SANS DFIR Summit 2022: Solutions Track - Threat Hunting

Level Up with Industry Experts

Enhance your threat hunting skills by joining SANS experts and co-chairs, Lodrina Cherne and Lee Crognale, as they kickoff a fantastic lineup of the industry's top practitioners!

In a field that is advancing every day due to attackers and coordinated threats, forensic, incident response, and threat hunting professionals need to be constantly learning and challenging assumptions. A single examiner may be hunting APT activity and data destruction one day and missing persons the next. Whether to support business continuity or ensure personal safety, analysts need exposure to new and novel techniques for investigating a wide variety of data sources and require vetted solutions that help find answers fast.


We will be awarding a Holy Stone GPS Drone to the 200th person to register for this virtual event. The winner will be announced during the event on August 16th via Slack and Zoom; you must be attending the virtual event live to win.

Threat Hunting Solutions Track



Agenda | Tuesday, August 16, 2022

The event is broadcast live from Austin, TX and takes place in Central Daylight Time (CDT). All times are shown in both Central Daylight (CDT) and Eastern Daylight (EDT).



9:45 - 10:00 AM CT
10:45 - 11:00 AM ET

Welcome & Opening Remarks

Domenica "Lee" Crognale, Certified Instructor, SANS Institute
Lodrina Cherne, Certified Instructor, SANS Institute

10:00 - 10:40 AM CT
11:00 - 11:40 AM ET

How to Hunt for Cyber Threats Using Network Meta Data and AI

The network metadata the Vectra platform produces can be valuable for threat investigations. Have you wondered how you could make use of the same metadata to proactively hunt for threats? In this session, our analysts will describe techniques to identify three common attacker behaviors in your environment, walk you through the specific workflows for each attack technique, provide best practices for hunting in your own environment, and answer questions about how to threat hunt using the Vectra platform. The same methodologies can also be applied to network metadata obtained from Stream.

Matt Pieklik, Special Projects Lead - Professional Services, Vectra AI

10:45 - 11:25 AM CT
11:45 - 12:25 PM ET

Eliminating Social Engineering Pathways for APTs

According to the 2022 Verizon Data Breach Investigation report, 82% of data breaches contain a human element. This is unsurprising since humans are seen as soft targets that attackers can manipulate into handing over information or performing a desired action. Advanced Persistent Threat (APT) actors are regularly abusing the human element using social engineering techniques to infiltrate critical national infrastructure. In this talk, we will explore how Russian and other foreign APT actors are successfully using social engineering to advance their cyber-espionage campaigns. This includes looking at how they are developing their TTPs over time, using spear-phishing, supply chain abuse, public exploits, and stolen credentials. Based on these lessons learned, we will look at how organizations can reduce their attack surface and use Picnic to make it harder for these actors to exploit the human element.

Manit Sahib, Director of Global Intelligence, Picnic Corporation

11:30 - 12:10 PM CT
12:30 - 1:10 PM ET

How to Benchmark Your Threat Hunting Readiness and Prepare for the Next Step

Many organizations want to start threat hunting but struggle with knowing where to begin, how to measure success, and how to scale an effective program. This presentation draws on the experience of elite hunters and teams around the world and will discuss an actionable threat hunting maturity model and help you prepare for each step of the journey with specific guidance, concrete examples, and sample threat hunts.

John Gamble, Sr. Director of Product Marketing, Corelight

12:15 - 1:15 PM CT
1:15 - 2:15 PM ET


1:15 - 1:55 PM CT
2:15 - 2:55 PM ET

Threat Hunting with Active and Passive DNS

When adversaries register malicious domains for C2 servers, phishing, or payload servers, the choices they make when it comes to registration, hosting, certificates, mail servers, subdomains, and more can be useful in discovering a fuller picture of their operations. In this session we’ll take a look at how to:

  • Identify attacks while they are still in the setup stage
  • Take a single element, like a domain name, and pivot on it to discover a broader map of adversary infrastructure
  • Monitor for new activity matching adversary patterns in DNS, using DomainTools Iris and Farsight DNSDB

Taylor Wilkes-Pierce, Sales Engineer Lead, DomainTools

2:00 - 2:40 PM CT
3:00 - 3:40 PM ET

How to Use Different Types of Threat Intel in Threat Hunting

Adversaries today are continually using new techniques to compromise hosts and evade detection. Cybercriminals, no longer satisfied with traditional ransomware attack tactics, have turned to double, triple, and even quadruple extortion to extract ever increasing ransoms from their victims. Attend this session to understand the latest cybersecurity trends observed by Palo Alto Networks Unit 42, a world-recognized authority on threat research. During this session, we will discuss:

  • The different types of threat intelligence data you can use for threat hunting
  • The latest threat hunting techniques to uncover attacks quickly
  • The security tools that can help you accelerate and even automate threat hunting
  • How to reduce the risk of successful attack with proactive assessments

If your organization is developing a threat hunting program or if you're interested in becoming a threat hunter, then be sure to attend this informative session.

Dominique Kilman, Director - Unit 42, Palo Alto Networks

2:45 - 3:00 PM CT
3:45 - 4:00 PM ET


3:00 - 3:40 PM CT
4:00 - 4:40 PM ET

How to unlock achievements in Threat Hunting using Velociraptor

Velociraptor is the open source DFIR framework that everyone is talking about! Have you ever needed to respond to an incident in a large enterprise network? Have you wondered how many of your 10,000 endpoints are compromised? You know you should be hunting for common forensic artifacts, but how do you do it in a scalable way, in a reasonable time? Well… now you can! This session will introduce Velociraptor and cover its recent capabilities for investigating and monitoring the security of Linux hosts. Velociraptor’s superpower is its flexible and powerful query language, VQL. Using VQL we can implement novel detections, hunt for compromise, and automate all our response needs. We will cover common use cases such as hunting for SSH keys across large networks or automatic escalation when suspicious events are discovered. We also cover real-time monitoring of the endpoint (for example, webshell detection via process parent/child analysis) and how VQL can be used to build sophisticated alerting around process execution chains, network connections, and even bash instrumentation of the command line, all done at scale with the click of a few buttons.

Michael Cohen, Consulting Software Engineer, Rapid7

3:45 - 4:25 PM CT
4:45 - 5:25 PM ET

How to Reap the Benefits Of Threat Hunting in the New Post-Macro World

The promised land for each threat hunting exercise is to uncover an attack that has gone unnoticed despite the layers of security tools. But it’s not as easy as just typing some indicators into a search box, especially when the threat landscape is continuously changing. Even if the hunt succeeds, the next step is to turn the unknown threats it uncovered into contextual threat intelligence for future protection. The blocking of macros in Office applications is one of the recent developments that will likely affect the delivery tactics of the bad actors. With all these moving targets, successful threat hunting requires a rigorous understanding of unknown threat behaviours. Join this session to hear about:

  • How fast the threat actors reshape their tactics in the post-macro era
  • VMRay’s approach on how the defenders can respond to this new era of attacks
  • How to detect and analyze this new wave of threats

H. Fatih Akar, Security Product Manager, VMRay
Ertugrul Kara, Sr. Product Marketing Manager, VMRay

4:30 - 4:45 PM CT
5:30 - 5:45 PM ET