You will earn 4 CPE credits for attending this virtual event
The collection, classification, and exploitation of knowledge about adversaries - collectively known as cyber threat intelligence (CTI) - gives security practitioners information superiority that is used to reduce an adversary's likelihood of success. Responders and defenders leverage accurate, timely, and detailed threat intelligence to monitor new and evolving attacks and subsequently adapt their security posture.
Cyber threat intelligence represents a force multiplier for organizations looking to update their response and detection programs to deal with increasingly sophisticated advanced persistent threats. Malware is an adversary's tool but the real threat is the human one, and cyber threat intelligence focuses on countering those flexible and persistent human threats with empowered and trained human defenders. During a targeted attack, an organization needs a top-notch and cutting-edge threat hunting or incident response team armed with the threat intelligence necessary to understand how adversaries operate and to counter the threat.
Knowledge about the adversary is core to all security teams. The red team needs to understand adversaries' methods in order to emulate their tradecraft. The Security Operations Center needs to know how to prioritize intrusions and quickly deal with those that need immediate attention. The incident response team needs actionable information on how to quickly scope and respond to targeted intrusions. The vulnerability management group needs to understand which vulnerabilities matter most for prioritization and the risk that each one presents. The threat hunting team needs to understand adversary behaviors to search out new threats.
This forum will explore various CTI topics through invited speakers while showcasing current capabilities available today. Presentations will focus on case-studies and thought leadership using specific examples relevant to the industry as we know it today.
9:00 - 9:15 AM EST - Event Welcome
9:15 - 10:00 AM EST - Keynote
10:05 - 10:15 AM EST - FOR578 - Cyber Threat Intelligence Update and Move to 6 Days
Rob M. Lee, @RobertMLee, Chairperson, SANS Institute, @SANSInstitute
This presentation will go over what's new in the 2021 update for FOR578 - Cyber Threat Intelligence. It will also focus on recent events and the application of cyber threat intelligence to them. Additionally, the course has moved from a 5 day course to a 6 day course to include a final capstone for students to work on which will be detailed in this webcast.
10:15 - 10:50 AM EST - Get Your Bits Together (or Don't): Monolithic vs Federated Data Structures for Threat Intelligence
Ben Greenbaum, @secintsight Technical Leader, Cisco, @Cisco
When meeting an organization's need to leverage multi-source bulk threat intelligence and local security context, the traditional approach has been to start by collecting it all into one place. This is the foundation for entire security product categories such as SIEMs, TIMPs, and even to some extent SOAR and XDR. The other option of course is to leave it where it was generated, and use it from there via APIs or other transports. Are there significant advantages to one over the other? Join Ben Greenbaum from Cisco's SecureX team as he explores this topic and what it means for the effectiveness of tools that generate and/or rely on Threat Intelligence at scale.
10:50 - 11:25 AM EST - A Product Approach to your Threat Intelligence Practice: Increase Investment and Outcomes
Chris Jacob, Vice President of Threat Intelligence Engineering, ThreatQuotient, @ThreatQuotient
As a threat intelligence practitioner, you likely have a good idea of the value you and your CTI team bring to your organization. But does the rest of the security organization? Do the executives? Does the C-Suite? '
CTI teams that take a 'product ' approach in which organization stakeholders are customers for contextualized intelligence can see increased investment in their operation and stronger holistic security outcomes. How are you delivering value to your customers? Do you have a way to receive customer feedback and improve your product?
In this presentation we will learn how to:
11:25 AM - 12:00 PM EST - From the Front Lines ' Incident Response at Scale
James Perry, Senior Director and Global Head of Incident Response, CrowdStrike, @CrowdStrike
Stories of CrowdStrike incident response engagements and how we have changed the model for how companies respond to a breach. Learn the methods CrowdStrike uses to disrupt and ultimately remove bad actors from networks.
12:00 - 12:15 PM EST - Break
12:15 - 12:50 PM EST - Correlating Threat Intelligence with CTIM
Daniel Bates, Technical Solutions Architect, Cisco Umbrella, @CiscoUmbrella
Today's complex threat landscape requires a comprehensive, structured approach to modeling and responding to threat intelligence. Join us as we explore the Cisco Threat Intelligence Model (CTIM) and discover how it enables automated collection, evaluation, and analysis of cyber threat intelligence, leading into orchestrated response actions across a wide range of deployed services and applications.
12:50 - 1:25 PM EST - Turning Data into Actionable Threat Intelligence
Dragos Gavrilut, Director, Cyber Threat Intelligence Lab, Bitdefender, @Bitdefender
Fayyaz Rajpari, Sr. Director, Product Management, Recorded Future, @RecordedFuture
As security operations teams struggle with increasingly sophisticated adversaries exploiting more and more vulnerabilities in today's organizations, Threat Intelligence is often touted as the key to proactivity. 'How can they extract the most value from Threat Intelligence and use it in a way that enables security teams and security leaders to look beyond the latest alert, or vulnerability announcement?
In this session, we explain what actionable Threat Intelligence means for security teams and how we can obtain it. We highlight Bitdefender's proprietary threat data collection and enriching processes as well as discuss how RecordedFuture further leverages the threat data, converting it into actionable threat intelligence for their customers.
1:25 - 2:00 PM EST - Post Mortem: The First 72 Hours of SUNBURST Threat Intelligence Research
Tanner Payne, Senior Sales Engineer, ExtraHop, @ExtraHop
On December 13, 2020 when the SolarWinds Orion SUNBURST backdoor vulnerability was disclosed, the entire security community sprung into action. The attack had potential to do immense damage, and everyone worked tirelessly to respond fast. FireEye and ExtraHop were among the first to release SUNBURST associated domains and IP addresses to be used for threat intel, forensic investigation, and response.
This session will cover:
2:00 - 2:10 PM EST - Break
2:10 - 2:45 PM EST - Are you ready for Intelligent SOC?
Brandon Hoffman, CISO, Head of Security Strategy, NetEnrich, @Netenrich
The Security Operations Center (SOC) is under attack like never before, from both inside and out. Endless threats and alerts, analyst fatigue, too few resources, and a chronic lack of executive support top today's list of challenges. Intelligent SOC from Netenrich right-sizes investments to transform the inefficiencies, skills gaps, and budget constraints that undermine the traditional SOC. 'Invoked by experts, Intelligent SOC solves today's problems (and tomorrow's issues) better and faster by going beyond the SIEM 'and even beyond AI'to combine threat intelligence (TI), attack surface management (ASM), and pay-as-you-grow SOC-as-a-Service. Join us to hear how this expansive approach transforms your security investments and operations into better ROI and safer outcomes 'in hours or days versus weeks, months, or years.
2:45 - 3:20 PM EST - Key Functionalities of a Modern Cyber Threat Intelligence Program
Jerry Caponera, Vice President of Cyber Risk Strategy, ThreatConnect, @ThreatConnect
Cyber threat intelligence (CTI) represents a force multiplier for organizations looking to update their response and detection programs to deal with increasingly sophisticated advanced persistent threats. But not all cyber threat intelligence platforms and programs are created equal.
Today, world-class CTI platforms and programs need to incorporate risk into all levels of the discussion in order to serve as decision and operational support platforms for cybersecurity professionals at all levels. Risk imbued programs 'provide a clear understanding of where to focus resources and efforts, break down process silos, unite teams, and integrate security technologies through automation and orchestration. '
This presentation will outline the game-changing benefits of integrating Risk, Threat, and Response into your CTI program. We will explore each element in detail.
3:20 - 3:30 PM EST - Break
3:30 - 4:05 PM EST - SUNBURST: DGA or DNS Tunneling?
Peter Rydzynski, Threat Analysis Lead, IronNet, @IronNet
While much of the reporting about the SUNBURST malware describes its use of DGA for command and control, we must consider whether 'true ' DGA behavior was at play. Could it really be DNS Tunneling? There is a subtle difference -- but this difference could have a significant impact on how we identify behaviors and start to discern the adversary's possible next steps. Where do we go from here?
4:05 PM - 4:40 PM EST - Agile Threat Intelligence for the Modern Threatscape
Sumukh Tendulkar, Product Marketing Sixgill, @CyberSixgill
Michael-Angelo Zummo, Cyber Threat Intelligence Analyst Sixgill, @CyberSixgill
Today's security organizations cannot effectively manage the huge amount of data points they need to digest. Whether you are a financial institution trying to cope with the volumes of leaked credit cards or an enterprise hoping to prevent a data breach - the current approach is becoming obsolete. We will introduce the CI/CP (Continuous Investigation/Continuous Protection) approach to preemptively block threats, reduce time-to-intel, and maximize your security systems ' effectiveness. Sumukh and Michael-Angelo will illustrate how organizations can transform their cybersecurity programs to overcome today's challenges with a live use case of tracking a threat actor through cutting-edge technology.
4:40 - 5:15 PM EST - Going from Open Source Intelligence to Threat Intelligence with DomainTools Iris
Taylor Wilkes-Pierce, @tw_pierce, Sr. Sales Engineer, DomainTools, @DomainTools
DNS OSINT can give us a wealth of information about adversary activity. Collecting this data at scale and leveraging it properly is a challenge. In this session we will cover some key considerations when assessing malicious infrastructure: infrastructure providers, infrastructure tenancy, domain registration patterns and more. We'll use the DomainTools Iris dataset to explore turning OSINT into actionable threat intelligence, along with integrating this data with your SOC tools to build a repeatable process that can scale with your needs.
5:15 PM- 5:30 PM EST - Wrap-Up
Summit: January 21-22 | Training: January 25-30
The Cyber Threat Intelligence Summit brings together leading experts and analysts for in-depth threat intelligence talks, world-class SANS training, DFIR NetWars, and exclusive virtual networking opportunities! This event will provide you with specific analytical techniques and capabilities, through case studies and firsthand experience, that can be utilized to properly create and maintain threat intelligence in your organization.