
This webcast has been archived.

Human Fingerprints in Malware and their Use in Cyber Threat Intelligence

  • Monday, October 28, 2019 at 1:00 PM EDT (2019-10-28 17:00:00 UTC)
  • Robert M. Lee, Tobias Johansson

Cyber threat intelligence analysts who track specific adversaries can look for the so-called human fingerprints of intrusions. These human fingerprints are essentially choices that adversaries make that appear in intrusion data. A specific malware family or specific domain might not be that interesting, but the patterns the adversary leaves in configuration data, registration information, and more can be a useful data set for clustering intrusions and creating personas. In this webcast, attendees will learn about the concept of human fingerprints, especially as it relates to the Diamond Model of intrusion analysis. All webcast attendees will receive an early release of the presenters' whitepaper on this subject.

Speaker Bios

Robert M. Lee

Rob is a recognized pioneer in the industrial security incident response and threat intelligence community. He started in security as a U.S. Air Force Cyber Warfare Operations Officer tasked to the National Security Agency, where he built a first-of-its-kind mission identifying and analyzing national threats to industrial infrastructure. He went on to build the industrial community’s first dedicated monitoring and incident response class at the SANS Institute (ICS515) and the industry-recognized cyber threat intelligence course (FOR578).

Forbes named Robert to its 30 under 30 (2016) list as one of the “brightest entrepreneurs, breakout talents, and change agents” in Enterprise Technology. He is a business leader but also a technical practitioner. Robert helped lead the investigation into the 2015 cyber attack on Ukraine’s power grid, and he and his team at Dragos helped identify and analyze the CRASHOVERRIDE malware that attacked Ukraine’s grid in 2016 and the TRISIS malware deployed against an industrial safety system in the Middle East in 2017.

Tobias Johansson

Tobias is a cyber security professional and a SANS alumnus holding GIAC GREM, GCTI and GDAT certifications. He has experience in offshore and maritime automation and GIS application development. He holds a Specialist degree from the Swedish Armed Forces.
