Threat Hunting & IR Summit 2020 - Live Online

Virtual, US Eastern | Thu, Sep 10 - Sat, Sep 19, 2020

We've made the decision to convert this training event into a Live Online event. Threat Hunting & Incident Response Summit will now take place online Thursday, September 10, and Friday, September 11. The two-day Summit will include live-streamed expert talks, Q&A sessions, and virtual networking opportunities.

The courses below will now take place online beginning on Monday, September 14, using software to stream live instructors to all registered students during the scheduled classroom hours (Eastern Time). This alternate training format will allow us to deliver the cybersecurity training you expect while keeping you, our staff, and our instructors as safe as possible.

Your registration for a Live Online course includes electronically delivered courseware, live streaming instruction by a SANS instructor, course labs, and four months of online access to course recordings.

Threat Hunting & Incident Response Summit Agenda

Live Online | September 10 - 11

Confirmed talks include:

External Threat Hunters are Red Teamers

This talk will introduce a relatively new concept in Threat Hunting by explaining how external threat hunters use similar techniques to Red teamers to create a repeatable hunting model through the use of an intermediary payload system to provide insight, awareness, and action.

Applying Fraud Detection Techniques to Hunt Adversaries

Nicole Hoffman @threathuntergrl, Threat Research Analyst, Shadowscape

Like information security professionals, fraud analysts are inundated with data and often experience alert fatigue. As a former fraud analyst, I was often wasting time chasing false positives and I felt as though I wasn’t making a difference. By incorporating a proactive approach, I was able to identify a larger amount of fraudulent activity. In this presentation, I would like to discuss how the proactive techniques I utilized as a fraud analyst can be successfully applied to hunting cyber adversaries. Some of the techniques include behavioral analytics, data visualization, and cultivating an adversarial mindset. The presentation will discuss financial crimes, but it is first and foremost a hunting story.

New Tools for Your Threat Hunting Toolbox

Mark Baggett @MarkBaggett, Owner, Indepth Defense; Senior Instructor & Author, SANS Institute

Join Mark Baggett as he discusses new tools and some new features of older tools that enhance your threat hunting capability. This short one hour talk will provide you with the insight you need to begin hunting for Phishing domains and Command and Control channels on your networks. We will discuss the installation and configuration of tools that will have you threat hunting in no time.

A Tale of Two Hunters: Practical Approaches for Building a Threat Hunting Program

Peter Ortiz, Director of Global Solution Services, Strategic Advisor, Cybereason

This talk is for CISOs, SOC Managers, and threat hunting visionaries who want to build or mature their threat hunting programs and presents two different examples of what good looks like.

Read any cyber security related article or talk to any security vendor and you’ll see “threat hunting” as a cue to knowing you have a hyper-mature team. So how do you mature a threat hunting team? This is a tale of two teams: one built with a scrappy attitude, dreams of greatness and a desire to transform company culture towards cybersecurity, while another was built with cutting-edge tech, a need to go faster, and a drive to give clients the insights they deserve.

This presentation shows two approaches to maturing an existing team of analysts, one which began from having the methodology and the other which grew from having the tools, and the different approaches to fostering both teams towards understanding threats so they can explain the business impact to reduce risk.

Started from the Bottom: Exploiting Data Sources to Uncover ATT&CK® Behaviors

  • Jose Rodriguez @Cyb3rPandaH, Consultant for MITRE, JVT Advisors
  • Jamie Williams @jamieantisocial, Lead Cyber Adversarial Engineer, The MITRE Corporation

The world is full of adversaries, malware, and other baddies that want to do harm. Fortunately, as defenders we have home-field advantage, which comes with a wealth of data that can help us identify threats lurking in our environment. But are we fully recognizing all of the potential in our data? Can we confidently answer seemingly simple questions like: what is process monitoring; how does data about processes relate to other system events generated during a breach; are adversaries still needles in our haystacks?

This talk will be a practical illustration of how we can avoid the typical cat and mouse games by modeling the data sources defined in ATT&CK to recognize, track, and even predict the malicious scent of adversaries. We will use lab experiments where we emulate real-world threat behaviors to demonstrate how a data-driven hunt approach can help you get inside the adversary’s head and rewire your existing logs into a rich trail of evidence.

Hunting Immaturity Model

Mangatas Tondang @tas_kmanager, Security Specialist, Bell Canada

So you are a SOC team lead and you finally hire your first threat hunter. Great! ...or not! Do you really know what they should do? Do they really know what they should do? Is your personal research on threat hunting good enough? What about reality: will it disturb your dream of a perfect threat hunting program?

With the Hunting Maturity Model (HMM) available out there to track your progress on the threat hunting program, it's easy to see the next thing you need to do to achieve the next maturity level. But what if you feel your hunt team is mature and you (or even worse, management!) don't see any impacts in the company? No real alert ever fired? Too many alerts fired daily? Confusion on the SOC floor when the alert fired? Hunt team can't explain the detection they've made? Am I going to lose my job?

That's why I made this Hunting Immaturity Model (HIM). This model will track some of the most dangerous traps and pitfalls that hunt teams see in the real world. We will have different levels of immaturity, their unique symptoms and signs, and ways you can avoid these pitfalls in your workplace.

Why learn from your own mistakes when you can learn from someone else's mistakes!

Machine Learning Meets Regex Rule Engine: how to build your own domain name rule engine and enable the deployment of statistical models

David Rodriguez, Technical Lead, Cisco Systems

From Snort to YARA to Zeek (formerly known as Bro), network traffic rule engines have an important role in a threat hunter’s incident response toolkit. In this talk, we’ll discuss the fundamentals of a rule engine and how to build your own by focusing on the core ability to apply regular expressions in complex sequences on domain names found in DNS traffic. We’ll focus on a new sequence capability based on linear combinations of individual regular expressions, extending a traditional rule engine to act as a linear model. Using a snapshot of a couple million newly seen domains from Cisco Umbrella’s global resolver fleet, we will explore the capabilities of this rule engine to identify malicious domains used in phishing attacks along with benign whitelist domains that can be eliminated from ongoing investigation and help eliminate false positives. We’ll discuss how the small research team at Cisco Umbrella bootstrapped a rule engine: 1) building brute force permutations of high-value brand names for monitoring, 2) harvesting malicious substring neighborhoods in known phishing domains, 3) clustering lexically similar domains and extracting the lexical pattern in the form of a regex, and lastly 4) enabling the deployment of statistical models, all within one framework. In closing, we’ll discuss how we built a serverless framework to backtest all our rules, enabling the replay of millions of events, along with the process we use for vetting and deciding when a rule is ready for production deployment.

In summary, attendees will learn fundamental concepts of a rule engine and how to build your own. We’ll discuss how to bootstrap a vanilla rule engine with thousands of patterns to provide a base level of threat detection, without much manual work, by leveraging open source intelligence. Then, we’ll discuss how to deploy your first statistical model with the framework. Lastly, we’ll discuss how a small team can take this knowledge and gain confidence and transparency into the efficacy of the rule engine using a serverless framework for backtesting, minimizing ops work and keeping the team focused on threat hunting.
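The weighted-regex idea sketched in the abstract above, as an added illustration that is not Cisco Umbrella's code: every rule is a regex with a weight, a domain's score is the sum of the weights of the rules that match, so the rule set behaves as a linear model over binary regex features. The brand permutations, phishing-keyword neighbourhoods, the negatively weighted whitelist and the brand name "examplebank" are all constructed for this example.

```python
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    name: str
    pattern: re.Pattern
    weight: float  # added to the score on match; negative weights act as a whitelist

def brand_permutations(brand: str) -> set[str]:
    """Brute-force a small set of lookalike spellings of a brand name:
    common digit-for-letter swaps plus one hyphen split (constructed list)."""
    swaps = {"o": "0", "l": "1", "i": "1", "e": "3"}
    variants = {brand}
    for src, dst in swaps.items():
        if src in brand:
            variants.add(brand.replace(src, dst))
    variants.add(brand[:len(brand) // 2] + "-" + brand[len(brand) // 2:])
    return variants

def build_rules() -> list[Rule]:
    """Constructed rule set for the hypothetical brand 'examplebank'."""
    rules = [Rule(f"brand:{v}", re.compile(re.escape(v)), 2.0)
             for v in sorted(brand_permutations("examplebank"))]
    # Substring neighbourhoods of the kind harvested from known phishing domains.
    rules += [Rule("kw:secure-login", re.compile(r"secure[-.]?login"), 1.5),
              Rule("kw:verify", re.compile(r"(account|id)[-.]?verif"), 1.5)]
    # Negative weight: the brand's legitimate zone is dropped from triage.
    rules.append(Rule("allow:examplebank.com",
                      re.compile(r"(^|\.)examplebank\.com$"), -5.0))
    return rules

def score(domain: str, rules: list[Rule]) -> tuple[float, list[str]]:
    """Linear model over binary regex features: sum the weights of matching
    rules and return the fired rule names so the verdict is explainable."""
    d = domain.lower().rstrip(".")
    fired = [r for r in rules if r.pattern.search(d)]
    return sum(r.weight for r in fired), [r.name for r in fired]

def triage(domains: list[str], rules: list[Rule], threshold: float = 2.0) -> list[str]:
    """Domains whose score meets the threshold, highest score first."""
    scored = sorted(((score(d, rules)[0], d) for d in domains),
                    key=lambda t: (-t[0], t[1]))
    return [d for s, d in scored if s >= threshold]

if __name__ == "__main__":
    rules = build_rules()
    sample = ["examp1ebank-secure-login.net", "login.examplebank.com",  # constructed
              "weather.example.org", "id-verify-examplebank.co"]
    print(triage(sample, rules))
```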

Threat Hunting and the Platypus - Why Information Modeling is Essential, yet Challenging

Jason Keirstead, Chief Architect, Threat Management, IBM Security

Building your threat management practice around a sane cybersecurity information architecture is essential. Without one, the security information that one must work with tends not to look the same, is stored in different places and in different formats, and is accessed with disparate APIs and different proprietary detection languages. Also, without a model to organize your data against, threat hunting becomes very hard, and building detection analytics, machine learning, and AI models becomes extremely difficult.

Often, practitioners like to pretend that this problem can be solved with a simplistic detection-swiss-army-knife approach. However, defining a robust information architecture is not simple. Just as there are too many cybersecurity tools, there are also now too many data models, each with their own pros and cons. Even after you gravitate to a model, mapping data from tools to models is not simple, and often fraught with challenges.

In this talk we will explore what a cybersecurity information architecture looks like, and why it is so important. We will go over what data models are currently gaining traction in industry, why, and explore best practices around how to map data to models and develop analytics on top of them, and how you can avoid common pitfalls in your information architecture rollout.

We will also talk about a Platypus.

From One Sec Guy to the Team that Saved the CISO’s Day

Diego Mariano, CISO, Albert Einstein Hospital

This case study will focus on how to build a threat hunting team from scratch and with just one early career professional in the area of information security. Mariano will present methods, frameworks, and techniques used to structure the team, convince the company of the importance of the subject, scale the team, define goals, objectives and purpose, difficulties presented by the team for venturing into a new domain of knowledge, overcoming these difficulties and keeping the team motivated, escalating the performance and, finally, saving the day.
Check back often as we update the agenda, and enjoy some of the highlights from the 2019 Summit:

Classifying Evil: Lessons from Hunting Human Traffickers
Sherrie Caltagirone, Executive Director, Global Emancipation Network

Evolving the Hunt: A Case Study in Improving a Mature Hunt Program
David J. Bianco, Principal Engineer – Cybersecurity, Target
Cat Self, Lead Information Security Engineer, Target

Well, What Had Happened Was…Lessons Learned From a Nation-State Adversary
Todd Mesick, Lead Forensic Analyst, Precision CastParts
Brian Moran, Digital Strategy Consulting, BriMor Labs

My “Aha!” Moment - Methods, Tips, & Lessons Learned in Threat Hunting
John Stoner, Principal Security Strategist, Splunk

Once Upon a Time in the West: A Story on DNS Attacks
Ruth Esmeralda Barbacil, Cyber Intelligence Analyst, Deloitte
Valentina Palacin, Cyber Intelligence Analyst, Deloitte