
Threat Hunting & IR Summit 2020 - Live Online

Virtual, US Eastern | Thu, Sep 10 - Sat, Sep 19, 2020

Threat Hunting & Incident Response Summit Agenda

Live Online | September 10 - 11


Thursday, September 10
9:00-9:10 am EDT

Welcome & Opening Remarks

Matt Bromiley @_bromiley, SANS Institute
Phil Hagen @philhagen, SANS Institute

9:10-9:50 am EDT

Open NDR and the Great Pendulum

Greg Bell, Co-Founder & Chief Strategy Officer, Corelight

9:50-10:00 am EDT Break
10:00-10:40 am EDT

New Tools for Your Threat Hunting Toolbox

Mark Baggett, @MarkBaggett, Owner, Indepth Defense; Senior Instructor & Author, SANS Institute

Join Mark Baggett as he discusses new tools, and new features of older tools, that enhance your threat hunting capability. This short talk will give you the insight you need to begin hunting for phishing domains and command-and-control channels on your networks. We will discuss the installation and configuration of tools that will have you threat hunting in no time.

10:45-11:10 am EDT

Applying Fraud Detection Techniques to Hunt Adversaries

Nicole Hoffman, @threathuntergrl, Threat Research Analyst, Shadowscape

Like information security professionals, fraud analysts are inundated with data and often experience alert fatigue. As a former fraud analyst, I was often wasting time chasing false positives and I felt as though I wasn’t making a difference. By incorporating a proactive approach, I was able to identify more fraudulent activity. In this presentation, I would like to discuss how the proactive techniques I utilized as a fraud analyst can be successfully applied to hunting cyber adversaries. Some of the techniques include behavioral analytics, data visualization, and cultivating an adversarial mindset. The presentation will discuss financial crimes, but it is first and foremost a hunting story.

11:10-11:20 am EDT Break

11:20 am - noon

External Threat Hunters are Red Teamers

David Maynor, @Dave_Maynor, Black Lotus Labs Analysis Lead, CenturyLink
Jorge Orchilles, @jorgeorchilles, CTO, SCYTHE

This talk introduces a relatively new concept in threat hunting: external threat hunters use techniques similar to those of red teamers to build a repeatable hunting model, using an intermediary payload system to provide insight, awareness, and action.

12:00-12:25 pm EDT

Threat Hunting and the Platypus - Why Information Modeling is Essential, yet Challenging

Jason Keirstead, Chief Architect, Threat Management, IBM Security

Building your threat management practice around a sane cybersecurity information architecture is essential. Without one, the security information you have to work with tends not to look the same: it is stored in different places, in different formats, and is accessed through disparate APIs and proprietary detection languages. Without a model to organize your data against, threat hunting becomes very hard, and building detection analytics, machine learning, and AI models becomes extremely difficult.

Practitioners often like to pretend that this problem can be solved with a simplistic "detection Swiss army knife" approach. However, defining a robust information architecture is not simple. Just as there are too many cybersecurity tools, there are now also too many data models, each with its own pros and cons. Even after you settle on a model, mapping data from tools to that model is not simple and is often fraught with challenges.

In this talk we will explore what a cybersecurity information architecture looks like, and why it is so important. We will go over what data models are currently gaining traction in industry, why, and explore best practices around how to map data to models and develop analytics on top of them, and how you can avoid common pitfalls in your information architecture rollout.

We will also talk about a Platypus.

12:25-1:30 pm EDT Lunch
1:30-2:10 pm EDT

A Tale of Two Hunters: Practical Approaches for Building a Threat Hunting Program

Peter Ortiz, Director of Global Solution Services, Strategic Advisor, Cybereason

This talk is for CISOs, SOC Managers, and threat hunting visionaries who want to build or mature their threat hunting programs and presents two different examples of what good looks like.

Read any cyber security article or talk to any security vendor and you'll see threat hunting presented as the sign of a hyper-mature team. So how do you mature a threat hunting team? This is a tale of two teams: one built with a scrappy attitude, dreams of greatness, and a desire to transform company culture toward cybersecurity; the other built with cutting-edge tech, a need to go faster, and a drive to give clients the insights they deserve.

This presentation shows two approaches to maturing an existing team of analysts, one which began from having the methodology and the other which grew from having the tools, and the different approaches to fostering both teams towards understanding threats so they can explain the business impact to reduce risk.

2:10- 2:35 pm EDT

Leveraging Beacon Detection Techniques to Identify Anomalous Logons

Fred Nolte, Senior Cybersecurity Analyst, Threat Hunting, Target
Nikita Jain, Cybersecurity Analyst, Incident Response, Target
Dante Razo, Intern, Incident Response, Target
Jacob Alongi, Intern, Incident Response, Target

Attackers attempting to compromise passwords via brute forcing or password spraying usually do so with the help of automated scripts. Sophisticated versions of these scripts may borrow techniques from C2 frameworks, such as implementing sleep timers and jitter between login attempts. In this talk, we'll walk through how we applied C2 beacon analysis techniques to look for evidence of an adversary performing password spraying.
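The abstract above describes reusing C2 beacon analysis against authentication logs; the following is an added illustration of that idea, written for this page and not code from the Target team. It assumes a constructed, hypothetical log format (ISO timestamp, source IP, username, outcome) and simply measures how regular the inter-arrival times of attempts from each source are: a sprayer with a sleep timer and jitter produces intervals that cluster tightly around its period, whereas a human's logons do not. The thresholds (minimum attempts, maximum coefficient of variation, minimum distinct accounts) are assumptions chosen for the sample data.

```python
"""Beacon-style timing analysis of logon attempts (added example).

Input format is constructed for this example: "<ISO time> <src ip> <user> <outcome>".
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

MIN_ATTEMPTS = 5   # need enough samples before calling timing "regular"
MAX_CV = 0.2       # stdev/mean of intervals; sleep+jitter scripts stay well below this
MIN_USERS = 3      # spraying rotates accounts; a user retyping a password does not

# Constructed sample: 10.0.0.5 sleeps ~60s with ~10% jitter and tries one password
# per account; 192.168.1.20 is a person logging in at irregular times.
SAMPLE_LOG = """\
2020-09-10T09:00:00Z 10.0.0.5 alice FAIL
2020-09-10T09:01:03Z 10.0.0.5 bob FAIL
2020-09-10T09:01:58Z 10.0.0.5 carol FAIL
2020-09-10T09:03:04Z 10.0.0.5 dave FAIL
2020-09-10T09:03:57Z 10.0.0.5 erin FAIL
2020-09-10T09:05:02Z 10.0.0.5 frank FAIL
2020-09-10T09:06:00Z 10.0.0.5 grace FAIL
2020-09-10T09:00:12Z 192.168.1.20 alice SUCCESS
2020-09-10T09:00:40Z 192.168.1.20 alice FAIL
2020-09-10T09:07:15Z 192.168.1.20 alice SUCCESS
2020-09-10T09:45:02Z 192.168.1.20 alice SUCCESS
2020-09-10T11:12:33Z 192.168.1.20 alice SUCCESS
"""


def parse(log_text):
    """Yield (timestamp, src, user, outcome) tuples from the constructed format."""
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, user, outcome = line.split()
        yield datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, user, outcome


def analyze(log_text):
    """Per source: attempt count, distinct accounts, mean interval, CV, and a verdict."""
    by_src = defaultdict(list)
    for ts, src, user, _outcome in parse(log_text):
        by_src[src].append((ts, user))

    results = {}
    for src, attempts in by_src.items():
        attempts.sort()  # analysis is over time-ordered attempts
        intervals = [(b[0] - a[0]).total_seconds() for a, b in zip(attempts, attempts[1:])]
        users = {u for _, u in attempts}
        if len(intervals) >= 2 and mean(intervals) > 0:
            avg = mean(intervals)
            cv = pstdev(intervals) / avg  # low CV == beacon-like regularity
        else:
            avg, cv = None, float("inf")
        results[src] = {
            "attempts": len(attempts),
            "distinct_users": len(users),
            "mean_interval": avg,
            "cv": cv,
            "beacon_like": (len(attempts) >= MIN_ATTEMPTS
                            and len(users) >= MIN_USERS
                            and cv <= MAX_CV),
        }
    return results


if __name__ == "__main__":
    for src, r in analyze(SAMPLE_LOG).items():
        print(src, r)
```

In the sample, the scripted source has a mean interval of 60 seconds with a coefficient of variation under 0.1 across seven accounts and is flagged; the interactive user's intervals vary by orders of magnitude and are not. In a real hunt the same per-source grouping works against Windows 4625/4771 events or cloud sign-in logs, and the user-rotation check is what separates spraying from a single brute-forced account.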

2:35-2:45 pm EDT Break
2:45-3:25 pm EDT

Started from the Bottom: Exploiting Data Sources to Uncover ATT&CK Behaviors

Jose Rodriguez @Cyb3rPandaH, Consultant for MITRE, JVT Advisors
Jamie Williams, @jamieantisocial, Lead Cyber Adversarial Engineer, The MITRE Corporation

The world is full of adversaries, malware, and other baddies that want to do harm. Fortunately, as defenders we have home-field advantage, which comes with a wealth of data that can help us identify threats lurking in our environment. But are we fully recognizing all of the potential in our data? Can we confidently answer seemingly simple questions like: what is process monitoring; how does data about processes relate to other system events generated during a breach; are adversaries still needles in our haystacks?

This talk will be a practical illustration of how we can avoid the typical cat and mouse games by modeling the data sources defined in ATT&CK to recognize, track, and even predict the malicious scent of adversaries. We will use lab experiments where we emulate real-world threat behaviors to demonstrate how a data-driven hunt approach can help you get inside the adversary's head and rewire your existing logs into a rich trail of evidence.

3:25-3:50 pm EDT

The SOC Puzzle: Where Does Threat Hunting Fit?

Ashley Pearson, @onfvp, Threat Hunter at USAF Computer Emergency Response Team

Threat hunters, incident responders, malware analysts, and detection engineers are all pieces that come together to form a fully functional Security Operations Center (SOC).

If employed correctly, threat hunters are the linchpin in an organization. A mature threat hunting team is vital to shifting the organization from a reactive posture to a proactive one.

This begs the question: How do you integrate your threat hunting team with traditional SOC roles and pre-established processes? This talk will cover threat hunting methodologies and how they complement the roles and responsibilities of traditional positions within a SOC. Ultimately, we’ll be demonstrating how effectively employing your threat hunters can drastically lower your overall mean time to detect adversaries and respond to incidents.

3:50-4:00 pm EDT Break
4:00-4:40 pm EDT

Big Game Hunting: Major FIN threat joins the targeted Ransomware-as-a-Service (RaaS) scene via a Valak partnership

John Dwyer @TactiKoolSec, North American Threat Assessment Lead, IBM X-Force IRIS
Christopher Kiefer, Threat Hunt and Intelligence Analyst, IBM X-Force IRIS

Have you been tracking the development of the Valak malware? If not, you should be. This talk provides an overview of the Valak malware and reviews a case study of a real-world Valak infection that turned into a targeted ransomware incident with ties to a well-known FIN threat group. The speakers will also discuss ransomware-as-a-service (RaaS) insights that resulted from threat hunting and the incident investigation.

Attendees will gain insight into the attackers' tactics, techniques, and procedures (TTPs) to help build a detection strategy for these types of incidents, and will see why integrating threat intelligence into incident response matters.

4:45-5:00 pm EDT

Day 1 Wrap-Up

Matt Bromiley @_bromiley, SANS Institute
Phil Hagen @philhagen, SANS Institute

Friday, September 11
9:00-9:10 am EDT

Welcome & Opening Remarks

Matt Bromiley @_bromiley, SANS Institute
Phil Hagen @philhagen, SANS Institute

9:10-9:50 am EDT

Keynote

Raising the Tide: Driving Improvement in Security By Being a Good Human

David J. Bianco @DavidJBianco, Target; SANS Institute

They say “a rising tide floats all boats” and on the surface you might think the Information Security tide is pretty high: the demand for our services continues to grow, we are well-paid, and every day brings us new and interesting problems to work on. Not all is well in the harbor, though: getting your first job in infosec is hard, we’re subject to high levels of burnout, and many of the ways we communicate with each other can feel like cesspools of gatekeeping and toxic negativity. Yet solving these problems is crucial if we hope to stay afloat.

“But I’m only one person! What can I possibly do to make things better?” Change is always driven by individuals, and it takes surprisingly few of us to make things better! In this session, we’ll discuss three simple things that we can each do to help raise the tide for the entire security industry.

9:50-10:00 am EDT Break
10:00-10:40 am EDT

Hunting Immaturity Model

Mangatas Tondang, @tas_kmanager, Security Specialist, Bell Canada

So you are a SOC team lead and you finally hire your first threat hunter. Great! ...or not! Do you really know what they should do? Do they really know what they should do? Is your personal research on threat hunting good enough? What about reality, will it disturb your dream of a perfect threat hunting program?

With the Hunting Maturity Model (HMM) available out there to track your progress on the threat hunting program, it's easy to see the next thing you need to do to achieve the next maturity level. But what if you feel your hunt team is mature and you (or even worse, management!) don't see any impact in the company? No real alert ever fired? Too many alerts fired daily? Confusion on the SOC floor when an alert fired? The hunt team can't explain the detection they've made? Am I going to lose my job?

That's why I made this Hunting Immaturity Model (HIM). This model will track some of the most dangerous traps and pitfalls that hunt teams see in the real world. We will have different levels of immaturity, their unique symptoms and signs, and ways you can avoid these pitfalls in your workplace.

Why learn from your own mistakes when you can learn from someone else's mistakes!

10:45-11:10 am EDT

WinSCP: Yeah You Know Me!

Mari DeGrazia @MariDeGrazia, Another Forensics Blog

There are many ways attackers can move laterally throughout an environment. With some recent changes to Windows 10, WinSCP can be an attractive tool for attackers to use not only for data exfiltration but for lateral movement as well. Join me on a trip through the 90s as we cover WinSCP, the artifacts it leaves behind, and how to hunt for WinSCP-related lateral movement at scale.

11:10-11:20 am EDT Break

11:20 am - noon

Machine Learning Meets Regex Rule Engine: How to Build Your Own Domain Name Rule Engine and Enable the Deployment of Statistical Models

David Rodriguez @dvidrdgz, Technical Lead, Cisco Systems

From Snort to YARA to Zeek (formerly known as Bro), rule engines have an important role in a threat hunter’s incident response toolkit. In this talk, we’ll discuss the fundamentals of a rule engine and how to build your own, focusing on the core ability to apply regular expressions in complex sequences to domain names found in DNS traffic. We’ll focus on a new sequence capability based on linear combinations of individual regular expressions, extending a traditional rule engine to act as a linear model. Using a snapshot of a couple million newly seen domains from Cisco Umbrella’s global resolver fleet, we will explore the capabilities of this rule engine to identify malicious domains used in phishing attacks, along with benign whitelist domains that can be eliminated from ongoing investigation to help reduce false positives.

We’ll discuss how the small research team at Cisco Umbrella bootstrapped a rule engine: 1) building brute-force permutations of high-value brand names for monitoring, 2) harvesting malicious substring neighborhoods in known phishing domains, 3) clustering lexically similar domains and extracting the lexical pattern in the form of a regex, and lastly 4) enabling the deployment of statistical models, all within one framework. In closing, we’ll discuss how we built a serverless framework to backtest all our rules, enabling the replay of millions of events, along with the process we use for vetting and deciding when a rule is ready for production deployment.

In summary, attendees will learn the fundamental concepts of a rule engine and how to build their own. We’ll discuss how to bootstrap a vanilla rule engine with thousands of patterns to provide a base level of threat detection, without much manual work, by leveraging open source intelligence. Then, we’ll discuss how to deploy your first statistical model with the framework. Lastly, we’ll discuss how a small team can gain confidence and transparency into the efficacy of the rule engine using a serverless framework for backtesting, minimizing ops work and keeping the team focused on threat hunting.
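The two paragraphs above describe a regex rule engine whose rules are combined as a linear model, bootstrapped from brute-force brand permutations, with allowlisted domains scored down so they drop out of investigation. The block below is an added example of that design written for this page; it is not the Cisco Umbrella code and does not cover the substring-neighborhood harvesting or lexical clustering steps. The brand list, allowlist, rule patterns, weights and the 3.0 threshold are all assumptions chosen for the sample domains.

```python
"""Regex rule engine as a linear model over domain names (added example)."""
import re

BRANDS = ["paypal", "sans"]                 # assumed high-value brands to monitor
ALLOWLIST = ["paypal.com", "sans.org"]      # assumed known-good domains
THRESHOLD = 3.0                             # assumed decision boundary on the score


def brand_variants(brand):
    """Brute-force lookalike permutations: dropped characters, adjacent swaps,
    and a few leet/homoglyph substitutions."""
    variants = {brand}
    for i in range(len(brand)):                       # dropped character
        variants.add(brand[:i] + brand[i + 1:])
    for i in range(len(brand) - 1):                   # adjacent swap
        variants.add(brand[:i] + brand[i + 1] + brand[i] + brand[i + 2:])
    for src, dst in (("l", "1"), ("o", "0"), ("a", "4"), ("i", "1")):
        variants.add(brand.replace(src, dst))
    # Prune very short variants: they match far too many legitimate names.
    # A real deployment would backtest each pattern instead of guessing.
    return {v for v in variants if len(v) >= 4}


def build_rules(brands, allowlist):
    """Each rule is (name, regex, weight); the score is the weighted sum of matches."""
    lookalike = "|".join(re.escape(v) for b in brands for v in sorted(brand_variants(b)))
    allowed = "|".join(re.escape(d) for d in allowlist)
    return [
        ("brand_lookalike", rf"(?:{lookalike})", 3.0),
        ("lure_words", r"(?:secure|login|signin|verify|account|update)", 1.5),
        ("many_hyphens", r"(?:[^-]*-){2,}", 1.0),
        ("digit_run", r"\d{3,}", 1.0),
        ("long_label", r"[a-z0-9-]{20,}", 1.0),
        ("allowlisted", rf"^(?:{allowed})$", -10.0),   # negative weight removes known-good
    ]


class RuleEngine:
    def __init__(self, rules, threshold=THRESHOLD):
        self.rules = [(name, re.compile(pat), w) for name, pat, w in rules]
        self.threshold = threshold

    def score(self, domain):
        """Return (score, [(rule_name, weight), ...]) so every verdict is explainable."""
        d = domain.lower().rstrip(".")
        hits = [(name, w) for name, rx, w in self.rules if rx.search(d)]
        return sum(w for _, w in hits), hits

    def is_suspicious(self, domain):
        return self.score(domain)[0] >= self.threshold


ENGINE = RuleEngine(build_rules(BRANDS, ALLOWLIST))


def triage(domains):
    """Score a batch of newly seen domains; returns (domain, score, verdict) per input."""
    return [(d, ENGINE.score(d)[0], ENGINE.is_suspicious(d)) for d in domains]


if __name__ == "__main__":
    # Constructed sample of "newly seen" domains.
    for row in triage(["paypa1-secure-login.com", "paypal.com",
                       "account-update-verify-2020.net", "login.example.com"]):
        print(row)
```

Because the score is a plain weighted sum, swapping the hand-picked weights for coefficients learned from labeled domains turns the same engine into the statistical model the talk describes, without changing the matching code or the explainability of each hit.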

12:00-12:25 pm EDT

Hunting PowerShell Obfuscation with Linear Regression

Joe Petroske, Cyber Threat Hunter, Target

PowerShell obfuscation is commonly used by adversaries because it allows for native code execution and evades static string detection. There’s no way to write static detection for all possible obfuscation techniques. Instead, let’s go hunt for the obfuscation itself! It turns out that for normal, non-obfuscated PowerShell commands, there are strong correlations between the length of a command and the counts of various characters in that command. We can use statistical techniques such as linear regression to find commands that don’t match the expected correlations and therefore have a higher chance of being obfuscated. This presentation will demonstrate an effective technique for finding these outliers.
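As an added illustration of the regression idea in the abstract (written for this page, not the speaker's code), the block below fits an ordinary least squares line of special-character count against command length on a small constructed set of benign PowerShell commands, then flags any command whose residual is more than three standard errors above the line. It simplifies the talk's "counts of various characters" to a single aggregate count of non-word, non-space characters; the benign corpus, the obfuscated sample and the 3.0 cutoff are all assumptions.

```python
"""Hunting obfuscated PowerShell by regression residuals (added example)."""
import re
from statistics import mean

# Quotes, backticks, braces, operators: the characters obfuscators pile on.
SPECIAL = re.compile(r"[^\w\s]")

# Constructed benign command lines used to fit the baseline.
BENIGN = [
    r"Get-Process | Sort-Object CPU -Descending",
    r"Get-ChildItem C:\Users -Recurse -Filter *.docx",
    r"Get-Service | Where-Object { $_.Status -eq 'Running' }",
    r"Set-ExecutionPolicy RemoteSigned -Scope CurrentUser",
    r"Invoke-WebRequest -Uri https://example.com/report.csv -OutFile report.csv",
    r"Get-EventLog -LogName Security -Newest 50",
    r"Stop-Process -Name notepad -Force",
    r"Get-Content .\servers.txt | ForEach-Object { Test-Connection $_ -Count 1 }",
]

# Constructed sample in the style of format-string obfuscation (builds "IEX Get-Process").
OBFUSCATED = r'''&("{1}{0}"-f'EX','I') ("{0}{2}{1}"-f'Get-Pr','ss','oce')'''


def features(cmd):
    """(command length, number of special characters)."""
    return len(cmd), len(SPECIAL.findall(cmd))


def fit(commands):
    """Ordinary least squares y = a + b*x on (length, special count), pure Python."""
    xs, ys = zip(*(features(c) for c in commands))
    xbar, ybar = mean(xs), mean(ys)
    sxx = sum((x - xbar) ** 2 for x in xs)
    sxy = sum((x - xbar) * (y - ybar) for x, y in zip(xs, ys))
    slope = sxy / sxx
    intercept = ybar - slope * xbar
    residuals = [y - (intercept + slope * x) for x, y in zip(xs, ys)]
    # Standard error of the regression: n-2 degrees of freedom for a fitted line.
    se = (sum(r * r for r in residuals) / (len(residuals) - 2)) ** 0.5
    return {"intercept": intercept, "slope": slope, "se": se}


def zscore(model, cmd):
    """How many standard errors the command sits above (positive) or below the fit."""
    x, y = features(cmd)
    predicted = model["intercept"] + model["slope"] * x
    return (y - predicted) / model["se"]


def hunt(model, commands, threshold=3.0):
    """One-sided: only commands with far more special characters than expected."""
    return [c for c in commands if zscore(model, c) > threshold]


MODEL = fit(BENIGN)

if __name__ == "__main__":
    print("fit:", MODEL)
    for cmd in BENIGN + [OBFUSCATED]:
        print(f"{zscore(MODEL, cmd):6.2f}  {cmd[:60]}")
    print("flagged:", hunt(MODEL, BENIGN + [OBFUSCATED]))
```

On this corpus the benign commands sit within about two standard errors of the line while the obfuscated sample lands more than ten above it. In production the baseline should be fitted on the organization's own script block logs (Event ID 4104) so that legitimately symbol-heavy administrative scripts set the expected slope rather than triggering it.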

12:25-1:30 pm EDT Lunch
1:30-2:10 pm EDT

SaaS Hunting

Ben Johnson @ChicagoBen, CTO & Co-Founder, Obsidian Security

"The journey will end in SaaS" is a phrase being uttered often in 2020 as CIOs and CISOs race to enable (and safeguard) SaaS applications for better business efficiencies. Yet this is a new area for most security teams, so what should we all be concerned about? This discussion will dive into SaaS hunting and incident response at the conceptual and technical levels and will give attendees practical tips to leave with.

2:10- 2:35 pm EDT

Building a Hunting Program at a Global Scale

Pete Bryan, Senior Software Engineer, Microsoft

Many teams have built hunting programs that are effective and scalable for their team and organization. However, with the release of Azure Sentinel, the Microsoft Threat Intelligence Center (MSTIC) was tasked with building out a threat hunting framework that could be used by any threat hunter in any organization globally. This framework needed to work regardless of what data an organization had, what its threat model was, and what the skill level of the threat hunters involved was. In this talk I will cover the approaches MSTIC adopted in order to build this framework using a range of technologies such as Jupyter Notebooks, some of the lessons we learnt along the way, and what worked well and what didn’t. Attendees will take away techniques and approaches to building a threat hunting framework at large scale that apply to large enterprises or multi-organizational enterprises. They will also take away techniques and technical capabilities for specific threat hunting challenges, such as hypothesis development and data visualization, that can be applied to any size of threat hunting operation.

2:35-2:45 pm EDT Break
2:45-3:25 pm EDT

From One Sec Guy to the Team that Saved the CISO’s Day

Diego Mariano, CISO, Albert Einstein Hospital

This case study focuses on how to build a threat hunting team from scratch, starting with just one early-career information security professional. Mariano will present the methods, frameworks, and techniques used to structure the team, convince the company of the importance of the subject, scale the team, and define its goals, objectives and purpose; the difficulties the team faced venturing into a new domain of knowledge and how they were overcome while keeping the team motivated; scaling the team's performance; and, finally, saving the day.

3:25-3:50 pm EDT

Hunting Human Operated Ransomware Operators

Ryan Chapman, @rj_chap, Principal Incident Response Analyst, Blackberry; Instructor, SANS Institute

The real threat of ransomware these days lies in "Human Operated Ransomware" attacks, in which the deployment of ransomware has become a secondary or tertiary objective. The human operators often focus on enumerating the internal environment in preparation for data exfiltration. By the time the ransomware is deployed, the threat actors have already carried out their initial objectives (and stolen your data!). This talk focuses on finding these operators while they are in your network. Find the operators == stop the ransomware deployment.

3:50-4:00 pm EDT Break
4:00-4:45 pm EDT

Panel
Ask Us (Almost) Anything About Threat Hunting & Incident Response

David J. Bianco @DavidJBianco, Target; SANS Institute
Matt Bromiley @_bromiley, SANS Institute
Phil Hagen @philhagen, SANS Institute

Here's your chance to ask SANS instructors, authors, and Summit advisory board members all your burning questions!

4:45-5:00 pm EDT

Day 2 Wrap-Up

Matt Bromiley @_bromiley, SANS Institute
Phil Hagen @philhagen, SANS Institute