Adversary Detection and Response Solutions Forum

  • Friday, 30 Oct 2020 10:30AM EDT (30 Oct 2020 14:30 UTC)
  • Speaker: Jake Williams

Forum Format: Virtual

Event Overview

The SANS Adversary Detection and Response Solutions Forum brings security vendors that have proven solutions for dealing with cybersecurity threats together with information security professionals seeking current best practices and effective tools for both detecting and responding to adversary threat activity. Practitioners need ways to both detect intrusions and remediate issues quickly. This forum will present carefully curated technologies proven to address these issues.


10:30 - 10:50 AM EDT - Welcome & Keynote

Jake Williams, @MalwareJake, Chairperson, SANS Institute

Organizations are being targeted by increasingly sophisticated cybersecurity threats. Advanced attackers routinely bypass traditional endpoint controls and ubiquitous encryption has rendered other controls (like network intrusion detection systems) more difficult and costly to operate. New solutions are needed that empower the analyst to:

  • Maximize early detection of threats, without relying on fragile signatures
  • Investigate anomalies and rapidly eliminate false positive detections
  • Quickly respond to detected behavior, rapidly remediating threats

The tried and true model of "consolidate the logs and generate an alert" neglects the question of "how do we respond?" While this model certainly isn't dead, many alerts require rapid response. After all, how valuable is an alert if you can't action it in time to make a measurable difference in the outcome?

This isn't just a hypothetical issue either: research has shown that attacker breakout times, the delta between initial access and lateral movement, are decreasing. As such, organizations need to continuously reevaluate not only their monitoring posture, but their response posture as well. An acceptable response time for an alert only a few years ago may be viewed as unacceptable today.

10:50 - 11:25 AM EDT - Trick or Treat: How to Stop Spooky Ransomware Attacks

Irena Damsky, Director of Research - Cortex, Palo Alto Networks, @PaloAltoNtwks

Brock Bell, Breach Response

Ransomware attacks continue to evolve to bypass security and maximize impact. Adversaries are borrowing cyberwarfare techniques such as lateral movement and privilege escalation to infect as many endpoints as possible. Join Irena Damsky and Brock Bell, threat research and breach response experts, as they delve into the scariest ransomware attacks of 2020. In this session, they'll explore:

  • Ransomware attacks in the wild, including Sodinokibi ransomware (AKA REvil)
  • Best practices for ransomware prevention, containment, and incident response
  • Technologies and services that can protect your organization

11:25 AM - 12:00 PM EDT - Exploring Adversary Infrastructure for Practical Blue Team Wins

Tim Helming, @timhelming, Security Evangelist, DomainTools, @DomainTools

Michael Schwartz, Director Information Security - Threat Intelligence, Target Corporation, @Target

Defenders can get a lot of traction against emerging campaigns by studying and mapping the infrastructure that adversaries use in existing and future (staged) campaigns. Everything a malicious actor does depends on domains and IP addresses on the Internet, which means that there are always network observables to assist your risk assessment, hunting, and blocking. Michael will share how these techniques have helped with incident response, threat hunting, and proactive defenses, while Tim will describe what kinds of data sets can be used in these techniques.

Attendees will learn how to:

  • Quickly assess the risk associated with a domain or IP address, even when it is not in any threat intel feeds
  • Map infrastructure tied to an indicator seen in the protected environment, exposing larger campaigns that may be in the staging phase
  • Build high-confidence indicator lists for creating new detections as well as block rules
  • Stay ahead of emerging threat campaigns

12:00 - 12:10 PM EDT - Break

12:10 - 12:45 PM EDT - Bridging the Divide Between NetOps & SecOps: Learning the Language

Matt Allen, Sr. Solutions Engineer and Certified Ethical Hacker, VIAVI Solutions, @ViaviSolutions

Now, more than ever, NetOps and SecOps are finding that they need to work together to identify and resolve security threats. While this is becoming more the norm than the exception, it's important to understand the differences between their priorities and the languages they use in their respective disciplines. This session covers those differences and provides insight on how to communicate for effective and efficient teamwork.

12:45 - 1:20 PM EDT - Cloud Threat Detection and Response-as-Code

Saumitra Das, CTO Founder, Blue Hexagon, @bluehexagonai

James Wenzel, Sr. Solutions Architect, Amazon Web Services (AWS), @awscloud

Cloud security significantly benefits from the availability of cloud-native tools that deploy as code, reducing the burden of deployment and of maintaining security posture while developers and users bring instances, networks and workloads up and down.

In this online session, AWS and Blue Hexagon will discuss how to use cloud-native tools that deploy and maintain security posture automatically to ensure security and compliance in minutes. We will review how to best combine native AWS tools like Inspector, Config, GuardDuty and Trusted Advisor to ensure best practices and hygiene, and how to augment them with Blue Hexagon, an AI-based system that extends security further with deep packet and storage inspection. We will present how this security architecture can be deployed and maintained automatically as the underlying network, storage and compute dynamically evolve.

Attend this session to learn how to:

  • Assess security exposure for your cloud instances, storage, serverless, virtual networks, Kubernetes and services
  • Deploy security within minutes - hygiene, vulnerabilities, network security, malware, logs and deep inspection
  • Use traffic mirroring to get instant deep visibility into your cloud traffic and assets
  • Optimize security spend by dynamically altering the inspection

1:20 - 1:30 PM EDT - Closing Statements