Get an iPad mini, ASUS ZenScreen LED Monitor, or $350 Off with OnDemand Training thru 5/19


To attend this webcast, login to your SANS Account or create your Account.

This webcast has been archived. To view the webcast login into your SANS Portal Account or create an account by clicking the "Get Registered" button on the right. Once you register, you can download the presentation slides below.

Six Steps to Effective ICS Threat Hunting

  • Friday, November 22, 2019 at 1:00 PM EST (2019-11-22 18:00:00 UTC)
  • Tim Conway, Marc Seitz, Dan Gunter


  • Dragos, Inc.

You can now attend the webcast using your mobile device!



On November 22 Dragos Principal Threat Analysts Dan Gunter and Marc Seitz will be joined by Tim Conway, Technical Director - ICS and SCADA Programs at SANS, to introduce a 6-step ICS threat hunting model. They'll demonstrate how to apply it to real-world threat hunting scenarios, pinpoint adversary behavior patterns, and stop ICS threats from going undiscovered.

What You'll Learn:

  • Why proactive threat hunting is necessary for ICS cybersecurity defense
  • How to complete effective threat hunting
  • What adversary behavior patterns look like
  • How to apply the model to real world threat hunting scenarios
  • How to measure the effectiveness of threat hunts

Speaker Bios

Tim Conway

Technical Director - ICS and SCADA programs at SANS. Responsible for developing, reviewing, and implementing technical components of the SANS ICS and SCADA product offerings. Formerly, the Director of CIP Compliance and Operations Technology at Northern Indiana Public Service Company (NIPSCO). Responsible for Operations Technology, NERC CIP Compliance, and the NERC training environments for the operations departments within NIPSCO Electric. Previously, an EMS Computer Systems Engineer at NIPSCO for eight years, with responsibility over the control system servers and the supporting network infrastructure. Former Chair of the RFC CIPC, current Chair of the NERC CIP Interpretation Drafting Team, member of the NESCO advisory board, current Chair of the NERC CIPC GridEx Working Group, and Chair of the NBISE Smart Grid Cyber Security panel.

Marc Seitz

Industrial Hunter, Dragos Threat Operations Center

Mark coordinates industrial control system cyber test lab functions and performs ICS threat hunting services for Dragos customers.

He designs and implements innovative simulated industrial environments to provide a safe and realistic training and attack simulation experience for internal and external analysts. He also conducts onsite vulnerability assessments and threat hunting services. Marc studied Cyber Operations while at the United States Naval Academy where he was exposed to a wide variety of topics including networking, programming, legal, and cyber warfare.

Dan Gunter

Director, Research & Development, Dragos Threat Operations Center

Dan Gunter is a Principal Threat Analyst and discovers, analyzes and neutralizes threats inside of ICS/SCADA networks. He performs threat hunting, incident response, and malware analysis mission for the industrial community. Previously he served in a variety of Information Security roles as a Cyber Warfare Officer in the US Air Force and as a technical advisor on security and acquisition issues. Dan is a graduate of the Department of Defense’s elite Computer Network Operations Development Program (CNODP) and the Air Force Research Lab’s Advanced Course in Engineering Cyber Security Boot Camp (ACE). He has spoken at Blackhat, Shmoocon and local information security events.

Need Help? Visit our FAQ page or email

Not able to attend a SANS webcast? All Webcasts are archived so you may view and listen at a time convenient to your schedule. View our webcast archive and access webcast recordings/PDF slides.