SANS Threat Hunting Summit & Training 2018, New Orleans



Page 1: An excellent opportunity to stay current with threat ... · “ An excellent opportunity to stay current with threat hunting trends and techniques.” -John Senn, EY ... the amount

sans.org/ThreatHunting

SAVE $400 when you register for the Summit and a course

“An excellent opportunity to stay current with threat hunting trends and techniques.” -John Senn, EY

“Conferences like this bring professionalism and peer review to the discipline of threat hunting.” -Travis M, Anonymous

Founding Partner

New Orleans | SUMMIT: Sept 6-7 | TRAINING: Sept 8-13


Will You be the Hunter or the Prey?

@sansforensics #ThreatHuntingSummit

350+ Fellow security practitioners to network with

6 Coins to earn while playing DFIR NetWars – The Coin Slayer

25 Threat Hunters and Responders covering the latest tools and techniques

7 SANS Threat Hunting & Incident Response courses to enhance your skills

2 Nights of community events

4 Expert @Night Talks



“ This training enlightened me to threats that I was unaware of, and provided me with skills and tools I can now use to combat bad actors more efficiently.” -David Whittridge, Kettering Health Network

Threat Hunting & Incident Response SANS Courses, September 8-13, 2018

FOR508: Advanced Digital Forensics, Incident Response, and Threat Hunting (Rob Lee)

FOR526: Memory Forensics In-Depth (Alissa Torres)

FOR572: Advanced Network Forensics: Threat Hunting, Analysis, and Incident Response (Philip Hagen)

FOR578: Cyber Threat Intelligence (Robert M. Lee)

FOR610: Reverse-Engineering Malware: Malware Analysis Tools and Techniques (Evan Dygert)

SEC504: Hacker Tools, Techniques, Exploits, and Incident Handling (Chris Pizor)

SEC511: Continuous Monitoring and Security Operations (John Hubbard)




Featured Summit Talks (September 6-7, 2018)

Hunting Webshells: Tracking TwoFace

Microsoft Exchange Servers are a high-value target for many adversaries, which makes investigating them during incident response vital. Where do you start? What should you look for? Backdoor implants in the form of webshells and IIS modules on servers are on the rise. Find out how to hunt webshells and differentiate between legitimate use and attacker activity, using the default logging available on every Exchange server. During this presentation, we will use real-world examples carried out by an adversary group using web-based backdoors to breach and maintain access to the networks of targeted organizations in the Middle East.

Robert Falcone, Palo Alto Unit 42

Josh Bryant (@FixtheExchange), Tanium

Threat Hunting in Your Supply Chain

In 2017, the world experienced the most devastating cyber-attacks to date as attackers used leaked National Security Agency exploits to wreak havoc in Europe and beyond. Attackers gained initial entry to networks through supply-chain attacks, piggybacking on legitimate applications. It is more obvious than ever that supply-chain attacks need to be part of our threat models. But supply-chain risks don’t lend themselves well to traditional threat hunting processes, since agreements with third parties often limit the amount of data available for threat hunting. In this talk, Jake will introduce a model for including supply-chain risks (hardware, software, and service) into your threat hunting operations in order to ensure that your organization does not overlook this critical area of security.

Jake Williams (@MalwareJake), Rendition InfoSec; SANS Institute

Who Done It? Gaining Visibility and Accountability in the Cloud

Every day, more enterprises are incorporating cloud services and workflows. Moving data to the public cloud has numerous advantages, but it also brings new risks and challenges for the security team. While traditional techniques and controls apply in many cases, there are also new areas involving cloud native services and APIs unique to this environment. This presentation will explore several use cases, techniques, and tools that can be applied to address the risks and challenges of using the public cloud.

Ryan Nolette, Security Technologist, Amazon Web Services

The complete Summit agenda is available at: sans.org/threat-hunt-agenda


How to Submit a Threat Profile to MITRE ATT&CK

The MITRE Corporation’s framework for describing the behavior of cyber adversaries operating within enterprise networks – known as Adversarial Tactics, Techniques & Common Knowledge (ATT&CK) – is growing fast. It is also being adopted by more and more security-solution providers, including big names like Microsoft and Splunk. This is likely to continue because the framework draws on years’ worth of detailed forensic reports on cyber-attacks and attackers that have not been fully taken advantage of until now. The security industry has largely focused on sharing and using indicators of compromise (IOCs). By focusing on the techniques and tactics of adversaries, the ATT&CK framework goes deeper and is increasingly used to help organizations identify gaps known to be exploited by cyber adversaries. The framework focuses on the inevitable post-compromise phase, which forces cyber adversaries to change not only surface-level and trivial IOCs but also their tactics and techniques, which are much more difficult to change. This presentation will go into detail about what it takes to collect public information security reports, threat intelligence, and forensic reports on a threat group, and then submit all of its adversarial tactics and techniques to MITRE for inclusion in the ATT&CK framework.

Walker Johnson (@wjohnsonsled), Financial Services Industry

ATT&CKing the Status Quo: Threat-Based Adversary Emulation with MITRE ATT&CK

Every day, adversaries remind us that we need to evolve our defensive focus beyond indicators toward tactics, techniques, and procedures (TTPs). Yet we struggle with how to do this. In this presentation, the MITRE ATT&CK team will discuss an end-to-end methodology for how to better organize cyber threat intelligence and leverage it to conduct adversary emulation and hunting using ATT&CK. Threat analysts will gain an understanding of how to structure reporting in the form of ATT&CK techniques to increase the effectiveness of the products they create. Hunt teams, incident responders, and defenders will learn how to use that understanding of adversary TTPs to identify defensive gaps as well as prioritize hunting and mitigation activities. Red Teamers will also benefit by learning how to leverage that same intel on adversary TTPs to plan operations, communicate with defenders, and perform adversary emulation.

Katie Nickels (@likethecoins), The MITRE Corporation

Cody Thomas (@its_a_feature), The MITRE Corporation



Launching Threat Hunting from Almost Nothing

Many organizations that don’t have very sophisticated hunting teams wonder how to incorporate threat hunting functions into their current security operations. Would it even be of value for them to have such a function? We had the exact same questions upon hearing the term “threat hunting” for the first time. After having launched our hunting activities starting virtually from scratch, we can now say “Yes. It’s worth pursuing.” In this presentation we’ll explain why threat hunting was considered of value for us, what threat hunting functions were carried out, and how we have been improving our security operations. The hunting operations enabled us to identify some significant attacks that were undetected by several security measures. As a result, we have been making continuous improvements to make hunting a scalable mechanism that does not depend on a few advanced experts. This session will provide case studies that focus on threat hunting in enterprise security operations.

Takahiro Kakumaru, NEC

Uncovering and Visualizing Malicious Infrastructure

How much information about a threat can you find using a single IP address, domain name, or indicator of compromise (IOC)? What additional threats can you identify when looking at attacker and victim infrastructure? To discover and analyze the infrastructure behind large-scale malware activity, this session begins by looking at known indicators from popular botnets spreading such threats as Locky, Globeimposter, and Trickbot. The presentation will highlight co-occurring malicious activities observed on the infrastructure of popular botnets. We will demonstrate practical techniques to find threats, analyze botnet and malware infrastructure in order to identify actor and victim infrastructure, and show how to pivot to discover additional IOCs using such techniques as passive DNS and OSINT. Finally, we will demonstrate how visualizing known IOCs helps to better understand the connections between infrastructure, threats, victims, and malicious actors.

Josh Pyorre (@joshpyorre), Cisco Umbrella

Andrea Scarfo (@AScarf0), Cisco Umbrella



Forecast: Sunny, Clear Skies, and 100% Detection

“Those who have knowledge, don’t predict. Those who predict, don’t have knowledge.” -Lao Tzu

Attack simulations test the resilience of threat detection and response capabilities and validate security implementations. They are an essential component of a solid threat hunting program. Is your internal team’s forecast for detection of simulated adversary activity overly optimistic? Strong predictions of success prior to conducting attack simulations can uncover false pretenses and failed implementations. Learn how to incorporate forecasting and subsequent validations into your Blue Team hardening efforts.

Alissa Torres (@sibertor), SANS Institute

Quantify Your Hunt: Not Your Parents’ Red Team

The security marketplace is saturated with product claims of detection coverage that have been almost impossible to evaluate, all while intrusions continue to make headlines. To help organizations better understand the detection provided by a commercial or open-source technology platform, a framework is necessary to measure depth and breadth of coverage. This presentation builds on the MITRE ATT&CK framework by explaining how to measure the coverage and quality of ATT&CK, while demonstrating open-source Red Team tools and automation that generate artifacts of post-exploitation. Attendees will gain new or improved abilities to measure detection capabilities. Finally, the presentation will articulate a call to action for the industry: Adopt this common language that describes these detection capabilities in a tangible and quantifiable way.

Devon Kerr (@_devonkerr_), Endgame

Threat Hunting Using Live Box Forensics

In a threat landscape characterized by targeted attacks, file-less malware, and other advanced hacking techniques, the days of relying solely on traditional “dead box” forensics for investigations are… well, dead. Live forensics, a practice considered a dangerous and dark art just a decade ago, has now become the de facto standard. However, many Computer Security Incident Response Teams still struggle with this type of threat hunting. This session will discuss the benefits, pitfalls, and best practices for performing live box forensics as a threat hunting tool. John will introduce and demo a free and publicly available command-line tool for Windows that automates the execution and data acquisition from other live forensics tools in a more secure and easier-to-maintain manner.

John Moran, DFLabs


Summit Speakers

David Evenden, CenturyLink. TALK: Viewing the Nodes in the Noise: Leveraging Data Science to Discover Persistent Threats

Stuart Davis, IBM. TALK: Cyber Threat Hunting in the Middle East

Robert Falcone, Palo Alto Unit 42. TALK: Hunting Webshells: Tracking TwoFace

Josh Bryant (@FixTheExchange), Tanium. TALK: Hunting Webshells: Tracking TwoFace

Rob Lee (@robtlee), Summit Co-Chair; SANS Institute

Philip Hagen (@PhilHagen), Summit Co-Chair; Red Canary; SANS Institute

David J. Bianco (@davidjbianco), Target. TALK: Lightning Talks

Michael Gough (@HackerHurricane), Malware Archaeology. TALK: This is The Fastest Way to Hunt Windows Endpoints

Walker Johnson (@wjohnsonsled), Banking & Finance. TALK: How to Submit a Threat Profile to MITRE ATT&CK

Takahiro Kakumaru, NEC. TALK: Launching Threat Hunting From Almost Nothing

Devon Kerr (@_devonkerr_), Endgame. TALK: Quantify Your Hunt: Not Your Parents’ Red Team

Robert M. Lee (@RobertMLee), Dragos Inc. TALK: Threat Hunting or Threat Farming: Finding the Balance in Security Automation

Rick McElroy (@InfoSecRick), Carbon Black. TALK: Keynote

Matt Bromiley (@mbromileyDFIR), Cylance; SANS Institute. TALK: Live Debates

John Moran, DFLabs. TALK: Threat Hunting Using Live Box Forensics

Andrea Scarfo (@AScarf0), Cisco Umbrella. TALK: Uncovering and Visualizing Malicious Infrastructure

Katie Nickels (@likethecoins), The MITRE Corporation. TALK: ATT&CKing the Status Quo: Threat-Based Adversary Emulation with MITRE ATT&CK

Cody Thomas (@its_a_feature_), The MITRE Corporation. TALK: ATT&CKing the Status Quo: Threat-Based Adversary Emulation with MITRE ATT&CK

Ryan Nolette, Amazon Web Services. TALK: Who Done It: Gaining Visibility and Accountability in the Cloud

Alissa Torres (@sibertor), SANS Institute. TALK: Forecast: Sunny, Clear Skies, and 100% Detection

Alex Pinto (@alexcpsec), Niddel (a Verizon company). TALK: Threat Hunting or Threat Farming: Finding the Balance in Security Automation

Mauricio Velazco (@mvelazco), Blackstone. TALK: Hunting for Lateral Movement Using Windows Event Logs

Josh Pyorre (@joshpyorre), Cisco Umbrella. TALK: Uncovering and Visualizing Malicious Infrastructure

Jake Williams (@MalwareJake), Rendition Infosec. TALK: Threat Hunting in Your Supply Chain

Roberto Rodriguez (@cyb3rward0g), SpecterOps. TALK: Quantify Your Hunt: Not Your Parents’ Red Team

“The breadth of knowledge of the speakers as well as the attendees is incredibly valuable.” -Jeven Adami, Consilio


Rob Lee, SANS Faculty Fellow (@robtlee, @sansforensics)

Rob Lee is the Curriculum Lead and an author for SANS’ digital forensic and incident response training. He earned his MBA from Georgetown and graduated from the U.S. Air Force Academy. As a member of the Air Force Office of Special Investigations, Rob led crime investigations and worked directly with government agencies as a technical lead. He was also a director at MANDIANT, the commercial firm focused on responding to advanced adversaries such as the APT.

“The skills learned are immediately usable on real-world cases as soon as you get back to work from training. Rob is absolutely top notch.” -Jason Janka, University of Florida


FOR508: Advanced Digital Forensics, Incident Response, and Threat Hunting (sans.org/THIR-FOR508)

Certification: GCFA (Forensic Analyst)

Advanced Threats Are in Your Network – It's Time to Go Hunting

Learn advanced skills to hunt, identify, counter, and recover from a wide range of threats within enterprise networks, including advanced persistent threat (APT) nation-state adversaries, organized crime syndicates, and hacktivists. Use threat hunting to catch intrusions in progress, instead of after attackers have completed their objectives. Learn to:

▐ Detect how and when a breach occurred

▐ Identify compromised and affected systems

▐ Perform damage assessments and determine what was stolen or changed

▐ Contain and remediate incidents

▐ Develop scalable indicators and threat intelligence

▐ Hunt down additional breaches using knowledge of the adversary

“This course will help me go back to my job and start immediately implementing IR and malware analysis best practices.” -Paul DeGeiso, PJM Interconnection

“ From a more technical forensics standpoint, I think this course is spot on in providing necessary skills for an individual to share with their team.” -Victor Munoz, Beckman Coulter

“ I came back to work with a new malware case and was able to implement my skills learned in class on day one.” -Melissa Sokolowski, Xerox

Six-Day Program | Sat, Sep 8 - Thu, Sep 13 | 9:00am - 5:00pm | 36 CPEs | Laptop Required

Who Should Attend:

▐ Incident response team members

▐ Threat hunters

▐ Experienced digital forensic analysts

▐ Information security professionals

▐ Federal agents and law enforcement personnel

▐ Red team members, penetration testers, and exploit developers

▐ SANS FOR500 and SEC504 graduates


FOR526: Memory Forensics In-Depth (sans.org/THIR-FOR526)

Malware Can Hide, But It Must Run

Dig into memory and uncover the malicious code where it runs. Security analysts need critical analysis skills to successfully perform live system memory triage and analyze captured memory images. This course uses the most effective freeware and open-source tools in the industry today and provides an in-depth understanding of how these tools work in order to tackle advanced forensics, trusted insider, and incident response cases. This course will teach you how to:

▐ Demonstrate targeted memory capture, ensure data integrity, and overcome obstacles to Anti-Analysis/Anti-Acquisition Behaviors

▐ Detect rogue, hidden, and injected processes, kernel/user-level rootkits, Dynamic Link Libraries (DLL), and more

▐ Craft a YARA signature to identify insider threat behaviors and malware indicators

▐ Use process timelining and high-low-level analysis to spot anomalous behavior

▐ Implement triage, live system analysis, and alternative acquisition techniques for targeted memory analysis

“ This training is valuable to me because I am learning the tools to spot evil lurking and the steps to walk through an investigation, which is key.” -Brice Smith, BCBSKS

“ This class gives good insights into incident response skills when interacting with a team doing memory forensics.” -Venkat Luckyreddy, BMS

“The training opened my eyes to the need to collect memory images, as well as physical images for single computer analysis, such as theft of IP or other employee investigations.” -Greg Caouette, Kroll

Six-Day Program | Sat, Sep 8 - Thu, Sep 13 | 9:00am - 5:00pm | 36 CPEs | Laptop Required

Who Should Attend:

▐ Incident response team members

▐ Experienced digital forensic analysts

▐ Red team members, penetration testers, and exploit developers

▐ Law enforcement officers, federal agents, and detectives

▐ SANS FOR508 and SEC504 graduates

▐ Forensics investigators


Alissa has more than 15 years of experience in computer and network security spanning government, academic, and corporate environments. Her current role as an Incident Response Manager at Cargill provides daily challenges “in the trenches” and demands constant technical growth. Alissa was introduced to digital forensics during her four years of service in the U.S. Marine Corps. She moved on to various technical roles at KEYW Corporation, Northrop Grumman Information Systems, and as part of Mandiant’s computer incident response team (MCIRT). She has a B.S. from the University of Virginia and an M.S. in information technology from the University of Maryland, and she holds the GCFA, GCFE, GCIH, GSEC, CISSP, and EnCE certifications. Alissa was recognized by SC Magazine as one of its “2016 Women to Watch.”

Alissa Torres, SANS Certified Instructor (@sibertor)


Certification: GNFA (Network Forensic Analyst)

FOR572: Advanced Network Forensics: Threat Hunting, Analysis, and Incident Response (sans.org/THIR-FOR572)

Bad Guys Are Talking – We’ll Teach You to Listen

This course covers the tools, technology, and processes required to integrate network data sources into your investigations, with a focus on efficiency and effectiveness. There are many use cases for network data, including proactive threat hunting, reactive forensic analysis, and continuous incident response. The techniques we cover can help to close gaps in these use cases and more. We’ll cover the full spectrum of network evidence, including high-level NetFlow analysis, low-level pcap exploration, ancillary network log examination, and more. Learn about:

▐ Hunting, forensic, and IR-based analysis of NetFlow, full-packet capture, and infrastructure log files

▐ Correlating events across different evidence types

▐ Seeking Artifacts of Communication that can drive other investigative processes

▐ Efficiently and effectively handling large volumes of evidence

“ This class teaches security pros how to boil the ocean. Every network-focused investigator should be taking this course.” -Jacob Grant, Arctic Wolf Networks

“ I love how this course is very well organized, and the step-by-step walkthrough of the lab allows even someone new to network forensics to get started right away.” -Paul Kim, PWC

“ An excellent, in-depth course on network-level forensics and a deeper understanding into other forensic methods.” -Christina Camilleri, BAE Systems

Six-Day Program | Sat, Sep 8 - Thu, Sep 13 | 9:00am - 5:00pm | 36 CPEs | Laptop Required

Who Should Attend:

▐ Incident response team members and forensicators

▐ Hunt team members

▐ Law enforcement officers, federal agents, and detectives

▐ Information security managers

▐ Network defenders

▐ IT professionals

▐ Network engineers

▐ Anyone interested in computer network intrusions and investigations

▐ Security Operations Center personnel and information security practitioners

Phil’s career has spanned the full attack life cycle – from tool development to deployment, operations, and investigative aftermath – giving him rare and deep insight into the artifacts attackers leave behind. Phil has covered deep technical tasks, managed an entire computer forensic services portfolio, and handled executive responsibilities. He’s managed a team of forensic professionals in the national security sector and provided forensic consulting services for law enforcement, government, and commercial clients.

“Phil continues to illustrate through examples and paint the big picture for examiners/responders. His approach and teaching style are second to none when it comes to Network Forensics.” -Brad Garnett, Cisco

Philip Hagen, SANS Senior Instructor (@PhilHagen)



FOR578: Cyber Threat Intelligence (sans.org/THIR-FOR578)

There Is No Teacher but the Enemy

During a targeted attack, an organization needs a top-notch and cutting-edge threat hunting or incident response team to counter the threat. This course teaches the tactical, operational, and strategic level of cyber threat intelligence skills and tradecraft required to make security teams better, threat hunting more accurate, incident response more effective, security operations more robust, and organizations more aware of the evolving threat landscape. Discover how to:

▐ Generate threat intelligence to detect, respond to, and defeat advanced persistent threats (APTs)

▐ Validate information received from other organizations to minimize resource expenditures on bad intelligence

▐ Develop and enhance analysis and critical thinking skills

▐ Leverage open-source intelligence to complement a security team of any size

▐ Create Indicators of Compromise (IOCs) in formats such as YARA, OpenIOC, and STIX

“ This course gives a very smart and structured approach to Cyber Threat Intelligence, something that the global community has been lacking to date.” -John Geary, Citigroup

“ This training very well summarizes CTI and connects all of the dots. We got clear answers to what CTI is, how important it is, what it is built upon, and how it can be applied in practice.” -Nikita Martynov, NNIT A/S

“ This course was invaluable in framing my role as a hunter in the intelligence consumption/generation process.” -Christopher Vega, CitiGroup

Five-Day Program | Sat, Sep 8 - Wed, Sep 12 | 9:00am - 5:00pm | 30 CPEs | Laptop Required

Who Should Attend:

▐ Security practitioners

▐ Incident response team members

▐ Threat hunters

▐ Security Operations Center personnel and information security practitioners

▐ Digital forensic analysts and malware analysts

▐ Federal agents and law enforcement officials

▐ Technical managers

▐ SANS alumni looking to take their analytical skills to the next level

Certification: GCTI (Cyber Threat Intelligence)


Robert M. Lee is founder and CEO of Dragos, a firm specializing in cybersecurity solutions for industrial control system (ICS) networks. He got his start as a U.S. Air Force Cyber Warfare Operations Officer assigned to the National Security Agency. There, Lee created and led a mission hunting and analyzing nation-states that targeted ICS, the first mission of its kind.

“Robert M. Lee is the best instructor I have seen. Real-world examples, humor, time-efficient, and effective.” -Toni Benson, US-CERT

Robert M. Lee, SANS Certified Instructor (@RobertMLee)


Evan Dygert is a consultant for Dygert Consulting, Inc., with over 30 years of experience in software development in several areas including compilers, databases, finance, insurance, computer networking and security, and software security. Evan has performed digital forensics, computer security and expert witness work since 2005. He has a B.S. in computer science from Brigham Young University, an MBA from Rollins College, and has completed the coursework for a Ph.D. in computer information systems.

“Evan is very knowledgeable, and brings a lot of additional helpful information to the course that is not in the books.” -Kirk D., U.S. Army

Evan Dygert, SANS Instructor


Certification: GREM (Reverse Engineering Malware)

FOR610: Reverse-Engineering Malware: Malware Analysis Tools and Techniques (sans.org/THIR-FOR610)

Learn to Turn Malware Inside Out

This course equips students with the skills necessary to systematically reverse-engineer malicious code. Attendees will learn how to de-obfuscate complex malware, identify and circumvent anti-analysis capabilities, and review assembly code for a deeper understanding of malware functionality. Regardless of your prior exposure to these topics, you will leave with a strong foundation for analyzing malicious software using a variety of system and network monitoring utilities, a disassembler, a debugger, and many other freely available tools. This course will teach you to:

▐ Examine how malware interacts with the file system, registry, network, and other processes in a Windows environment

▐ Derive Indicators of Compromise from malicious executables to strengthen incident response and threat intelligence efforts

▐ Control relevant aspects of the malicious program's behavior through network traffic interception and code patching to perform effective malware analysis

“ As a malware analyst, this course is invaluable.” -McKade Ivancic, Optiv Security

“ This is definitely one of those trainings that every professional working in Incident Response should attend.” -Kamal Ranjan, DarkMatter LLC

“ An excellent course to enable the student to master malware analysis and have the tools to carry out analysis in a safe environment.” -G. Conway, NCA

Six-Day Program | Sat, Sep 8 - Thu, Sep 13 | 9:00am - 5:00pm | 36 CPEs | Laptop Required

Who Should Attend:

▐ Security practitioners

▐ Incident response team members

▐ Threat hunters

▐ Security Operations Center personnel and information security practitioners

▐ Digital forensic analysts and malware analysts

▐ Federal agents and law enforcement officials

▐ Technical managers

▐ SANS alumni looking to take their analytical skills to the next level


Instead of merely teaching a few hack attack tricks, this course provides a time-tested, step-by-step process for responding to computer incidents and a detailed description of how attackers undermine systems, so you can prepare for, detect, and respond to them. In addition, SEC504 explores the legal issues associated with responding to computer attacks, including employee monitoring, working with law enforcement, and handling evidence. SEC504 helps you turn the tables on computer attackers by enabling you to understand their tactics and strategies in detail, giving you hands-on experience in finding vulnerabilities and discovering intrusions, and equipping you with a comprehensive incident handling plan. This course will teach you:

▐ How to recover from computer attacks and restore systems for business

▐ How to understand and use hacking tools and techniques

▐ Attacks and defenses for Windows, Unix, switches, routers, and other systems

▐ Application-level vulnerabilities, attacks, and defenses

▐ How to develop an incident handling process and prepare a team for battle

▐ Legal issues in incident handling

Six-Day Program | Sat, Sep 8 - Thu, Sep 13 | This course has extended hours: 9:00am - 7:15pm (Day 1), 9:00am - 5:00pm (Days 2-6) | 37 CPEs | Laptop Required

Who Should Attend:

▐ Incident handlers

▐ Leaders of incident handling teams

▐ System administrators who are on the front lines defending their systems and responding to attacks

▐ Other security personnel who are first responders when systems come under attack

SEC504: Hacker Tools, Techniques, Exploits, and Incident Handling (sans.org/THIR-SEC504)


Chris Pizor is a civilian employee working for the U.S. Air Force as the lead curriculum designer for cyber warfare operations training. Chris served on active duty in the USAF as a Network Intelligence Analyst before retiring in 2010. He was part of the initial cadre of the NSA Threat Operations Center and helped develop tactics to discover and eradicate intrusions into U.S. government systems. Chris earned a bachelor’s degree in intelligence studies and information operations from the American Military University and a master of science in cybersecurity from University of Maryland University College. Chris is also a recipient of the “General John P. Jumper Award for Excellence in Warfighting Integration” for Air Force Space Command. The General Jumper award recognizes individuals for sustained superior performance and outstanding contributions to the integration of Air Force or DoD warfighting and/or operations support capabilities that shorten the kill chain and/or enhance the decision cycle.

Chris Pizor SANS Certified Instructor

@chris_pizor

GCIH Incident Handler

“ The training offered at SANS is the best in the industry, and the SEC504 course is a must for any IT security professional – highly recommended.” -Michael Hoffman, Shell Oil Products

“ SEC504 was invaluable in helping me understand the capabilities of the adversary, the tools they use, and how they are able to circumvent and disguise their traffic to avoid detection.” -Mike Clites, OneBeacon Insurance Group


Six-Day Program
Sat, Sep 8 - Thu, Sep 13
This course has extended bootcamp hours: 9:00am - 7:00pm (Days 1-5), 9:00am - 5:00pm (Day 6)
46 CPEs
Laptop Required

Who Should Attend

Security architects

Senior security engineers

Technical security managers

Security Operations Center (SOC) analysts, engineers, and managers

CND analysts

Individuals working to implement Continuous Diagnostics and Mitigation (CDM), Continuous Security Monitoring (CSM), or Network Security Monitoring (NSM)

SEC511: Continuous Monitoring and Security Operations sans.org/THIR-SEC511

GMON Continuous Monitoring

John is a dedicated blue-teamer and is driven to help develop defensive talent around the world. Through his years of experience as the SOC Lead for GlaxoSmithKline, he has real-world, first-hand knowledge of what it takes to defend an organization against advanced cyber-attacks and is eager to share these lessons with his students. As a SANS Cyber Defense curriculum instructor and course author of SEC455, John specializes in threat hunting, network security monitoring, SIEM design and optimization, and constructing defensive postures that allow organizations to protect their most sensitive data. Throughout class, he works with students to explain difficult concepts in relatable and clear language, illustrates important ideas with stories and demonstrations, and encourages students to push themselves beyond the limit of what they thought possible. John holds degrees in electrical and computer engineering and his past research ranges from malware reverse-engineering to car hacking, mobile app security, and IoT devices.

John Hubbard SANS Instructor

@SecHubb

We continue to underestimate the tenacity of our adversaries! Organizations are investing significant time and financial and human resources to combat cyber threats and prevent cyber attacks, but despite this tremendous effort, organizations are still getting compromised. The traditional perimeter-focused, prevention-dominant approach to security architecture has failed to prevent intrusions. No network is impenetrable, which is a reality that business executives and security professionals alike have to accept. Prevention is crucial, and we can’t lose sight of it as the primary goal. However, a new proactive approach to security is needed to enhance the capabilities of organizations to detect threats that will inevitably slip through their defenses.

This course will teach you to:

▐ Analyze a security architecture for deficiencies

▐ Apply the principles learned in the course to design a defensible security architecture

▐ Understand the importance of a detection-dominant security architecture and a Security Operations Center (SOC)

▐ Identify the key components of Network Security Monitoring (NSM)/Continuous Diagnostics and Mitigation (CDM)/Continuous Monitoring (CM)

▐ Determine appropriate security monitoring needs for organizations of all sizes

▐ Implement robust Network Security Monitoring/Continuous Security Monitoring (NSM/CSM)

▐ Utilize tools to support implementation of Continuous Monitoring per NIST SP 800-137 guidelines

▐ Determine requisite monitoring capabilities for a SOC environment

▐ Determine capabilities required to support continuous monitoring of key Critical Security Controls

“ SEC511 is a VERY worthwhile addition to the Cyber Defense curriculum for Blue Teamers.” -Robert Peden, NextGear Capital

DFIR COIN SLAYER!

Leave New Orleans with a motherlode of coinage! All you have to do is:

1) Register for the DFIR NetWars Tournament (free with your course purchase)

2) To earn a specific coin, correctly answer all of the class coin-specific questions across all four levels.

This is your chance to prove you've mastered the DFIR arts by earning DFIR Challenge coins.

Windows Forensics and Incident Response

(FOR500 or FOR508)

Memory Forensics (FOR526)

Advanced Network Forensics (FOR572)

Smartphone Analysis (FOR585)

Malware Analysis (FOR610)

Mac Forensics (FOR518)

DFIR NetWars


Evening Networking Events

All work and no play makes for dull threat hunters. Give your overloaded brain the night off and enjoy your time in New Orleans while networking with fellow attendees.

Threat Hunting & Incident Response Summit Night Out! September 6 | 6:00pm

DFIR Community Night Out in NOLA September 10 | 6:30pm

“ The networking was probably the most valuable part of the event. 10 out of 10!” -Michael Depuy, Precision Castparts


Cancellation & Access Policy

If an attendee must cancel, a substitute may attend instead. Substitution requests can be made at any time prior to the event start date. Processing fees will apply. All substitution requests must be submitted by email to [email protected]. If an attendee must cancel and no substitute is available, a refund can be issued for any received payments by August 20, 2018. A credit memo can be requested up to the event start date. All cancellation requests must be submitted in writing by mail or fax and received by the stated deadlines. Payments will be refunded by the method that they were submitted. Processing fees will apply.

Pay Early and Save*

FOR THE SUMMIT ONLY

Pay & enter code before 7-18-18: $200.00 discount
Pay & enter code before 8-8-18: $100.00 discount

FOR A COURSE ONLY

Pay & enter code before 7-18-18: $400.00 discount
Pay & enter code before 8-8-18: $200.00 discount

*Some restrictions apply.

Use code EarlyBird18 when registering early

Save $400 when you register for the summit and a course!

Registration Information

Register online at sans.org/ThreatHunting

We recommend you register early to ensure you get your first choice of courses. Select your course and indicate whether you plan to test for GIAC certification. If the course is still open, the secure, online registration server will accept your registration. Sold-out courses will be removed from the online registration. Everyone with Internet access must complete the online registration form. We do not take registrations by phone.

Hotel Information

Astor Crowne Plaza New Orleans
sans.org/threat-hunt-location

Special Hotel Rates Available

A special discounted rate of $169.00 S/D will be honored based on space availability. Government per diem rooms are available with proper ID. These rates are only available through 5pm EST on August 15, 2018.

Top 3 reasons to stay at Astor Crowne Plaza New Orleans

1 The hotel is a short walk to Bourbon Street, Jackson Square, and Frenchmen Street.

2 Great New Orleans restaurants like K-Paul’s Louisiana Kitchen and Cafe du Monde are nearby.

3 It is the hub of activity for hundreds of fellow security professionals. Take advantage of additional networking opportunities and informal community outings.

SANS Voucher Program

Expand your training budget! Extend your fiscal year. The SANS Voucher Program provides flexibility and may earn you bonus funds for training.

www.sans.org/vouchers