
Cyber Threat Intelligence Solutions Forum: Intel-Use Cases for Destructive Scenarios

  • Friday, March 27, 2020 at 8:30 AM EDT (2020-03-27 12:30:00 UTC)
  • Robert M. Lee, Talal Balouch, Scott Register, Kyle Flaherty, Allan Liska, Taylor Wilkes-Pierce


  • Reversing Labs
  • Keysight Technologies, Inc.
  • RecordedFuture
  • DomainTools
  • Cisco Umbrella




Cyber threat intelligence has a wide range of use cases for security practitioners. Over the past few SANS cyber threat intelligence forums we've focused on tactical-level insights and lessons learned from the field, as well as operational-level tracking of threat groups. Lately, though, there is a clear trend toward destructive scenarios, including ransomware cases that hold companies and entire cities hostage. It is not always obvious how to leverage intel when the impact is destructive, as opposed to long-term tracking and understanding of adversary motivations, priorities, and capabilities. The SANS Cyber Threat Intelligence Solutions Forum seeks to identify use cases seen by some of the leading cyber threat intelligence vendors and solutions providers so that they can share their knowledge from the field with the SANS community.

Earn 4 CPE Credit hours for attending this webcast.


8:30am - 9:15am: Keynote: Signs of a Maturing CTI Program and Ways to Influence Them

This presentation will talk through the biggest signs of immature and mature CTI programs and ways to navigate the path to building a well-functioning, mature CTI program right-sized for your organization. The talk will include use cases and practical suggestions the audience can immediately take into consideration.

Robert M. Lee, SANS Expert and Course Author

9:15am - 10:00am: Sack Ransomware before it Runs Wild across your File Shares!

How to win with Extracted Indicators, YARA hunting and Explainable Threat Intelligence

Ransomware remains a pervasive threat to digital business processes, and it can be buried among the complexity of files and objects entering your organization, or lie latent within your repositories. Modern organizations are seeking to improve their detection and response processes for these advanced malware threats because the increased breadth of file formats and sizes presents a significant new challenge that more traditional resources like sandboxes fail to address. These threats, what you might call a "malware blob," are packed deep within data, hidden layers down and sometimes even out of sight of typical detection engines. For the human analysts responsible for tracking and responding to these threats, current detection engines offer only a "black box" perspective, and the resulting cyber threat intelligence may be challenging to act upon. In other words, they provide alerts but offer little to no context about what is happening within the "blob," and human analysts struggle to understand and act effectively on the risk it presents.

During this presentation, ReversingLabs addresses how to "escape the blob" by deploying modern machine learning techniques and where they fit in a security analyst's everyday workflow. Attendees will:

  • Walk through a scenario through the lens of a SOC analyst, and see how to analyze threats buried in "malware blobs"
  • Learn how static analysis has been scaled and automated to provide a global index of indicators for all files
  • Develop an in-depth understanding of how to improve SOC productivity and analyst malware knowledge

Talal Balouch, Security Integration Architect, ReversingLabs

10:00am - 10:30am: Going on the Offensive: Protecting Your Network with Threat Intelligence

When you hear the words "threat intelligence", what's the first thing that comes to mind? Back-end research? Threat hunting? It's easy to categorize threat intelligence as a reactive tool, best suited for things like root-cause analysis, but it's so much more than that.

In this presentation, we'll explore an array of practical applications for threat intelligence, including traditional defensive strategies and new offensive strategies that will help you maximize your SecOps team.

Join us to discover how applying threat intelligence can help you:

  • Answer the question "Am I more secure today than I was yesterday?"
  • Improve the efficiency and effectiveness of Breach and Attack Simulation tools
  • Reduce your attack surface by blocking the latest threats
  • Prevent DDoS attacks and improve performance with pre-deployment testing
  • Maximize your threat hunting capability with real-time insights into botnets, phishing, etc.
  • Stay ahead of attackers by researching the latest attack signatures

Kyle Flaherty, B2B Go-to-Market, Keysight Technologies

Scott Register, VP Product Management, Keysight Technologies

10:30am - 11:15am: Proactive Threat Hunting for Ransomware

Ransomware actors are increasingly targeting large organizations in a trend known as "Big Game Hunting," hoping to extract ever larger ransom demands from these organizations. But a big game attack has certain requirements that make it possible to detect and stop. Unlike a more traditional ransomware attack, in which the attacker lands and immediately installs the ransomware, a big game attack requires the threat actor to spend days or weeks learning the network. During that period, the attackers leave telltale signs behind. Using proactive threat hunting combined with threat intelligence, an IR or SOC team can identify these activities and stop the ransomware attack before any system is encrypted. This presentation will look at indicators ransomware actors are currently using, including coronavirus and telework phishing lures that have suddenly increased in use.

Allan Liska, Senior Architect, RecordedFuture

11:15am - 12:00pm: Investigating Real-World Attacks with Domain & DNS-Based Adversary Intelligence

From novice cybercriminals to sophisticated actors, understanding why and how attackers target systems is critical to defense. Sometimes, though, there's simply not enough time to analyze all the data available. However, by following a structured, practical approach to investigations, you and your team can invest your time and resources where they matter most. Taylor Wilkes-Pierce of DomainTools will use real-world examples of investigative techniques and DNS-based intelligence that exposed campaign infrastructure to demonstrate repeatable investigative pathways that help you proactively strengthen your security posture.

Taylor Wilkes-Pierce, Senior Sales Engineer, DomainTools

12:00pm - 12:15pm: Closing Remarks

Speaker Bios

Robert M. Lee

Rob is a recognized pioneer in the industrial security incident response and threat intelligence community. He started in security as a U.S. Air Force Cyber Warfare Operations Officer tasked to the National Security Agency, where he built a first-of-its-kind mission identifying and analyzing national threats to industrial infrastructure. He went on to build the industrial community's first dedicated monitoring and incident response class at the SANS Institute (ICS515) and the industry-recognized cyber threat intelligence course (FOR578).

Forbes named Robert to its 30 Under 30 (2016) list as one of the "brightest entrepreneurs, breakout talents, and change agents" in Enterprise Technology. He is a business leader but also a technical practitioner. Robert helped lead the investigation into the 2015 cyber attack on Ukraine's power grid, and he and his team at Dragos helped identify and analyze the CRASHOVERRIDE malware that attacked Ukraine's grid in 2016 and the TRISIS malware deployed against an industrial safety system in the Middle East in 2017.

Talal Balouch

Talal Balouch is the Security Integration Architect for ReversingLabs, focusing on OEM, technology partners and named enterprise accounts. Talal's background includes a hands-on approach to security engineering for the most demanding enterprises. He has been awarded the DEFCON Black Badge, holds OSCP, OSCE and CISSP certifications, and his experience spans Python, Perl, Golang, Ruby and others. Talal has a degree in Electrical Engineering from Virginia Polytechnic University and a Master's in IS from Boston University. He is also a member of the NovaHackers security group located in Northern Virginia.

Scott Register

Scott has more than 15 years of experience leading product management operations for global technology companies. He holds B.S. and M.S. degrees in computer science from Georgia Institute of Technology and also served as a member of the research faculty.

Kyle Flaherty

Kyle is a B2B Go-to-Market Executive focused on the security industry. From software startups to publicly-traded security analytics powerhouses, Kyle focuses on bringing the value of technology to those who need it most. He also enjoys long walks on the beach, at a socially-responsible distance.

Allan Liska

Allan Liska is an intelligence analyst at Recorded Future. Allan has more than 15 years' experience in information security and has worked as both a blue teamer and a red teamer for the intelligence community and the private sector. Allan has helped countless organizations improve their security posture using more effective and integrated intelligence. Allan is also one of the organizers of BSides Bordeaux and has presented at security conferences around the world. He is the author of The Practice of Network Security, Building an Intelligence-Led Security Program, and Securing NTP: A Quickstart Guide, and the co-author of DNS Security: Defending the Domain Name System and Ransomware: Defending Against Digital Extortion.

Taylor Wilkes-Pierce

Taylor is a senior sales engineer at DomainTools with more than 10 years of experience in technology sales, with stops at Verizon, Amazon and Virtuozzo along the way to DomainTools. Although Taylor loves all things InfoSec, he has a fond spot for container virtualization, software-defined storage and basketball.
