Agenda | 8:30 AM - 5:30 PM EDT
Kickoff & Welcome
Chloé Messdaghi, SANS Chair
Predicting the Next Attack: The Power of Cyber Threat Intelligence Together with MITRE ATT&CK
How TTPs help connect the dots between a sea of IoCs and the adversary groups behind them.
MITRE ATT&CK has practical and strategic applications across various security functions when security tooling and processes are mapped to the framework. Visualizing threats through the MITRE ATT&CK framework makes it easier for security practitioners to determine and communicate the highest priority threats they face and optimize actions to mitigate them. Gain a strategic advantage through key programmatic benefits of MITRE ATT&CK and combine tools for a more secure environment.
Greg Fischer, Sr. Director Product Solutions, Anomali
Shifting ATT&CK Left to Enable Automated, Risk-Based Security Controls in Development
ATT&CK is most commonly used in runtime to identify and counter adversary actions, but did you know that it can also be used in development to manage risk even before insecure apps are deployed? This session explores an approach that leverages ATT&CK in development to establish automated guardrails in DevOps pipelines to identify risks such as policy violations and breach paths early, assess the risk and impact of exploit, prevent deployment of risks that exceed a threshold of risk defined by the security team, and provide development teams with a risk-based, prioritized list of necessary remediations. This will drive better security outcomes by enabling security teams to recognize the highest-risk findings and effectively communicate with development and operational teams.
Om Moolchandani. Co-founder & CTO, Accurics
Avoid Excessive IAM Permissions in the Cloud
Misconfigurations in IAM permissions in the cloud are by far the most used vector by attackers to compromise and expand their control over a hacked account. The cloud vendors offer hundreds of cloud IAM permissions to customers to fine-grain their access to the environment. However, do we have all the permissions granted updated and under control? Are we sure we are applying the least privileges principle to save us from potential compromise? Visibility across all permissions granted in our cloud environment is fundamental to be aware of what is in place and respond to over-privileged access.
In this session we will:
Stefano Chierici, Security Researcher, Sysdig
Evalidate Your ATT&CK Readiness Against APT *.*
Endpoint controls are evaluated quarterly by MITRE Engenuity’s team against one of the most famous & sophisticated APT groups. From different tactics and techniques leveraged by the adversary and endpoint control’s ability to prevent and/or detect. But what if you can e-validate your control, against all MITRE ATT&CK tactics & techniques, automatically, on your data, continuously, in a safe by design approach. Would you do it…?!
Why "Evalidate" b/c I'm referring to the evaluate and validate (play of words).
*.* in code means everything. not just APT28
and a short abstract
Maor Franco, Senior Director, Pentera
Closing Threat Detection Gaps with Open XDR
Early and accurate detection of threats is still a challenge for security teams: hindered by an unfavorable Signal-to-Noise ratio, false positive alerts and lack of visibility, attacks are still being missed. Using multiple security domains, such as Endpoint, Cloud, and Identity also requires having in-house expertise in order to facilitate both domain-specific detection and complex, cross-domain attack detection, thereby avoiding detection-silos.
When trying to understand the nature and extent of attacks, the MITRE ATT&CK framework provides an abstraction layer that acts as a common language in the security community, unlike, for instance, the ambiguity of APT names coined by various vendors. Used correctly, the MITRE ATT&CK framework is an excellent baseline for early threat detection and response, as well as community-wide collaboration.
Hunters’ open Extended Detection and Response (XDR) solution extracts high-noise threat signals and alerts from existing security data, and automatically maps them to MITRE ATT&CK techniques across surfaces. The Hunters platform enables organizations to know, out-of-the-box and in real-time, what kind of threat coverage they have for their data sources and which detection capabilities they have for each data source mapped onto specific TTPs.
Join this session to learn:
Inbar Raz, VP Research, Hunters
Diversify and Conquer: Building and Managing Successful CyberTeams
Successful organizations know it's important to build diverse teams, but how can you ensure you're hiring from the most diverse pool? And once you've developed a diverse team how can you support inclusion and respect to keep that team effective and engaged? In this panel we bring together a group of experts in the cybersecurity field who represent a wide variety of backgrounds and approaches. Together we'll talk through dimensions of diversity including educational, experiential, racial, and neuro. And we'll share examples of how you and your organization can thrive with a powerfully diverse workforce.
Chloé Messdaghi, SANS Chair
Neutralizing Breach Paths Early with Infrastructure as Code and ATT&CK
Threat modeling is a critical security activity that too often relies on manual interviews, assessments, and enforcement. With DevOps accelerating delivery of software, how can security teams effectively manage risk if they rely on manual processes? Do the same approaches that accelerate development also present opportunities to improve the scalability and efficiency of security?
This session demonstrates how security teams can leverage open source tools, Infrastructure as Code, and the MITRE ATT&CK framework, to build accurate threat models early in the development process, identify breach paths, and implement security controls to neutralize breaches before the app is ever deployed.
Om Moolchandani, Co-Founder & Chief Technology Officer, Accurics
Actor-Based Gap Analysis and the MITRE ATT&CK Framework
One of the challenges with threat intelligence involves the lack of attribution and relevancy when compared to one’s environment. For example, it might be hard to synthesize the qualitative and quantitative threat intelligence being curated in context when reading an article or incident report. Even harder is trying to apply the intelligence to the MITRE ATT&CK Framework to determine whether the contents of the article represent an area in your security posture that is covered or needs to be addressed. This gap analysis is necessary for continuous reevaluation of your overall security posture, which provides for the perceivably unattainable “strategic intelligence” component of your CTI program. Join us for a walkthrough as we answer the question: Can we determine gaps in our security posture by evaluating the techniques a specific threat actor uses against us?
Gordon Collins, Product Manager, Anomali
Are Mitigations Keeping up With the Explosion in ATT&CK Techniques Development?
As the techniques that threat actors leverage continue to evolve, it’s concerning to see that the tools defenders rely on to secure their organizations have not changed at the same pace. This is not a good indication of defenders’ abilities to secure their organizations over the long term, especially given their reliance on mitigation strategies that still lack protection against unknown threats.
Join Morphisec CTO Michael Gorelik as he examines the difference in changes between techniques and mitigations in the MITRE ATT&CK Framework, and the breach prevention steps you can take instead to ensure your infrastructure remains protected in the face of the ever-changing threat landscape.
You can expect to learn about:
Michael Gorelik, Chief Technology Officer, Morphisec
Combatting Ransomware with MITRE ATT&CK and Uptycs
Ransomware continues to dominate the threat landscape, affecting organizations of all sizes and industries. Ransomware variants use a diverse set of tactics and techniques described in the MITRE ATT&CK framework, targeting both Windows and Linux platforms. In this session, Amit Malik and Abhijit Mohanta from the Uptycs Threat Research team will show how the behavior of ransomware such as Ryuk and NotPetya maps to the ATT&CK framework. Join us to learn:
Amit Malik, Head of Threat Intelligence & Research, Uptycs
Scaling TTP-Based Detections to the Enterprise
TTP-based detections, such as expressed by the MITRE ATT&CK framework and leveraged by most Endpoint Detection & Response (EDR) solutions, have several advantages over yesterday’s IoC-based approach. However, many implementations suffer due to an over-reliance on mass-collections being required before data interrogation. This disconnect between where the data lives, and where detections are conducted present other challenges and limitations as well.
In this session, we will discuss:
Anthony Di Bello, Vice President, Strategic Development, OpenText
Navigating the Dark Corners of Social Engineering Attacks and How to Combat Advanced Phishing and Ransomware Surge
In recent years, attackers have successfully infiltrated organizations through highly sophisticated social engineering techniques that exploit human behavior and vulnerabilities, and lead to some of the worst data breaches in history.
In this fireside chat, we'll take you through some of the most sophisticated, real world email social engineering attacks found by Tessian’s Threat Intelligence Team, including spear phishing and vendor account takeover. See real-life examples of how these threats infiltrate organizations and how you can move your organization left of breach by stopping them early in the MITRE ATT&CK framework.
Robert Slocum, Director, Tessian
MITRE ATT&CK Framework Panel
Organizations have adopted the MITRE ATT&CK framework to help manage cyber risks and increase the effectiveness of their security efforts. While most organizations recognize the value, many are unsure about which specific steps they should take to benefit from applying the MITRE ATT&CK framework fully.
Operationalizing telemetry and threat intelligence as part of the MITRE ATT&CK framework can also empower security teams and equip analysts with the context needed to detect malicious activity and make faster, more accurate decisions. This enables an organization to reduce investigation and remediation times while strengthening security posture to help prevent future attacks.
The focus of this panel will be on how to improve security by using MITRE ATT&CK, and how to increase resiliency by mapping security control gap analysis with the framework. It will explore lessons learned while utilizing the framework, new aspects to the framework, and the latest developments for applying the framework to the cloud.
Chloé Messdaghi, SANS Chair
Keynote: Diversify and Conquer
Turn diversity into power.
Joined by Nicola Whiting, Alyssa Miller, Natasha Barnes, and Seema Kathuria, Diana Kelley will lead this enlightening panel discussion and share how organizations can thrive with a powerfully diverse workforce.
Attend this engaging and thought-leading keynote by registering for a level on day 2 of SANS Cyber Solutions Fest 2021.
Level MITRE ATT&ACK® Framework with Chloé Messdaghi
Chloé Messdaghi will be leading Level MITRE ATT&ACK® this October! See what you can expect from attending this track.
Cybersecurity Solutions for Today's Challenges
The 2nd annual SANS Cyber Solutions Fest aims to connect cybersecurity professionals of all levels with the latest solutions, tools, and techniques to combat today's cybersecurity threats.
- Featuring 4 unique levels: Threat Hunting & Intel, SOC & SOAR, MITRE ATT&ACK®, and Cloud Security
- Network in real-time with over 30 sponsors and learn from top industry experts
- Join interactive panel discussions, discover job opportunities, compete in games for multiple prizes, and more