


Speeding Up Triage and Incident Response By Speaking to Malware

  • Monday, May 01, 2017 at 1:00 PM EDT (2017-05-01 17:00:00 UTC)
  • Todd O'Boyle




In order for an attacker to steal from you, they need persistent access. This means ensuring their C2 is reliable and resilient to takedown. That's the main reason why over 90% of malware uses DNS for command & control and exfiltration.* The good news is that this persistence is something we can use against the attackers in order to find their accesses and then improve how we respond. In this session geared toward security operators and incident responders, Todd O'Boyle of Strongarm will explain a new approach that goes beyond simply blocking and dropping malware C2. Attendees will learn how to speak malware. A critical and important step of knowing how to respond to a threat is being able to communicate with it to understand where it's operating and what it is trying to do. Maintaining a connection with the infected device offers critical information that saves analysts time and accelerates the time to resolution. Attendees of this session will learn how speaking malware can eradicate an infection by using the malware's own communications against the attacker.
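As an added illustration of the sinkhole idea in the abstract (this is not Strongarm's code or material from the webcast): answer lookups for known C2 domains with an analyst-controlled address so the infected host keeps calling home, and turn those calls into a per-host triage record. The C2 domains, sinkhole address and DNS log lines are constructed placeholders.

```python
"""Minimal DNS sinkhole triage: answer queries for known C2 domains with a
sinkhole address and keep per-host records of who is calling home."""
from dataclasses import dataclass, field
from datetime import datetime

# Constructed sample C2 domains (placeholders, not real indicators).
C2_DOMAINS = {"c2-example.invalid", "beacon.example.test"}
SINKHOLE_IP = "10.0.0.53"  # constructed address of the analyst-controlled sinkhole


@dataclass
class HostRecord:
    first_seen: datetime
    last_seen: datetime
    queries: int = 0
    domains: set = field(default_factory=set)


def is_c2(qname: str) -> bool:
    """Match the domain itself and any subdomain (malware often uses per-bot labels)."""
    qname = qname.rstrip(".").lower()
    return any(qname == d or qname.endswith("." + d) for d in C2_DOMAINS)


def sinkhole_response(qname: str, upstream_ip: str) -> str:
    """Answer C2 lookups with the sinkhole so the infected host keeps talking to us."""
    return SINKHOLE_IP if is_c2(qname) else upstream_ip


def triage(log_lines):
    """Build per-host records from 'timestamp client qname' DNS log lines."""
    hosts = {}
    for line in log_lines:
        ts_s, client, qname = line.split()
        if not is_c2(qname):
            continue  # ordinary lookup, nothing to triage
        ts = datetime.fromisoformat(ts_s)
        rec = hosts.setdefault(client, HostRecord(ts, ts))
        rec.last_seen = max(rec.last_seen, ts)
        rec.queries += 1
        rec.domains.add(qname.rstrip(".").lower())
    return hosts


# Constructed query log: one infected host beaconing every five minutes, one clean host.
SAMPLE_LOG = [
    "2017-05-01T13:00:00 192.0.2.10 www.example.com.",
    "2017-05-01T13:00:05 192.0.2.20 bot-a1.c2-example.invalid.",
    "2017-05-01T13:05:05 192.0.2.20 bot-a1.c2-example.invalid.",
    "2017-05-01T13:10:05 192.0.2.20 beacon.example.test.",
]

if __name__ == "__main__":
    for host, rec in triage(SAMPLE_LOG).items():
        print(host, rec.queries, sorted(rec.domains), rec.first_seen, rec.last_seen)
```

The per-bot label in the query name (here `bot-a1`) is the kind of detail that only survives if the sinkhole keeps answering instead of dropping the lookup.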

To learn more on this topic, attend the 10th annual SANS Digital Forensics & Incident Response (DFIR) Summit & Training. This training event brings together the most influential group of experts, the highest quality training, and the greatest industry networking opportunities in one place. Over the course of this eight-day training event, you'll enjoy:

  • Highly technical digital forensics and incident response presentations from the industry's top practitioners during the two-day Summit
  • Nine SANS DFIR courses to choose from to advance your training, build your arsenal of defenses, and learn how to better protect your organization
  • The opportunity to network with fellow attendees at receptions and community-building events
  • A DFIR NetWars tournament to sharpen your skills and solve incident-related challenges

Speaker Bio

Todd O'Boyle

Todd O'Boyle is a co-founder and CTO at Strongarm where he helps small and midsize businesses protect themselves from attack. Prior to Strongarm, Todd spent 15 years at The MITRE Corporation, providing technical support to the defense department and the intelligence community. Todd has a BS in Computer Science from Purdue University.
