Cyber Threat Intelligence Solutions Forum: Intel-Use Cases for Destructive Scenarios

  • Friday, 27 Mar 2020 8:30AM EDT (27 Mar 2020 12:30 UTC)
  • Speakers: Robert M. Lee, Taylor Wilkes-Pierce, Scott Register, Talal Balouch, Allan Liska, Kyle Flaherty

Cyber threat intelligence has a wide range of use cases for security practitioners. Over the past few SANS cyber threat intelligence forums we have focused on tactical-level insights and lessons learned from the field, as well as operational-level tracking of threat groups. Lately, though, there is a clear trend toward destructive scenarios, including ransomware cases that hold companies and entire cities hostage. For many practitioners it is not obvious how to apply intel when the impact is destructive, as opposed to the long-term tracking and understanding of adversary motivations, priorities and capabilities. The SANS Cyber Threat Intelligence Solutions Forum seeks to identify use cases seen by some of the leading cyber threat intelligence vendors and solutions providers so that they can share their knowledge from the field with the SANS community.

Earn 4 CPE Credit hours for attending this webcast.


8:30am - 9:15am: Keynote: Signs of a Maturing CTI Program and Ways to Influence Them

This presentation will talk through the biggest signs of immature and mature CTI programs and ways to navigate the path to building a well functioning and mature CTI program right sized for your organization. This talk will contain use-cases and practical suggestions for the audience to immediately take into consideration.

Robert M. Lee, SANS Expert and Course Author

9:15am - 10:00am: Sack Ransomware before it Runs Wild across your File Shares!

How to win with Extracted Indicators, YARA hunting and Explainable Threat Intelligence

Ransomware remains a pervasive threat to digital business processes, and it can be buried amongst the complexity of files and objects entering your organization, or lie latent within your repositories. Modern-day organizations are seeking to improve their detection and response processes for these advanced malware threats because the increased breadth of file formats and sizes presents a significant new challenge that more traditional resources such as sandboxes fail to address. What you might call a "malware blob," these threats are packed deep within data, hidden layers down and sometimes even out of sight of typical detection engines. For the human analysts responsible for tracking and responding to these threats, current detection engines offer only a "black box" perspective, and the resulting cyber threat intelligence may be challenging to act upon. In other words, they provide alerts but offer little to no context as to what is happening within the "blob," and analysts struggle to understand and act effectively on the risk it presents.

During this presentation, ReversingLabs addresses how to "escape the blob" by deploying modern machine learning techniques, and where they fit in a security analyst's everyday workflow. Attendees will:

* Walk through a scenario from the perspective of a SOC analyst and see how to analyze threats buried in "malware blobs"

* Learn how static analysis has been scaled and automated to provide a global index of indicators for all files

* Develop an in-depth understanding of how to improve SOC productivity and analyst malware knowledge

Talal Balouch, Security Integration Architect, ReversingLabs
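The abstract above describes the problem in general terms: a file of interest buried layers down inside a "blob", and rules (YARA-style) that need to reach it. The following is an added example illustrating that idea; it is not ReversingLabs' code and does not use their product. It builds a nested zip in memory as a constructed sample, walks every archive layer with depth and byte budgets (the practical guard against decompression bombs), and evaluates a tiny YARA-like rule set against each leaf file. The rule names, patterns and sample strings are placeholders invented for the example, not indicators for any real ransomware family.

```python
import io
import re
import zipfile

# Toy YARA-style rules: each rule is a list of byte-regex "strings" plus a
# condition ("any" or "all").  The patterns are illustrative placeholders,
# not signatures for any real ransomware family.
RULES = {
    "ransom_note_marker": {
        "strings": [rb"FILES HAVE BEEN ENCRYPTED", rb"\b[0-9.]+ BTC\b"],
        "condition": "any",
    },
    "payment_instructions": {
        # Requires both strings; the sample below only carries the first,
        # so this rule shows how an "all" condition keeps noisy hits down.
        "strings": [rb"\bBTC\b", rb"\.onion\b"],
        "condition": "all",
    },
}

# Constructed sample (not a real malware artefact): a ransom-note-like text
# file buried two archive layers deep, next to harmless decoy files.
RANSOM_NOTE_TEXT = b"YOUR FILES HAVE BEEN ENCRYPTED. Send 0.5 BTC to recover them."


def build_sample() -> bytes:
    """Build outer.zip -> invoice.zip -> README_TO_DECRYPT.txt in memory."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("README_TO_DECRYPT.txt", RANSOM_NOTE_TEXT)
        z.writestr("report.txt", b"quarterly numbers, nothing unusual here")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("invoice.zip", inner.getvalue())
        z.writestr("cover_letter.txt", b"please find the invoice attached")
    return outer.getvalue()


def walk_blob(data: bytes, root: str = "blob", max_depth: int = 8,
              max_total: int = 50 * 1024 * 1024):
    """Yield (virtual_path, bytes) for every leaf file inside nested zips.

    The depth and total-bytes limits guard against decompression bombs;
    exceeding the byte budget raises rather than silently truncating.
    """
    stack = [(root, data, 0)]
    consumed = 0
    while stack:
        path, blob, depth = stack.pop()
        consumed += len(blob)
        if consumed > max_total:
            raise RuntimeError(f"decompression budget exceeded at {path}")
        if depth < max_depth and zipfile.is_zipfile(io.BytesIO(blob)):
            with zipfile.ZipFile(io.BytesIO(blob)) as z:
                for info in z.infolist():
                    if info.is_dir():
                        continue
                    stack.append((f"{path}/{info.filename}",
                                  z.read(info.filename), depth + 1))
            continue
        yield path, blob


def scan(data: bytes, rules=RULES, **walk_kwargs):
    """Return [(path, rule_name, [matched_patterns])] for every rule hit."""
    hits = []
    for path, blob in walk_blob(data, **walk_kwargs):
        for name, rule in rules.items():
            matched = [p.decode() for p in rule["strings"] if re.search(p, blob)]
            need_all = rule["condition"] == "all"
            if matched and (not need_all or len(matched) == len(rule["strings"])):
                hits.append((path, name, matched))
    return hits


if __name__ == "__main__":
    for path, rule, matched in scan(build_sample()):
        print(f"{path}: {rule} ({', '.join(matched)})")
```

The virtual path in each hit (outer archive, inner archive, leaf file) is the context an analyst needs to act on the alert: which attachment, how deep, and which strings fired. Real deployments would swap the toy rule evaluator for yara-python and add handlers for other container formats, but the budget check belongs in any recursive unpacker.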

10:00am - 10:30am: Going on the Offensive: Protecting Your Network with Threat Intelligence

When you hear the words "Threat Intelligence", what's the first thing that comes to mind? Back-end research? Threat hunting? It's easy to categorize threat intelligence as a reactive tool, best suited for things like root-cause analysis, but it's so much more than that.

In this presentation, we'll explore an array of practical applications for threat intelligence, including traditional defensive strategies and new offensive strategies that will help you maximize your SecOps team.

Join us to discover how applying threat intelligence can help you:

* Answer the question "Am I more secure today than I was yesterday?"

* Improve the efficiency and effectiveness of Breach and Attack Simulation tools

* Reduce your attack surface by blocking the latest threats

* Prevent DDoS attacks and improve performance with pre-deployment testing

* Maximize your threat hunting capability with real-time insights into botnets, phishing, etc.

* Stay ahead of attackers by researching the latest attack signatures

Kyle Flaherty, B2B Go-to-Market, Keysight Technologies

Scott Register, VP Product Management, Keysight Technologies

10:30am - 11:15am: Proactive Threat Hunting for Ransomware

Ransomware actors are increasingly targeting large organizations in a trend known as "Big Game Hunting." The hope is to extract ever larger ransom demands from these organizations. But a big game attack has certain requirements that make it possible to detect and stop. Unlike a more traditional ransomware attack, in which the attacker lands and immediately installs the ransomware, the big game attack requires the threat actor to spend days or weeks learning the network. During that period, there are telltale signs that the attackers leave behind. Using proactive threat hunting combined with threat intelligence, an IR or SOC team can identify these activities and stop the ransomware attack before any system is encrypted. This presentation will look at indicators ransomware actors are currently using, including Coronavirus and telework phishing lures that have suddenly increased in use.

Allan Liska, Senior Architect, RecordedFuture
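The abstract above makes the case that the days or weeks an operator spends learning the network leave behind signs that can be hunted before encryption starts. As an added example (not Recorded Future's code or the content of the talk), the block below runs simple precursor detection over constructed process-creation events in JSON-lines form. The command patterns are widely documented ransomware tradecraft (domain-admin enumeration, admin-share access, shadow-copy deletion); the phase grouping, the "two distinct phases" threshold, the severity labels and the sample hostnames and accounts are this example's own assumptions. Events are correlated per account rather than per host, since the same compromised account typically carries the activity across machines.

```python
import json
import re
from collections import defaultdict

# Illustrative precursor patterns grouped by intrusion phase.  The commands
# are widely documented ransomware tradecraft; the grouping, the two-phase
# threshold and the severity labels are this example's own choices.
STAGES = {
    "discovery": [
        r'\bnet(?:\.exe)?\s+group\s+"?domain admins"?\s+/domain',
        r'\bnltest(?:\.exe)?\s+.*?/dclist',
    ],
    "lateral_movement": [
        r'\bnet(?:\.exe)?\s+use\s+\\\\',
        r'\bpsexec',
        r'\bwmic(?:\.exe)?\s+/node:',
    ],
    "recovery_inhibition": [
        r'\bvssadmin(?:\.exe)?\s+delete\s+shadows',
        r'\bwbadmin(?:\.exe)?\s+delete\s+catalog',
        r'\bbcdedit(?:\.exe)?\s+.*recoveryenabled\s+no',
    ],
}
COMPILED = {s: [re.compile(p, re.IGNORECASE) for p in pats]
            for s, pats in STAGES.items()}

# Constructed process-creation events (JSON lines), not real telemetry.
SAMPLE_EVENTS = [
    {"ts": "2020-03-20T09:12:00Z", "host": "WS-FIN-07", "user": "jdoe",
     "cmd": "whoami"},
    {"ts": "2020-03-20T09:14:00Z", "host": "WS-FIN-07", "user": "jdoe",
     "cmd": 'net group "Domain Admins" /domain'},
    {"ts": "2020-03-21T22:03:00Z", "host": "WS-FIN-07", "user": "jdoe",
     "cmd": "nltest /dclist:corp.example"},
    {"ts": "2020-03-22T01:10:00Z", "host": "WS-FIN-07", "user": "jdoe",
     "cmd": r"net use \\SRV-FS01\C$"},
    {"ts": "2020-03-22T01:15:00Z", "host": "SRV-FS01", "user": "jdoe",
     "cmd": "vssadmin delete shadows /all /quiet"},
    {"ts": "2020-03-22T02:00:00Z", "host": "SRV-BK01", "user": "backupsvc",
     "cmd": "vssadmin list shadows"},
    {"ts": "2020-03-22T08:30:00Z", "host": "WS-HR-02", "user": "helpdesk1",
     "cmd": r"net use \\SRV-FS01\share"},
    {"ts": "2020-03-22T09:05:00Z", "host": "WS-ENG-03", "user": "asmith",
     "cmd": 'net group "Domain Admins" /domain'},
]
SAMPLE_LOG = "\n".join(json.dumps(e) for e in SAMPLE_EVENTS)


def classify(cmd: str) -> set:
    """Return the set of phase names whose patterns match a command line."""
    return {stage for stage, pats in COMPILED.items()
            if any(p.search(cmd) for p in pats)}


def hunt(log_text: str, min_stages: int = 2) -> list:
    """Parse JSON-lines events; return one finding per account that shows
    at least `min_stages` distinct precursor phases, most urgent first."""
    by_user = defaultdict(lambda: {"hosts": set(), "stages": defaultdict(list),
                                   "times": []})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        stages = classify(ev["cmd"])
        if not stages:
            continue
        rec = by_user[ev["user"]]
        rec["hosts"].add(ev["host"])
        rec["times"].append(ev["ts"])
        for s in stages:
            rec["stages"][s].append((ev["ts"], ev["host"], ev["cmd"]))
    findings = []
    for user, rec in by_user.items():
        if len(rec["stages"]) < min_stages:
            continue
        findings.append({
            "user": user,
            "hosts": rec["hosts"],
            "stages": {s: list(v) for s, v in rec["stages"].items()},
            "first_seen": min(rec["times"]),
            "last_seen": max(rec["times"]),
            # Shadow-copy or backup tampering means encryption is imminent.
            "severity": "critical" if "recovery_inhibition" in rec["stages"]
                        else "high",
        })
    findings.sort(key=lambda f: (f["severity"] != "critical", f["first_seen"]))
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG):
        print(f"[{f['severity']}] {f['user']} on {sorted(f['hosts'])}: "
              f"{sorted(f['stages'])} between {f['first_seen']} and {f['last_seen']}")
```

In the constructed data only one account crosses the threshold, and the spread between its first and last matching event is the dwell time the abstract refers to; a single "net use" from a help-desk account or a read-only "vssadmin list shadows" from a backup service does not fire, which is the precision a hunter wants from a precursor rule set. Lowering `min_stages` to 1 turns the same logic into a watch list of accounts to review.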

11:15am - 12:00pm: Investigating Real-World Attacks with Domain & DNS-Based Adversary Intelligence

From novice cyber criminals to sophisticated actors, understanding why and how attackers target systems is critical to defense. Sometimes, though, there is simply not enough time to analyze all the data available. By following a structured, practical approach to investigations, however, you and your team can invest your time and resources where they matter most. Taylor Wilkes-Pierce of DomainTools will use real-world examples of investigative techniques and DNS-based intelligence that exposed campaign infrastructure to demonstrate repeatable investigative pathways that help you proactively strengthen your security posture.

Taylor Wilkes-Pierce, Senior Sales Engineer, DomainTools

12:00pm - 12:15pm: Closing Remarks