2019 Presentation Roster
TTP Safari: Taking a Look at Adversarial Tactics, Techniques, and Procedures Being Used in the Wild presented by Brandon Poole.
In order to be successful defenders we must know what our adversaries are doing, hence the adage "offense must inform defense". During this talk we will discuss some of the TTPs adversaries are using today in the wild to get into our networks, as well as controls that can be implemented to detect or prevent those TTPs. The talk will end with a discussion of the MITRE ATT&CK framework and how to test for gaps in your current security controls.
Brandon is a Detection Engineer at Red Canary, who spends most of his time analyzing, researching, and developing methods to detect evil on endpoints. Brandon's experience prior to Red Canary includes working as an independent consultant for a large MSSP helping customers build SOCs, investigating and performing incident response for APT actors, and working as a system/network administrator. Brandon is also a Mentor instructor for SANS.
OSINT: Breach Data, Ethics, and OpSec... Oh My! presented by Josh Huff.
What does breach data look like? Is breach data ethical? How can it be used? What does breach data teach us about privacy and security awareness? What can we do to protect our own data against a breach? Using real-world examples, we'll discuss these questions and provide resources you can use to leverage breach data in your own investigations.
SOC Survival Guide: Analysis and Investigative Theory presented by Brandon Poole
Investigating security threats can be daunting for folks new to SOC/DFIR roles in infosec. They often become overwhelmed with thoughts such as "How can I deal with this massive volume of data/alerts?" or "What does evil look like?" or lastly "Where do I even start?!?!".
This talk is designed to provide models, processes, and common data pivots to help answer these questions, so that you can not just survive but thrive in an entry-level SOC role. The presentation will end with a few common SIEM/IDS alerts so the group can apply what they have just been shown.
Multitasking Host Forensics presented by Beth Lancaster
Finding out how a host was compromised and/or what type of malware/exploit is present is a challenge. Dividing forensics tasks into processes that run simultaneously can provide answers more quickly.
Knowing how a host was compromised will help determine whether other hosts on your network are vulnerable or have also been compromised. This presentation will discuss strategies and steps for host-based forensics, focusing on tasks that can be done simultaneously. New analysts may feel overwhelmed at first by host forensics. Preparation and planning will help you respond more quickly in a crisis, and strategies for what to examine first in a given situation can save valuable time. We will step through a typical situation that requires host forensics to attempt to identify the source of the exploit:
Acquire a memory dump
Pull network data from your SIEM
Pull the password hashes and start password cracking with tools such as John the Ripper and/or Hashcat
Review system log files
Review application log files
Start running anti-virus on the image