Cyber Solutions Fest 2022: Threat Hunting & Intelligence

Every year, a new trend or innovation emerges in cybersecurity that gets positioned as the next best thing. Extended detection and response (XDR) solutions are currently making headlines. It was security information and event management (SIEM) in the early years. A few years ago, it was network detection and response (NDR) solutions. But now, everyone is starting to understand the one element of these solutions that must be foundational to any security program: threat intelligence.

Threat intelligence helps organizations make better decisions about defending themselves and their businesses from cyber-based threats. Sure, some organizations have bought threat intelligence platforms and the necessary threat feeds. Still, they are not necessarily seeing all the value threat intelligence can bring, because they don't understand how to operationalize it.

Many organizations are also not taking advantage of the automation and machine learning that can accelerate their threat-hunting programs.

Security practitioners understand the need to become more proactive, and starting a threat hunting program to identify threats before they can do any damage is the most common starting point. The problem is that most security teams are too busy responding to alerts and false positives to do what is needed for a threat-hunting program to succeed.

Whether from an NDR, SIEM, or XDR solution, effective threat-hunting involves leveraging threat intelligence to get ahead of cyber threats. Join us for the 2022 Cyber Solutions Fest - Threat Hunting and Intelligence Track and hear talks on:

  • Enriching alerts with threat intelligence
  • Utilizing XDR to help accelerate your threat-hunting program
  • Operationalizing threat intelligence
  • Automating threat hunting tasks with XDR, NDR, and threat intelligence solutions
  • Identifying the most actionable intelligence for the organization
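As an added illustration of the first and third topics above (enriching alerts with threat intelligence and operationalizing it), here is a small Python example that is not part of this event page or any sponsor's product. It indexes a constructed indicator list by match strategy (exact IP, CIDR, domain suffix), drops indicators past their expiry so stale feed entries do not generate noise, and attaches the matching indicators and a priority to each alert. The indicator fields, alert fields and every value below are constructed assumptions, not a real feed or alert format.

```python
import ipaddress
from datetime import datetime


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


# Constructed indicator list; the fields (type, value, confidence, expires, tags)
# are assumptions for this example, not any vendor's feed format.
INDICATORS = [
    {"type": "ip", "value": "198.51.100.7", "confidence": 90, "expires": "2022-12-01T00:00:00Z", "tags": ["c2"]},
    {"type": "cidr", "value": "203.0.113.0/24", "confidence": 40, "expires": "2022-11-01T00:00:00Z", "tags": ["scanner"]},
    {"type": "domain", "value": "evil.example", "confidence": 80, "expires": "2022-09-01T00:00:00Z", "tags": ["phish"]},
    {"type": "domain", "value": "bad.example", "confidence": 70, "expires": "2023-01-01T00:00:00Z", "tags": ["phish"]},
]

# Constructed alerts as a detection tool might emit them (field names are assumptions).
ALERTS = [
    {"id": "a1", "dst_ip": "198.51.100.7", "domain": None},
    {"id": "a2", "dst_ip": "203.0.113.44", "domain": "cdn.example"},
    {"id": "a3", "dst_ip": "192.0.2.1", "domain": "login.bad.example"},
    {"id": "a4", "dst_ip": "192.0.2.2", "domain": "evil.example"},
]


def build_index(indicators, now):
    """Drop expired indicators and split the rest by how they are matched."""
    ips, nets, domains = {}, [], {}
    for ind in indicators:
        if parse_ts(ind["expires"]) <= now:
            continue  # stale indicator: matching it would only add noise
        if ind["type"] == "ip":
            ips[ind["value"]] = ind
        elif ind["type"] == "cidr":
            nets.append((ipaddress.ip_network(ind["value"]), ind))
        elif ind["type"] == "domain":
            domains[ind["value"].lower()] = ind
    return ips, nets, domains


def enrich(alert, index):
    """Attach matching indicators and a priority (the highest confidence among hits)."""
    ips, nets, domains = index
    hits = []
    if alert.get("dst_ip"):
        if alert["dst_ip"] in ips:
            hits.append(ips[alert["dst_ip"]])
        addr = ipaddress.ip_address(alert["dst_ip"])
        hits.extend(ind for net, ind in nets if addr in net)
    if alert.get("domain"):
        labels = alert["domain"].lower().split(".")
        # Walk parent domains so login.bad.example matches a bad.example
        # indicator; stop before the last label, since a bare TLD is never an indicator.
        for i in range(len(labels) - 1):
            candidate = ".".join(labels[i:])
            if candidate in domains:
                hits.append(domains[candidate])
                break
    enriched = dict(alert)
    enriched["ti_hits"] = [
        {"value": h["value"], "tags": h["tags"], "confidence": h["confidence"]} for h in hits
    ]
    enriched["ti_priority"] = max((h["confidence"] for h in hits), default=0)
    return enriched


def enrich_all(alerts, indicators, now):
    index = build_index(indicators, now)
    return [enrich(a, index) for a in alerts]


if __name__ == "__main__":
    for a in enrich_all(ALERTS, INDICATORS, parse_ts("2022-10-13T12:00:00Z")):
        print(a["id"], a["ti_priority"], [h["tags"] for h in a["ti_hits"]])
```

With the constructed data, a1 is raised to priority 90 by the exact C2 match, a2 gets 40 from the scanner CIDR, a3 gets 70 via the parent-domain walk, and a4 stays at 0 because its only matching indicator has expired. The expiry check is the part most teams skip, and it is what keeps a feed from flooding the queue with year-old phishing domains.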




Sponsors: Anomali, Corelight, Endace, Gigamon, GreyNoise, Hunters, Palo Alto Networks, Pentera, Recorded Future
Partner: Blind Institute of Technology (BIT)

Make a Difference in the Cyber Community

This year, SANS is fortunate enough to partner with the Blind Institute of Technology to make a difference in the cyber community. Currently, 81% of people with disabilities are unemployed. The Blind Institute of Technology (BIT) Academy is committed to changing these statistics by working diligently with their candidates and their corporate partners to place people with disabilities in meaningful careers with a clear path for growth. The services offered through the BIT Academy are complimentary for all of their candidates with disabilities. However, it costs BIT $5,400 for each candidate to go through their 16-week Salesforce and Cisco certification classes. As a 501(c)(3) non-profit organization, they are highly dependent on corporate donations, individual donations, and grants. With a 93% retention rate for candidates placed in meaningful careers, every $5,400 raised enables them to change a person's life forever.

SANS and BIT would greatly welcome and appreciate your financial support to help them continue to change the lives of people with disabilities.

Attendee Information

Rub virtual shoulders with professionals in your field and zero in on the most relevant cyber solutions by registering for one of our four topic tracks. This event will bring together cybersecurity professionals of all experience levels from around the world for a two-day immersion into the latest cyber solutions, tools, and techniques to combat today’s threats.

Take a sneak peek of what you can expect from the experts themselves, when you join us to elevate your cyber skills and solutions know-how.

Continuing Professional Education (CPE) Credits are earned by participation in the event!

  • 6 CPEs are earned each day for attending Cyber Solutions Fest 2022
  • Yes, that's correct. You will earn 12 CPEs total for spending October 13th and 14th with us!

Agenda | October 13, 2022 | 8:30 AM - 5:00 PM EDT

Timeline (EDT) | Session Details

8:30 AM

Kickoff & Welcome

Jake Williams, Senior Instructor, SANS Institute

8:45 AM

Utilizing Intelligence-Driven XDR for Pro-Active Threat Hunting

Security teams are constantly on the lookout for the next hack or vulnerability. With today’s adversaries and attacks becoming more sophisticated, the need for a more proactive approach has never been greater. The problem is that most security teams are stretched thin and overwhelmed, chasing alerts and false positives.

Threat hunting is one of the key activities organizations can utilize to proactively identify threats and look for traces of attackers, past and present, within their environment. Unfortunately, most struggle with visibility and collaboration across silos and with the prioritization of threat hunting activities. In addition, they often employ a manual, analyst-centric approach that is time-consuming and yields fewer results.

In this session, Mark Alba, Anomali Chief Product Officer, will introduce how a threat intelligence-driven XDR solution can help accelerate threat-hunting activities, and will demonstrate how The Anomali Platform can help organizations develop an automated threat-hunting workflow in minutes, enabling them to:

  • Quickly research a threat hunting hypothesis
  • Look for evidence of attackers
  • Identify suspected points of a breach for further investigation

Join the session and start proactively hunting threats with threat intel-driven detection and response.

Mark Alba, Chief Product Officer, Anomali

9:25 AM

Syns of Omission

There are twenty different definitions of threat hunting and ten different ways to do it. Organizations range from having no threat hunting framework at all to employing multiple full-time hunters, yet many critical pieces are often missed. Threat hunting is a challenge to get right, with many potential pitfalls. There are plenty of things you can do to start a threat hunting program, or to take a fresh look at your current hunting framework.

James Pope, Director of Customer Training, Corelight

10:05 AM


10:20 AM

Pentera 101: Changing the Game of Offensive Security

This session walks through a demonstration of Pentera, the Automated Security Validation solution. For years, organizations have followed a defense-in-depth model to protect their critical assets. While this strategy makes sense, the tools, processes, and procedures surrounding it have grown significantly. How confident can organizations be that each layer, and the enormous effort behind it, is working effectively? Jay Mar-Tang will walk through how Pentera can validate which risks are present and which mitigations are working, and how security practitioners of all levels of expertise can use Pentera both internally and externally to know with certainty how strong their security posture actually is.

Dan Blankenship, Sales Engineer, Pentera

10:50 AM

All That is Gold Does Not Glitter: Cross Data Source Detection of Golden SAML

The Golden SAML attack takes place through a complex set of steps and allows an actor to abuse the trust between on-premises and cloud components. We will dive deep into the internals of ADFS and the unique properties associated with the attack, share how to detect it efficiently today through cross-correlation of different data sources across enterprise, SaaS and cloud surfaces, and raise research questions about why traditional single-surface solutions struggle to detect it.

Yonatan Khanashvili, Threat Hunting Expert, Hunters
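As an added example of the cross-source correlation this abstract describes (not the speaker's code or the Hunters product), the Python below checks each cloud sign-in that presents a federated token against the AD FS farm's own token-issuance records. A federated token that the cloud identity provider accepted but that AD FS never recorded issuing is the tell of Golden SAML, because the forger signs tokens with a stolen signing key outside the farm, where no issuance event is ever written. The records, field names and the five-minute window are constructed assumptions; the time-coverage check is a stand-in for a real collection-health check so that a gap in AD FS logging is reported as a gap rather than flagged as an attack.

```python
from datetime import datetime, timedelta


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


# Constructed AD FS token-issuance records: what the farm says it signed.
# Field names are simplified assumptions, not a real AD FS audit schema.
ADFS_ISSUANCE = [
    {"ts": "2022-10-13T13:02:10Z", "user": "alice@corp.example"},
    {"ts": "2022-10-13T13:05:42Z", "user": "bob@corp.example"},
    {"ts": "2022-10-13T14:10:00Z", "user": "alice@corp.example"},
]

# Constructed cloud sign-in records: what the cloud identity provider accepted.
CLOUD_SIGNINS = [
    {"ts": "2022-10-13T13:02:12Z", "user": "alice@corp.example", "issuer": "federated", "src_ip": "203.0.113.10"},
    {"ts": "2022-10-13T13:05:45Z", "user": "bob@corp.example", "issuer": "federated", "src_ip": "203.0.113.11"},
    # Forged token: accepted by the cloud, but AD FS has no record of issuing it.
    {"ts": "2022-10-13T13:40:00Z", "user": "admin@corp.example", "issuer": "federated", "src_ip": "198.51.100.7"},
    # Cloud-native password sign-in: not federated, so out of scope here.
    {"ts": "2022-10-13T13:41:00Z", "user": "carol@corp.example", "issuer": "cloud", "src_ip": "203.0.113.12"},
    # Federated sign-in after the last AD FS record we hold: a coverage gap, not a verdict.
    {"ts": "2022-10-13T16:00:00Z", "user": "bob@corp.example", "issuer": "federated", "src_ip": "203.0.113.11"},
]


def correlate(signins, issuances, window=timedelta(minutes=5)):
    """Return (suspects, uncovered).

    suspects:  federated sign-ins with no AD FS issuance for the same user
               within `window` before the sign-in (Golden SAML indicator).
    uncovered: federated sign-ins outside the time span the AD FS records
               cover; fix the logging gap before drawing any conclusion.
    """
    if not issuances:
        raise ValueError("no AD FS issuance records to correlate against")
    times = sorted(parse_ts(r["ts"]) for r in issuances)
    # Stand-in for a real collection-health check: treat the first and last
    # issuance record (padded by the window) as the bounds AD FS logging covers.
    covered_from, covered_to = times[0] - window, times[-1] + window
    by_user = {}
    for r in issuances:
        by_user.setdefault(r["user"], []).append(parse_ts(r["ts"]))
    suspects, uncovered = [], []
    for s in signins:
        if s["issuer"] != "federated":
            continue  # the cloud IdP authenticated this one itself
        t = parse_ts(s["ts"])
        if not covered_from <= t <= covered_to:
            uncovered.append(s)
            continue
        issued = by_user.get(s["user"], [])
        if not any(t - window <= i <= t for i in issued):
            suspects.append(s)
    return suspects, uncovered


if __name__ == "__main__":
    suspects, uncovered = correlate(CLOUD_SIGNINS, ADFS_ISSUANCE)
    for s in suspects:
        print("SUSPECT Golden SAML:", s["user"], s["ts"], "from", s["src_ip"])
    for s in uncovered:
        print("NO AD FS COVERAGE:", s["user"], s["ts"])
```

Run against the constructed data, the admin sign-in at 13:40 is the only suspect, and bob's 16:00 sign-in is reported as uncovered rather than suspect. That distinction is the practical point of the cross-source approach: neither the cloud log nor the AD FS log alone can make the call, and a silent collection gap on the AD FS side would otherwise look exactly like a forged token.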

11:20 AM

ZTA and Threat Actors: Where Do We Go from Here?

NIST SP 800-207 lays out what a Zero Trust Architecture should look like within an enterprise. In doing so, it gives clear guidance that the network is to be treated as a place of mistrust. This makes the endpoint and the use of IDAM the source of truth and trust within the infrastructure, and as a result EDR has become the main tool advocated for ensuring compliance. Does this make EDR the next AV? What about the devices on which I cannot run EDR? Did NIST fail to provide proper guidance for the next generation of network design? All of this and more will be discussed, along with how threat actors will continue to engage, and win, in this environment.

Peter Steyaert, Senior Manager, Sales Engineering, Gigamon

11:50 AM


12:00 PM

Technology is the Reasonable Accommodation: Panel

Join us for this one-of-a-kind keynote session taking place at the 2022 SANS Cyber Solutions Fest, where Mike Hess & Michael Patellis from the Blind Institute of Technology (BIT) and Meaghan Roper from SANS will be discussing the life-changing career opportunities that are available for blind/visually impaired (BVI) and other professionals with disabilities (PWD).
The BIT Academy is the first global Salesforce certification training model specifically for BVI and PWD students. Through our partnership with Salesforce, we were able to ensure that critical components of the platform continue to become even more digitally accessible. Our 16-week official curriculum-based courses conclude with official certifications as Salesforce Administrators and Salesforce Developers. We have also expanded the BIT Academy for Cisco Networking & Cyber Security official certifications.

The BIT Mission & Goals: Blind Institute of Technology™ is a nonprofit organization with boots on the ground across the United States working hard to advance the professional opportunities for people with disabilities. We’re a small, passionate team with a dynamic blend of backgrounds, disabilities, experiences, and motivations, doing whatever we can to get the job done. Our message is that professionals with disabilities possess skills and abilities that corporations have overlooked or have yet to discover.

Mike Hess, Founder and Executive Director, Blind Institute of Technology
Michael Patellis, VP of Corporate Engagement, Blind Institute of Technology
Meaghan Roper, Product Manager of Accessibility, SANS Institute


Afternoon Kick-off

Jake Williams, Senior Instructor, SANS Institute

1:10 PM

Threat Hunting and Intelligence Informed Decision-Making with XDR

Threat hunting has historically been a challenging activity, requiring hunters to manually prioritize potential threats, use expensive & long-running queries, and pivot between multiple tools to gather context. Anomali XDR combines proven intelligence management capabilities with innovative threat detection tools to provide rich context and insights for the SOC, ease the burden of manual prioritization, and accelerate the threat hunting process. Join the Anomali team to explore this in detail, and learn the value of intelligence-led XDR.

Patrick McNaught, Solutions Architect at Anomali

1:30 PM

How Apex Defenders Manage Risk and Threat Hunt With Network Evidence

As new information surfaces about attacker behaviors, defenders are often peppered with questions like “did this affect us?”, “do we have that exposed?”, and “what’s our level of risk around that?” We’ll show you how Apex Defenders easily search Corelight network evidence to answer all those nagging questions in seconds, without deploying a single agent or adding another in-line network tool. Packets don’t lie, so network evidence should be the first thing you check when you need a fast answer.

Mark Overholser, Systems Engineer, Corelight

1:50 PM

Honeypot Investigations: Using Data to Analyze Mass Exploitation Attacks

It’s easier than ever to scan the internet and run exploits opportunistically. At GreyNoise, we run a global sensor network that helps identify mass scanning activity, to separate threats from background noise. But what happens after that? Medium-interaction honeypots can provide additional details about what an attacker is doing. For this talk, we’ve built out a small network that provides additional attack paths, so we can see how an attacker operates in a more realistic environment, better understand the next steps after mass scanning and exploitation, and learn whether an attacker is only trying to compromise the initial host or performs additional reconnaissance once a foothold has been established.

Come join us for this interactive session where you will learn:

  • What does internet scanning traffic look like globally
  • How to identify unusual activity on non-standard ports
  • How to identify automated persistence and escalation techniques
  • What motivates threat actors for conducting these operations
  • What are some techniques to investigate the hosts and data centers that are used as callback hosts

Nick Roy, Sales Engineer, Greynoise Intelligence

2:20 PM

Threat Hunting with Network Data

In this session, Michael Morris and Cary Wright from Endace will look at why continuous packet capture provides such an invaluable resource for hunting down and analyzing network threats. With full packet data at your fingertips from all your security tools, it’s possible to investigate and analyze even advanced threats to conclusively piece together the full scope of an attack in a way that log data and metadata just cannot do. Find out what you can see with packets that you can’t see without them.

Michael Morris, Director Global Technologies Alliances and Business Development, Endace
Christopher Greer, Principal Consultant, Packet Pioneer, Endace

2:50 PM

Using Intelligence to Understand the Convergence of Cyber & Physical Threats

Organizations of all sizes and from nearly every industry face a never-ending set of challenges when trying to protect their digital and physical assets from adversaries. The use and implementation of threat intelligence is a critical component of today’s modern security teams, and when used to its full potential, it is often the difference between preventing an incident and being the victim of one. Join Recorded Future to understand how you can leverage external intelligence to understand and protect your entire attack surface.

Jake Munroe, Principal Product Marketing Manager, Recorded Future

3:20 PM


3:35 PM

Threat Hunting 101: Best Practices for Threat Hunting and Investigations

By tricking users, compromising hosts and executing many other underhanded schemes, attackers can infiltrate any organization they set their eyes on. Even the best-protected organizations can fall victim to these skilled and stealthy attackers. So how can you find these hidden adversaries and root them out fast before the damage is done? Join our presentation to learn the latest techniques for more efficient threat hunting and accelerated investigations. You’ll learn how to:

  • Uncover cloud and on-premises threats quickly
  • Investigate alerts swiftly and thoroughly
  • Assess the scope and severity of an attack accurately
  • Turn threat hunting discoveries into automated detection

You’ll also get an inside peek into the tools and techniques the Palo Alto Networks Unit 42 team leverages to discover the stealthiest threats. Save your seat now!

Veronika Senderovych, Threat Hunter, Palo Alto Networks

4:05 PM

Adopting an Intelligence-Driven Security Model

Intelligence driven security is the model of the future. Too many organizations today only use cyber threat intelligence in a reactive mode (if at all). But threat intelligence can (and should) drive the way security teams create and tune their controls in the first place. In this session, our panel of industry leaders will discuss how they use threat intelligence to drive their security operations, from architecture, to operations, all the way to response. Bring your questions for our speakers and learn how to change your mindset around threat intelligence from reactive to proactive!

Jake Williams, Senior Instructor, SANS Institute
Steve Benton, VP of Anomali Threat Research, Anomali
Scott Dowsett, Field CTO, Anomali
Mark Overholser, Systems Engineer, Corelight
James Pope, Director of Customer Training, Corelight

4:55 PM


Jake Williams, Senior Instructor, SANS Institute