SANS 2023 Incident Response Solutions Forum

Incident response is an essential component of any information security program. When defensive controls fail, incident responders are responsible for containing and remediating attacks against your organization. Given how central this role is, it is important to understand the challenges these teams face and to support them in their efforts.

The focus of the event is to illustrate the challenges incident responders face, as well as actionable, achievable methods we can take to meet these challenges head-on. Leaders, subject matter experts, and practitioners will share their experiences and best practices for evolving your organization’s incident response program.

Join in on the action! Connect with fellow attendees and our event chairs in the SANS Solutions Forum Interactive Slack Workspace. Sign in once and you'll be all set for the rest of our 2023 Solutions Forums. We'll see you there!



Sponsors: Devo, ExtraHop Networks, Rapid7, VMRay

Agenda | February 24, 2023 | 10:30AM - 12:15PM EST

Timeline (EST) | Session Details

10:30 AM

Welcome & Opening Remarks

Megan Roddie, Course Author, SANS Institute

10:45 AM

Converging Incident Response and Detection Engineering for Qbot

Traditionally, the notable information stealer Qbot (aka Qakbot) was delivered via macros, but as threat actor tactics continue to evolve, it has become increasingly difficult to accurately assess the scope of an incident caused by this prolific malware. In today's post-macro world, attackers use HTML smuggling to deliver Qbot through a chain of executions involving ISO, ZIP, DLL, and LNK files.

In this session, equip yourself with the tools and knowledge needed to respond effectively to Qbot attacks, and learn how to close the loop for better detection and response strategies. We will take you through an in-depth analysis of Qbot threats, providing valuable insights on identifying and confirming an incident quickly. Key takeaways from this session include:

• How to minimize the impact of a Qbot attack on your organization
• How a defense-in-depth approach can keep security teams one step ahead of the evolving threat landscape
• How incident response can inform detection engineering functions to improve overall security

Ertugrul Kara, Sr. Product Marketing Manager, VMRay

Fatih Akar, Security Product Manager, VMRay

11:20 AM

Quit Fussing Over All Those Alerts: Using Automation to Identify Leads

Are you struggling to uncover attacks and rapidly investigate threats? If so, you’re not alone. Today’s SOCs require new approaches to develop and manage their workflows so they can effectively investigate and respond to suspicious activity.

Join Devo as we share ways your security team can augment its capabilities amid massive data growth, an increasing talent shortage, and constantly evolving threats with:

• A scalable SIEM solution that ingests all your data with complete visibility
• Powerful analytics and curated detections that enhance your team's expertise
• Autonomous alert investigations that identify the root cause of every attack
• An advanced SOAR that automates and orchestrates threat detection, triage, and incident response

Dan Pistelli, Offensive Security Professional, Devo Technology, Inc.

11:55 AM

Megan Roddie, Course Author, SANS Institute