SANS DFIR Summit 2022: Solutions Track - DFIR

Level Up with Industry Experts

Enhance your digital forensic investigation by joining SANS experts and co-chairs, Lodrina Cherne and Lee Crognale, as they kick off a fantastic lineup of the industry's top practitioners!

There has never been a one-size-fits-all approach to DFIR, and that is exemplified in the number of niche disciplines that have evolved, including malware analysis, cloud forensics and IR, mobile device forensics, and threat hunting and intelligence. We rely on certain tools of the trade to make our investigations possible as we comb through ever-increasing datasets, but we continue to research methods that will enable us to do our jobs more efficiently. While we can't always predict where technology will steer us next, we can say with certainty that we will always rely on the cutting-edge research conducted by our peers in this community to further this discipline.


We will be awarding a Holy Stone GPS Drone to the 200th person to register for this virtual event. Winners will be announced during the event on August 15th - must be live at the virtual events to win. The winner will be announced via Slack and Zoom.

DFIR Summit Solutions Track



Agenda | Monday, August 15, 2022

The event is broadcast live from Austin, TX, in Central Daylight Time (CDT). All times are shown in Central Daylight (CDT) and Eastern Daylight (EDT).



9:45 - 10:00 AM CT
10:45 - 11:00 AM ET

Welcome & Opening Remarks

Domenica "Lee" Crognale, Certified Instructor, SANS Institute
Lodrina Cherne, Certified Instructor, SANS Institute

10:00 - 10:40 AM CT
11:00 - 11:40 AM ET

[Air]Tag You're It!

We're taking a look through location artifacts generated by Apple's AirTag, iOS, and macOS devices within the FindMy application. With Apple’s release of the AirTag and their market share giving them a huge network of devices for the FindMy environment, more and more devices need to be quickly located in cases. This presentation will cover how to quickly identify these FindMy artifacts using Magnet AXIOM to track AirTag, iOS, and macOS devices as well as their last known location from only a single piece of evidence.

Chris Vance, Senior Technical Forensics Consultant, Magnet Forensics

10:45 - 11:25 AM CT
11:45 - 12:25 PM ET

Cybersecurity Incident Response Best Practices

66% of IT managers said they were hit by a ransomware attack in the last year*. In almost three-quarters of these cases, criminals succeeded in encrypting data. While nothing can fully alleviate the stress of dealing with cyberattacks like these, knowing what to do in advance will help you defend your organization. During this talk, our cybersecurity incident response experts will cover:

  • Four common incident response mistakes and how to avoid them
  • The 10 main steps to building an effective incident response plan
  • The role managed detection and response (MDR) services play in supporting your incident response initiatives

*The State of Ransomware 2022

Michael Pertuit, Senior Sales Engineer, Sophos

11:30 - 12:10 PM CT
12:30 - 1:10 PM ET

A Floppy Disk, the Internet, and a Threat Hunter

In order to stop the enemy, you must first understand the enemy. This highly informative history of ransomware ranges from one of the first known attacks to modern techniques attackers use today. You’ll learn how the model has changed from an opportunistic smash-and-grab method to a low-and-slow targeted approach and ransomware-as-a-service. This discussion includes critical information for on premises as well as the cloud.

Peter Steyaert, Senior SE Manager - ThreatINSIGHT, Gigamon

12:15 - 1:15 PM CT
1:15 - 2:15 PM ET


1:15 - 1:55 PM CT
2:15 - 2:55 PM ET

Keep Your Vendors Close and Your Attackers Closer: IR for Software Supply Chain Attacks

Software supply chain attacks have now overtaken phishing as the most common initial intrusion vector (M-Trends). While focus has been on prevention tactics, vendor relationship management, and software bills of materials (SBOMs), there is a gap around incident response. This talk will deliver guidance on:

  • The state of supply chain attack tactics and analysis of real world examples, including enterprise software (SolarWinds), open source (Log4j), and managed services.
  • How this type of attack changes the requirements and timeline for IR and forensic activities.
  • How security teams and incident responders can adapt their practices to this increasingly prevalent style of threat.

Justin Burns, Engineering Manager - Security, ExtraHop

2:00 - 2:40 PM CT
3:00 - 3:40 PM ET

Network Forensics & Incident Response with Open Source Tools

Open source security technologies such as Zeek, Suricata, and Elastic can deliver powerful network detection and response capabilities, and the global communities behind these tools can also serve as a force multiplier for security teams, such as accelerating their response times to zero-day exploits via community-driven detection engineering and intel sharing. This presentation will review popular open source technologies used in network DFIR and cover use cases, integrations, and open source design patterns.

John Gamble, Sr. Director of Product Marketing, Corelight

2:45 - 3:00 PM CT
3:45 - 4:00 PM ET


3:00 - 3:40 PM CT
4:00 - 4:40 PM ET

Integrating DNS Threat Intelligence Across the SOC

SOC teams have a lot of options for SIEM / TIP / SOAR solutions but the need for accurate and timely threat intelligence data is a constant. In this session we will look at the benefits of using our APIs via 3rd party integrations and learn how to:

  • Enable threat hunting and risky domain alerting with turn-key enrichment in your SIEM
  • Uncover threat actor infrastructure and profile threats within your preferred TIP
  • Build playbooks to triage events and take targeted action with domain intelligence in leading orchestration tools

Taylor Wilkes-Pierce, Sales Engineer Lead, DomainTools

3:45 - 4:25 PM CT
4:45 - 5:25 PM ET

Pentera 101: Changing the Game of Offensive Security

This session will walk through a demonstration of Pentera: The Automated Security Validation solution. Organizations over the years have been following a defense-in-depth model to protect their critical assets. While this strategy makes sense, the tools, processes, and procedures surrounding this initiative have grown significantly. How confident can organizations be that each layer, and the enormous effort undertaken, is working effectively? Chad will take the time to walk through how Pentera can validate which risks are present, which mitigative efforts are working efficiently, and how security practitioners of all expertise can leverage Pentera both internally and externally to know with certainty how strong the security posture actually is.

Chad Smith, Director of Channel & MSSP, Pentera

4:30 - 5:15 PM CT
5:30 - 6:15 PM ET

Hunting Advanced Threats with Forensic Analysis

As threat actors and their attack methods become increasingly intricate, the demand for more sophisticated threat-hunting and analysis tools has increased. Devo Security Operations enables analysts to conduct sophisticated forensic analyses and rapid threat hunting, with the ability to:

  • Run analyses such as packet capture (pcap) and malware sandbox analysis
  • Upload memory files to a new or ongoing investigation and initiate forensic analysis to detect sophisticated file-less malware, all from a single, easy-to-use UI
  • Parse and match indicators of compromise against threat intelligence to identify potential threats, and automatically run queries across additional data sources to check if the indicator exists in your environment

Join this session to see how Devo Security Operations enables analysts to expedite the investigation and analysis of suspicious IOCs and helps mitigate the risk advanced threats pose to your organization.

Vlad Babiuk, Product Manager, Devo

5:15 - 5:30 PM CT
6:15 - 6:30 PM ET