Hunting and Sniper Forensics
- Jason Lawrence
- Thursday, March 14th, 8:15pm - 9:15pm
For years security analysts and practitioners have claimed that: "There are two types of companies in this country, those who know they've been hacked, and those who don't know they've been hacked."
Assuming this assertion is correct, companies need to start approaching incident response in a different way. Incident response teams will need to hunt down the adversary in their network and with sniper precision "take them out". The time has come for a more proactive approach to incident handling and response. To that end this talk will explore the art behind hunting down the "Advanced Persistent Threat" lurking in our networks. Once the adversary has been located phase two of this approach will kick in, and with the precision of a trained sniper, the incident responder will collect the evidence needed to determine the sources of the breach. Furthermore, with sniper forensics the incident handler will not need to sift through Terabytes upon Terabytes of evidence. This limited scoping of the evidence to be collected will enable the response team to focus on the adversary's next target of exploitation.
The first step of this approach is to "hunt"; this process scans through the network searching for deviations from the norm. These deviations can be in the form of auto-run programs that are not part of the corporate gold build for workstations. Other possible indicators include, but are not limited to, workstations communicated directly with one another or irregular DNS queries. Once these deviations have been identified it is time to focus on the hunt and start profiling the adversary's activities on the network.
This talk will walk through both of these phases exposing the audience to a repeatable defensible methodology. This begins with knowing what is normal in your environment and what is a deviation. Many of the most recent breaches took many months to detect; this lack of detection does not necessarily indicate a lack in security controls or compliance. According to Sun Tzu in the Art of War:
"If you know your enemies and know yourself, you will not be imperiled in a hundred battles; if you do not know your enemies but do know yourself, you will win one and lose one; if you do not know your enemies nor yourself, you will be imperiled in every single battle."
To that end it is crucial to know your networks and systems, understand and learn the adversary's TTP, hunt down and remove the enemies lurking in your network.
About Jason Lawrence
Jason works for the Dell SecureWorks Corporate Incident Response Team (CIRT) as a Security Analysis Senior Advisor focusing on internal incident response and digital forensics. He has developed processes and procedures to reduce incident impact and cost.
Jason also serves as the President of the Atlanta chapter of the HTCIA and on the board for directors of the Atlanta chapter of the ISSA.
On his off hours Jason enjoys teaching SANS Forensics curriculum as part of the SANS Mentor program. He holds a masterās degree in information security and assurance (MSISA), and numerous security certifications such as: GCFA, GCIH, G2700, CISSP, CHFI, CEH and CISA.
Jason firmly believes that the only way to truly be secure is by educating others, and he lives by this principle. Furthermore, if you take the time and listen, you can learn from anyone, mostly from your students.
Bonus Sessions
The following bonus sessions are open to all paid attendees at no additional cost. There are many different types of events that fall into these categories:
- SANS@Night: Evening presentations given after day courses have ended. This category includes Keynotes.
- Special Events: SANS-hosted events and other non-technical recreational offerings. This category includes, but is not limited to, Receptions and Information Tables.
- Vendor: Events hosted by external vendor exhibitors.
- Lunch & Learn: Short presentations given during the lunch break.
Sunday, March 10
| Session | Speaker | Time | Type |
|---|---|---|---|
| General Session - Welcome to SANS | Dr. Eric Cole | Sunday, March 10th, 8:15am - 8:45am | Special Events |
| There's a reason they're called persistent. | H. Michael Nichols, Technical Product Manager | Sunday, March 10th, 12:30pm - 1:15pm | Lunch and Learn |
| Dream Big | Suliman Al-Mazroua | Sunday, March 10th, 12:30pm - 1:15pm | Lunch and Learn |
| Fortinet Next Generation Firewalls | Infogressive Founder & CEO Justin Kallhoff | Sunday, March 10th, 12:30pm - 1:15pm | Lunch and Learn |
| The Good, the Bad and the Broken | Bill Olson, CISSP - Subject Matter Expert for VM | Sunday, March 10th, 12:30pm - 1:15pm | Lunch and Learn |
| Splunk Lunch & Learn | — | Sunday, March 10th, 12:30pm - 1:15pm | Lunch and Learn |
| Rapid7 Lunch & Learn | Paul Chu | Sunday, March 10th, 12:30pm - 1:15pm | Lunch and Learn |
| APT: It is Not Time to Pray, It is Time to Act | Dr. Eric Cole | Sunday, March 10th, 7:15pm - 9:15pm | Keynote |
| Project Management Approach to Yearly PCI Compliance Validation | Michael Hoehl | Sunday, March 10th, 7:15pm - 7:55pm | Special Events |
| Phish Stories: Technical Intervention when Humans Fail | Rich Graves | Sunday, March 10th, 8:00pm - 8:40pm | Special Events |
| Small Business: The New Target -- What Can They Do? | Robert L Comella | Sunday, March 10th, 8:45pm - 9:30pm | Special Events |
Monday, March 11
| Session | Speaker | Time | Type |
|---|---|---|---|
| Vendor Solutions Expo | — | Monday, March 11th, 12:00pm - 1:30pm | Vendor Event |
| Vendor Solutions Expo | — | Monday, March 11th, 5:00pm - 7:00pm | Vendor Event |
| Social Zombies: Rise of the Mobile Dead | Kevin Johnson & Tom Eston | Monday, March 11th, 7:15pm - 8:15pm | SANS@Night |
| Knock-off Phone Forensics -Some Handsets Aren't What They Appear To Be | Heather Mahalik | Monday, March 11th, 7:15pm - 8:15pm | SANS@Night |
| Please Keep Your Brain Juice Off My Enigma: a True Story | Ed Skoudis & Josh Wright | Monday, March 11th, 7:15pm - 8:15pm | SANS@Night |
| Over-Zealous Social Media Investigations: Beware the Privacy Monster | Ben Wright | Monday, March 11th, 8:15pm - 9:15pm | SANS@Night |
| Introduction to Windows Kernel Exploitation | Stephen Sims | Monday, March 11th, 8:15pm - 9:15pm | SANS@Night |
Tuesday, March 12
| Session | Speaker | Time | Type |
|---|---|---|---|
| How to Become a SANS Instructor | Eric Conrad | Tuesday, March 12th, 12:30pm - 1:15pm | Lunch and Learn |
| Making the GRC Grade - How to Realize Continuous Compliance | Wallace Sann, Director of Systems Engineering | Tuesday, March 12th, 12:30pm - 1:15pm | Lunch and Learn |
| The Evolution of Vulnerability Management | Jack Daniel, Product Manager | Tuesday, March 12th, 12:30pm - 1:15pm | Lunch and Learn |
| The Windows Desktop: A Hackerās Best Friend? It Doesnāt Have To Be. | Derek Melber, Microsoft MVP | Tuesday, March 12th, 12:30pm - 1:15pm | Lunch and Learn |
| APTs As a Threat | Aaron Ansari, Director, Eastern US & Canada | Tuesday, March 12th, 12:30pm - 1:15pm | Lunch and Learn |
| Stop Spear-Phishing and Watering Hole Attacks | Chadd Milton | Tuesday, March 12th, 12:30pm - 1:15pm | Lunch and Learn |
| Women in Technology Meet and Greet | Karen Fioravanti | Tuesday, March 12th, 5:30pm - 6:30pm | Special Events |
| GIAC Program Overview | Jeff Frisk, GIAC Program Director | Tuesday, March 12th, 7:15pm - 8:15pm | Special Events |
| Hacking Your Friends and Neighbors For Fun | Joshua Wright | Tuesday, March 12th, 7:15pm - 8:15pm | SANS@Night |
| Panel - How Do We Secure The Human | Panel Members | Tuesday, March 12th, 7:15pm - 8:15pm | SANS@Night |
| Securing the Kids | Lance Spitzner and Rich Wistocki | Tuesday, March 12th, 8:15pm - 9:15pm | SANS@Night |
| InfoSec in the Financial World: War Stories and Lessons Learned | Bryan Simon | Tuesday, March 12th, 8:15pm - 9:15pm | SANS@Night |
| Open Mic Night | Brought to you by SANS Online Training | Tuesday, March 12th, 8:30pm - 10:30pm | Special Events |
Wednesday, March 13
| Session | Speaker | Time | Type |
|---|---|---|---|
| SANS Technology Institute Open House | Ray Davidson | Wednesday, March 13th, 7:15pm - 8:15pm | Special Events |
| Who's Watching the Watchers? | Mike Poor | Wednesday, March 13th, 7:15pm - 8:15pm | SANS@Night |
| Human Nature and Information Security: Irrational and Extraneous Factors That Matter | Lenny Zeltser | Wednesday, March 13th, 7:15pm - 8:15pm | SANS@Night |
| Why Our Defenses Are Failing Us. One Click Is All It Takes... | Bryce Galbraith | Wednesday, March 13th, 8:15pm - 9:15pm | SANS@Night |
| You Can Panic Now. Host Protection is (Mostly) Dead. | Rob Lee | Wednesday, March 13th, 8:15pm - 9:15pm | SANS@Night |
| "Hall of Shame" Apps in the Apple App Store and Google Play | Tom Eston | Wednesday, March 13th, 8:15pm - 9:15pm | SANS@Night |
Thursday, March 14
| Session | Speaker | Time | Type |
|---|---|---|---|
| Tales from the Crypt: TrueCrypt Analysis | Hal Pomeranz | Thursday, March 14th, 7:15pm - 8:15pm | SANS@Night |
| Finding Unknown Malware | Alissa Torres | Thursday, March 14th, 7:15pm - 8:15pm | SANS@Night |
| Honeypots For Home Use | James Leyte-Vidal | Thursday, March 14th, 7:15pm - 8:15pm | SANS@Night |
| Physical Repair of Mobile Devices - Practical Tips & Tricks For When Good Evidence Gets Broken | Det. Cindy Murphy | Thursday, March 14th, 8:15pm - 9:15pm | SANS@Night |
| Hunting and Sniper Forensics | Jason Lawrence | Thursday, March 14th, 8:15pm - 9:15pm | SANS@Night |
