Rocky Mountain 2017

Denver, CO | Mon, Jun 12 - Sat, Jun 17, 2017
Welcome Threat Hunters, Phishermen, and Other Liars

  • Rob Lee
  • Monday, June 12th, 7:15pm - 9:15pm

Over the past few years, a new term has continually popped up in the IT Security community called "Threat Hunting." While the term seems like it is a new thing, it is the reason all of us joined IT Security in the first place. We "Find Evil." While I was at Mandiant and in the US Air Force, "Finding Evil" was our tagline while we were on engagements.

The concept and root idea of Threat Hunting is nothing new. When I first started in IT Security back in the late 90s, my job was to find threats in the network. This led to automated defenses such as Intrusion Detection Systems, monitoring egress points, logging technology, and monitoring the defensive perimeter while hoping nothing would get in. Today, as the community works to identify intrusions, threat hunting has evolved into something more than the loose definition of "Find Evil," primarily because of the massive amount of incident response data now collected about our attackers. This data has evolved into Cyber Threat Intelligence (CTI).

It is hard to simply "Go Find Evil," but with a bit of CTI in the mix (essentially, what you might be looking for, or what your adversaries are likely interested in) the hunt becomes far more targeted. These indicators are used to great effect when applied properly and proactively against a threat group. Threat hunting has improved the accuracy of threat detection because we can focus our searching on the adversaries exploiting our networks: humans hunting humans. Even once you know where to look, hunting across an enterprise is a large task, and tools are now being introduced to make it more practical.

This talk outlines what "Threat Hunting" actually means and steps you through what threat hunting is and how it works.


Bonus Sessions

The following bonus sessions are open to all paid attendees at no additional cost. The events fall into these categories:

  • SANS@Night: Evening presentations given after day courses have ended. This category includes Keynotes.
  • Special Events: SANS-hosted events and other non-technical recreational offerings. This category includes, but is not limited to, Receptions and Information Tables.
  • Lunch & Learn: Short presentations given during the lunch break.

Each entry below lists Session | Speaker | Time | Type.

Monday, June 12

  • General Session - Welcome to SANS | Keith Palmgren | Monday, June 12th, 8:00am - 8:30am | Special Events
  • Welcome Threat Hunters, Phishermen, and Other Liars | Rob Lee | Monday, June 12th, 7:15pm - 9:15pm | Keynote

Tuesday, June 13

  • Dissecting various real-world DGA variants | Sean Ennis, Senior Systems Engineer, Cybereason | Tuesday, June 13th, 12:30pm - 1:15pm | Lunch and Learn
  • SOC-as-a-Service: All the Benefits of a Security Operations Center without the High Costs of a DIY Solution | James McCarthy, Systems Engineer, Arctic Wolf Networks | Tuesday, June 13th, 12:30pm - 1:15pm | Lunch and Learn
  • Women's CONNECT Event | Hosted by SANS COINS program and ISSA WIS SIG | Tuesday, June 13th, 6:00pm - 9:15pm | Special Events
  • Quality not Quantity: Continuous Monitoring's Deadliest Events | Eric Conrad | Tuesday, June 13th, 7:15pm - 8:15pm | SANS@Night
  • Anti-Ransomware: How to Turn the Tables | G. Mark Hardy | Tuesday, June 13th, 8:15pm - 9:15pm | SANS@Night

Wednesday, June 14

  • How to Become a SANS Instructor | Eric Conrad | Wednesday, June 14th, 12:30pm - 1:15pm | Lunch and Learn
  • SANS Graduate Program - Prospective Student Social | Wednesday, June 14th, 5:15pm - 7:15pm | Special Events
  • So, You Wanna Be a Pentester? | Adrien de Beaupre | Wednesday, June 14th, 7:15pm - 8:15pm | SANS@Night
  • Collecting and Exploiting Your "Private" Internet Data using OSINT | Micah Hoffman | Wednesday, June 14th, 8:15pm - 9:15pm | SANS@Night

Thursday, June 15

  • Internet of Things (IoT) and Embedded Device Security Research - A Primer | Billy Rios | Thursday, June 15th, 7:15pm - 8:15pm | SANS@Night