SANS Threat Hunting & Incident Response Summit and Training, New Orleans 2018
sans.org/ThreatHunting | SAVE $400 when you register for the Summit and a course
“ An excellent opportunity to stay current with threat hunting trends and techniques.” -John Senn, EY
“ Conferences like this bring professionalism and peer review to the discipline of threat hunting.” -Travis M, Anonymous Founding Partner
New Orleans | SUMMIT: Sept 6-7 | TRAINING: Sept 8-13
Will You be the Hunter or the Prey?
@sansforensics #ThreatHuntingSummit
▐ 350+ fellow security practitioners to network with
▐ 6 coins to earn while playing DFIR NetWars – The Coin Slayer
▐ 25 Threat Hunters and Responders covering the latest tools and techniques
▐ 2 nights of community events
▐ 7 SANS Threat Hunting & Incident Response courses to enhance your skills
▐ 4 Expert @Night Talks
“ This training enlightened me to threats that I was unaware of, and provided me with skills and tools I can now use to combat bad actors more efficiently.” -David Whittridge, Kettering Health Network
Threat Hunting & Incident Response SANS Courses | September 8-13, 2018
FOR508: Advanced Digital Forensics, Incident Response, and Threat Hunting – Rob Lee
FOR526: Memory Forensics In-Depth – Alissa Torres
FOR572: Advanced Network Forensics: Threat Hunting, Analysis, and Incident Response – Philip Hagen
FOR578: Cyber Threat Intelligence – Robert M. Lee
FOR610: Reverse-Engineering Malware: Malware Analysis Tools and Techniques – Evan Dygert
SEC504: Hacker Tools, Techniques, Exploits, and Incident Handling – Chris Pizor
SEC511: Continuous Monitoring and Security Operations – John Hubbard
Featured Summit Talks | September 6-7, 2018
Hunting Webshells: Tracking TwoFace
Microsoft Exchange Servers are a high-value target for many adversaries, which makes investigating them during incident response vital. Where do you start? What should you look for? Backdoor implants in the form of webshells and IIS modules on servers are on the rise. Find out how to hunt webshells and differentiate between legitimate use and attacker activity, using the default logging available on every Exchange server. During this presentation, we will use real-world examples carried out by an adversary group using web-based backdoors to breach and maintain access to networks of targeted organizations in the Middle East.
Robert Falcone, Palo Alto Unit 42
Josh Bryant (@FixtheExchange), Tanium
Threat Hunting in Your Supply Chain
In 2017, the world experienced the most devastating cyber-attacks to date as attackers used leaked National Security Agency exploits to wreak havoc in Europe and beyond. Attackers gained initial entry to networks through supply-chain attacks, piggybacking on legitimate applications. It is more obvious than ever that supply-chain attacks need to be part of our threat models. But supply-chain risks don’t lend themselves well to traditional threat hunting processes, since agreements with third parties often limit the amount of data available for threat hunting. In this talk, Jake will introduce a model for including supply-chain risks (hardware, software, and service) into your threat hunting operations in order to ensure that your organization does not overlook this critical area of security.
Jake Williams (@MalwareJake), Rendition InfoSec; SANS Institute
Who Done It? Gaining Visibility and Accountability in the Cloud
Every day, more enterprises are incorporating cloud services and workflows. Moving data to the public cloud has numerous advantages, but it also brings new risks and challenges for the security team. While traditional techniques and controls apply in many cases, there are also new areas involving cloud native services and APIs unique to this environment. This presentation will explore several use cases, techniques, and tools that can be applied to address the risks and challenges of using the public cloud.
Ryan Nolette, Security Technologist, Amazon Web Services
The complete Summit agenda is available at: sans.org/threat-hunt-agenda
How to Submit a Threat Profile to MITRE ATT&CK
The MITRE Corporation’s framework for describing the behavior of cyber adversaries operating within enterprise networks – known as Adversarial Tactics, Techniques & Common Knowledge (ATT&CK) – is growing fast. It is also being adopted by more and more security-solution providers, including big names like Microsoft and Splunk. This is likely to continue because the framework draws on years’ worth of detailed forensic reports on cyber-attacks and attackers that have not been fully taken advantage of until now. The security industry has largely focused on sharing and utilizing indicators of compromise (IOCs). By focusing on the techniques and tactics of adversaries, the ATT&CK framework goes deeper and is increasingly being used to help organizations identify gaps known to be exploited by cyber adversaries. The framework focuses on the inevitable post-compromise phase, which forces cyber adversaries to change not only surface-level and trivial IOCs but also their tactics and techniques, which are much more difficult to change. This presentation will go into detail about what it takes to collect public information-security, threat-intelligence, and forensic reports on a threat group, and then submit all of that group’s adversarial tactics and techniques to MITRE for inclusion in the ATT&CK framework.
Walker Johnson (@wjohnsonsled), Financial Services Industry
ATT&CKing the Status Quo: Threat-Based Adversary Emulation with MITRE ATT&CK
Every day, adversaries remind us that we need to evolve our defensive focus beyond indicators toward tactics, techniques, and procedures (TTPs). Yet we struggle with how to do this. In this presentation, the MITRE ATT&CK team will discuss an end-to-end methodology for how to better organize cyber threat intelligence and leverage it to conduct adversary emulation and hunting using ATT&CK. Threat analysts will gain an understanding of how to structure reporting in the form of ATT&CK techniques to increase the effectiveness of the products they create. Hunt teams, incident responders, and defenders will learn how to use that understanding of adversary TTPs to identify defensive gaps as well as prioritize hunting and mitigation activities. Red Teamers will also benefit by learning how to leverage that same intel on adversary TTPs to plan operations, communicate with defenders, and perform adversary emulation.
Katie Nickels (@likethecoins), The MITRE Corporation
Cody Thomas (@its_a_feature), The MITRE Corporation
Launching Threat Hunting from Almost Nothing
Many organizations that don’t have very sophisticated hunting teams wonder how to incorporate threat hunting functions into their current security operations. Would it even be of value for them to have such a function? We had the exact same questions upon hearing the term “threat hunting” for the first time. After having launched our hunting activities starting virtually from scratch, we can now say “Yes. It’s worth pursuing.” In this presentation we’ll explain why threat hunting was considered of value for us, what threat hunting functions were carried out, and how we have been improving our security operations. The hunting operations enabled us to identify some significant attacks that were undetected by several security measures. As a result, we have been making continuous improvements to make hunting a scalable mechanism that does not depend on a few advanced experts. This session will provide case studies that focus on threat hunting in enterprise security operations.
Takahiro Kakumaru, NEC
Uncovering and Visualizing Malicious Infrastructure
How much information about a threat can you find using a single IP address, domain name, or indicator of compromise (IOC)? What additional threats can you identify when looking at attacker and victim infrastructure? To discover and analyze the infrastructure behind large-scale malware activity, this session begins by looking at known indicators from popular botnets spreading such threats as Locky, Globeimposter, and Trickbot. The presentation will highlight co-occurring malicious activities observed on the infrastructure of popular botnets. We will demonstrate practical techniques to find threats, analyze botnet and malware infrastructure in order to identify actor and victim infrastructure, and show how to pivot to discover additional IOCs using such techniques as passive DNS and OSINT. Finally, we will demonstrate how visualizing known IOCs helps to better understand the connections between infrastructure, threats, victims, and malicious actors.
Josh Pyorre (@joshpyorre), Cisco Umbrella
Andrea Scarfo (@AScarf0), Cisco Umbrella
Forecast: Sunny, Clear Skies, and 100% Detection
“ Those who have knowledge, don’t predict. Those who predict, don’t have knowledge.” -Lao Tzu
Attack simulations test the resilience of threat detection and response capabilities and validate security implementations. They are an essential component of a solid threat hunting program. Is your internal team’s forecast for detection of simulated adversary activity overly optimistic? Strong predictions of success prior to conducting attack simulations can uncover false pretenses and failed implementations. Learn how to incorporate forecasting and subsequent validations into your Blue Team hardening efforts.
Alissa Torres (@sibertor), SANS Institute
Quantify Your Hunt: Not Your Parents’ Red Team
The security marketplace is saturated with product claims of detection coverage that have been almost impossible to evaluate, all while intrusions continue to make headlines. To help organizations better understand the detection provided by a commercial or open-source technology platform, a framework is necessary to measure depth and breadth of coverage. This presentation builds on the MITRE ATT&CK framework by explaining how to measure the coverage and quality of ATT&CK, while demonstrating open-source Red Team tools and automation that generate artifacts of post-exploitation. Attendees will gain new or improved abilities to measure detection capabilities. Finally, the presentation will articulate a call to action for the industry: Adopt this common language that describes these detection capabilities in a tangible and quantifiable way.
Devon Kerr (@_devonkerr_), Endgame
Threat Hunting Using Live Box Forensics
In a threat landscape characterized by targeted attacks, file-less malware, and other advanced hacking techniques, the days of relying solely on traditional “dead box” forensics for investigations are… well, dead. Live forensics, a practice considered a dangerous and dark art just a decade ago, has now become the de facto standard. However, many Computer Security Incident Response Teams still struggle with this type of threat hunting. This session will discuss the benefits, pitfalls, and best practices for performing live box forensics as a threat hunting tool. John will introduce and demo a free and publicly available command-line tool for Windows that automates the execution and data acquisition from other live forensics tools in a more secure and easier-to-maintain manner.
John Moran, DFLabs
Summit Speakers
David Evenden, CenturyLink. Talk: Viewing the Nodes in the Noise: Leveraging Data Science to Discover Persistent Threats
Stuart Davis, IBM. Talk: Cyber Threat Hunting in the Middle East
Robert Falcone, Palo Alto Unit 42. Talk: Hunting Webshells: Tracking TwoFace
Josh Bryant (@FixTheExchange), Tanium. Talk: Hunting Webshells: Tracking TwoFace
Rob Lee (@robtlee), Summit Co-Chair; SANS Institute
Philip Hagen (@PhilHagen), Summit Co-Chair; Red Canary; SANS Institute
David J. Bianco (@davidjbianco), Target. Talk: Lightning Talks
Michael Gough (@HackerHurricane), Malware Archaeology. Talk: This is The Fastest Way to Hunt Windows Endpoints
Walker Johnson (@wjohnsonsled), Banking & Finance. Talk: How to Submit a Threat Profile to MITRE ATT&CK
Takahiro Kakumaru, NEC. Talk: Launching Threat Hunting From Almost Nothing
Devon Kerr (@_devonkerr_), Endgame. Talk: Quantify Your Hunt: Not Your Parents’ Red Team
Robert M. Lee (@RobertMLee), Dragos Inc. Talk: Threat Hunting or Threat Farming: Finding the Balance in Security Automation
Rick McElroy (@InfoSecRick), Carbon Black. Talk: Keynote
Matt Bromiley (@mbromileyDFIR), Cylance; SANS Institute. Talk: Live Debates
John Moran, DFLabs. Talk: Threat Hunting Using Live Box Forensics
Andrea Scarfo (@AScarf0), Cisco Umbrella. Talk: Uncovering and Visualizing Malicious Infrastructure
Katie Nickels (@likethecoins), The MITRE Corporation. Talk: ATT&CKing the Status Quo: Threat-Based Adversary Emulation with MITRE ATT&CK
Cody Thomas (@its_a_feature_), The MITRE Corporation. Talk: ATT&CKing the Status Quo: Threat-Based Adversary Emulation with MITRE ATT&CK
Ryan Nolette, Amazon Web Services. Talk: Who Done It: Gaining Visibility and Accountability in the Cloud
Alissa Torres (@sibertor), SANS Institute. Talk: Forecast: Sunny, Clear Skies, and 100% Detection
Alex Pinto (@alexcpsec), Niddel (a Verizon company). Talk: Threat Hunting or Threat Farming: Finding the Balance in Security Automation
Mauricio Velazco (@mvelazco), Blackstone. Talk: Hunting for Lateral Movement Using Windows Event Logs
Josh Pyorre (@joshpyorre), Cisco Umbrella. Talk: Uncovering and Visualizing Malicious Infrastructure
Jake Williams (@MalwareJake), Rendition Infosec. Talk: Threat Hunting in Your Supply Chain
Roberto Rodriguez (@cyb3rward0g), SpecterOps. Talk: Quantify Your Hunt: Not Your Parents’ Red Team
“ The breadth of knowledge of the speakers as well as the attendees is incredibly valuable.” -Jeven Adami, Consilio
Rob Lee, SANS Faculty Fellow (@robtlee, @sansforensics)
Rob Lee is the Curriculum Lead and an author for SANS’ digital forensic and incident response training. He earned his MBA from Georgetown and graduated from the U.S. Air Force Academy. As a member of the Air Force Office of Special Investigations, Rob led crime investigations and worked directly with government agencies as a technical lead. He was also a director at MANDIANT, the commercial firm focused on responding to advanced adversaries such as the APT.
“ The skills learned are immediately usable on real-world cases as soon as you get back to work from training. Rob is absolutely top notch.” -Jason Janka, University of Florida
FOR508 Coin
FOR508: Advanced Digital Forensics, Incident Response, and Threat Hunting sans.org/THIR-FOR508
GCFA – Forensic Analyst
Advanced Threats Are in Your Network – It’s Time to Go Hunting
Learn advanced skills to hunt, identify, counter, and recover from a wide range of threats within enterprise networks, including advanced persistent threat (APT) nation-state adversaries, organized crime syndicates, and hacktivists. Use threat hunting to catch intrusions in progress, instead of after attackers have completed their objectives. Learn to:
▐ Detect how and when a breach occurred
▐ Identify compromised and affected systems
▐ Perform damage assessments and determine what was stolen or changed
▐ Contain and remediate incidents
▐ Develop scalable indicators and threat intelligence
▐ Hunt down additional breaches using knowledge of the adversary
“ This course will help me go back to my job and start immediately implementing IR and malware analysis' best practices.” -Paul DeGeiso, PJM Interconnection
“ From a more technical forensics standpoint, I think this course is spot on in providing necessary skills for an individual to share with their team.” -Victor Munoz, Beckman Coulter
“ I came back to work with a new malware case and was able to implement my skills learned in class on day one.” -Melissa Sokolowski, Xerox
Six-Day Program | Sat, Sep 8 - Thu, Sep 13 | 9:00am - 5:00pm | 36 CPEs | Laptop Required
Who Should Attend:
▐ Incident response team members
▐ Threat hunters
▐ Experienced digital forensic analysts
▐ Information security professionals
▐ Federal agents and law enforcement personnel
▐ Red team members, penetration testers, and exploit developers
▐ SANS FOR500 and SEC504 graduates
FOR526: Memory Forensics In-Depth sans.org/THIR-FOR526
Malware Can Hide, But It Must Run
Dig into memory and uncover the malicious code where it runs. Security analysts need critical analysis skills to successfully perform live system memory triage and analyze captured memory images. This course uses the most effective freeware and open-source tools in the industry today and provides an in-depth understanding of how these tools work in order to tackle advanced forensics, trusted insider, and incident response cases. This course will teach you how to:
▐ Demonstrate targeted memory capture, ensure data integrity, and overcome obstacles to Anti-Analysis/Anti-Acquisition Behaviors
▐ Detect rogue, hidden, and injected processes, kernel/user-level rootkits, Dynamic Link Libraries (DLL), and more
▐ Craft a YARA signature to identify insider threat behaviors and malware indicators
▐ Use process timelining and high-low-level analysis to spot anomalous behavior
▐ Implement triage, live system analysis, and alternative acquisition techniques for targeted memory analysis
“ This training is valuable to me because I am learning the tools to spot evil lurking and the steps to walk through an investigation, which is key.” -Brice Smith, BCBSKS
“ This class gives good insights into incident response skills when interacting with a team doing memory forensics.” -Venkat Luckyreddy, BMS
“ The training opened my eyes to the need to collect memory images, as well as physical images for single computer analysis, such as theft of IP or other employee investigations.” -Greg Caouette, Kroll
Six-Day Program | Sat, Sep 8 - Thu, Sep 13 | 9:00am - 5:00pm | 36 CPEs | Laptop Required
Who Should Attend:
▐ Incident response team members
▐ Experienced digital forensic analysts
▐ Red team members, penetration testers, and exploit developers
▐ Law enforcement officers, federal agents, and detectives
▐ SANS FOR508 and SEC504 graduates
▐ Forensics investigators
FOR526 Coin
Alissa has more than 15 years of experience in computer and network security spanning government, academic, and corporate environments. Her current role as an Incident Response Manager at Cargill provides daily challenges “in the trenches” and demands constant technical growth. Alissa was introduced to digital forensics during her four years of service in the U.S. Marine Corps. She moved on to various technical roles at KEYW Corporation, Northrop Grumman Information Systems, and as part of Mandiant’s computer incident response team (MCIRT). She has a B.S. from the University of Virginia and an M.S. in information technology from the University of Maryland, and holds the GCFA, GCFE, GCIH, GSEC, CISSP, and EnCE certifications. Alissa was recognized by SC Magazine as one of its “2016 Women to Watch.”
Alissa Torres, SANS Certified Instructor (@sibertor)
GNFA – Network Forensic Analyst
FOR572: Advanced Network Forensics: Threat Hunting, Analysis, and Incident Response sans.org/THIR-FOR572
Bad Guys Are Talking – We’ll Teach You to Listen
This course covers the tools, technology, and processes required to integrate network data sources into your investigations, with a focus on efficiency and effectiveness. There are many use cases for network data, including proactive threat hunting, reactive forensic analysis, and continuous incident response. The techniques we cover can help to close gaps in these use cases and more. We’ll cover the full spectrum of network evidence, including high-level NetFlow analysis, low-level pcap exploration, ancillary network log examination, and more. Learn about:
▐ Hunting, forensic, and IR-based analysis of NetFlow, full-packet capture, and infrastructure log files
▐ Correlating events across different evidence types
▐ Seeking Artifacts of Communication that can drive other investigative processes
▐ Efficiently and effectively handling large volumes of evidence
“ This class teaches security pros how to boil the ocean. Every network-focused investigator should be taking this course.” -Jacob Grant, Arctic Wolf Networks
“ I love how this course is very well organized, and the step-by-step walkthrough of the lab allows even someone new to network forensics to get started right away.” -Paul Kim, PWC
“ An excellent, in-depth course on network-level forensics and a deeper understanding into other forensic methods.” -Christina Camilleri, BAE Systems
Six-Day Program | Sat, Sep 8 - Thu, Sep 13 | 9:00am - 5:00pm | 36 CPEs | Laptop Required
Who Should Attend:
▐ Incident response team members and forensicators
▐ Hunt team members
▐ Law enforcement officers, federal agents, and detectives
▐ Information security managers
▐ Network defenders
▐ IT professionals
▐ Network engineers
▐ Anyone interested in computer network intrusions and investigations
▐ Security Operations Center personnel and information security practitioners
Phil’s career has spanned the full attack life cycle – from tool development to deployment, operations, and investigative aftermath – giving him rare and deep insight into the artifacts attackers leave behind. Phil has covered deep technical tasks, managed an entire computer forensic services portfolio, and handled executive responsibilities. He’s managed a team of forensic professionals in the national security sector and provided forensic consulting services for law enforcement, government, and commercial clients.
“ Phil continues to illustrate through examples and paint the big picture for examiners/responders. His approach and teaching style are second to none when it comes to Network Forensics.” -Brad Garnett, Cisco
Philip Hagen, SANS Senior Instructor (@PhilHagen)
FOR572 Coin
FOR578: Cyber Threat Intelligence sans.org/THIR-FOR578
There Is No Teacher but the Enemy
During a targeted attack, an organization needs a top-notch and cutting-edge threat hunting or incident response team to counter the threat. This course teaches the tactical, operational, and strategic level of cyber threat intelligence skills and tradecraft required to make security teams better, threat hunting more accurate, incident response more effective, security operations more robust, and organizations more aware of the evolving threat landscape. Discover how to:
▐ Generate threat intelligence to detect, respond to, and defeat advanced persistent threats (APTs)
▐ Validate information received from other organizations to minimize resource expenditures on bad intelligence
▐ Develop and enhance analysis and critical thinking skills
▐ Leverage open-source intelligence to complement a security team of any size
▐ Create Indicators of Compromise (IOCs) in formats such as YARA, OpenIOC, and STIX
“ This course gives a very smart and structured approach to Cyber Threat Intelligence, something that the global community has been lacking to date.” -John Geary, Citigroup
“ This training very well summarizes CTI and connects all of the dots. We got clear answers to what CTI is, how important it is, what it is built upon, and how it can be applied in practice.” -Nikita Martynov, NNIT A/S
“ This course was invaluable in framing my role as a hunter in the intelligence consumption/generation process.” -Christopher Vega, CitiGroup
Five-Day Program | Sat, Sep 8 - Wed, Sep 12 | 9:00am - 5:00pm | 30 CPEs | Laptop Required
Who Should Attend:
▐ Security practitioners
▐ Incident response team members
▐ Threat hunters
▐ Security Operations Center personnel and information security practitioners
▐ Digital forensic analysts and malware analysts
▐ Federal agents and law enforcement officials
▐ Technical managers
▐ SANS alumni looking to take their analytical skills to the next level
GCTI – Cyber Threat Intelligence
FOR578 Coin
Robert M. Lee is founder and CEO of Dragos, a firm specializing in cybersecurity solutions for industrial control system (ICS) networks. He got his start as a U.S. Air Force Cyber Warfare Operations Officer assigned to the National Security Agency. There, Lee created and led a mission hunting and analyzing nation-states that targeted ICS, the first mission of its kind.
“ Robert M. Lee is the best instructor I have seen. Real-world examples, humor, time-efficient, and effective.” -Toni Benson, US-CERT
Robert M. Lee, SANS Certified Instructor (@RobertMLee)
Evan Dygert is a consultant for Dygert Consulting, Inc., with over 30 years of experience in software development in several areas including compilers, databases, finance, insurance, computer networking and security, and software security. Evan has performed digital forensics, computer security and expert witness work since 2005. He has a B.S. in computer science from Brigham Young University, an MBA from Rollins College, and has completed the coursework for a Ph.D. in computer information systems.
“ Evan is very knowledgeable, and brings a lot of additional helpful information to the course that is not in the books.” -Kirk D., U.S. Army
Evan Dygert, SANS Instructor
FOR610 Coin
GREM – Reverse Engineering Malware
FOR610: Reverse-Engineering Malware: Malware Analysis Tools and Techniques sans.org/THIR-FOR610
Learn to Turn Malware Inside Out
This course equips students with the skills necessary to systematically reverse-engineer malicious code. Attendees will learn how to de-obfuscate complex malware, identify and circumvent anti-analysis capabilities, and review assembly code for a deeper understanding of malware functionality. Regardless of your prior exposure to these topics, you will leave with a strong foundation for analyzing malicious software using a variety of system and network monitoring utilities, a disassembler, a debugger, and many other freely available tools. This course will teach you to:
▐ Examine how malware interacts with the file system, registry, network, and other processes in a Windows environment
▐ Derive Indicators of Compromise from malicious executables to strengthen incident response and threat intelligence efforts
▐ Control relevant aspects of the malicious program's behavior through network traffic interception and code patching to perform effective malware analysis
“ As a malware analyst, this course is invaluable.” -McKade Ivancic, Optiv Security
“ This is definitely one of those trainings that every professional working in Incident Response should attend.” -Kamal Ranjan, DarkMatter LLC
“ An excellent course to enable the student to master malware analysis and have the tools to carry out analysis in a safe environment.” -G. Conway, NCA
Six-Day Program | Sat, Sep 8 - Thu, Sep 13 | 9:00am - 5:00pm | 36 CPEs | Laptop Required
Who Should Attend:
▐ Security practitioners
▐ Incident response team members
▐ Threat hunters
▐ Security Operations Center personnel and information security practitioners
▐ Digital forensic analysts and malware analysts
▐ Federal agents and law enforcement officials
▐ Technical managers
▐ SANS alumni looking to take their analytical skills to the next level
SEC504: Hacker Tools, Techniques, Exploits, and Incident Handling sans.org/THIR-SEC504
Instead of merely teaching a few hack attack tricks, this course provides a time-tested, step-by-step process for responding to computer incidents and a detailed description of how attackers undermine systems, so you can prepare for, detect, and respond to them. In addition, SEC504 explores the legal issues associated with responding to computer attacks, including employee monitoring, working with law enforcement, and handling evidence. SEC504 helps you turn the tables on computer attackers by enabling you to understand their tactics and strategies in detail, giving you hands-on experience in finding vulnerabilities and discovering intrusions, and equipping you with a comprehensive incident handling plan. This course covers:
▐ How to recover from computer attacks and restore systems for business
▐ How to understand and use hacking tools and techniques
▐ Attacks and defenses for Windows, Unix, switches, routers, and other systems
▐ Application-level vulnerabilities, attacks, and defenses
▐ How to develop an incident handling process and prepare a team for battle
▐ Legal issues in incident handling
Six-Day Program | Sat, Sep 8 - Thu, Sep 13 | This course has extended hours: 9:00am - 7:15pm (Day 1), 9:00am - 5:00pm (Days 2-6) | 37 CPEs | Laptop Required
Who Should Attend:
▐ Incident handlers
▐ Leaders of incident handling teams
▐ System administrators who are on the front lines defending their systems and responding to attacks
▐ Other security personnel who are first responders when systems come under attack
SEC504 Coin
Chris Pizor is a civilian employee working for the U.S. Air Force as the lead curriculum designer for cyber warfare operations training. Chris served on active duty in the USAF as a Network Intelligence Analyst before retiring in 2010. He was part of the initial cadre of the NSA Threat Operations Center and helped develop tactics to discover and eradicate intrusions into U.S. government systems. Chris earned a bachelor’s degree in intelligence studies and information operations from the American Military University and a master’s of science in cybersecurity from University of Maryland University College. Chris is also a recipient of the “General John P. Jumper Award for Excellence in Warfighting Integration” for Air Force Space Command. The General Jumper award recognizes individuals for sustained superior performance and outstanding contributions to the integration of Air Force or DoD warfighting and/or operations support capabilities that shorten the kill chain and/or enhance the decision cycle.
Chris Pizor, SANS Certified Instructor (@chris_pizor)
GCIH – Incident Handler
“ The training offered at SANS is the best in the industry, and the SEC504 course is a must for any IT security professional – highly recommended.” -Michael Hoffman, Shell Oil Products
“ SEC504 was invaluable in helping me understand the capabilities of the adversary, the tools they use, and how they are able to circumvent and disguise their traffic to avoid detection.” -Mike Clites, OneBeacon Insurance Group
SEC511: Continuous Monitoring and Security Operations sans.org/THIR-SEC511
Six-Day Program | Sat, Sep 8 - Thu, Sep 13 | This course has extended bootcamp hours: 9:00am - 7:00pm (Days 1-5), 9:00am - 5:00pm (Day 6) | 46 CPEs | Laptop Required
Who Should Attend:
▐ Security architects
▐ Senior security engineers
▐ Technical security managers
▐ Security Operations Center (SOC) analysts, engineers, and managers
▐ CND analysts
▐ Individuals working to implement Continuous Diagnostics and Mitigation (CDM), Continuous Security Monitoring (CSM), or Network Security Monitoring (NSM)
GMON – Continuous Monitoring
John is a dedicated blue-teamer and is driven to help develop defensive talent around the world. Through his years of experience as the SOC Lead for GlaxoSmithKline, he has real-world, first-hand knowledge of what it takes to defend an organization against advanced cyber-attacks and is eager to share these lessons with his students. As a SANS Cyber Defense curriculum instructor and course author of SEC455, John specializes in threat hunting, network security monitoring, SIEM design and optimization, and constructing defensive postures that allow organizations to protect their most sensitive data. Throughout class, he works with students to explain difficult concepts in relatable and clear language, illustrates important ideas with stories and demonstrations, and encourages students to push themselves beyond the limit of what they thought possible. John holds degrees in electrical and computer engineering and his past research ranges from malware reverse-engineering to car hacking, mobile app security, and IoT devices.
John Hubbard, SANS Instructor (@SecHubb)
We continue to underestimate the tenacity of our adversaries! Organizations are investing significant time and financial and human resources to combat cyber threats and prevent cyber attacks, but despite this tremendous effort, organizations are still getting compromised. The traditional perimeter-focused, prevention-dominant approach to security architecture has failed to prevent intrusions. No network is impenetrable, which is a reality that business executives and security professionals alike have to accept. Prevention is crucial, and we can’t lose sight of it as the primary goal. However, a new proactive approach to security is needed to enhance the capabilities of organizations to detect threats that will inevitably slip through their defenses.
This course will teach you to:
▐ Analyze a security architecture for deficiencies
▐ Apply the principles learned in the course to design a defensible security architecture
▐ Understand the importance of a detection-dominant security architecture and a Security Operations Center (SOC)
▐ Identify the key components of Network Security Monitoring (NSM)/Continuous Diagnostics and Mitigation (CDM)/Continuous Monitoring (CM)
▐ Determine appropriate security monitoring needs for organizations of all sizes
▐ Implement robust Network Security Monitoring/Continuous Security Monitoring (NSM/CSM)
▐ Utilize tools to support implementation of Continuous Monitoring per NIST SP 800-137 guidelines
▐ Determine requisite monitoring capabilities for a SOC environment
▐ Determine capabilities required to support continuous monitoring of key Critical Security Controls
“ SEC511 is a VERY worthwhile addition to the Cyber Defense curriculum for Blue Teamers.”- Robert Peden, NextGear Capital
DFIR COIN SLAYER!
Leave New Orleans with a motherlode of coinage! All you have to do is:
1) Register for the DFIR NetWars Tournament (free with your course purchase)
2) To earn a specific coin, correctly answer all of the class coin-specific questions across all four levels.
This is your chance to prove you've mastered the DFIR arts by earning DFIR Challenge coins.
Windows Forensics and Incident Response
(FOR500 or FOR508)
Memory Forensics (FOR526)
Advanced Network Forensics (FOR572)
Smartphone Analysis (FOR585)
Malware Analysis (FOR610)
Mac Forensics (FOR518)
DFIR NetWars
Evening Networking Events
All work and no play makes for dull threat hunters. Give your overloaded brain the night off and enjoy your time in New Orleans while networking with fellow attendees.
Threat Hunting & Incident Response Summit Night Out! September 6 | 6:00pm
DFIR Community Night Out in NOLA September 10 | 6:30pm
“ The networking was probably the most valuable part of the event. 10 out of 10!” -Michael Depuy, Precision Castparts
Cancellation & Access Policy
If an attendee must cancel, a substitute may attend instead. Substitution requests can be made at any time prior to the event start date. Processing fees will apply. All substitution requests must be submitted by email to [email protected]. If an attendee must cancel and no substitute is available, a refund can be issued for any received payments by August 20, 2018. A credit memo can be requested up to the event start date. All cancellation requests must be submitted in writing by mail or fax and received by the stated deadlines. Payments will be refunded by the method that they were submitted. Processing fees will apply.
Pay Early and Save*
FOR THE SUMMIT ONLY
Pay & enter code before 7-18-18: $200.00 discount
Pay & enter code before 8-8-18: $100.00 discount
FOR A COURSE ONLY
Pay & enter code before 7-18-18: $400.00 discount
Pay & enter code before 8-8-18: $200.00 discount
*Some restrictions apply.
Use code EarlyBird18 when registering early
Save $400 when you register for the summit and a course!
Registration Information
Register online at sans.org/ThreatHunting
We recommend you register early to ensure you get your first choice of courses. Select your course and indicate whether you plan to test for GIAC certification. If the course is still open, the secure, online registration server will accept your registration. Sold-out courses will be removed from the online registration. Everyone with Internet access must complete the online registration form. We do not take registrations by phone.
Hotel Information
Astor Crowne Plaza New Orleans sans.org/threat-hunt-location
Special Hotel Rates Available
A special discounted rate of $169.00 S/D will be honored based on space availability. Government per diem rooms are available with proper ID. These rates are only available through 5pm EST on August 15, 2018.
Top 3 reasons to stay at Astor Crowne Plaza New Orleans
1. The hotel is a short walk to Bourbon Street, Jackson Square, and Frenchmen Street.
2. Great New Orleans restaurants like K-Paul's Louisiana Kitchen and Cafe du Monde are nearby.
3. It is the hub of activity for hundreds of fellow security professionals. Take advantage of additional networking opportunities and informal community outings.
SANS Voucher Program
Expand your training budget! Extend your fiscal year. The SANS Voucher Program provides flexibility and may earn you bonus funds for training.
www.sans.org/vouchers