STAR Live Streaming Series

Hosted by Katie Nickels
STAR Webcast Series


The SANS Threat Analysis Rundown (STAR) is an all-new live streaming series that brings you the inside scoop on what you need to know about cyber threats. Hosted by SANS Instructor Katie Nickels, this series will bring you different voices from around the community to ensure you're up-to-date on what's happening in the threat landscape so you can take action.

Every day, analysts track what adversaries are doing and how we can better protect our networks based on that - but it's often overwhelming to track everything. STAR will let you hear from the people who do this on a daily basis and break down that information so you can take action on it in your own organization. STAR will approach threats from all angles, and you'll get different takes each month. Some months we'll focus on specific adversaries or malware, and some months we'll take a broader view, like industry targeting.

This is an all-new webcast series from SANS focused on:

  • Actionable information about current threats
  • Bringing together different perspectives from the community
  • Highlighting opinions of experts who track threats daily

Important Developments in Ransomware Trends and Exploitation of Major Vulnerabilities

Friday September 24th, 2021
Guest Speaker: Kevin Holvoet
Read this episode's Blog for important links and resources

Archived Sessions

Kaseya VSA attack - July 27, 2021

Katie is joined by John Hammond, Senior Security Researcher at Huntress Labs. Katie and John will chat about the recent Kaseya VSA attack that deployed REvil ransomware, including the latest updates on what happened and what defenders should think about for future potential attacks like this one.

Ransomware - June 30, 2021

Katie and Ryan chat about open sources they use to track the many threats in the ransomware ecosystem, including malware families that commonly lead to ransomware.

Read this episode's Blog for important links and resources

Dissecting BadBlood: an Iranian APT Campaign

April 29, 2021

In this webcast, the speakers went over:

  • Characteristics of a credential phishing campaign by TA453
  • Challenges in attributing the activity
  • Use of the Analysis of Competing Hypotheses technique to consider targeting
  • Best practices to use when analyzing threats
  • And much more!

Making sense of SolarWinds through the lens of MITRE ATT&CK®

March 04, 2021

In this webcast, speakers went over:

  • A useful central repository for tracking reporting related to the SolarWinds compromise
  • A deep-dive into cloud techniques used by adversaries
  • New TTPs from the SolarWinds incident and related activity
  • Strategies for hunting techniques and procedures of interest
  • And much more!

Quantifying Threat Actor Assessments

January 28, 2021

In this webcast, speakers went over:

  • How existing risk assessment methodologies don't adequately assess human threats
  • Factors to consider when assessing threats, including intent, capability, willingness, and novelty
  • Examples of how the Threat Box methodology can be used to quantitatively assess actors
  • And much more!

Behind the Scenes of Law Enforcement and Private Industry Cooperation

December 16th, 2020

In this webcast, speakers went over:

  • The challenges of tracking adversary infrastructure at scale and approaches to tackle this
  • Takedowns of the Andromeda, Trickbot, and Windigo botnets
  • Details of Trickbot campaigns and trends
  • What it's like to cooperate with law enforcement and the importance of building trust
  • And much more!

Making Order out of Chaos: How to Deal with Threat Group Names

November 30th, 2020

In this webcast, speakers went over:

  • The reasons for creating groups and approaches to clustering
  • Why group naming is so complex
  • How the community has approached group names and challenges with these approaches
  • Practical ways that teams can better track overlaps between groups
  • And much more!

Spooky RYUKy: The Return of UNC1878

October 28th, 2020

In this webcast, speakers went over:

  • How they've clustered and tracked various uncategorized groups behind RYUK ransomware
  • The average "Time to RYUK" from when the operators gain access to when they encrypt data
  • How the Mandiant team categorizes activity using UNC (standing for UNCategorized threat)
  • The detailed Tactics, Techniques, and Procedures used by UNC1878, including initial access, credential targeting, and lateral movement
  • Patterns observed in RYUK, including it slowing down over the summer and coming back in September 2020
  • Similarities and differences since UNC1878 has returned
  • Detailed detection ideas for Cobalt Strike
  • And much more!

The Value of Commercial Threat Intelligence Sources

September 15th, 2020

Two researchers presented their peer-reviewed paper on commercial threat intelligence sources, published recently at USENIX Security 20. They described what the services of two leading vendors consist of, and found that there is hardly any overlap between their indicator sets - even for specific threat actors - raising questions about coverage. Further, they spoke to 14 professionals who seem to be optimizing their selection of sources not for coverage, but rather for the time spent by analysts. This session provides empirical insights into the market for commercial threat intelligence and a discussion of the implications for professionals.

Becoming the Adversary: Creating a Defensive Lab to Understand the Offense

August 20th, 2020

In this webcast, speakers went over:

  • How you can start setting up your defensive lab, no matter what your experience level is.
  • Ways you can mimic adversaries and then analyze your system to find your activity.

The Only Constant is Change: Tracking Adversary Trends

June 16th, 2020

In this webcast, speakers went over:

  • How events like holidays, global pandemics, or other events might change adversaries' daily activities.
  • Key trends and methodology observed in adversaries based on tracking characteristics like malware and infrastructure.
  • How these tracking methods can be useful to identify trends, as well as limitations to watch out for as you try to derive information about adversaries to improve your team's security, and more.

Threat Hunting and the Rise of Targeted eCrime Intrusions

May 26th, 2020

In this webcast, speakers went over:

  • How eCrime intrusion trends have compared to state-sponsored intrusions
  • What hunting leads the CrowdStrike Overwatch team has used to identify activity
  • How looking for unusual process trees can assist in identifying adversaries
  • What notable TTPs the Overwatch team has noticed in significant eCrime intrusions
  • How you can look for TTP "bursts" to reduce false positives and try to stop incidents early
  • And much more!

How Threats are Responding to COVID-19

April 10th, 2020

In this webcast, speakers went over:

  • How threats have shifted in some ways based on the COVID-19 pandemic but remained similar in other ways.
  • What cybercriminals are doing on the dark web, including selling medical supplies and discussing a possible "code of ethics" for not going after certain targets.
  • How phishing themes are frequently focusing on the coronavirus to prey on users' uncertainty and fear.
  • Why analysts should consider taking some new defensive actions like focusing on user awareness, while keeping the defenses that have worked in the past.
  • What the cybersecurity community is doing to try to help all of us better respond to these threats.
  • And much more!

xHunt - An Anime Fan's Attack Campaign in the Middle East

March 25th, 2020

In this webcast, speakers went over:

  • What's been happening with threat activity over the past month, including a shift to COVID-19 themes.
  • How analysts from Unit 42 used unique infrastructure and artifact overlaps to identify a campaign they named xHunt - and why they called it a campaign rather than a group.
  • What techniques the actors behind xHunt used, including DNS tunneling, PowerShell, and Exchange Web Services for Command and Control.
  • How analyzing the adversary's tools gave insights into their possible motivations and targeting.
  • When passive DNS analysis can be useful and when to stop pivoting on infrastructure so you don't take clustering too far.
  • And much more!

Cyber Threats To Electric Industry

February 12, 2020

In this webcast, speakers went over:

  • A rundown of recent threats analysts are talking about.
  • How headlines like "the grid is under attack" can be misleading.
  • A breakdown on how "the grid" is a complex set of assets.
  • How to create activity groups by clustering with the Diamond Model to help teams focus on threats.
  • And much more!

Presenter Bio

Katie Nickels

Katie is a SANS instructor for FOR578: Cyber Threat Intelligence and a Principal Intelligence Analyst for Red Canary. She has worked on cyber threat intelligence (CTI), network defense, and incident response for nearly a decade for the DoD, MITRE, Raytheon, and ManTech. Katie hails from a liberal arts background with degrees from Smith College and Georgetown University, embracing the power of applying liberal arts prowess to cybersecurity. With more than a dozen publications to her name, Katie has shared her expertise with presentations at BSidesLV, the FIRST CTI Symposium, multiple SANS Summits, Sp4rkcon, and many other events. Katie is also a member of the SANS CTI Summit and Threat Hunting Summit Advisory Boards. She was the 2018 recipient of the President's Award from the Women's Society of Cyberjutsu and serves as the Program Manager for the Cyberjutsu Girls Academy, which seeks to inspire young women to learn more about STEM. You can find Katie on Twitter at @LiketheCoins.