DFIR Summit Solutions Track

In a field that is advancing every day due to OS and app upgrades, attackers, and coordinated threats, forensic and incident response (IR) professionals need to be constantly learning and challenging assumptions. A single examiner may be looking into ransomware and data destruction one day and missing persons the next. Whether to support business continuity or ensure personal safety, examiners need exposure to new and novel techniques for investigating a wide variety of data sources and require vetted solutions that help find answers - fast.

Examiners today are aware that no single tool will fulfill all of their digital forensic and incident response (DFIR) collection, analysis, and reporting needs. Examiners need to understand the best solutions for day-to-day work and when to employ specialist tools to paint an accurate picture of activity when writing reports.

DFIR Summit Solutions Track.jpg

Platinum Sponsors - Featured Speakers From

DomainTools-trans-med_(4).pngCisco_Umbrella_Transparent.pngBitdefender-Logo-BW-web.pngMagnet_Forensics_Horz_RGB.pngDevo.pngCorelight_Transparent.pngsophos-logo-strapline-center_rgb-1.pngopentext-logo.pngPentera LogoCado_Security_Logo_Transparent.png

Silver Sponsors

ExtraHop_Networks-logo.pngPalo_Alto_Networks.pngGigamon-Logo.pngAnomali_Logo_FullColor_RGB_2021_(002).pngGrayShift-HORZ_1C_300DPI.jpgVectra.png

Agenda

Time

Description

10:00 - 10:15 AM ET

Welcome & Introduction


Mari DeGrazia, SANS Certified Instructor

10:15 - 10:50 AM ET
Identifying and Leveraging DNS Abuse with DomainTools Iris


When adversaries register malicious domains for C2 servers, phishing servers, and payload servers, the choices they make when it comes to registration, hosting, certificates, mail servers and more can be useful in determining their targets and discovering a fuller picture of their operations in DNS. This can help defenders by increasing the speed at which they can assess and act on this activity.

In this session attendees will learn how to use DomainTools Iris to:

  • Identify attacks while they are still in the setup stage
  • Take a single element, like a domain name, and pivot on it to discover a broader map of adversary infrastructure
  • Monitor for new activity matching adversary patterns in DNS

Taylor Wilkes-Pierce, Senior Sales Engineer, DomainTools

10:50 - 11:25 AM ET
Ransomware Under Review: Leveraging Cloud Investigations when data is the hostage

In 2020, criminals took ransomware from a relatively simple crime that kicks off in an email message to a complex threat that originates – and deploys – in the cloud. This radical change demands a new approach to digital forensics and how we use vast amounts of cloud-based data, logs, and other clues to analyze and understand these dangerous, expensive attacks. In Ransomware under review: Leveraging cloud investigations when data is the hostage, join Keith Manville, Cisco’s own security architect, as he explores how cloud-based ransomware attacks happen today -- and the data needed to understand them.

Keith Manville, Technical Solutions Architect, Cisco Umbrella

11:25 AM - 12:00 PM ET
Threat Intelligence in the Mobile Space

Have you ever wondered what the mobile threat landscape looks like through the eyes of a research lab from a cybersecurity company with hundreds of millions of sensors? This talk will provide a glimpse into what we see on a day-to-day basis. From your usual spear-phishing, password stealers and even ransomware on mobile to complex APTs, detection evasion, and APT C2 servers.

Alex Jay Balan, Security Research Director, Bitdefender

12:00 - 12:10 PM ET

Break
12:10 - 12:50 PM ET
Digital Forensics and the Enterprise Cloud: A Panel Discussion

The cloud: enterprise data is inevitably headed there. In fact, 81% of enterprises have at least one application or a segment of their computing infrastructure in the cloud today compared to only 51% ten years ago.

Join us as we delve into a panel discussion about the cloud and its role in digital forensics. Our panel of cloud experts will share their thoughts about:

  • How cloud services like Slack and cloud platforms like Azure and AWS offer examiners new evidence sources & artifacts to leverage in their investigations
  • What forensic tasks are well-suited performing in the cloud, and which ones are still best performed on-prem
  • What Legal or security challenges you should be aware of when performing investigations that involve data in the cloud
Moderator:

Jessica Hyde, Director of Forensics, Magnet Forensics

Panelists:David Cowen, SANS Certified Instructor
Jamie McQuaid
, Technical Forensic Consultant, Magnet Forensics
Kirk Arthur
, Sr. Director, WW Public Safety and Justice, Microsoft

12:50 - 1:00 PM ET
Break
1:00 - 1:35 PM ET
Hunting Advanced Threats with Forensic Analysis

As threat actors and their attack methods become increasingly intricate, the demand for more sophisticated threat-hunting and analysis tools has increased.

The latest release of Devo Security Operations enables analysts to conduct sophisticated forensic analyses and rapid threat hunting, with the ability to:

  • Run analyses such as packet capture (pcap) and malware sandbox analysis
  • Upload memory files to a new or ongoing investigation and initiate forensic analysis to detect sophisticated file-less malware, all from a single, easy-to-use UI
  • Parse and match indicators of compromise against threat intelligence to identify potential threats and, automatically run queries across additional data sources to check if the indicator exists in your environment

Join this session to see how Devo Security Operations enable analysts to expedite the investigation and analysis of suspicious IOCs and help mitigate the risk advanced threats pose to your organization.

Jason Mical, Global Cybersecurity Evangelist, Devo

1:35 - 2:10 PM ET
Exploiting NDR to Cultivate Decision Advantage

As defenders, we deploy or develop a number of policies, procedures, tools and technologies to support our risk management strategy while struggling to maintain situational awareness. The regular outputs of detection and response activities rarely cross functional boundaries and result in missed opportunities to translate learnings into institutional memory. With an ever-evolving threat landscape, including the transformation to a hybrid work model; the power of decision and ultimately Decision Advantage is the most valuable tool in cyber-defense. In this talk, Bernard Brantley will discuss the exploitation of data-centric NDR as the coalescence point for tactical and operational outputs and, as a pathway to cultivating strategic decision advantage.

Bernard Brantley, CISO, Corelight

2:10 - 2:45 PM ET
Exploring Incident Response: Four Common Mistakes

Responding to a critical cyber incident can be an incredibly stressful and intense time. While nothing can fully alleviate the pressure of dealing with an attack, understanding these key tips from incident response experts will help give your team advantages when defending your organization. In this session, you will hear about the biggest lessons everyone should learn when it comes to responding to cybersecurity incidents, with practical advice from real-world experts who have who have responded to thousands of cybersecurity incidents.

Seth Geftic, Director, Endpoint Security Group, Sophos

2:45 - 3:00 PM ET

Break
3:00 - 3:35 PM ET
Conducting Modern Digital Investigations in a Remote Workforce

COVID-19 forced many businesses to new work-from-home models, complicating the task of corporate investigators to investigate employee devices for evidence of insider threat, HR issues, or other internal investigations. Traditional endpoints have hardware limitations, and processing extreme volumes of evidence can cause unwanted delay. Investigators can now push evidence to the cloud for quick, efficient processing, alleviating the need for numerous forensic workstations. Learn how to process digital evidence, both on-prem and in the cloud, for complete and accurate findings.

This session will cover how to:

  • Connect to cloud environments and perform one-to-one collections from cloud-based repositories.
  • Create and queue remote collection jobs for target machines that are off-network, such as a laptop computer connecting from a remote location.
  • Share case data for secure collaboration with external stakeholders that enables access to case data.
  • Conduct discrete investigations, without disrupting employee productivity.

James Kritselis, Senior Solutions Consultant, OpenText

3:35 - 4:10 PM ET
Death, Taxes, & Ransomware: Make the Inevitable, Avoidable

With all the recent headlines, it seems the risk of ransomware has become an added certainty to the daily lives of Cybersecurity personnel. Adversaries are automating the initial stages of the cyber attack lifecycle in order to identify the best bang for their buck. How do organizations with limited resources even keep up? Adding another tool to the defensive stack just isn't enough. How do you know it will reliably stand up against an actual threat? In this session, I will speak to specific techniques in identifying ransomware threats at different layers of the defensive stack that will help reduce risk & impact. Finally, we leverage the Pentera platform to automate a holistic view, emulating actual attacks to measure the resilience of all our efforts.

Arif Khan, Senior Director, NA Technical Services, Pentera

4:10 - 4:45 PM ET

Buff Your Cloud Game

Data is moving to the cloud at exponential rates and where data goes, cyber attackers follow. With this uptick in cloud-based attacks, incident responders need to conduct cloud forensics more frequently. But cloud breaches are hard. And a thorough investigation requires cloud data in addition to host-based data for full contextual awareness. Join James Campbell and Al Carchrie, life-long digital forensics incident responders with decades of experience fighting sophisticated state-based hackers and cybercrime groups. In this session, you’ll learn how to marry traditional host-based forensics with cloud data to buff your cloud game.

James Campbell, CEO & CO-Founder, Cado SecurityAl Carchrie, Head of Solution Management, Cado Security

4:45 - 5:00 PM ET
Wrap-Up

Mari DeGrazia, SANS Certified Instructor