

This webcast has been archived.

Driving a Stake in Advanced Threats (SUNBURST) with the Network.

  • Tuesday, January 26, 2021 at 1:00 PM EST (2021-01-26 18:00:00 UTC)
  • John Smith, Dave Shackleford


  • ExtraHop




It has been a time-honored folklore tradition, from Bram Stoker all the way down to "Buffy the Vampire Slayer", that a vampire must FIRST be invited in to enter your home. At the end of 2020, the worst supply chain attack in memory meant that 18,000 companies unknowingly invited digital vampires to enter their networks and feast on their intellectual property.

Given that sophisticated actors will continue their attacks, how can you use covert countermeasures to flag unusual and malicious behavior, then investigate and respond to stop them before they breach your network?

In this talk, we will use the SUNBURST backdoor exploit as a backdrop, since the majority of the IOCs were network-visible (domains, subdomains and IP addresses). We will cover:

  • How to flag suspicious behavior regardless of its presence on a threat intelligence blacklist or IOC list
  • How split-tunnel VPNs have removed our C2 visibility, and the risk that raises
  • How to use the value of the covert, always-on, always-watching network

We will conclude with how to use Network Detection and Response (NDR) as a cross and Endpoint Detection and Response (EDR) as a wooden stake to stop advanced threats.

Speaker Bios

John Smith

John Smith has over twenty years’ experience in IT and Security, including eighteen years as a practitioner before joining ExtraHop. John is a frequent speaker on podcasts and webinars, and has delivered talks at conferences like RSAC and multiple B-Sides events. His experience includes securing and architecting the US Centers for Disease Control's Pandemic Response and Telework solution in 2007 and pioneering data-driven analytics and investigations.

Dave Shackleford

Dave Shackleford, a SANS analyst, senior instructor, course author, GIAC technical director and member of the board of directors for the SANS Technology Institute, is the founder and principal consultant with Voodoo Security. He has consulted with hundreds of organizations in the areas of security, regulatory compliance, and network architecture and engineering. A VMware vExpert, Dave has extensive experience designing and configuring secure virtualized infrastructures. He previously worked as chief security officer for Configuresoft and CTO for the Center for Internet Security. Dave currently helps lead the Atlanta chapter of the Cloud Security Alliance.
