Threat Hunting Summit Solutions Track

  • Friday, 08 Oct 2021 10:00AM EDT (08 Oct 2021 14:00 UTC)
  • Speakers: Jorge Orchilles, Guy Yasoor, George Sandford, David Torres, Andrew Mundell, Chad Anderson, Artsiom Holub, Adam Tomeo, Bernard Brantley, Chris Jacob, Tom D'Aquino, Saumitra Das, Andrew Nelson, Ken Murphy

There's a high chance that hidden threats already exist inside your organization's networks. No matter how thorough and sophisticated an organization's security precautions may be, it cannot assume that its security measures are impenetrable. By themselves, prevention systems are insufficient to counter focused human adversaries who know how to get around today's advanced security and monitoring tools. It takes highly skilled and focused hunters to defeat these persistent adversaries.

Join this SANS-led forum as we explore various threat hunting and incident response topics through invited speakers while showcasing current capabilities available today. Presentations will focus on technical case studies and thought leadership using specific examples relevant to the industry.


Featured Speakers From Our Platinum Sponsors

Blue Hexagon, Cisco Secure, Corelight, DomainTools, Gigamon, Hunters, Palo Alto Networks, Sophos, ThreatQuotient, Vectra

Silver Sponsors

Anomali, Cybereason


Timeline (EDT)

Session Details

10:00 AM
Kickoff & Welcome

Jorge Orchilles, SANS Instructor

10:15 AM

Flip the Script: Applying Attacker Methodologies to XDR

Security teams rely on multiple tools in the hope of detecting and responding to attacks, but the breadth and sophistication of cyber threats outstrip human-based detection and single-point solutions. As a result, SOC teams are overwhelmed with an ever-increasing volume of alerts and false positives. Security operations teams worldwide are exploring the value of Extended Detection and Response (XDR) in their existing security stack, both for detection efficacy and overall operational efficiency. However, correlation is only one piece of the puzzle. Scarcity of domain expertise has inhibited the scaling of security teams. Automating proactive threat hunting processes that are based on real attacker methodologies for XDR can transform this equation. XDR is an emerging solution category that the industry is turning toward in order to improve threat detection and response, cover all attack surfaces, and reduce alert noise.

Join this session to learn how automated threat hunting capabilities can be encoded into your XDR deployment:

  • How to use data sources and security tools across surfaces to connect the dots between them with cross-correlations
  • How you can gain incident clarity leveraging threat hunting methodologies and the MITRE ATT&CK framework
  • Watch a Hunters XDR product demo to see how you can implement an automated Threat Hunting workflow in your SOC

Guy Yasoor, Threat Researcher, Hunters

10:50 AM

Taking a Network-Centric Approach to Ransomware Detection and Mitigation

The recent surge of ransomware attacks has shown a shift in the tactics employed by threat actors looking to extort organizations. With an estimated 1 in 5 organizations likely to experience a ransomware incident, and EDR evasion tactics on the rise, a network-centric approach has become essential to successful detection and response. Join this session to explore how ransomware loitering allows security analysts to use network detection and response capabilities to discover malicious activity between initial compromise and encryption.

George Sandford, Sr. Manager, ThreatINSIGHT Customer Success, Gigamon
David Torres, ThreatINSIGHT Technical Success Manager, Gigamon

11:25 AM

Rethinking Threat Hunting for the Attacks of the Future

A cybersecurity professional’s approach to protecting networks needs to evolve from mitigating risks to actively pursuing adversaries. This requires performing consistent threat hunts across an organization’s threat surface. However, not all threat hunts are created equal, so how do you prepare for the unknown? Using real-world examples, join Andrew Mundell as he reviews the different types of threat hunts, and how and when to best leverage third-party threat intel. He’ll close the presentation with details and strategies for optimizing threat hunts for your unique circumstances and the future threat landscape.

Andrew Mundell, Principal Security Engineer, Sophos

12:00 PM


12:20 PM

Command Line Patterns For Blue Team Data Munging

We all know the command line and the coreutils are powerful tools, but not everyone has taken the time to learn to wield that capability. Threat hunters and responders alike have to work through piles of raw data at times and knowing how to quickly manipulate that data to achieve an end result can drastically speed up your workflow. Unfortunately, taking the time to learn all of the utilities at your fingertips can take years. Join Chad Anderson, Senior Security Researcher at DomainTools, as he walks you through some common data munging patterns, such as extracting IoCs from a CSV or parsing and reformatting JSON from threat intelligence feed APIs, and which tools can be used to rapidly accomplish what would take hours of copying and pasting otherwise.

Chad Anderson, Senior Security Researcher, DomainTools

1:00 PM

Establish a First and Last Line for Defense Against Ransomware

Cyber criminals have become highly sophisticated in how they lock you down, hold your data hostage, and demand money using ransomware. What would it take to stay ahead of ransomware attacks? Register for this webinar to learn how you can establish an effective first and last line of ransomware defense using the powerful combination of DNS and endpoint security. Join Cisco security experts Artsiom Holub and Adam Tomeo to learn the latest ransomware attack trends and behavior, early detection and defensive tactics, and the threat hunting practices needed to stop attacks in their tracks before they wreak havoc on your organization.

Artsiom Holub, Sr. Security Analyst, Cisco Umbrella
Adam Tomeo, Product Marketing Manager, Cisco Secure

1:35 PM

Exploiting NDR to Cultivate Decision Advantage

As defenders, we deploy or develop a number of policies, procedures, tools, and technologies to support our risk management strategy while struggling to maintain situational awareness. The regular outputs of detection and response activities rarely cross functional boundaries, resulting in missed opportunities to translate learnings into institutional memory. With an ever-evolving threat landscape, including the transformation to a hybrid work model, the power of decision, and ultimately Decision Advantage, is the most valuable tool in cyber defense. In this talk, Bernard Brantley will discuss the exploitation of data-centric NDR as the coalescence point for tactical and operational outputs and as a pathway to cultivating strategic decision advantage.

Bernard Brantley, CISO, Corelight

2:10 PM


2:25 PM

Leveraging CTI in Threat Hunting

Cyber Threat Intelligence (CTI) can help supercharge your threat hunting capability, enabling you to proactively and iteratively search for abnormalities within your network. With CTI, you can make decisions faster and more accurately when it comes to threats. Join our own Chris Jacob, Global VP of Threat Intelligence, as he takes a deep dive into Intelligent Threat Hunting. We'll discuss how you can more easily identify, detect, and respond to the specific types of threats that target your organization to better focus analysis and response efforts.

In this session you will learn:

  • How CTI can enhance your threat hunting capability
  • How to use both internal and external threat intelligence
  • How collaboration across tools helps achieve greater efficacy in threat hunting

Chris Jacob, Global VP of Threat Intelligence, ThreatQuotient

3:00 PM

Automating Threat Detection Validation with PowerShell Empire and ./havoc

In today’s era of cybersecurity, there is no longer a way to prevent adversaries from attacking your environment. But we can make sure your environment is up to the task through automated testing and validation. As adversaries continue to advance in skill, let’s put your security posture through the wringer before a cyberattack does.

In this session, Tom D’Aquino, Sr. Security Engineer at Vectra, will detail a platform and methodology that help security practitioners automate testing and validation of a network security stack. This talk will focus specifically on the ability of implemented security tools to detect covert command and control communications, and will show how, by utilizing the ./havoc platform, security operators can automate the process of provisioning an AWS-hosted PowerShell Empire "Attack Container."

Tom D'Aquino, Security Engineer, Vectra AI

3:35 PM

Hunting for Needles in the Cloud Haystacks

Threat hunting in the cloud is fundamentally different. Clouds are hard to baseline due to the ephemeral nature of workloads. IP addresses, containers, functions, and instances come and go with impunity. So, by the time you find the needle, the haystack may no longer exist. Also, there may be several haystacks: one in us-west, another in us-east, and don’t forget the QA VPC that no one knew about, each with its own configuration and attack surface. To add to the confusion, each cloud has many subtle and not-so-subtle differences from the others, making it hard to automate hunting workflows.

On the other hand, attackers are focusing on the cloud more than ever, with phishing going after cloud credentials rather than infecting laptops, cloud access keys being sold on the dark web, backdoored containers being dangled to developers to cause a supply chain attack, and the arrival of complex multi-stage kill chains customized to the cloud.

In this talk, we discuss the three key requirements for effective threat hunting in the cloud:

  1. Making sure the entire multi-cloud real estate is being monitored all the time. If you don’t know the haystack exists and the extent of it, there is zero chance of finding the needle.
  2. Having the right data in terms of frequency, depth and breadth and normalizing it such that you can automate hunting workflows.
  3. Fighting automation with automation - using automated guardrails and machine learning to aid the hunter to focus on the top risks rather than swimming in a sea of data.

Saumitra Das, CTO, Blue Hexagon
Andrew Nelson, Threat Researcher, Blue Hexagon

4:10 PM

How to Use Different Types of Threat Intel in Threat Hunting

Adversaries today are continually using new techniques to compromise hosts and evade detection. Cybercriminals, no longer satisfied with traditional ransomware attack tactics, have turned to double, triple, and even quadruple extortion to extract ever-increasing ransoms from their victims. Attend this session to understand the latest cybersecurity trends observed by Palo Alto Networks Unit 42, a world-recognized authority on threat research.

During this session, we will discuss:

  • The different types of threat intelligence data you can use for threat hunting
  • The latest threat hunting techniques to uncover attacks quickly
  • The security tools that can help you accelerate and even automate threat hunting
  • How to reduce the risk of successful attack with proactive assessments

If your organization is developing a threat hunting program or if you're interested in becoming a threat hunter, then be sure to attend this informative session.

Ken Murphy, Security Architect, Palo Alto Networks

4:45 PM


Jorge Orchilles, SANS Instructor