Think Like a Hybrid Attacker Solutions Forum 2023

  • Wednesday, 04 Oct 2023 11:00AM EDT (04 Oct 2023 15:00 UTC)
  • Speaker: Matt Bromiley

Today’s cyberattacks use any means necessary to gain access. As enterprises continue to shift to hybrid and multi-cloud environments and embrace digital identities, digital supply chains, and ecosystems, SOC teams are continuously faced with more: more attack surface for attackers to exploit and infiltrate, more methods for attackers to evade defenses and progress laterally, and more noise, complexity, and hybrid cloud attacks and incidents.


Join our “Think Like a Hybrid Attacker” forum, where our team of security researchers, data scientists, and security analysts will showcase industry-leading research, emerging attacker tradecraft, and the AI-driven methodology needed to keep pace with hybrid attackers. You’ll gain practical insights and a path toward resilience, SOC modernization, and agile response to advanced attacks.


Forum Highlights:  

  • Discover Industry-Leading Research: Dive into the world of security research, where we'll uncover the methods and tools used by cybersecurity experts to anticipate and dissect potential threats to stay ahead of breaches. 
  • Deconstruct Attack Tradecraft: Step into the shoes of an attacker as we break down real-world attack scenarios. Understand the tactics, techniques, and procedures employed by malicious actors to infiltrate and compromise organizations. 
  • Defend the Hybrid Attack Surface: Explore how real hybrid cloud attacks can be stopped with the right AI-driven approach. 

Connect with fellow attendees and our event chairs in the SANS Solutions Forum Interactive Slack Workspace. Sign in once and you'll be all set for the rest of our 2023 Solutions Forums. We'll see you there!




Agenda | October 4, 2023 | 11AM - 2PM EDT


Schedule (EDT)



Welcome and Opening Remarks

Matt Bromiley, Certified Instructor, SANS Institute


Identity: The Attacker's Lynchpin in the Hybrid Enterprise

In 2022 Vectra monitored over 1 million cloud identities across the globe. This visibility, combined with independent research, has unveiled the types of attacks and techniques attackers are currently using. In this session, we will report on the active techniques used to progress attacks against SaaS applications, including M365 and identity providers, so that you will be better prepared to stop future attacks.

John Mancini, Group Product Manager, Vectra AI


Lightning Round: Attacker Tradecraft: State-Sponsored Spear-Phishing with the Lazarus Cybercrime Group

During this lightning session, we'll dive into Lazarus Group techniques that target employees at pharmaceutical companies — a common theme throughout the pandemic, aimed at stealing proprietary patent information. This attack illustrates that trend: an employee at a Global 500 company was targeted through social media to ultimately gain initial access.

Payam Farazi, Director, Security Engineering, Vectra AI


Emerging Attacker Exploit: Microsoft Cross-Tenant Synchronization

Attackers target Microsoft identities for access to applications and SaaS platforms, exploiting native functions rather than software vulnerabilities. Nobelium, the group linked to the SolarWinds compromise, uses native tools such as Federated Trusts for ongoing tenant access. This session will reveal an attacker leveraging another native function to gain persistent access to a Microsoft cloud tenant through lateral movement and other tactics. This vector exploits misconfigured Cross-Tenant Sync, letting attackers breach connected tenants or establish rogue configurations.

Arpan Sarkar, Technical Engineer - Threat Hunting, Vectra AI


Lightning Round: Attacker Tradecraft: How Volt Typhoon Deploys "Living Off the Land" Techniques

Volt Typhoon emphasizes gathering information such as user credentials to support Living Off the Land (LOTL) techniques for maintaining access. The actor attempts to leverage any privileges available on compromised devices, extracts data to an Active Directory (AD) account, and then attempts to authenticate to other devices on the network. Join our lightning session to learn more.

Payam Farazi, Director, Security Engineering, Vectra AI


The Art of Red Teaming: Best Practices and Insights

Choosing the right security assessment method can be intimidating as your attack surface grows. Penetration testing assesses vulnerabilities comprehensively, while red teaming provides a targeted, no-holds-barred approach. During this session, our experts will explore the role of each method and its importance in securing your hybrid environments.

Tom D'Aquino, Director, Security Validation, Vectra AI

Matt Bromiley, Certified Instructor, SANS Institute




Bridging the Gap in Current Cloud Threat Detection Tools - Meet the DeRF

Introducing the DeRF (Detection Replay Framework) — a solution addressing gaps in cloud threat detection integration. Existing tools often lack the flexibility and extensibility needed for evolving use cases and custom attack techniques. DeRF's key design choices include separating infrastructure-deployment permissions from attack-execution permissions, which accommodates expanding capabilities and distinct user roles. It is highly extensible — featuring built-in attack techniques and easy customization via YAML files — without altering core functionality. Embrace DeRF to enhance cloud threat detection and adapt to evolving security needs.

Kat Trexler, Principal Security Researcher, Vectra AI


Lightning Round: Attacker Tradecraft: Hybrid Cloud Attack Simulation Using a Zero-Day Exploit

As a leading R&D company specializing in advanced materials, FictoTech’s high-value intellectual property makes it a prime target for cyberattacks. This attack was initiated through a zero-day vulnerability that was left unpatched on an on-premises marketing server, where IT does not control software updates.

Payam Farazi, Director, Security Engineering, Vectra AI


Fighting Fire with Fire: How LLMs are Used to Attack and Defend Enterprises

During this session, we'll discuss the dual role of Large Language Models (LLMs) in cybersecurity and how LLMs act as both assailants and protectors of enterprises, fundamentally reshaping security practices. Join us as we discuss the offensive and defensive applications of LLMs, shedding light on their transformative impact on cybersecurity.

Sohrob Kazerounian, Distinguished AI Researcher, Vectra AI

Matt Bromiley, Certified Instructor, SANS Institute


Keynote Session: Stopping Hybrid Attacks with Integrated Attack Signal

In the era of hybrid enterprises, SOC teams are constantly faced with more: more attack surface to cover, more alerts to manage, and more analyst workload, burnout, and turnover. But that doesn't have to be your story. During this session, we’ll show you how to break this daunting spiral of more to achieve SOC modernization and hybrid attack resilience.

Kevin Kennedy, Senior Vice President - Product, Vectra AI


Closing Remarks

Matt Bromiley, Certified Instructor, SANS Institute