
Threat Hunting Europe 2020

London, United Kingdom | Mon, Jan 13 - Sun, Jan 19, 2020

Threat Hunting & IR London - Summit & Training 2020 Agenda

January 12-13 | London, UK

Sunday Jan 12th - 2020
18:00-20:00 Pre-Reg, Networking & Welcome Reception
Monday Jan 13th - 2020
8:30am-9:30am Registration and Coffee

Welcome and Introduction by Co-Chairs

Rob Lee, SANS DFIR Curriculum Lead and Threat Hunting Summit Co-Chair
David Szili, SANS Instructor and Threat Hunting Summit Co-Chair


What to Expect When You’re Detecting: Prioritizing Prevalent Techniques

Katie will share some of her recent experiences with MITRE ATT&CK, focusing on how ATT&CK is useful for moving toward a threat-informed defence. She is a SANS instructor for FOR578: Cyber Threat Intelligence.

Katie Nickels - Principal Intelligence Analyst, Red Canary, and SANS Instructor


Hunting for Malware in Memory

Memory injection techniques have become ubiquitous, yet knowledge of how they work and how they can be detected remains low. The presentation will dig into commonly observed in-memory attack techniques and detection methods, along with the challenges of applying those detections at scale. It will also examine how widely the sophistication of memory injection attacks varies given their popularity, the steps advanced attackers are now taking to evade existing detection capabilities, and predictions of what memory injection attacks will look like in the future.

Arran Purewal, Senior Threat Hunter, F-Secure Countercept

10:45-11:15 Networking Break

Mandiant IR: Grab Bag of Attacker Activity

We have carefully selected case studies from Incident Response engagements that we have worked on over the last year. You will gain insight into creative tactics, techniques and procedures (TTPs) seen across the globe, and into how we have detected advanced attackers in enterprise environments. Hear about nation-state attackers and crime groups such as the newly promoted APT41 (publicly known as WINNTI and tracked by Mandiant since 2012), how they adapted more recently in 2019, and other groups we are responding to.

Mitchell Clarke - Incident Response Consultant, UK&I, Mandiant
Tom Hall - Principal Consultant, Incident Response, Mandiant

11:45-12:15

How to detect that your domains are being abused for phishing by using DNS

As a high-profile public-sector organization, the Dutch Tax and Customs Administration deals every day with criminals who claim to represent the organization and contact the public with phishing e-mails. Using Splunk and RFCs such as RFC 7208 (Sender Policy Framework (SPF) for Authorizing Use of Domains in Email), we have developed a technique to identify phishing attacks carried out under the guise of the Dutch Tax and Customs Administration. The technique is universally applicable; the one precondition is access to DNS logging. With it, insight can be obtained into where the phishing e-mails are sent from and to whom they are sent. In this talk we will start by explaining which standards are available to increase e-mail security, and then show how we have built a Splunk app, including a dashboard and a wizard that creates the DNS records needed to gain this visibility.

Karl Lovink – Dutch Tax and Customs Administration
Arnold Hölzel – SMT
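The abstract above says the technique rests on SPF (RFC 7208) plus authoritative DNS logging. The following is an added example, not code from the talk, from the Dutch Tax and Customs Administration, or from their Splunk app; it uses Python in place of Splunk. It assumes one particular way of getting that visibility, which the page itself does not spell out: publishing an SPF record whose first mechanism is `exists:%{i}._spf.<domain>`. RFC 7208 section 7 defines `%{i}` as the connecting SMTP client's IP, so every receiving mail server that evaluates SPF for a message claiming to be from the domain asks the domain's authoritative name server for `<sender-ip>._spf.<domain>`. Nothing exists under `_spf`, so the mechanism never matches and evaluation falls through to the ordinary `ip4:` mechanisms, but the query log now records who is sending mail as the domain (the QNAME) and who is receiving it (the resolver that asked). The domain, address ranges and BIND-style log lines are constructed for the example.

```python
"""Hunt for phishing that abuses our domain, using authoritative DNS query logs.

Added example; not the talk's or the Dutch Tax and Customs Administration's code.
Assumption: the domain's SPF record starts with `exists:%{i}._spf.<domain>` so that
receiving mail servers leak the connecting SMTP client's IP into a DNS query we log.
"""
import ipaddress
import re
from collections import defaultdict

DOMAIN = "example.com"  # hypothetical protected domain
AUTHORIZED_SENDERS = [  # hypothetical legitimate outbound mail ranges
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("203.0.113.10/32"),
]


def build_spf_record(domain, authorized):
    """SPF TXT record with the logging macro in front of the real authorisation.
    %{i} expands to the connecting client's IP (RFC 7208 section 7.2)."""
    mechs = []
    for net in authorized:
        if net.prefixlen == 32:
            mechs.append(f"ip4:{net.network_address}")
        else:
            mechs.append(f"ip4:{net.with_prefixlen}")
    return f"v=spf1 exists:%{{i}}._spf.{domain} {' '.join(mechs)} -all"


# BIND 9 style querylog line (constructed format): the "client" is the resolver that
# asked, and the sending IP is encoded in the leading label of the QNAME.
_QUERYLOG = re.compile(
    r"client (?:@\S+ )?(?P<resolver>[0-9a-fA-F.:]+)#\d+ .*?"
    r"query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


def spf_lookups(lines, domain):
    """Yield (resolver, sender_ip) for every macro-expanded SPF lookup in the log.
    IPv4 only: for IPv6 senders %{i} expands to dot-separated nibbles, which this
    parser skips rather than misparse."""
    suffix = f"._spf.{domain}".lower()
    for line in lines:
        m = _QUERYLOG.search(line)
        if not m or m["qtype"] != "A":
            continue
        qname = m["qname"].lower().rstrip(".")
        if not qname.endswith(suffix):
            continue
        label = qname[: -len(suffix)]
        try:
            sender = ipaddress.IPv4Address(label)
        except ipaddress.AddressValueError:
            continue  # IPv6 nibble form or an unrelated name under _spf
        yield m["resolver"], sender


def is_authorized(ip, authorized):
    return any(ip in net for net in authorized)


def hunt(lines, domain=DOMAIN, authorized=AUTHORIZED_SENDERS):
    """Return {sender_ip: {"count": n, "resolvers": {...}}} for senders outside our
    authorised ranges, i.e. candidate phishing sources, together with the resolvers
    (receiving organisations) that checked mail from them."""
    report = defaultdict(lambda: {"count": 0, "resolvers": set()})
    for resolver, sender in spf_lookups(lines, domain):
        if is_authorized(sender, authorized):
            continue
        entry = report[str(sender)]
        entry["count"] += 1
        entry["resolvers"].add(resolver)
    return dict(report)


# Constructed sample log: one legitimate sender, one unknown sender seen by two
# different receiving resolvers, and two unrelated queries that must be ignored.
SAMPLE_LOG = """\
13-Jan-2020 09:12:01.004 client @0x7f3a 198.51.100.9#40213 (192.0.2.25._spf.example.com): query: 192.0.2.25._spf.example.com IN A +E(0) (192.0.2.53)
13-Jan-2020 09:12:07.118 client @0x7f3a 198.51.100.9#40214 (203.0.113.66._spf.example.com): query: 203.0.113.66._spf.example.com IN A +E(0) (192.0.2.53)
13-Jan-2020 09:12:09.551 client @0x7f3a 198.51.100.77#51002 (203.0.113.66._spf.example.com): query: 203.0.113.66._spf.example.com IN A +E(0) (192.0.2.53)
13-Jan-2020 09:12:12.002 client @0x7f3a 198.51.100.9#40215 (example.com): query: example.com IN TXT +E(0) (192.0.2.53)
13-Jan-2020 09:12:15.300 client @0x7f3a 198.51.100.9#40216 (www.example.com): query: www.example.com IN A +E(0) (192.0.2.53)
""".splitlines()

if __name__ == "__main__":
    print(build_spf_record(DOMAIN, AUTHORIZED_SENDERS))
    for sender, info in hunt(SAMPLE_LOG).items():
        print(sender, info["count"], sorted(info["resolvers"]))
```

Two caveats a practitioner should weigh before deploying this. The `exists:` mechanism counts toward the limit of ten DNS-querying mechanisms per SPF evaluation (RFC 7208 section 4.6.4), so leave room for any `include:` terms already in the record. And the resolver IP identifies the receiving organisation's DNS resolver, not the mailbox, and resolver caching means repeated mail from the same source within the record's TTL produces a single logged query, so keep the TTL on the `_spf` zone short if volume matters.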

12:15-13:15 - Lunch

How do you do Incident Response for your Azure Active Directory?

Few customers have a rich set of incident response and compromise recovery processes when it comes to their Windows Server Active Directory. Even fewer have matured this process to include Azure Active Directory. This is a big problem, as more and more resources are moving to the cloud. It’s not a matter of if a compromise happens, it’s a matter of when. In this talk, we will focus on some newly developed guidance from Microsoft on how to do incident response and compromise recovery for Azure Active Directory. This guidance includes attack detection and remediation, recovery steps and recommendations to prevent common attacks from happening in the first place.

Ian Parramore, Principal PM Manager, Microsoft
Ian Farr - Identity Program Manager, Microsoft


How to automate response with M365

Many organizations have invested deeply in Office 365 and the full Microsoft 365 suite. More and more workloads are moving to the cloud, and old processes and routines will be hard to use in the new cloud-based world. In this session Mattias and Stefan will guide you through how to automate your response, covering both cloud and on-prem workloads, from live response on internet-based devices to automated remediation actions in your cloud services. You will learn how to use the tools your organization has already invested in.

Mattias Borg, Principal Security Advisor, CEH, OneVinn AB
Stefan Schörling, Principal Security Advisor


Evolving the Hunt

As a major U.S. retailer with a strong cybersecurity focus, Target has long had a functional, mature threat hunting program. When David Bianco took over responsibility for the hunting program in early 2019, leadership’s key question was “How can we do even better?” But what does “better” mean for a hunting program, and how do you get from where you are now to where you want to be? In this presentation, we’ll talk about coming into an existing threat hunting program, prioritizing areas for improvement, and then implementing those improvements to make a great hunting program even better. Attendees will learn the key functions of a threat hunting program and how to evaluate the current hunting program maturity level, set an appropriate maturity improvement goal, identify and prioritize possible program changes to support the desired improvements, and understand how and why these efforts work (or don’t work!).

David Bianco, Principal Engineer, Cybersecurity at Target
Cat Self, Lead Information Security Analyst at Target

14:45-15:15 Networking Break

Cloud-based Threat Hunting

Simon Vernon, Security Researcher, SANS Institute


Enhancing the cyclic Threat Hunting process using attacker methodologies and automation

This presentation will walk through incident data examples from the Palo Alto Networks SOC team, for both network and endpoint, together with related threat intelligence from Unit 42, to show how aspects of this cyclical process can be automated to quickly identify and remediate an issue, reducing the time an adversary spends in the organisation. Attendees will learn about adversary playbooks and automation playbooks, and how they can be used to improve the efficacy of threat hunting programs, especially as they leverage existing toolsets and gain visibility into the organisation's network.

Alex Hinchliffe, Threat Intelligence Analyst, Palo Alto Networks

16:15-16:30 Closing Remarks by Co-Chairs
16:30-17:30 Social: Farewell Drinks