Top Cybersecurity Instructors and Best Offers of the Year Available Now - Learn More!


To attend this webcast, login to your SANS Account or create your Account.

This webcast has been archived. To view the webcast login into your SANS Portal Account or create an account by clicking the "Get Registered" button on the right. Once you register, you can download the presentation slides below.

SOLARWINDS – A SANS Lightning Summit

  • Thursday, February 04, 2021 at 12:00 PM EST (2021-02-04 17:00:00 UTC)
  • Rob Lee, Katie Nickels, Mark Bristow, Evan Dygert, Michael Murr, John Hubbard, Dr. Johannes Ullrich

You can now attend the webcast using your mobile device!



This hour and a half long Lightning Summit will feature six different 10-minute talks from SANS instructors across various disciplines.

It has been over a month since SolarWinds made public that it was breached and a backdoor known as SUNBURST had been inserted into its flagship product. During the last month, the information security community has come together to share and learn about how to defend against this attack. In this SANS Lightning Summit, SANS instructors will present lightning talks summarizing some of the key lessons learned.

The compromised SolarWinds Orion platform is at the heart of many organizations. It monitors and manages enterprise infrastructure. The platform has full access to all managed assets. This made the backdoor attackers introduced into SolarWinds Orion a worst-case scenario supply chain attack. The attack started as early as March, but was not detected until December which provided ample time for attackers to roam and compromise the networks managed by SolarWinds Orion.

You will learn: 

  • about the larger concern of supply chain attacks
  • how others have approached it (good and bad)
  • what you may have missed about SolarWinds/Sunburst
  • what it means to have a trust compromise and how to recover
  • how you are able to protect yourself or detect compromise

Talks include:

Overview and Intro - Rob Lee FOR508 Advanced Incident Response Author and Instructor

  1. KEY CTI Takeaways - - Katie Nickels FOR578 Cyber Threat Intelligence Instructors
  2. Hunting and incident response key takeaways from the field - Mark Bristow ICS515: ICS Active Defense and Incident Response Instructor
  3. Takeaways from SolarWinds Malware Analysis and why it is important - Evan Dygert FOR610 Malware Analysis Instructor
  4. Best and Worst organizational approaches to SolarWinds/SunBurst Incident (Detection, Response, Remediation). Rating effective hunting approaches for SolarWinds. - Mike Murr
  5. Blue Team Approaches in Preventing and Detection of SolarWinds in the Future - John Hubbard SEC450: Blue Team Fundamentals: Security Operations and Analysis Author and Instructor
  6. Beyond SolarWinds: What we need to learn about supply chain attacks NOW. - Dr. Johannes Ulrich Internet Storm Center Lead

SolarWinds/Sunburst Panel with all 6 Speakers and moderator for 30 min at the end.


Rob Lee

Katie Nickels

Mark Bristow

Evan Dygert

Mike Murr

John Hubbard

Dr. Johannes Ullrich

Speaker Bios

Rob Lee

Rob Lee is the curriculum lead and author for digital forensic and incident response training at the SANS Institute. With more than 15 years of experience in computer forensics, vulnerability and exploit discovery, intrusion detection/prevention and incident response, he provides consulting services in the Washington, D.C. area. Before starting his own business, Rob worked with government agencies in the law enforcement, defense and intelligence communities as a lead for vulnerability discovery and exploit development teams, a cyber forensics branch, and a computer forensic and security software development team. He also worked for a leading incident response service provider and co-authored Know Your Enemy: Learning About Security Threats, 2nd Edition.

Katie Nickels

Katie @likethecoins is the Principal Intelligence Analyst for Red Canary. She has worked on cyber threat intelligence (CTI), network defense, and incident response for nearly a decade for the U.S. Department of Defense (DoD), MITRE, Raytheon, and ManTech. She also serves as an instructor for the SANS FOR578: Cyber Threat Intelligence course, enabling her to share her passion for CTI more broadly. Katie hosts SANS Threat Analysis Rundown (STAR), a popular monthly webcast series that discusses the current threat landscape and cyber threats. She is also the Program Manager at Cyberjutsu Girls Academy (CGA), a program for teenage girls that seeks to inspire exploration and learning in cybersecurity and STEM.

Mark Bristow

Mark Bristow, a SANS instructor for ICS515: ICS Active Defense and Incident Response, is Branch Chief for Cyber Defense Operations at the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA), using his expertise in incident response (IR), industrial control systems, network monitoring and defense to support national security interests. Before that, Mark was Chief of the ICS Cyber Emergency Response Team (ICS-CERT) incident response. He also worked for CSRA and Securicon, supporting a variety of private and public sector clients. Mark has been involved in high-profile IR efforts, including the Ukrainian power grid attack, intrusions into U.S. election infrastructure and Russian attempts to access the U.S. power grid.

Evan Dygert

Evan Dygert is a consultant (Dygert Consulting, Inc.) with over 30 years of experience in software development in areas including compilers, databases, finance, insurance, computer networking and security, and software security. He is experienced in many computer languages including Java, Pascal, C/C++, assembly language, and Python. Since 2005, Evan has also performed digital forensics, computer security and expert witness work. Evan has written expert reports, affidavits, and declarations and testified in multiple depositions, a federal hearing, and a trial. Evan has presented at BSides Orlando, SANS@Night, OWASP AppSec USA and the (ISC)2 Security Congress. He has earned 15 GIAC certifications, including the prestigious GSE. In addition he holds the CISSP, CCE, and CEHv8 certifications. Evan enjoys teaching others about security and mentors local high school CyberPatriot teams. His teams have competed in the CyberPatriot National Finals three times. Evan earned a B.S. in Computer Science from Brigham Young University, an MBA from Rollins College, and has completed the coursework for a Ph.D. in Computer Information Systems and will earn his Ph.D. upon completion of the dissertation.

Michael Murr

Mike is a consultant with Social Exploits LLC, a consulting firm specializing in the human element of security. Mike has performed digital investigations, incident response, malware analysis, and penetration tests for the government and private sectors. His teaching experience includes SEC401, SEC504, SEC560, FOR408, FOR508, and FOR610. On the human side, Mike has experience in elicitation, interviewing, and interrogation. He is also trained and certified in the use of the Facial Action Coding System (FACS).

John Hubbard

John is a Security Operations Center (SOC) consultant and speaker, a Certified SANS instructor, and the course author of 3 SANS courses: SEC450: Blue Team Fundamentals - Security Operations and Analysis, MGT551: Building and Leading Security Operations Centers, and SEC455: SIEM Design & Implementation. John also teaches additional SANS Blue Team courses such as SEC511: Continuous Monitoring and Security Operations, and SEC555: SIEM with Tactical Analytics. Through his years of experience as a Lead Cyber Security Analyst and SOC Manager for a major pharmaceutical company with over 100,000 employees and global operations, John has developed real-world, first-hand knowledge of what it takes to defend an organization against advanced cyber-attacks. Read more about John here.

Dr. Johannes Ullrich

As chief research officer for the SANS Institute, Johannes is currently responsible for the SANS Internet Storm Center (ISC) and the GIAC Gold program. He founded in 2000, which is now the data collection engine behind the ISC. His work with the ISC has been widely recognized, and in 2004, Network World named him one of the 50 most powerful people in the networking industry. Prior to working for SANS, Johannes worked as a lead support engineer for a Web development company and as a research physicist. Johannes holds a PhD in Physics from SUNY Albany and is located in Jacksonville, Florida. He also enjoys blogging about application security tips.

Need Help? Visit our FAQ page or email

Not able to attend a SANS webcast? All Webcasts are archived so you may view and listen at a time convenient to your schedule. View our webcast archive and access webcast recordings/PDF slides.