Cyber Solutions Fest 2021: Level Threat Hunting & Intelligence

  • Thursday, 21 Oct 2021 8:30AM EDT (21 Oct 2021 12:30 UTC)
  • Speakers: Jake Williams, Bernard Brantley, Lindsay Kaye, Scott Scheferman, Menachem Perlman, Peter Steyaert, Nicole Rowe, Art Coviello, Mike Brown, Dylan Davis, Greg Bell, Inon Shkedy, Anoop Kartha, Jesse Munos, Adam Tomeo, Melissa Corp, Mary Roark

You are entering Level Threat Hunting & Intelligence at the SANS Cyber Solutions Fest 2021.

This full-day session will feature DFIR expert Jake Williams and a lineup of invited speakers as they dive into the value of threat hunting and threat intelligence. Just as SIEM is useless without log sources, threat hunting without threat intelligence suffers the same fate and maximum value is not achieved for an organization's environment.

Download a copy of the presentations here!



Accedian LogoCisco Secure LogoCorelight_Transparent.pngCyborg Security LogoEclypsium_Logo_Full_Color.pngendace_vert_logotagline-black-padding[34].pngExtraHop Networks logoGigamon-Logo.pngPalo_Alto_Networks.pngRectangular_Logo_-_Digital_(RGB)_-_Recorded_Future.pngSecZetta_Logo.pngTraceable logo

Agenda | 8:30 AM - 5:30 PM EDT


Session Description

8:30 AM
Kickoff & Welcome

Jake Williams, SANS Instructor

8:45 AM

Exploiting NDR to Cultivate Decision Advantage

As defenders, we deploy or develop a number of policies, procedures, tools and technologies to support our risk management strategy while struggling to maintain situational awareness. The regular outputs of detection and response activities rarely cross functional boundaries and result in missed opportunities to translate learnings into institutional memory. With an ever-evolving threat landscape including the transformation to a hybrid work model; the power of decision and ultimately Decision Advantage is the most valuable tool in cyber-defense. In this talk, Bernard Brantley will discuss the exploitation of data-centric NDR as the coalescence point for tactical and operational outputs and as a pathway to cultivating strategic decision advantage.

Bernard Brantley, CISO, Corelight

9:25 AM

It Started Out with a Phish, How Did It End Up Like This?

Whether your organization’s biggest threat is from ransomware threat actors, APTs or other financially motivated actors, proactive threat hunting focused on TTPs used during all stages of the attack lifecycle is critical.

First, we will discuss how to identify the techniques threat actors are using, focusing on those used during ransomware attacks. We will highlight the opportunities for threat hunters to detect these tools; from initial access, to persistence, to lateral movement, focusing on how to look for malicious behavior occurring before the deployment of the final payload.

Finally, we will talk about how to use Recorded Future Intelligence to create threat hunting packages to look for these TTPs that can be refined and incorporated into your security workflow.

Lindsay Kaye, Director of Operational Outcomes, Recorded Future

10:05 AM


10:20 AM

Hunting Below the Surface

In the context of both threat hunting and threat intelligence, firmware level attacks provide unique advantages to the adversary; ones many organizations are failing to adequately address. Whether via supply chain, firmware updates, malware (both criminal and APT), or insider vectors, there are many vectors for an attacker to take in targeting firmware. What are ways that actors leverage firmware, and how can we prevent and detect such attacks?

Scott Scheferman, Office of CTO, Eclypsium

10:50 AM

A Beginner's Guide to Threat Hunting: Learn the Tips, Tricks and Tools of Hunting

Threat actors constantly seek out new ways to exploit hosts while evading detection. By proactively hunting for threats, you can reduce dwell times and stop adversaries early--before damage is done. Despite their best intentions, though, many security teams today lack the resources and expertise to hunt threats effectively. If your organization plans to develop a threat hunting program or if you're interested in becoming a threat hunter, then be sure to attend this informative webinar.

Join us as seasoned Unit 42 threat hunter Menachem Perlman reveals the secrets to:

  • Uncover hidden threats quickly
  • Investigate alerts quickly and thoroughly
  • Turn threat hunting discoveries into automated detections
  • Build internal, managed, or hybrid threat hunting programs

Menachem Perlman, Sr Mgr, Threat Hunting, Cortex at Palo Alto Networks

11:20 AM
Mind the gaps: Network Data Visibility, SOC Tools and SOC Resources

69% of SOC analyst cite lack of visibility into network traffic as the top reason for ineffectiveness. Join this session to find out why and how SOC teams are eliminating their blind spots, performing TLS traffic inspection and leveraging NDRs as the third leg of their “SOC Triad”. You’ll learn:

  • The role of NDR in the MITRE ATT&CK framework
  • When TLS metadata analysis works, when decryption is needed
  • Different NDR deployment scenarios

Peter Steyaert, Sr SE Manager, ThreatINSIGHT, Gigamon

11:50 AM


12:00 PM

U.S. Cybersecurity Regulation: Fact or Fiction?

As a result of the recent Executive Order, many U.S. federal agencies are trying to quickly determine next steps in their Zero Trust journey. And they are not alone. Organizations around the globe are examining their Zero Trust strategies and wondering if this EO is a precursor for broader legislation and future regulations that could begin to add new layers of accountability to cybersecurity incidents.

During this keynote session, industry experts Art Coviello, former CEO of RSA Security and Mike Brown, Rear Admiral, United States Navy (retired), an authority on our nation’s cybersecurity strategy through this his leadership positions at the Departments of Defense and Homeland Security, will provide insight based on their experience on what to expect from the government, when to expect it, and how these changes will impact cybersecurity professionals.

Nicole Rowe
, CMO, SecZetta

Art Coviello
, former CEO of RSA Security
Mike Brown
, Rear Admiral, United States Navy (Retired)

Live Chat & Questions:
Frank Briguglio
, Public Sector Strategist, SailPoint

1:00 PM

Afternoon Kickoff

Jake Williams, SANS Instructor

1:10 PM

Disrupt Adversary Behavior With Recorded Future and MITRE ATT&CK

Detecting threat behaviors provides opportunities to disrupt adversaries before they can cause harm. When applied properly, the MITRE ATT&CK framework provides a valuable bridge between strategic and operational levels of security intelligence. Combined with Recorded Future’s unique entity ontologies, analysts can surface threat actors, attack methods, and adversary TTPs efficiently.

Dylan Davis, Threat Intelligence Consultant, Recorded Future

1:30 PM

Zeek: a Quickstart Guide

The popularity of open source Zeek (formerly Bro) is soaring, along with the relevance of NDR as a category. In this brief presentation I’ll explain the functions of Zeek, which is a powerful platform for network traffic analysis and behavioral detection. To provide a taste of real-world application, I’ll also walk through a new Zeek script designed to detect the NTLM relay 'PetitPotem'.

Greg Bell, Co-Founder and Chief Strategy Officer, Corelight

1:50 PM

Hunting Down the Top API Security Threats to Your Applications - Live

In this session learn about the top API vulnerabilities and see live how to find them and protect yourself against them. We will explore the OWASP API Top 10 and the new security challenges and strategies to understand the application, how it is changing, and how to detect anomalies to block threats, making businesses more secure and resilient.

Join Inon Shkedy, Co-Leader of OWASP API Top 10 project and Traceable AI Security Researcher, and Anoop Kartha, API Security Evangelist to learn:

  • Why API vulnerabilities are different from traditional web application vulnerabilities
  • Why your traditional application security solutions aren’t enough
  • What are the top vulnerabilities you should be concerned about
  • How to detect and block bad actors from using these vulnerabilities against you

Inon Shkedy, Security Researcher, Traceable AI
Anoop Kartha
, API Security Evangelist, Traceable AI

2:20 PM

Decrypt as if Your Security Depends on it

Recent vulnerabilities, such asProxyShell, PrintNightmare, and ProxyLogon, have been exploited via encrypted protocols. Detection and investigation of encrypted exploit attempts is complicated and often fruitless due to the limitations of log data. Despite this blind spot, organizations continue to implement encryption on their internal networks and the number of threats hiding behind legitimately encrypted traffic continues to grow. Decryption technology has become essential to an organization’s security arsenal, by enabling the detection of malicious activity within encrypted traffic.

In this session, attendees will learn:

  • The differences between out-of-band and Man-in-the-Middle decryption
  • How decryption restores visibility to ITOps and SecOps teams
  • Why network-level record data should be a requirement for SecOps teams

Jesse Munos, Manager, ExtraHop

2:50 PM

Accelerating Your Journey to Threat Hunting Maturity

If you are hunting for things that have already made the news, you are not really threat hunting. When your primary source is automated alerts, you are inevitably getting stuck in the lowest level of threat hunting according to David Bianco's The Cyber Hunting Maturity Model. Organizations all want to achieve the highest level of maturity, and today, there may only be a handful of organizations that actually exist there.

Join Cisco as we discuss the maturation path to threat hunting. We will cover such points as why organizations struggle to begin and mature a threat hunting practice. We will also review the requirements for advancing through each of the five steps including: incorporating threat intelligence, data collection, data analysis, and automation.

By the end of the discussion, participants will have an understanding of strategic planning efforts needed to elevate their threat hunting program.

Adam Tomeo, Manager, Cisco
Melissa Corp
, Security Research Engineering Technical Leader, Cisco

3:20 PM


3:35 PM

Top 5 Things You Need to Improve Threat Hunting

So your organization knows that it is vulnerable and wants to improve how they detect and hunt for threats. Where is the line between detection and hunting? Learn how to choose the right NDR platform for your organization. What can the tools do and when do your people need to get more involved and dig deeper? Identify the key features you need. How can your organization develop the skills you need to use them while having fun? Let the hunt begin.

The top 5 things you need to improve your Threat Hunting are:

  1. Understand your business (What does normal look like?
  2. Key Metadata on traffic (What data is meaningful?
  3. Alerts vs. incidents (How do I Prioritize?
  4. Identify unusual data flows (What direction does evil travel?
  5. Practice (How do I find CTFs and other ways to practice threat hunting?

Mary Roark, CISSP VP of Cybersecurity Strategy, Accedian

4:05 PM

You Can't Threaten Us: Panel

Of course, threat intelligence is useful for so much more than threat hunting, from enabling organizations to understand trends in threat groups, to creating real-time detections, to helping an organization’s analysts contextualize incidents and attempted attacks for stakeholders. But far too often, purchasing threat intelligence platforms and feeds doesn’t provide the organization with the desired value. In part that’s because the value of intelligence is hard to quantify – how do you quantify the return on investment of knowing the tradecraft or indicators used by an attacker before they target your organization? This problem is further complicated by the fact that many orgs struggle to operationalize the intelligence that they buy – sure the list of IOCs sounded great and you heard some use cases, but how will YOU use it?

Jake Williams, SANS Instructor


Bernard Brantley, CISO, Corelight
Greg Bell, Co-Founder and Chief Strategy Officer, Corelight
Lindsay Kaye, Director of Operational Outcomes, Recorded Future
Dylan Davis, Threat Intelligence Consultant, Recorded Future

4:55 PM


Jake Williams, SANS Instructor

Level Threat Hunting & Intelligence with Jake Williams

Guess who's back? Jake Williams is back again for SANS Cyber Solutions Fest and will be leading Level Threat Hunting & Intelligence! See what he has to say about this upcoming session.

Cybersecurity Solutions for Today's Challenges

The 2nd annual SANS Cyber Solutions Fest aims to connect cybersecurity professionals of all levels with the latest solutions, tools, and techniques to combat today's cybersecurity threats.

  • Featuring 4 unique levels: Threat Hunting & Intel, SOC & SOAR, MITRE ATT&ACK®, and Cloud Security
  • Network in real-time with over 30 sponsors and learn from top industry experts
  • Join interactive panel discussions, discover job opportunities, compete in games for multiple prizes, and more