
Threat Hunting & IR Summit 2019

New Orleans, LA | Mon, Sep 30, 2019 - Mon, Oct 7, 2019

David Bianco may have missed his career calling if not for the chance convergence of his interest in computer science, his love of books, and a pesky intrusion. As part of a student system admin team for the computer science department, David had just finished reading Cliff Stoll's The Cuckoo's Egg when his team experienced their own small intrusion. "Even though I didn't know what I was doing AT ALL, I convinced my boss to allow me to work the investigation and he agreed," says David.

The rest, as they say, is history. Although he made many mistakes along the way (and luckily the intruder wasn't out to do any real damage), David learned a lot through the process and found that he loved the work, even though he didn't yet realize he could make a career out of it.

Since then, David has been involved in information security for more than 20 years, working with Fortune 500 companies, Wall Street firms, public utilities, and major universities on incident detection and response. He credits his early focus on network security with honing his skills in extracting the most information possible from just the network data, before moving ahead to other areas. Today, he's a Principal Engineer for cybersecurity at Target Corporation.

David wanted to be a SANS instructor since he took his first class, Security Essentials, almost 20 years ago. Today, he teaches SANS FOR572: Advanced Network Forensics: Threat Hunting, Analysis, and Incident Response. "There's just something amazingly fun about being able to pull apart network traffic and find out what's really going on!" says David.

Watching students have a lightbulb moment in class, then take that new skill back to their jobs and apply it right away, is one of the reasons David loves to teach. An area of professional focus for David is helping others get their security careers started and learn the technical skills necessary to shine. "I still remember how confusing it sometimes was to have to learn all this stuff for the first time, and I hope that shows in my teaching," he says. And due to the caliber of SANS instructors, "being able to call myself one is a useful benchmark for my own development as well."

In his classes, David teaches students to understand their work beyond the tools. "A good analyst knows how to use their tools, but a great analyst has the knowledge and experience necessary to understand and compensate for their tools' limitations," he says. As an instructor, David's goal is to give each student the technical skills and experience to approach any forensic challenge with confidence.

The biggest challenge David sees students encounter is the sheer number of different protocols and data formats in network forensics, many of which are undocumented (especially the malicious ones). He reminds students that the most important thing is to become comfortable working without a clear answer when faced with many unknowns. Treading the same ground over and over with a spirit of curiosity gives investigators incremental context along the way to a solution.

David contributes to the security community outside the classroom as well. A number of years ago he created a slide called "The Pyramid of Pain" for an internal presentation, then turned it into a post on his blog: https://detect-respond.blogspot.com. Today, the Pyramid is widely cited as a model for applying Cyber Threat Intelligence (CTI) to detection and response. "I feel really lucky to have been in a position where I had the support to formulate and distill my ideas about CTI into an easily-consumable form, and that they have resonated so well with the security community at large," he says.

In addition to blogging, David is the principal contributor to The ThreatHunting Project and active in the DFIR and threat hunting community, speaking and writing on the subjects of detection planning, threat intelligence, and threat hunting. He has written course material for the SANS Institute, served as a contributing editor for Information Security Magazine, and holds the GIAC GNFA certification.

Still an avid reader, David has a particular interest in the history of technology. Two of his favorite books are The Soul of a New Machine, by Tracy Kidder, and The Victorian Internet, by Tom Standage. He's also been known to play the Great Highland Bagpipes on occasion.

Qualifications Summary

  • Principal Engineer, Cybersecurity at Target Corporation
  • More than 20 years of experience working with Fortune 500 companies, Wall Street firms, public utilities, and major universities on incident detection and response
  • Creator of "The Pyramid of Pain," a widely cited model for applying CTI to detection and response
  • Principal contributor to The ThreatHunting Project
  • Former contributing editor for Information Security Magazine
  • Instructor for SANS FOR572: Advanced Network Forensics: Threat Hunting, Analysis, and Incident Response
  • GIAC Network Forensic Analyst (GNFA)

Get to Know David J. Bianco

  • Blog URL: https://detect-respond.blogspot.com
