Cyber Threat Intelligence Summit Solutions Track 2021

  • Friday, 22 Jan 2021 9:00AM EST (22 Jan 2021 14:00 UTC)
  • Speakers: Robert M. Lee, Taylor Wilkes-Pierce, Fayyaz Rajpari, Daniel Bates, Brandon Hoffman, Tanner Payne, Ben Greenbaum, Jerry Caponera, Chris Jacobs, James Perry, Peter Rydzynski, Dragos Gavrilut, Michael-Angelo Zummo, Sumukh Tendulkar

You will earn 4 CPE credits for attending this virtual event

Event Overview

The collection, classification, and exploitation of knowledge about adversaries - collectively known as cyber threat intelligence (CTI) - gives security practitioners information superiority that is used to reduce an adversary's likelihood of success. Responders and defenders leverage accurate, timely, and detailed threat intelligence to monitor new and evolving attacks and subsequently adapt their security posture.

Cyber threat intelligence represents a force multiplier for organizations looking to update their response and detection programs to deal with increasingly sophisticated advanced persistent threats. Malware is an adversary's tool but the real threat is the human one, and cyber threat intelligence focuses on countering those flexible and persistent human threats with empowered and trained human defenders. During a targeted attack, an organization needs a top-notch and cutting-edge threat hunting or incident response team armed with the threat intelligence necessary to understand how adversaries operate and to counter the threat.

Knowledge about the adversary is core to all security teams. The red team needs to understand adversaries' methods in order to emulate their tradecraft. The Security Operations Center needs to know how to prioritize intrusions and quickly deal with those that need immediate attention. The incident response team needs actionable information on how to quickly scope and respond to targeted intrusions. The vulnerability management group needs to understand which vulnerabilities matter most for prioritization and the risk that each one presents. The threat hunting team needs to understand adversary behaviors to search out new threats.

This forum will explore various CTI topics through invited speakers while showcasing current capabilities available today. Presentations will focus on case-studies and thought leadership using specific examples relevant to the industry as we know it today.


9:00 - 9:15 AM EST - Event Welcome

9:15 - 10:00 AM EST - Keynote

10:05 - 10:15 AM EST - FOR578 - Cyber Threat Intelligence Update and Move to 6 Days

Rob M. Lee, @RobertMLee, Chairperson, SANS Institute, @SANSInstitute

This presentation will go over what's new in the 2021 update for FOR578 - Cyber Threat Intelligence. It will also focus on recent events and the application of cyber threat intelligence to them. Additionally, the course has moved from a 5 day course to a 6 day course to include a final capstone for students to work on which will be detailed in this webcast.

10:15 - 10:50 AM EST - Get Your Bits Together (or Don't): Monolithic vs Federated Data Structures for Threat Intelligence

Ben Greenbaum, @secintsight Technical Leader, Cisco, @Cisco

When meeting an organization's need to leverage multi-source bulk threat intelligence and local security context, the traditional approach has been to start by collecting it all into one place. This is the foundation for entire security product categories such as SIEMs, TIMPs, and even to some extent SOAR and XDR. The other option of course is to leave it where it was generated, and use it from there via APIs or other transports. Are there significant advantages to one over the other? Join Ben Greenbaum from Cisco's SecureX team as he explores this topic and what it means for the effectiveness of tools that generate and/or rely on Threat Intelligence at scale.

10:50 - 11:25 AM EST - A Product Approach to your Threat Intelligence Practice: Increase Investment and Outcomes

Chris Jacob, Vice President of Threat Intelligence Engineering, ThreatQuotient, @ThreatQuotient

As a threat intelligence practitioner, you likely have a good idea of the value you and your CTI team bring to your organization. But does the rest of the security organization? Do the executives? Does the C-Suite? '

CTI teams that take a 'product ' approach in which organization stakeholders are customers for contextualized intelligence can see increased investment in their operation and stronger holistic security outcomes. How are you delivering value to your customers? Do you have a way to receive customer feedback and improve your product?

In this presentation we will learn how to:

  • Highlight the value CTI already brings to the organization.
  • Increase value of existing technology and human resources through robust integrations
  • Effectively receive and implement feedback that'strengthens a CTI process

11:25 AM - 12:00 PM EST - From the Front Lines ' Incident Response at Scale

James Perry, Senior Director and Global Head of Incident Response, CrowdStrike, @CrowdStrike

Stories of CrowdStrike incident response engagements and how we have changed the model for how companies respond to a breach. Learn the methods CrowdStrike uses to disrupt and ultimately remove bad actors from networks.

12:00 - 12:15 PM EST - Break

12:15 - 12:50 PM EST - Correlating Threat Intelligence with CTIM

Daniel Bates, Technical Solutions Architect, Cisco Umbrella, @CiscoUmbrella

Today's complex threat landscape requires a comprehensive, structured approach to modeling and responding to threat intelligence. Join us as we explore the Cisco Threat Intelligence Model (CTIM) and discover how it enables automated collection, evaluation, and analysis of cyber threat intelligence, leading into orchestrated response actions across a wide range of deployed services and applications.

12:50 - 1:25 PM EST - Turning Data into Actionable Threat Intelligence

Dragos Gavrilut, Director, Cyber Threat Intelligence Lab, Bitdefender, @Bitdefender

Fayyaz Rajpari, Sr. Director, Product Management, Recorded Future, @RecordedFuture

As security operations teams struggle with increasingly sophisticated adversaries exploiting more and more vulnerabilities in today's organizations, Threat Intelligence is often touted as the key to proactivity. 'How can they extract the most value from Threat Intelligence and use it in a way that enables security teams and security leaders to look beyond the latest alert, or vulnerability announcement?

In this session, we explain what actionable Threat Intelligence means for security teams and how we can obtain it. We highlight Bitdefender's proprietary threat data collection and enriching processes as well as discuss how RecordedFuture further leverages the threat data, converting it into actionable threat intelligence for their customers.

1:25 - 2:00 PM EST - Post Mortem: The First 72 Hours of SUNBURST Threat Intelligence Research

Tanner Payne, Senior Sales Engineer, ExtraHop, @ExtraHop

On December 13, 2020 when the SolarWinds Orion SUNBURST backdoor vulnerability was disclosed, the entire security community sprung into action. The attack had potential to do immense damage, and everyone worked tirelessly to respond fast. FireEye and ExtraHop were among the first to release SUNBURST associated domains and IP addresses to be used for threat intel, forensic investigation, and response.

This session will cover:

  • Background on the SUNBURST attack and how it was so stealthy and hard to detect
  • How ExtraHop uncovered new threat intelligence for use in investigating and responding to SUNBURST
  • Why internal network traffic is such a strong data source for detecting and responding to supply chain attacks like SUNBURST.

2:00 - 2:10 PM EST - Break

2:10 - 2:45 PM EST - Are you ready for Intelligent SOC?

Brandon Hoffman, CISO, Head of Security Strategy, NetEnrich, @Netenrich

The Security Operations Center (SOC) is under attack like never before, from both inside and out. Endless threats and alerts, analyst fatigue, too few resources, and a chronic lack of executive support top today's list of challenges. Intelligent SOC from Netenrich right-sizes investments to transform the inefficiencies, skills gaps, and budget constraints that undermine the traditional SOC. 'Invoked by experts, Intelligent SOC solves today's problems (and tomorrow's issues) better and faster by going beyond the SIEM 'and even beyond AI'to combine threat intelligence (TI), attack surface management (ASM), and pay-as-you-grow SOC-as-a-Service. Join us to hear how this expansive approach transforms your security investments and operations into better ROI and safer outcomes 'in hours or days versus weeks, months, or years.

2:45 - 3:20 PM EST - Key Functionalities of a Modern Cyber Threat Intelligence Program

Jerry Caponera, Vice President of Cyber Risk Strategy, ThreatConnect, @ThreatConnect

Cyber threat intelligence (CTI) represents a force multiplier for organizations looking to update their response and detection programs to deal with increasingly sophisticated advanced persistent threats. But not all cyber threat intelligence platforms and programs are created equal.

Today, world-class CTI platforms and programs need to incorporate risk into all levels of the discussion in order to serve as decision and operational support platforms for cybersecurity professionals at all levels. Risk imbued programs 'provide a clear understanding of where to focus resources and efforts, break down process silos, unite teams, and integrate security technologies through automation and orchestration. '

This presentation will outline the game-changing benefits of integrating Risk, Threat, and Response into your CTI program. We will explore each element in detail.

  • Risk - Why it is necessary and possible to scope the risk scenarios that matter most to your business from a financial perspective
  • Solve the challenge of prioritization and demonstrate security ROI to the business
  • Threat- Manage the threat landscape with a priority view into the risk scenarios that matter most to your business
  • Leverage quantification to provide a real world understanding of threat
  • Continually improve security with feedback loops to both security and operations
  • Response - Unify and streamline processes
  • Focus response efforts on risks that matter most to the business
  • Leverage automated playbooks to enable smarter, faster SOC mitigations and incident response, Orchestrate response across the entire security technology stackVP Cyber Risk Strategy

3:20 - 3:30 PM EST - Break

3:30 - 4:05 PM EST - SUNBURST: DGA or DNS Tunneling?

Peter Rydzynski, Threat Analysis Lead, IronNet, @IronNet

While much of the reporting about the SUNBURST malware describes its use of DGA for command and control, we must consider whether 'true ' DGA behavior was at play. Could it really be DNS Tunneling? There is a subtle difference -- but this difference could have a significant impact on how we identify behaviors and start to discern the adversary's possible next steps. Where do we go from here?

4:05 PM - 4:40 PM EST - Agile Threat Intelligence for the Modern Threatscape

Sumukh Tendulkar, Product Marketing Sixgill, @CyberSixgill

Michael-Angelo Zummo, Cyber Threat Intelligence Analyst Sixgill, @CyberSixgill

Today's security organizations cannot effectively manage the huge amount of data points they need to digest. Whether you are a financial institution trying to cope with the volumes of leaked credit cards or an enterprise hoping to prevent a data breach - the current approach is becoming obsolete. We will introduce the CI/CP (Continuous Investigation/Continuous Protection) approach to preemptively block threats, reduce time-to-intel, and maximize your security systems ' effectiveness. Sumukh and Michael-Angelo will illustrate how organizations can transform their cybersecurity programs to overcome today's challenges with a live use case of tracking a threat actor through cutting-edge technology.

4:40 - 5:15 PM EST - Going from Open Source Intelligence to Threat Intelligence with DomainTools Iris

Taylor Wilkes-Pierce, @tw_pierce, Sr. Sales Engineer, DomainTools, @DomainTools

DNS OSINT can give us a wealth of information about adversary activity. Collecting this data at scale and leveraging it properly is a challenge. In this session we will cover some key considerations when assessing malicious infrastructure: infrastructure providers, infrastructure tenancy, domain registration patterns and more. We'll use the DomainTools Iris dataset to explore turning OSINT into actionable threat intelligence, along with integrating this data with your SOC tools to build a repeatable process that can scale with your needs.

5:15 PM- 5:30 PM EST - Wrap-Up

Cyber Threat Intelligence Summit & Training '

Summit: January 21-22 | Training: January 25-30

The Cyber Threat Intelligence Summit brings together leading experts and analysts for in-depth threat intelligence talks, world-class SANS training, DFIR NetWars, and exclusive virtual networking opportunities! This event will provide you with specific analytical techniques and capabilities, through case studies and firsthand experience, that can be utilized to properly create and maintain threat intelligence in your organization.

Explore a diverse range of topics, including:

  • Incident response workflows, from detection to recovery
  • Security in the supply chain: upstream, midstream, and downstream
  • Ever-flattening architecture and the security effects
  • Security key performance indicators (KPIs) and dashboards
  • Security Operation Centers (SOCs) for the new integrated enterprise

View Summit Agenda & Register