Kickoff & Welcome
Jorge Orchilles, SANS Instructor
Flip the Script: Applying Attacker Methodologies to XDR
Security teams rely on multiple tools with the hope of detecting and responding to attacks, but the breadth and sophistication of cyber threats outstrip human-based detection and single-point solutions. As a result, SOC teams are overwhelmed with an ever-increasing volume of alerts and false-positives. Security operations teams worldwide are exploring the value of Extended Detection and Response (XDR) in their existing security stack, both for detection efficacy and overall operational efficiency. However, correlation is only one piece of the puzzle. Scarcity of domain expertise has inhibited scaling of security teams. Automating proactive threat hunting processes that are based on real attacker methodologies for XDR can transform this equation. XDR is an emerging solution category that the industry is turning toward in order to improve threat detection and response in covering all attack surfaces and reducing alert noise.
Join this session to learn how automated threat hunting capabilities can be encoded into your XDR deployment:
Ofir Har-Chen, VP Operations & Intelligence, Hunters
Taking a Network Centric approach to Ransomware Detection and Mitigation
The recent surge of ransomware attacks has shown a shift in tactics employed by threat actors looking to extort organizations. With an estimated 1 in 5 organizations likely to experience a ransomware incident, and EDR evasion tactics on the rise, a network centric approach has become essential to successful detection and response. Join this session to explore how ransomware loitering allows security analysts to use network detection and response capabilities to discover malicious activity between initial compromise and encryption.
George Sandford, Manager, Customer Success, ThreatINSIGHT, Gigamon
Rethinking Threat Hunting for the Attacks of the Future
A cybersecurity professional’s approach to protecting networks needs to evolve from mitigating risks to actively pursuing adversaries. This requires performing consistent threat hunts across an organization’s threat surface. However, not all threat hunts are created equal, so how do you prepare for the unknown? Using real-world examples, join Andrew Mundell as he reviews the different types of threat hunts, and how and when to best leverage third-party threat intel. He’ll close the presentation with details and strategies for optimizing threat hunts for your unique circumstances and the future threat landscape.
Andrew Mundell, Principal Security Engineer, Sophos
Command Line Patterns For Blue Team Data Munging
We all know the command line and the coreutils are powerful tools, but not everyone has taken the time to learn to wield that capability. Threat hunters and responders alike have to work through piles of raw data at times and knowing how to quickly manipulate that data to achieve an end result can drastically speed up your workflow. Unfortunately, taking the time to learn all of the utilities at your fingertips can take years. Join Chad Anderson, Senior Security Researcher at DomainTools, as he walks you through some common data munging patterns, such as extracting IoCs from a CSV or parsing and reformatting JSON from threat intelligence feed APIs, and which tools can be used to rapidly accomplish what would take hours of copying and pasting otherwise.
Chad Anderson, Senior Security Researcher, DomainTools
Establish a First and Last Line for Defense Against Ransomware
Cyber criminals have gotten highly sophisticated in how they lock you down, hold your data hostage and demand money using ransomware. What would it take to stay ahead of ransomware attacks? Register for this webinar to learn how you can establish an effective first and last line of ransomware defense, using the powerful combination of DNS and Endpoint Security. Join Cisco security experts Artsiom Holub and Adam Tomeo to learn the latest ransomware attack trends and behavior, early detection and defensive tactics, and the threat hunting practices needed to stop them in their tracks before they wreak havoc on your organization.
Artsiom Holub, Sr. Security Analyst, Cisco Umbrella
Exploiting NDR to Cultivate Decision Advantage
As defenders, we deploy or develop a number of policies, procedures, tools and technologies to support our risk management strategy while struggling to maintain situational awareness. The regular outputs of detection and response activities rarely cross functional boundaries, resulting in missed opportunities to translate learnings into institutional memory. With an ever-evolving threat landscape, including the transformation to a hybrid work model, the power of decision and ultimately Decision Advantage is the most valuable tool in cyber-defense. In this talk, Bernard Brantley will discuss the exploitation of data-centric NDR as the coalescence point for tactical and operational outputs and as a pathway to cultivating strategic decision advantage.
Bernard Brantley, CISO, Corelight
Leveraging CTI in Threat Hunting
Cyber Threat Intelligence (CTI) can help supercharge your threat hunting capability, enabling you to proactively and iteratively search for abnormalities within your network. With CTI, you can make decisions faster and more accurately when it comes to threats. Join our own Chris Jacob, Global VP of Threat Intelligence, as he takes a deep dive into Intelligent Threat Hunting. We'll discuss how you can more easily identify, detect, and respond to the specific types of threats that target your organization to better focus analysis and response efforts.
In this session you will learn:
Chris Jacob, Global VP of Threat Intelligence, ThreatQuotient
Automating Threat Detection Validation with PowerShell Empire and ./havoc
In today’s era of cybersecurity, there is no longer a way to prevent adversaries from attacking your environment. But we can make sure your environment is up to the task through automated testing and validation. As adversaries continue to advance in skill, let’s put your security posture through the wringer before a cyberattack does.
In this session, Tom D’Aquino, Sr. Security Engineer at Vectra will detail a platform and methodology that will help security practitioners automate testing and validation of a network security stack. This talk will focus specifically on the ability of implemented security tools to detect covert command and control communications, and show how by utilizing the ./havoc platform, security operators can automate the process of provisioning an AWS hosted PowerShell Empire "Attack Container."
Tom D'Aquino, Security Engineer, Vectra AI
Hunting for Needles in the Cloud Haystacks
Threat hunting in the cloud is fundamentally different. Clouds are hard to baseline due to the ephemeral nature of workloads. IP addresses, containers, functions and instances come and go with impunity. So, by the time you find the needle, the haystack may no longer exist. Also, there may be several haystacks - one in us-west, another in us-east, and don’t forget the QA VPC that no one knew about, each with its own configuration and attack surface. To add to the confusion, each cloud has many subtle and not-so-subtle differences from the others, making it hard to automate hunting workflows.
On the other hand, attackers are focusing on the cloud more than ever: phishing goes after cloud credentials rather than infecting laptops, cloud access keys are sold on the dark web, backdoored containers are dangled in front of developers to cause a supply chain attack, and complex multi-stage kill chains customized to the cloud have arrived.
In this talk, we discuss the three key requirements for effective threat hunting in the cloud:
Saumitra Das, CTO, Blue Hexagon
Palo Alto Networks Session Info Coming Soon
Jorge Orchilles, SANS Instructor