Thomson, Chief Technology Officer, LookingGlass Cyber Solutions | Tuesday, September 15th, 12:30pm - 1:15pm | Lunch and Learn |
| Turn on the Lights! Case Studies of Malware in Memory | Tyler Halfpop , Threat Researcher, Fidelis Cybersecurity | Tuesday, September 15th, 12:30pm - 1:15pm | Lunch and Learn |
| Identity is the New Perimeter | Dean Thompson, VP Technical Services, Centrify Corporation | Tuesday, September 15th, 12:30pm - 1:15pm | Lunch and Learn |
| Evolving Threats | Paul Henry | Tuesday, September 15th, 7:15pm - 8:15pm | SANS@Night |
| Playing with SCADA's Modbus Protocol | Justin Searle | Tuesday, September 15th, 7:15pm - 8:15pm | SANS@Night |
| Using an Open Source Threat Model for Prioritized Defense | James Tarala | Tuesday, September 15th, 7:15pm - 8:15pm | SANS@Night |
| eAUDIT: Designing a Generic Tool to Review Entitlements | Francois Begin - Master's Degree Candidate | Tuesday, September 15th, 7:15pm - 7:55pm | Master's Degree Presentation |
| What's New in Windows 10 and Server 2016? | Jason Fossen | Tuesday, September 15th, 8:15pm - 9:45pm | SANS@Night |
| Card Fraud 101 | G. Mark Hardy | Tuesday, September 15th, 8:15pm - 9:15pm | SANS@Night |
| A History of ATM Violence | Erik Van Buggenhout | Tuesday, September 15th, 8:15pm - 9:15pm | SANS@Night |
| Coding For Incident Response: Solving the Language Dilemma | Shelly Giesbrecht - Master's Degree Candidate | Tuesday, September 15th, 8:15pm - 8:55pm | Master's Degree Presentation |
Wednesday, September 16
| Session | Speaker | Time | Type |
|---|---|---|---|
| Vendor Solutions Expo | — | Wednesday, September 16th, 12:00pm - 1:30pm | Vendor Event |
| Vendor Solutions Expo | — | Wednesday, September 16th, 5:30pm - 7:30pm | Vendor Event |
| DLP FAIL!!! Using Encoding, Steganography, and Covert Channels to Evade DLP and Other Critical Controls | Kevin Fiscus | Wednesday, September 16th, 7:15pm - 8:15pm | SANS@Night |
| iOS Game Hacking: How I Ruled the Worl^Hd and Built Skills For AWESOME Mobile App Pen Test | Josh Wright | Wednesday, September 16th, 7:15pm - 8:15pm | SANS@Night |
| The Crazy New World of Cyber Investigations: Law, Ethics and Evidence | Ben Wright | Wednesday, September 16th, 7:15pm - 8:15pm | SANS@Night |
| Death from Above: Hands-On Drone and IoT Hacking | Josh Wright, Tim Medin, James Lyne, Steve Sims | Wednesday, September 16th, 7:15pm - 9:15pm | Special Events |
| Finding Evil in the Whitelist | Josh Johnson - Master's Degree Candidate | Wednesday, September 16th, 7:15pm - 7:55pm | Master's Degree Presentation |
| Meterpreter without Meterpreter | Mark Baggett | Wednesday, September 16th, 8:15pm - 9:15pm | SANS@Night |
| Hacking Back, Active Defense and Internet Tough Guys | John Strand | Wednesday, September 16th, 8:15pm - 9:15pm | SANS@Night |
| Smartphone and Network Forensics Goes Together Like Peas and Carrots | Heather Mahalik and Phil Hagen | Wednesday, September 16th, 8:15pm - 9:15pm | SANS@Night |
| Live Long and Prosper by Protecting SPoC! | David Belangia - Master's Degree Candidate | Wednesday, September 16th, 8:15pm - 8:55pm | Master's Degree Presentation |
Thursday, September 17
| Session | Speaker | Time | Type |
|---|---|---|---|
| A Methodology for Real-Time Automated Threat and Cyber Attack Detection | Pablo Garcia, Sales Engineer, Vectra Networks | Thursday, September 17th, 12:30pm - 1:15pm | Lunch and Learn |
| "Change the Game -Fight Those who Fight You" | Ronnie Tokazowski., Senior Research Engineer, PhishMe | Thursday, September 17th, 12:30pm - 1:15pm | Lunch and Learn |
| Crack the Code: Defeat the Advanced Adversary | Richard Porter, System Engineer, Palo Alto Networks | Thursday, September 17th, 12:30pm - 1:15pm | Lunch and Learn |
| Hackers are Equal Opportunity Businessmen: Everyone's a Target | John Thompson, Director, Systems Engineering, ThreatSTOP | Thursday, September 17th, 12:30pm - 1:15pm | Lunch and Learn |
| Sophos/Infogressive Lunch and Learn | Justin Kallhoff, CEO and Founder, Infogressive | Thursday, September 17th, 12:30pm - 1:15pm | Lunch and Learn |
| Tackling Application Security Challenges Through Progressive Scanning | Michael M. Class, Web Application Security Subject Matter Expert, Qualys | Thursday, September 17th, 12:30pm - 1:15pm | Lunch and Learn |
| Anomaly Detection: Boots on the Ground for 21st Century Cyber Warfare | Greg Wessel, COO, Triumfant | Thursday, September 17th, 12:30pm - 1:15pm | Lunch and Learn |
| Social Threat Intelligence (STI) | Trevor Welsh Principal Security Strategist, ThreatStream | Thursday, September 17th, 12:30pm - 1:15pm | Lunch and Learn |
| #SecurityisaMyth | Jeff Guilfoyle, Principal SE, Symantec Managed Security Services | Thursday, September 17th, 12:30pm - 1:15pm | Lunch and Learn |
| Debunking the Complex Password Myth | Keith Palmgren | Thursday, September 17th, 7:15pm - 8:15pm | SANS@Night |
| Malware Analysis Essentials using REMnux | Lenny Zeltser | Thursday, September 17th, 8:15pm - 9:15pm | SANS@Night |
Friday, September 18
| Session | Speaker | Time | Type |
|---|---|---|---|
| Making Awareness Stick | Lance Spitzner | Friday, September 18th, 7:15pm - 8:15pm | SANS@Night |
| Securing The Kids | Lance Spitzner | Friday, September 18th, 8:15pm - 9:15pm | SANS@Night |
