Live, interactive cybersecurity training available through SANS Live Online. View upcoming events.

Tactical Detection Summit

Scottsdale, AZ | Tue, Dec 4 - Tue, Dec 11, 2018
This event is over,
but there are more training opportunities.

Summit Agenda

Summit agenda

We strive to present the most relevant, timely and valuable content. As a result, this agenda is subject to change. Please check back frequently for changes and updates.

Tuesday, December 4
9:00-9:15 am
Opening Remarks & Introductions

Justin Henderson (@SecurityMapper), Summit Co-Chair & Certified Instructor, SANS Institute
John Hubbard (@SecHubb), Summit Co-Chair & Certified Instructor, SANS Institute

9:15-10:00 am

Build it Once, Build it Right: Architecting for Detection

Defensible networks are designed to prevent and detect computer attacks, and are hardened at every layer. Per Richard Bejtlich, defensible networks "can be watched" and "limit an intruder’s freedom to maneuver." For example: modern malware often attempts to steal credentials and move laterally via tools such as WMIC, PSExec, and PowerShell. Most host-based firewalls can block (and log) based on applications such as PSExec. Prudent organizations use host-based firewalls to block and log network connections initiated by these tools from "regular" user desktops, and only allow authorized use from system administration drop boxes.
This talk focuses on designing a defensible security architecture that limits an intruder's ability to maneuver, and creates logs when it is successful in doing so. Specific examples will be provided that prevent recent malware such as Petya, NotPetya, SamSam, and others. We will provide an actionable list of techniques that prevent and detect the deadliest events that occur during virtually every successful breach.

Eric Conrad (@eric_conrad), Fellow, SANS Institute

10:00-10:35 am

Unconventional Logging and Detection

Log collection and detection go hand in hand, yet both are difficult. Are you allowed to deploy a log agent or not? Can you change system settings to generate the logs you need? The problem is the answer may be no to both questions. Even if the answer is yes, some detection capabilities cannot be done with standard logging and collection.

All is not lost. Windows, Linux, Unix, and Mac systems all have unconventional methods of log collection and detection that augment standard processes. This talk focuses on using alternative methods such as PowerShell, Python, or built-in binaries to generate custom logs and covers multiple use cases on what detection techniques those logs provide. Example: ARP cache poisoned? How about a detection technique that produces zero logs until it happens and then generates and ships off the record directly to your platform of choice.

Justin Henderson (@SecurityMapper), Systems and Security Architect, GSE # 108, Cyber Guardian Red/Blue; Summit Co-Chair

10:35-11:00 am Networking Break
11:00-11:35 am

Rapid Data Analysis Thunderdome: Many Visualizations Enter; Only One Leaves Alive!

We're going to virtually throw lots of models on the wall and see what sticks! All too often we forget the role of luck and happenstance in data analysis. This is a crude idea, done well-ish. Rather than spend cycles trying to develop the perfect dashboard, why not generate several dozen and pick which ones work best? Using one set of data, this tool generates dozens of visualizations, and lets you select the ones that are more meaningful to you.

Mick Douglas (@BetterSafetyNet), Managing Partner, InfoSec Innovations; Certified Instructor, SANS Institute

11:35 am - 12:10 pm

Wreck SIEM Noise: How to Build and Measure Effective Alerting

Security Incident Event Managers are prone to intense noise and alert fatigue. Focusing our limited resources on prioritized alerts is a key to success. This talk will share successful tactical concepts including initial approach, simple analysis techniques anyone can do, use case life-cycle and effective metrics to maintain success. While stepping through real life experiences, the talk will also discuss how these techniques convert information into intelligence and how these operations weave into engineering, content development, and architecture.

Frank Angiolelli (@fnksec), Strategic Consultant, Foundstone

12:10-1:30 pm

Lunch & Learn

BGP Hijacking by Example

Kevin Tyers, Technologist, LKDM

1:30-2:05 pm

The Tools of Tactical Detection: The Toolchain and Techniques That Power the Modern SOC

John Hubbard (@SecHubb), Summit Co-Chair, SANS Institute

Craig L. Bowser (@reswob10), Sr. Security Engineer, Dept. of Energy
Justin Henderson (@SecurityMapper), Instructor & Course Author, SANS Institute
Dave Herrald (@daveherrald), Staff Security Strategist, Splunk

2:05-2:40 pm

Machine Learning in Cybersecurity: Fact, Fantasy, and Moving Forward

In the last several years we have seen personal assistants like Alexa, self-driving cars, and automated foreign language translation all made possible by machine learning. Looking for new investment opportunities, the venture capital community has turned its attention to machine learning in cyber and is investing millions of dollars into the sector. Now, nearly every product advertises machine learning, which has led to confusion between what’s real and what’s marketing. This talk will demystify machine learning in cyber, separating fact from fantasy. We will discuss what machine learning is, why it is particularly challenging in cyber, and how to design machine learning applications that will have the biggest impact for your business.

Dan Liebermann, Lead Associate – Advanced Analytics, Booz Allen Hamilton

2:40-3:00 pm Networking Break
3:00-3:35 pm

Case Study: Detection with MITRE ATT&CK in the Energy Sector

The time before an adversary is detected continues to be excessive, averaging 6-12 months. Are you comfortable with an adversary having 180 days to pillage your data and have free reign? The MITRE ATT&CK framework was created to help aid defenders and significantly reduce dwell time (the time an adversary is on the network before being detected). The framework takes an “Assume Breach” stance, meaning you’ve already been compromised you just haven’t discovered it yet, and introduces detection methods to detect post-compromise tactics and techniques. This talk will focus on an introduction to the MITRE ATT&CK Framework and integration of open-source tools to increase cyber defenses and ensure your Blue Team can detect post-compromise techniques.

Christian Kopacsi (@1nf0s3cp1mp), Manager - Cyber Security Incident Response Team, Consumers Energy

3:35-4:10 pm

What's In a (User) Name? That Which we Call a Kevin...

I know, "kevin logged in from klaptop" is, well, boring. Why do we still give those useless logs to our analysts and admins? In a world with Active Directory, LDAP, and management databases, why should an analyst have to query five different systems to find out that "kevin" is in human resources but logging into a computer from payroll? The answer is: we should not!

Gather round as we talk about one of my favorite types of log enrichment, where we key on user names and machine names to save analysts time and make searching, alerting, and reporting faster and more useful for everyone. There may even be a bit of Python provided for those wanting to play at home.

Kevin Wilcox (@kmwilcox_), Information Security Specialist, Appalachian State University

4:10-4:45 pm

The Top 5 Things to Know About Azure Active Directory Logs

If you aren't leveraging your Azure Active Directory logs, you are missing a large part of your organization’s picture. This session will cover the fundamentals of the Azure AD logs, how to integrate these into your existing SIEM systems, and key events to look for that may indicate a compromise in your environment.

Mark Morowczynski @markmorow, Principal Program Manager, Microsoft

4:45-5:00 pm

Day 1 Wrap-Up & Closing Remarks

Justin Henderson (@SecurityMapper), Summit Co-Chair & Certified Instructor, SANS Institute
John Hubbard (@SecHubb), Summit Co-Chair & Certified Instructor, SANS Institute

6:00-8:00 pm Tactical Networking and Poolside Analytics (Reception)
Day 2

9:00-9:45 am

From Automation to Analytics: Simulating the Adversary to Create Better Detections

Security teams have more detection tools at their disposal than ever before, yet most are still struggling to find even the most basic malicious activity occurring in their environments. Building effective detection analytics requires realistic data and the ability to iterate quickly in a rapid analytic development cycle. In this talk, we will introduce a full lifecycle attack simulation and analytics development environment featuring the MITRE ATT&CK framework and the Atomic Red Team project using Splunk and Splunk Phantom mapped to an imaginary APT group, Taedonggang. We will focus on how security teams can use such a system to rapidly develop and share new detection analytics. Links to all components referenced in the talk will be provided, including a cloud-based dataset that can act as a playground for users who want to see the results of the activity. All use of the commercial software will be limited to free/Enterprise trial/Community editions.

Dave Herrald (@daveherrald), Staff Security Strategist, Splunk
Ryan Kovar (@meansec), Senior Security Architect, Splunk

9:45-10:20 am

Using Open Source Tools for Data Analytics: Learning from a Corpus of Endpoint Snapshots

It is a common practice among security analysts to take snapshots from different systems for further analysis. To that purpose, there are few tools that work in a similar manner: they work as proxies of a set of operating system calls that are executed, whose logs and outputs are captured, then parsed and, finally, transferred to a central location. An example of such tool is rastrea2r, an open source tool that executes around 20 windows commands, captures their output, and stores those logs on a central repository. Usually, snapshot tools capture the processes a system is currently running, all cached DNS queries, part of the web history, etc. The resulting information is usually referred as endpoint snapshot.

One endpoint snapshot contains information particular to one machine, but a few hundred is in fact a powerful source of friendly intelligence. Defining a notion of similarity among snapshots and using it for clustering them can answer many key questions.

Gabriel Infante-Lopez, Principal Engineer, McAfee

10:20-10:40 am Networking Break

10:40-11:15 am

Forgotten But Not Gone: Gathering NTFS Artifacts of Deletion

While endpoint threat monitoring tools are powerful, many lack ways to quickly and efficiently recover evidence of deleted information. This deleted information may include evidence of staging tools, exfiltration files and malware that attackers clean up as they go. How can you track an attacker through your environment if they are cleaning up after themselves? Learn how to pull back and leverage two files on the system, the MFT and the NTFS Index Attribute, to discover evidence of deleted files. Once an attacker’s favorite staging location is known, this technique can be scaled up and automated to sweep an environment to locate and analyze evidence of deleted files.

Mari DeGrazia (@MariDeGrazia), Director, Incident Response, Kroll
Scott Hanson, Director, Kroll

11:15-11:50 am

Keeping Up with the Joneses: SIEM Rules Edition

Keeping up with the evolving landscape of threats and attacker techniques can feel like an uphill battle. Many environments leverage a SIEM to perform log correlation and analysis, and keeping rules current is a challenge. To combat the burden of "keeping up with the Joneses" SIEM rules, this presentation will detail a new initiative to develop, share, and assess the latest and greatest in alerting logic—the Threat Alert Logic Repository (TALR). TALR is a repository of approved SIEM rules, designed for quick and easy translation into the SIEM tool of your choice. This repository will be publicly hosted and serve to keep SIEM engineers and analysts up-to-date on alert logic.

Attendees will gain a comprehensive overview of TALR and understand how to incorporate it into their cyber environments as a way to remain on the cutting edge of alerting logic.

Nick Ascoli, Consultant, Security Risk Advisors

Kevin Foster, Manager, Security Risk Advisors

11:50-1:1:15 pm Lunch

1:15-2:00 pm


Data Science and Domain Expertise

Data science is the capability to automatically find needles in a haystack. Yet some needles are good, some are evil, and others are just plain confusing. This panel is a discussion on the impact of applying domain expertise to data science and whether one can exist without the other.

Moderator: Justin Henderson (@SecurityMapper), Systems and Security Architect, GSE # 108, Cyber Guardian Red/Blue; Summit Co-Chair


Gabriel Infante-Lopez, Principal Engineer, McAfee

Kristen Quade @BlueTeamQuade, Data Scientist, NERC

Austin Taylor (@HuntOperator), Director of Cybersecurity R&D, IronNet Cybersecurity; Community Instructor, SANS Institute

2:00-2:35 pm

Sharing is Caring: Improving Your Detection Capability with the Sigma Framework

To succeed in cyber defense, the blue team needs to start sharing, the problem is our tools aren't doing us any favors. Vendor lock-in and incompatible signature storage formats make import and export of SIEM rules across products difficult, hindering our ability to share with the community. What if there was another way? The Sigma framework is a new effort from Florian Roth and Tomas Patzke that aims to solve this problem. It works by defining a new, generic signature format that is easy to use and allows anyone to convert rules to work with their own SIEM, and it could be a major step forward in solving this problem. This talk will discuss how Sigma works, how it can help you write better and more maintainable detection rules, and why I think it is an important step forward for the blue team.

John Hubbard (@SecHubb), Summit Co-Chair & Certified Instructor, SANS Institute

2:35-3:00 pm Networking Break

3:00-3:35 pm

Measure Your Bad Self: The SIEMquel

Here's an obvious statement: Without logs, a SIEM is practically useless.

But unhealthy logs are worse than no logs at all. Sick logs lead to false feelings of security (because alerts don't fire due to missing logs from some machines), longer investigations (because critical logs were not collected), and misleading reports (because missing data skews calculations). A previous talk by Carson Zimmerman discussed the importance of measuring your data ("Measure your bad self" SANS SOC Summit 2018). In this talk I am going to build on his talk by showing how to apply the concepts and theories he lays out to your SIEM. This talk will cover the definition of healthy logs and sick logs, the four areas we need to measure our logs, and practical methods for measuring and monitoring.
Craig L. Bowser (@reswob10), Sr. Security Engineer, Dept. of Energy

3:35-4:10 pm

Users as a Data Source: Are You Leveraging Security-Aware Employees in Your Detection Strategy?

After years of users being trained to report phishing emails, they are now providing great intel that you didn’t even have to pay for. Are you using it to search for badness in your environment – sending it to your SIEM – or to your data lake? Are you sharing those free IOCs with your Threat Intel teams that are trying to protect your brand? Pushing the IOCs to your endpoints to protect your assets when they’re off your network?

Tonia Dudley, Director, Cofense

4:10-4:45 pm

Applied Data Science and Machine Learning for Cybersecurity

Determining which machine learning algorithm to use and where to use it can be difficult.
This talk will discuss various machine learning classifiers that you can use for popular attack
techniques and provide steps to operationalize the results in your investigation.

Austin Taylor (@HuntOperator), Director of Cybersecurity R&D, IronNet Cybersecurity; Community Instructor, SANS Institute