SANS Summit Highlights: Cyber Defense

  • Thursday, 08 Apr 2021 3:00AM EDT (08 Apr 2021 07:00 UTC)
  • Speakers: Mark Baggett, Mark Morowczynski, Will Oram, Gabriel Currie, Christopher Lopez

SANS is bringing to you its first free highlights event following the 2020 Cyber Defense Summit in a shortened version that allows you to watch revelant, actionable presentations delivered by the very best in the Defense field. If you didn't register last year and simply want to watch the summit highlights, you can see it all in this pre-recorded broadcast.

Defending against attacks is an ongoing challenge with new threats emerging all the time. Are you looking to level up your blue team skills? Do you want to enhance your current skill set and become even better at defending your organization? Are you looking for the latest ways to mitigate the most recent attacks?


Opening Remarks - Chris Crowley

New Tools for Your Threat Hunting Toolbox

Mark Baggett @markbaggett, Senior Instructor, SANS Institute

Join Mark Baggett as he discusses new tools and some new features of older tools that enhance your threat hunting capability. This short talk will provide you with the insight you need to begin hunting for Phishing domains and Command and Control channels on your networks. We will discuss the installation and configuration of tools that will have you threat hunting in no time.

Hiding in the Clouds: How attacks can use applications for sustained persistence and how to find it

Yochana Henderson, Program Manager, Microsoft

Mark Morowczynski @markmorow, Principal Manager, Microsoft

Applications are modernizing. With that, the way permissions for these applications are granted are also changing. These new changes can allow an attacker to have sustained persistence in plain sight if we don't understand how these work and where to look. What's the difference if an application has permissions or an application has delegated permissions? Why did that admin account consent to that application, should I be worried? Is that application overprivileged? I have thousands of apps, how do I account for this? In this session we will look to demystify and bring clarity to these questions. You'll understand these new application models and how they can be abused for sustained persistence, how these permissions work and what overprivileged looks like and finally, how to find them in your environment.

Ransomware Defenses and Response: Minimizing Risk of an Increasing Threat

Gabriel Currie @gabrielcurrie, Senior Cyber Security Manager, PwC

Will Oram @willoram, Senior Cyber Security Manager, PwC

Human-operated ransomware is growing cyber threat that has seriously impacted a number of major organizations and dominated recent news headlines. In this type of attack, hands-on-keyboard operators gain initial access, compromise privileged accounts, and deploy ransomware as widely as possible. The human-element of these attacks allows the most critical infrastructure within an organization to be targeted, often resulting in significant and long-term disruption. In this talk we will present the key cyber defense techniques required to effectively and efficiently prevent and respond to human-operated ransomware attacks.

Resource Smart Detection with Yara and OSQuery

Saurabh Wadha, Security Solutions Engineer, Ubtycs

Traditional filehash malware detection is relatively easy to circumvent as threat actors easily morph code to create "new" variants, rendering old IOC's useless. YARA, uses a different approach. Its rules match to small segments of code within the malware, making traditional as scanning everything can be expensive. This is where osquery comes in, it can tell us exactly which files have been executed, and therefore which files to scan. Even if a file has not been executed, osquery can use an alternative approach - creating whitelists from golden images - to identify unrecognized binaries. This session will provide an introduction to three open source tools: JA3, YARA, and osquery; and the benefits of using them.

Asking Questions and Writing Effectively

Christopher Lopez @L0Psec, Security Analyst, Tanium

Understanding how to adequately ask questions through the course of an investigation is critical for an analyst. This talk will demonstrate how our questions adhere to the scientific method and how to use these questions to drive an investigation. As we compile answers for our various questions we will then cover how to compose your findings into a report as communications for leadership.

Closing Remarks - Chris Crowley