Is There Life Without a SIEM?


Any use of this material without the direct permission of Positive Technologies JSC is prohibited. The speaker shows how to carry out an effective first-pass analysis of system logs using free products. A system assembled in 10 person-hours from several open-source components (syslog, Logstash, Elasticsearch and Kibana) makes it possible to investigate security incidents in two mouse clicks.

Presenter: Igor Gots

More details: www.phdays.ru/program/40893/

Bankit 2019_23.10.2019_A. Masalovich_Identity in the digital world: a source of threats and a target of attack


SECTION: Cybersecurity. People

Identity in the Digital World: a Source of Threats and a Target of Attack
Andrey Masalovich, leading competitive intelligence expert at the Academy of Information Systems

STAR Webcast: Threat Hunting and the Rise of Targeted eCrime Intrusions


The rise in targeted eCrime attacks was a major focus of CrowdStrike's 2020 Global Threat Report. The OverWatch threat hunting team has continued to see this trend in 2020 as criminal adversaries evolve to capitalize on targeted tactics, particularly with the intent to deploy ransomware. This presentation covers how these intrusions occur and what you should look for in your threat hunting to uncover them. The discussion will include details on the commands the adversaries are actually running to exploit their victims.

Attendees will learn:

— More about the current eCrime ecosystem
— Targeted eCrime techniques recently observed in the wild
— How to use threat hunting to discover eCrime actors before they accomplish their objectives

Speaker Bios

Katie Nickels

Katie is a SANS instructor for FOR578: Cyber Threat Intelligence and a Principal Intelligence Analyst for Red Canary. She has worked on cyber threat intelligence (CTI), network defense, and incident response for nearly a decade for the DoD, MITRE, Raytheon, and ManTech. Katie hails from a liberal arts background with degrees from Smith College and Georgetown University, embracing the power of applying liberal arts prowess to cybersecurity. With more than a dozen publications to her name, Katie has shared her expertise with presentations at Black Hat, multiple SANS Summits, Sp4rkcon, and many other events. Katie has also served as a co-chair of the SANS CTI Summit and FIRST CTI Symposium. She was the 2018 recipient of the President's Award from the Women's Society of Cyberjutsu and serves as the Program Manager for the Cyberjutsu Girls Academy, which seeks to inspire young women to learn more about STEM. You can find Katie on Twitter @LiketheCoins.

Karl Scheuerman

Karl is a Senior Strategic Intrusion Analyst on CrowdStrike’s OverWatch threat hunting team. Previously, he led threat intelligence programs for the Department of Energy. Karl began his career as an Air Force officer and he continues to serve in the Air National Guard as commander of a threat intelligence squadron. He holds multiple SANS certifications, a Bachelor of Science degree from the U.S. Air Force Academy, and a Master of Public Policy degree from the University of Maryland, College Park. You can follow him on Twitter at @KarlScheuerman.

Jason Wood

Jason is a Senior Researcher on CrowdStrike’s OverWatch threat hunting team. He has worked as a threat hunter, penetration tester, consultant, trainer, security engineer and systems administrator. Jason is involved in the security community through podcasting and speaking at conferences. You can find him every week on Security Weekly News and the InfoSec Career Podcast. Jason is also an instructor for SANS SEC504: Hacker Tools, Techniques, Exploits, and Incident Handling. He holds a bachelor's degree in Computer Science and the GCIH certification.

Updated FOR578: Training for Security Personnel and Why Intelligence Matters to You


FOR578 — Cyber Threat Intelligence has now been running as a course at SANS for a little over two years. In that time a lot has evolved, including the field itself being extended through the SANS FOR578 authors and students. A major update has now taken place in the course to codify new skill sets and advancements, a deeper understanding of adversary behavioral tradecraft, and new exciting labs to push security to a new level. Come learn about the updates, why FOR578 should be a class you take, and in general why intelligence matters to you regardless of your security role.

For more information about the FOR578 course or to register for the course, visit: sans.org/FOR578

For more information about GCTI Certification, visit: www.giac.org/u/wY7

Speaker Bio

Robert M. Lee

Robert M. Lee is the CEO and Founder of the industrial (ICS/IIoT) cyber security company Dragos, Inc. He is also a non-resident National Cybersecurity Fellow at New America focusing on policy issues relating to the cyber security of critical infrastructure. For his research and focus areas, Robert was named one of Passcode's Influencers, awarded EnergySec's Cyber Security Professional of the Year (2015), and inducted into Forbes 30 under 30 for Enterprise Technology (2016).

A passionate educator, Robert is the course author of SANS ICS515 — «ICS Active Defense and Incident Response» with its accompanying GIAC certification GRID and the lead author of SANS FOR578 — «Cyber Threat Intelligence» with its accompanying GIAC GCTI certification. He may be found on Twitter @RobertMLee.

Threat Intelligence: Explained, Examined,


Dragos VP of Threat Intelligence, Sergio Caltagirone, co-hosted with Dave Bittner from the CyberWire, discusses threat intelligence as part of a cybersecurity strategy that helps organizations reduce risk by improving detection, response, and prevention in order to secure critical infrastructure.
Topics covered:
— What is threat intelligence and why you need it
— How threat intelligence can reduce your organization’s risk profile
— Vulnerable industrial assets that need protection
— Highlights from major cyber risks impacting Oil and Gas and Utilities

DFIR Summit 2016: Leveraging Cyber Threat Intelligence in an Active Cyber Defense


sans.org/dfirsummit

Two useful disciplines are cyber threat intelligence and active cyber defense. However, there is confusion around both of these areas that leads to a perception of hype and cost instead of vital tools for defenders to use. In the case of threat intelligence, many security companies have offered a range of threat intelligence products and feeds, but there is confusion in the community as a whole as to how to maximize the value out of threat intelligence. With active defense, there has been an attempt to brand this strategy as a hack-back or otherwise offense-based practice, whereas the strategy of an active defense existed long before the word ‘cyber’ and is focused on practices such as incident response. This presentation will examine the current state of cyber threat intelligence and active cyber defense, as well as provide strategies for leveraging proven cyber intelligence models within active cyber defense operations.

Speakers:
Robert M. Lee (@robertmlee), Author

Espionage and Intelligence


Thursday, May 11, 2017
5:00pm-6:00pm
Room 001, Rockefeller Center

This talk will look at the art of espionage and intelligence gathering over the last 50 years. We will look at the evolution of the tools of the trade and the rules of the trade, and a number of examples of successful espionage episodes will be discussed in relation to the tools and rules. We’ll see how the number of participants has exploded over the past 50 years, and speculate about the path of espionage in the coming years.

Richard M. (Dickie) George joined the National Security Agency in 1970 as a mathematician, and remained at NSA until his retirement in 2011. While at NSA, he wrote more than 125 technical papers on cryptomathematical subjects, and served in a number of positions: analyst, and technical director at the division, office, group, and directorate level. He served as the Technical Director of the Information Assurance Directorate for eight years until his retirement. Mr. George remains active in the security arena; he is currently the Senior Advisor for Cyber Security at the Johns Hopkins University Applied Physics Laboratory where he works on a number of projects in support of the U.S. Government. He is also the APL representative to the I3P, a consortium of universities, national labs, and non-profit institutions dedicated to strengthening the cyber infrastructure of the United States.

Intelligence Preparation of the Cyber Environment - SANS Cyber Threat Intelligence Summit 2018


This talk will examine Intelligence Preparation of the Battlefield and of the Environment (IPB/IPE) for the cyber domain. We will look at the conventional intelligence methodologies and use our findings to answer key questions for Intelligence Preparation of the Cyber Environment (IPCE): What do I look like to my attackers, what do my attackers look like to me, how are we likely to “do battle,” and thus how can I better prepare for it? The talk will provide an overview of how the conventional methodology is applied to the cyber environment and, ultimately, how it applies to the organizations of the attendees themselves.

We’ll look at how to collect information on the attackers, how to understand your own environment, and how to visualize a likely attack and prepare for it.

Speaker Bio: Rob Dartnall (@cyberfusionteam), Director of Intelligence, Security Alliance Ltd.
Drawing on his diverse intelligence background, Rob brings together both cyber and traditional intelligence experience. Rob is an ex-British Army Military Intelligence Operator specializing in intelligence fusion, exploitation, and strategic analysis. After leaving the military, he entered the cyber security industry, where he specializes in bringing traditional methodologies to cyber threat intelligence and insider threat analysis.