London, United Kingdom | Mon, Jan 13 - Sun, Jan 19, 2020

Threat Hunting & IR London - Summit & Training 2020 Agenda

January 12-13 | London, UK

Sunday Jan 12th - 2019
18:00-20:00 Pre-Reg, Networking & Welcome Reception
Monday Jan 13th - 2019
8:30am-9:30am Registration and Coffee

Welcome and Introduction by Co-Chairs

Rob Lee, SANS DFIR Curriculum Lead and Threat Hunting Summit Co-Chair
David Szili, SANS Instructor

9:45am-10:45am Keynote - Session to be announced

10:45-11:15 Networking Break
11:15am-11:45am

Session to be announced

Katie Nickels, MITRE ATT&CK Threat Intelligence Lead & SANS Instructor

11:45am-12:15pm

‘Hunting for Malware in Memory’

Memory injection techniques have become ubiquitous, yet knowledge of these techniques and of the methods by which they can be detected remains low. The presentation will dig into commonly observed in-memory attack techniques and their detection methods, along with the challenges of doing so at scale. Additionally, it will examine how the sophistication of memory injection attacks varies widely despite their popularity, the steps that advanced attackers are now taking to evade existing detection capabilities, and predictions of what memory injection attacks will look like in the future.

Arran Purewal, Senior Threat Hunter, F-Secure Countercept

12:15-13:15 - Lunch

How do you do Incident Response for your Azure Active Directory?

Few customers have a rich set of incident response and compromise recovery processes when it comes to their Windows Server Active Directory. Even fewer have matured this process to include Azure Active Directory. This is a big problem, as more and more resources are moving to the cloud. It’s not a matter of if a compromise happens, it’s a matter of when. In this talk, we will focus on some newly developed guidance from Microsoft on how to do incident response and compromise recovery for Azure Active Directory. This guidance includes attack detection and remediation, recovery steps and recommendations to prevent common attacks from happening in the first place.

Ian Parramore, Principal PM Manager, Microsoft


How to automate response with M365

Many organizations have invested deeply in Office 365 and the full Microsoft 365 suite. More and more workloads are moving to the cloud, and old processes and routines will be hard to apply in the new cloud-based world. In this session Mattias and Stefan will guide you through automating your response, covering both cloud and on-prem workloads: from live response on internet-based devices to automated remediation actions in your cloud services. You will learn how to use the tools your organization has already invested in.

Mattias Borg, Principal Security Advisor | CEH, OneVinn AB
Stefan Schörling, Principal Security Advisor


‘Evolving the Hunt’

As a major U.S. retailer with a strong cybersecurity focus, Target has long had a functional, mature threat hunting program. When David Bianco took over responsibility for the hunting program in early 2019, leadership’s key question was “How can we do even better?” But what does “better” mean for a hunting program, and how do you get from where you are now to where you want to be? In this presentation, we’ll talk about coming into an existing threat hunting program, prioritizing areas for improvement, and then implementing those improvements to make a great hunting program even better. Attendees will learn the key functions of a threat hunting program and how to evaluate the current hunting program maturity level, set an appropriate maturity improvement goal, identify and prioritize possible program changes to support the desired improvements, and understand how and why these efforts work (or don’t work!).

David Bianco, Principal Engineer, Cybersecurity at Target
Cat Self, Lead Information Security Analyst at Target

14:45-15:15 Networking Break

Mandiant IR: Grab Bag of Attacker Activity

We have carefully selected case studies from Incident Response engagements that we have worked on over the last year. You will gain an insight into creative tactics, techniques and procedures (TTPs) seen across the globe, and how we have detected advanced attackers in enterprise environments. Hear about nation state attackers and crime groups such as the newly promoted APT41, publicly known as WINNTI and tracked by Mandiant since 2012, how they have adapted more recently in 2019, as well as other groups we are responding to.

Mitchell Clarke - Incident Response Consultant, UK&I, Mandiant
Tom Hall - Principal Consultant, Incident Response, Mandiant
15:45-16:15 Cloud-based Threat Hunting

Simon Vernon, Security Researcher, SANS Institute
16:15-16:45

Enhancing the cyclic Threat Hunting process using attacker methodologies and automation

This presentation will walk through some incident data examples from the Palo Alto Networks SOC team, for both network and endpoint, together with related Threat Intelligence data from Unit 42, to show how aspects of this cyclical process can be automated to quickly identify and remediate an issue, reducing the time an adversary spends in the organisation. Attendees will learn about adversary and automation playbooks, and how they can be used to improve the efficacy of Threat Hunting programs, especially as these leverage existing toolsets and gain visibility into the organisation’s network.

Alex Hinchliffe, Threat Intelligence Analyst, Palo Alto Networks

16:45-17:00 Closing Remarks by Co-Chairs followed by Networking Drinks