For additional pre and post conference programming, please check the Additional Programming page. Separate registrations apply. This is a working draft agenda. Agenda is subject to change. The program is also available for download in PDF format. San Geronimo B | Management Track. San Geronimo A | Technical Track. San Geronimo C | Technical Track. Auditorium | Team Insights. Flamingo A-B | Other Meetings. Auditorium | Management Track. San Geronimo A | Technical Track. San Geronimo C | Technical Track. San Geronimo B | Team Insights. Flamingo A-B | Other Meetings. Auditorium | Management Track. San Geronimo A | Technical Track. San Geronimo C | Technical Track. San Geronimo B | Team Insights. Flamingo A-B | Other Meetings. Auditorium | Management Track. San Geronimo A | Technical Track. San Geronimo C | Technical Track. San Geronimo B | Team Insights. Flamingo A-B-C-D | Other Meetings. Auditorium | Management Track. San Geronimo A | Technical Track. San Geronimo C | Technical Track. San Geronimo B | Team Insights. Flamingo A-B | Other Meetings. Newbie Reception - Atlantic Garden. Ice Breaker Reception - Atlantic Garden. Keynote: Detection, Investigation and Response at Billion Person Scale. Alex Stamos (Facebook) Red Team SIG Meeting. Samuel Perl (The CERT Program in the Software Engineering Institute at Carnegie Mellon University, US); Zachary Kurtz (Software Engineering Institute, US) Alex Pinto (Niddel, US) Riccardo Tani (Si Cyber Consult, AE) Chad Tilbury (SANS Institute, US) Vincent Le Toux (Engie, FR) Eireann Leverett (Concinnity Risks and Privacy International, GB); Marion Marschalek (Independent, AT) Marco Figueroa, Ronald Eddings (Intel, US); Sue Ballestero (Intel, CR) Christopher Payne (Target, US) Dr. 
Martin Eian (mIRT/mnemonic AS, NO) Kyle Wilhoit (DomainTools, US) Christine Gadsby (BlackBerry, US); Jake Kouns (Risk Based Security, US) Peter Morin (Forcepoint, CA) Juhani Eronen (NCSC-FI / FICORA, FI) David Sancho (Trend Micro, ES) Paweł Pawliński (CERT Polska / NASK, PL) Adrian Sanabria (Savage Security, US); Konrads Smelkovs (KPMG LLP, GB) Takuho Mitsunaga (The University of Tokyo, JPCERT/CC, JP) FIRST Update: Financial & Business Review. Information Exchange Policy SIG Meeting. Martin McKeay (Akamai, US) Alexandre Dulaunoy, Steve Clement (CIRCL - Computer Incident Response Center Luxembourg, LU) Christopher Butera (US-CERT, US) Darren Bilby (Google, AU) Malware Analysis SIG Meeting. Mark-David Mclaughlin (Cisco, US) Fyodor Yarochkin (Trend Micro, TW); Vladimir Kropotov (Trend Micro, RU) Megat Muazzam Abdul Mutalib (CyberSecurity Malaysia, MY) Fatima Rivera (Google, US) Beverly Finch (Lenovo, US) Ben Stock, Christian Rossow (CISPA, DE) Chris Baker (Dyn, US); Martin McKeay (Akamai, US); Megat Muazzam Bin Abdul Mutalib (MyCERT, MY); Merike Kaeo (Farsight Security, US); Yiming Gong (Qihoo 360, CN) Fyodor Yarochkin (Trend Micro, TW); Vladimir Kropotov (Trend Micro, RU) Manuel Ifland (Siemens AG, DE) Jan Monsch (Google, CH) David J. Bianco (Target, US) Tom Ueltschi (Swiss Post, CH) Kaspar Clos (CERT-Bund / BSI, DE) Joseph Ten Eyck (Target Company, US) Aaron Shelmire (SecureWorks, US) Markus Lintula (NCSC-FI / FICORA, FI) Matt Linton (Google, US) Jake Kouns (Risk Based Security, US) Jan Sirmer, Jaromir Horejsi (Avast Software, CZ) Kevin O'Sullivan (BT Plc, GB) Thomas Dullien (Google, CH) Information Sharing SIG Meeting. 
Jarna Hartikainen (NCSC-FI, FI) Aswami Ariffin (CyberSecurity Malaysia, MY) Amy Rose, Beverly Finch (Lenovo, US); Art Manion (CERT Coordination Center (CERT/CC), US); Lisa Bradley ([...], US) Don Stikvoort (Open CSIRT Foundation, NL, NL) Carsten Willems, Frederic Besler (VMRay, DE) Passive DNS Exchange SIG [...] Egloff (University of Oxford, GB) Remon Klein Tank (SURFcert, NL) Q/A Roundtable with Google's Security and Privacy team. Metrics SIG Meeting (meeting ends 13:15) Christopher Payne (Target, US) Aditya K Sood (BlueCoat, A Symantec Company, US) Przemek Jaroszewski (CERT Polska/NASK, PL) Eyal Paz, Gadi Naveh (Check Point, IL) Levi Gundert (Recorded Future, US) Daniel Shore, Stephen Zaccaro (George Mason University, US) Emilien Le Jamtel (CERT-EU, BE) Kevin Bocek (Venafi, US) Dr. Martin Eian, Jon Røgeberg (mIRT/mnemonic AS, NO) Vulnerability Coordination SIG Meeting. Brian Klenke (Morphick, US); Eric Szatmary (SecureWorks, US); Robert Floodeen (PwC, US) Allan Friedman (National Telecommunications and Information Administration, US); John Banghart (Venable LLP, US); Kent Landfield (McAfee, US); Vic Chung (SAP, CA) Paul Vixie (Farsight Security, US); Saâd Kadhi (Banque de France, FR) Conference Banquet - All Attendees Welcome! 
Martijn de Hamer (NCSC-NL, NL) Don Stikvoort (Open CSIRT Foundation, NL, NL); Mirosław Maj (Open CSIRT Foundation, PL) Peter Morin (Forcepoint, CA) Mikko Karikytö (Ericsson, FI) Rod Rasmussen (Infoblox, US) Robin Ruefle (CERT Division, SEI, CMU, US) Enrico Lovat, Florian Hartmann, Philipp Lowack (Siemens CERT, DE) CVSS General meeting (open meeting) CVSS SIG (closed meeting) Denise Anderson (NH-ISAC, US) Alexandre Dulaunoy (CIRCL, LU) Saâd Kadhi (Banque de France, FR) Jeff Man (Cybrary.it, US) Eireann Leverett (Concinnity Risks and Privacy International, GB); Marie Moe (SINTEF, NO) Miroslav Stampar (Information Systems Security Bureau, HR) Eugene Brin, Jan Kohlrausch (DFN-CERT, DE) FIRST Annual [...] Meeting. Brian Lamacchia (Microsoft Research, US) Jason Jones (Arbor Networks, US) Romulo Rocha (Former Rio2016 Committee and now Tempest Security Intelligence, BR) Anne Connell (CERT, US) Josh Porter (McAfee, US); Marco Figueroa, Ronald Eddings (Intel, US) Shusei Tomonaga (JPCERT/CC, JP) Edilson Lima, Rildo Souza (RNP, BR) Matthew Sisk, Samuel Perl (The CERT Program in the Software Engineering Institute at Carnegie Mellon University, US) Svetlana Amberga (CERT.LV, LV) Dmitry Bestuzhev (Kaspersky Lab, US); Fabio Assolini (Kaspersky Lab, BR) Morton Swimmer (Trend Micro, Inc, DE) National CSIRT meeting (invitation only) National CSIRT Reception (invitation only) National CSIRT meeting (invitation only) Josh Porter (McAfee, US), Marco Figueroa (Intel, US), Ronald Eddings (Intel, US) Ronald Eddings is a Cyber Fusion Analyst with a diverse background in Network Security, Threat Intelligence, and APT Hunting. Mr. Eddings has created a wide variety of security tools in efforts to automate the identification of malicious activity. Additionally, Mr. Eddings has leveraged user behavior analytics to research and track anomalous network activity. 
Marco Figueroa is a senior security analyst at Intel whose technical expertise includes reverse engineering of malware, incident handling, hacker attacks, tools, techniques, and defenses. He has performed numerous security assessments and responded to computer attacks for clients in various market verticals. He is a speaker at Defcon, Hope and other security and hacker conferences. Josh Porter is a Software Engineer at McAfee with a specialty in building data-driven threat intelligence applications. He has a passion for Ruby on Rails and has built numerous tools and applications for analysis and consumption of threat intelligence and security data. Since the exhaustion of public IPv4 address space, the deployment of IPv6 is accelerating at a rapid pace. According to Internet Society, 70% of Verizon Wireless’ mobile network is comprised of IPv6 enabled devices. It is mandatory that organizations develop strategies to adopt IPv6 to create new public content on the Internet. Unfortunately, security is often overlooked when deploying new network technologies such as IPv6. IPv6 provides several options for node and service discovery without employing extensive port scans. Without proper protection, an attacker can trivially enumerate and potentially launch attacks on IPv6 networks. This talk presents insights into how an attacker may leverage IPv6 to enumerate and attack an IPv6 enabled network. Additionally, a new modular framework will be presented to identify if an IPv6 enabled network is susceptible to being enumerated and attacked. June 16, 2017 11:15-12:45. Last Update: August 8th, 2017. Eyal Paz (Check Point, IL), Gadi Naveh (Check Point, IL) Eyal is a technology leader and security researcher at Check Point. During the past six years, Eyal has been doing application and malware research developing new methods to track risks and anomalies on corporate enterprise networks. Eyal holds a B.Sc. 
in Software Engineering and is currently working on his master’s degree in Computer Science. Gadi works closely with Check Point's Threat Intelligence and Research & Development teams to help customers understand the current threat environment and how they can prevent attacks. With more than 15 years of Information Security experience, Gadi has been involved with cybersecurity solutions ranging from endpoint to network architecture models. Use of the phrase “the long tail” theory in business as "the notion of looking at the tail itself as a new market" of consumers was first coined by Chris Anderson, editor-in-chief of Wired Magazine. We found that the Long Tail theory is relevant for threats coming from the [...]. Every day there are hundreds of thousands of new domains registered, many of which are used for scamming and cyber attacks. Only a small portion of those will make it into one of the dozens of threat intelligence community or [...] feeds. The feeds collectively still hold only a portion of the attacks seen and analyzed by security professionals on a daily basis. The feed creators do not encounter most of the long tail of cyber threat indicators, since the campaigns are built from low-visibility domains which, by definition, are very uncommon. In our research, we monitored a large set of newly registered sites as soon as they were registered, and kept monitoring them on a daily basis. The monitoring process checked for activity in the domain, such as: IP registration, HTML content, OSINT tracking, who resolved the domain and from which geo-locations. Then we analyzed our results and came up with surprising facts on the statistics of usage of newly registered domains. We also compared different top-level domains for the purpose used by these newly registered domains, in addition to the different statistics for each one. 
Our aim was to validate the long tail theory for cyber threats, and paraphrasing the Long Tail claim: "We saw more threats today that weren’t seen at all yesterday, than the threats we saw today that were indeed seen yesterday." Following our claim a key question arises: how effective are indicator blacklists and should we keep using them? The question recalls a similar question: is the AV dead? We’ll present our views and thoughts based on our research. June 14, 2017 14:00-14:45. Active Directory: How To Change a Weak Point Into a Leverage for Security Monitoring. Vincent Le Toux (Engie, FR) Vincent Le Toux is the "incident prevention, detection, response manager" at the corporate level of Engie, a large energy company, managing SOC / CSIRT activities. On a personal side, he's the author of the DCSync attack included in Mimikatz and writes many papers in the French review MISC. He designed the PingCastle tool. There are a lot of scary presentations made by pentesters at security conferences. Advice is communicated, but it is technical, and CISOs and CERTs have difficulty changing the situation. As the author of the DCSync attack (included in Mimikatz & PowerShell Empire) and working at the corporate level of a multinational, I was facing problems nobody could answer. How many domains do we have? Why were auditors able to list our accounts without any account on our domain? Are we secure? (especially with these new attacks) Asked to solve the "AD situation", I decided to create a methodology that I'm sharing here. The idea is not to focus on the technical side, but to get the management support (and budget) by being able to translate the technical situation into risks. And to make the infrastructure guys aware of their problems so they can solve it (with a lot of management pressure ;-)). The presentation is in 4 parts: Context. 
Why did this project have to be managed at the corporate level? General vulnerabilities of the Active Directory. How bad is the situation? Methodology presented. How to make the link between attacks and risks to get management support? Trying to secure the AD. Are monitoring / hardening tools available on the market efficient? You have more AD than you think (multiply by 2 or 3). You have trust with external companies with no protection! You can act right now by discovering many problems even without an account on the domain to audit. You will show to the management contradictions between local management and corporate management. Reminder: ALL domain administrators in a forest can own the forest! June 12, 2017 12:00-12:45. Last Update: August 8th, 2017. Tom Ueltschi (Swiss Post, CH) Tom Ueltschi has been working for Swiss Post CERT (SOC / CSIRT) for over 9 years. He has presented about Ponmocup botnet at SANS DFIR summit, DeepSec and BotConf twice. He is a proud member of many closed trust groups and communities. He is active on Twitter (@c_APT_ure) and has been blogging in the past. Enterprises and organizations of all sizes are struggling to prevent and detect all malware attacks and advanced adversary actions inside their networks in a timely manner. Prevention focused technology hasn’t been good enough to prevent breaches for years and detection has been lacking in many ways. This presentation will give an overview and detailed examples on how to use the free Sysinternals tool SYSMON to greatly improve host-based incident detection and enable threat hunting approaches. Splunk is just an example of a SIEM to centralize Sysmon log data and be able to search and correlate large amounts of data to create high-quality alerts with low false-positive rates. The same could likely be done using another free or commercial SIEM. 
The main goal is to share an approach, a methodology on how to greatly improve host-based detection by using Sysmon and Splunk to create alerts. One main topic throughout the presentation will be how to find suspicious or malicious behaviors, how to implement search queries and how to reduce or eliminate false-positives. Examples will cover different crimeware malware families as well as tools and TTPs used by Red Teams and advanced adversaries. For the latter, a commercial tool (Cobalt Strike) was used to test different privilege escalation and lateral movement techniques and develop queries for detection. Sysinternals Process Monitor and Sysmon tools were used to analyze behaviors on the endpoints involved. Any Blue Team member should be able to take away some ideas and approaches to improve detection and incident response readiness in their organization. June 13, 2017 14:00-14:45. Last Update: August 8th, 2017. Alexandre Dulaunoy (CIRCL - Computer Incident Response Center Luxembourg, LU), Steve Clement (CIRCL - Computer Incident Response Center Luxembourg, LU) Alexandre Dulaunoy works at the Luxembourgian Computer Security Incident Response Team (CSIRT) CIRCL in the research and operational fields. He is also lecturer in information security at Paul-Verlaine University in Metz and the University of Luxembourg. Alexandre encountered his first computer in the ’80s—and promptly disassembled it to learn how the thing worked. Previously, Alexandre was manager of global information security at SES, a leading international satellite operator, and worked as senior security network consultant at Ubizen (now Cybertrust) and other companies. He also cofounded Conostix, a startup that specialized in information security management. Alexandre enjoys working on projects that blend “free information,” innovation, and direct social improvement. 
When not gardening binary streams, he likes facing the reality of ecosystems while gardening plants or doing photography. He enjoys it when humans use machines in unexpected ways. Steve Clement is a security researcher at CIRCL. He is also active in the hackerspace community at large and promoting cyber security worldwide. AIL is a modular framework to analyse potential information leaks from unstructured data sources like pastes from Pastebin, "darkweb" or similar services or unstructured data streams. AIL framework is flexible and can be extended to support other functionalities to mine sensitive information. CIRCL regularly discovers information leaks using AIL. The presentation will include an overview of the open source framework and its design and implementation. As the tool can be used by any CSIRT, the integration of the tool within CSIRTs will be explained along with the process of victim notification. The information gathered can also be used for incident response or cyber security exercises; an overview will be given to the audience. June 12, 2017 16:30-17:00. Last Update: August 8th, 2017. Shusei Tomonaga (JPCERT/CC, JP) Shusei Tomonaga is a member of the Analysis Center of JPCERT/CC. Since December 2012, he has been engaged in malware analysis and forensics investigation, and is especially involved in analyzing incidents of targeted attacks. In addition, he has written up several posts on malware analysis and technical findings on JPCERT/CC’s English Blog. Prior to joining JPCERT/CC, he was engaged in security monitoring and analysis operations at a foreign-affiliated IT vendor. He presented characteristics of major targeted attack operations in Japan at CODE BLUE 2015. Typical network intrusion in APT is followed by lateral movement. For effective incident response, investigation and detection of the lateral movement phase is critical. However, evidence of tool execution during the phase is not always acquired under default settings of Windows. 
JPCERT/CC, therefore, conducted a study on the necessary log configurations to acquire evidence of tool execution in the lateral movement phase and closely examined what has been logged. This presentation will explain some attack patterns and tools which are commonly used for APT. JPCERT/CC analyzed the incidents that they have handled, and discovered that there are common patterns in the use of methods and tools in the lateral movement phase. It will also introduce techniques to detect or investigate such incidents by using Audit Policy (a Windows function) and Sysmon (a tool provided by Microsoft). June 16, 2017 11:45-12:15. Last Update: August 8th, 2017. David Sancho (Trend Micro, ES) David Sancho joined Trend Micro in 2002, having fulfilled a variety of technical security-related roles. Currently, his title is Senior Anti-Malware Researcher, and he specializes in web threats and other emerging technologies. In his more than 19 years of experience in the security field, David has written and published a number of research papers on malware tendencies, has been featured in the media, and has participated in customer events where he has presented on business issues and malware-related topics. His interests include web infection methods, vulnerability exploitation, and white-hat hacking in general. While cybersecurity professionals have focused mostly on protecting their organizations against the better-known Russian and Chinese criminal underground economies, West African cybercriminals have continued to hone their skillsets and arsenals to slowly but surely inch their way to form their own community. This session will reveal the results of a recent research study that traces the [...] of West African cybercriminals and how their current focus on advanced malware makes them a threat to individuals – and organizations – in Europe and the US. 
Find out how these criminals are executing Business Email Compromise (BEC) attacks as well as newer variants to scam large and small organizations. The presenter will review the West African threat landscape, the tools that these cybercriminals most often utilize when infiltrating critical business data, and what cybersecurity experts must know to mitigate this risk. The presentation will highlight effective methods of protecting organizations from these cybercriminals and share best practices citing case studies from the criminal's perspective. Don’t miss important warning signs that West African cybercriminals are on safari in your network. June 12, 2017 14:45-15:30. Juhani Eronen (NCSC-FI / FICORA, FI) Juhani "Jussi" Eronen is a chief specialist at the National Cyber Security Centre (NCSC-FI), situated within the Finnish Communications Regulatory Authority (FICORA). For over 15 years he has been intimately involved in research, discovery and coordination of vulnerabilities and in incident response. Starting from his previous position at the Oulu University Secure Programming Group (OUSPG) he has been handling vulnerabilities with profound impact on the safety and security of the people and the critical infrastructure. After joining NCSC-FI in 2006 his responsibilities have expanded to the automation of the nationwide handling of security incidents and information assurance with the objective to keep Finland as one of the safest nations in the world. Network security monitoring is an essential part of securing any modern systems. While commercial and open source monitoring solutions do exist for many deployment scenarios, they do not address the needs of very large organisations or nation states. 
This presentation walks through the challenges faced by the Finnish National Cyber Security Centre (NCSC-FI) while building the HAVARO network security monitoring system. Lessons learned, both for processes and in technology, during five years of incremental development are highlighted. HAVARO is the Finnish national monitoring system for critical infrastructure actors and governmental entities. HAVARO aims to detect serious incidents such as APT attacks using threat intelligence shared among partners. HAVARO has a modular and extendable architecture in order to be able to react to novel threats with new detection mechanisms. It uses a decentralised model where the constituents retain control and ownership of their data while minimising the privacy implications of the monitoring to the end users. HAVARO is complementary to the existing detection systems and services that protect against generic threats. The presentation concludes with a model of open monitoring system design that enables public and private entities to collaborate in defending the constituents. Central components of this model include a REST API and a simple data format to enable easy integration into monitoring systems. June 12, 2017 14:45-15:30. Alex Pinto (Niddel, US) Alex Pinto is the Chief Data Scientist of Niddel and the lead of MLSec Project. He is currently dedicating his waking hours to the development of machine learning algorithms and data science techniques to automate threat hunting (I know) and making threat intelligence "actionable" (I know, I know). If you care about certifications at all, Alex is currently a CISSP-ISSAP, CISA, CISM, and PMP. There is no doubt that indicators of compromise (IOCs) are here to stay. However, even the most mature incident response (IR) teams are currently mainly focused on matching known indicators to their captured traffic or logs. 
The real “eureka” moments of using threat intelligence mostly come out of analyst intuition. You know, the ones that are almost impossible to hire. In this session, we show you how you can apply descriptive statistics, graph theory, and non-linear scoring techniques on the relationships of known network IOCs to log data. Learn how to use those techniques to empower IR teams to encode analyst intuition into repeatable data techniques that can be used to simplify the triage stage and get actionable information with minimal human interaction. With these results, we can make IR teams more productive as soon as the initial triage stages, by providing them data products that provide a “sixth sense” on what events are the ones worth analyst time. They also make painfully evident which of the IOC feeds an organization consumes are helpful to its detection process and which ones are not. This presentation will showcase open-source tools that will be able to demonstrate the concepts from the talk on freely available IOC feeds and enrichment sources, and that can be easily expanded to paid or private sources an organization might have access to. June 12, 2017 11:15-12:00. Alexandre Dulaunoy (CIRCL, LU) Alexandre Dulaunoy encountered his first computer in the eighties, and he disassembled it to know how the thing worked. While pursuing his logical path towards information security and free software, he worked as senior security network consultant at different places (e.g. Ubizen, now Cybertrust). He co-founded a startup called Conostix specialized in information security management, and for the past 6 years, he was the manager of global information security at SES, a leading international satellite operator. He is now working at the national Luxembourgian Computer Security Incident Response Team (CSIRT) CIRCL in the research and operational fields. 
He is also lecturer in information security at Paul-Verlaine University in Metz and the University of Luxembourg. Common approaches for measuring attacks are honeypots and blackhole networks. Honeypots, on one side, are resources designed to be attacked and are popular for measuring attacks. On the other side there are blackhole networks, which are monitored, announced, unused IP address spaces, and which are currently popular for measuring botnet activities such as, recently, the activities of the Mirai IoT botnet. Other observations on both can be backscatter traffic and misconfigured systems, for example servers and routers, which often have default routes to the internet that someone forgot to remove or reconfigure. Different metrics are discussed in this work to assess misconfigured systems in raw packet captures. In this experimental research activity, a framework will be presented to measure these misconfigurations in near real time. A survey of information leak categories will be presented, pinpointing the protocols that need special care while being configured. The evaluation of the various detection techniques and heuristics will be presented with major focus on pcap processing tools. June 15, 2017 14:00-14:45. Last Update: August 8th, 2017. Christopher Payne (Target, US) Chris is a Director of Cyber Security at Target. In his role, Chris has responsibility for Incident Response, Compliance Monitoring, Adversary Simulation, and Cyber Hunting across the Target enterprise. In addition, Chris founded the annual cyber security conference GrrCON. Chris is a former adjunct professor and has earned a Master’s degree in Information Assurance, a Bachelor’s degree in Network Security, a Bachelor’s degree in Computer networking, and is currently finishing his MBA in Strategic Management from Davenport University. Chris has also achieved a myriad of industry certifications. 
Chris is an international speaker on information security topics and has been featured by multiple [...], radio, internet and print organizations. The demand for cyber security professionals has not kept pace with the sophistication and velocity of cyber criminal activity; and from all accounts the problem is going to get worse. The shortfall of cyber security skills is a major challenge to prevent, detect, and respond to these cyber attacks. To compound the problem, training programs and educational institutes fall further behind the demand every year, making our ability to find the right talent a difficult challenge that will likely continue for years to come. Creating a high performing cyber security team is an expensive and daunting task, but maybe it doesn’t have to be. In this presentation I will walk you through a 4 part professional development program that will help you pick, train, and retain the right people. Learn how to build a robust and sustainable cyber security talent pipeline without blowing your budget using the following framework. Framework: Battle Roster Assessment; Map of skills by position; Internal training & challenge schedule; Individual Development Plan. Battle Roster Assessment - The cyber security professional development plan consists of comprehensive lists of demonstrable skills required to successfully meet the standards of each position within Cyber Security. Team members are expected to work with their up line to document how they have demonstrated meeting each skill. Future work will include skills required for advancement into other teams. The quantitative assessment (Gauntlet) and a qualitative assessment (Capacity [...] of team member’s capacity to achieve [...] development goals. 
The percentage of points awarded in each area of the gauntlet is recorded and plotted to provide tactical guidance as to which trainings would be most advantageous for the team member to complete in order to meet current standards as well as career growth goals. Map of skills by position - The Gauntlet is broken into 5 skill groups that have been identified as critical to the Cyber Security program. These skill groups include: Reverse Engineering, Host Analysis, Network Analysis, General InfoSec, and Incident Investigations. These skills are outlined as demonstrable, not ethereal concepts. Internal training & challenge schedule - A large number of internal training opportunities and technical challenges are developed and provided to the team member to go above and beyond assigned development activities each year. Individual Development Plans - Individual development plans are developed for each team member to either address deficiencies or reinforce strengths. These plans will assist team members to have access to the training they need to be successful. June 12, 2017 14:00-14:45. Building a Product Security Team – The Good, the Bad and the Ugly - Lessons from the Field. Peter Morin (Forcepoint, CA) Peter is a frequent speaker on the subject of critical infrastructure protection, risk management, penetration testing, malware analysis and forensics and has presented at numerous events held by the HTCIA, Black Hat, PMI, Computer Security Institute, Interop, SANS, and ISACA. Peter is a frequent guest lecturer at numerous colleges and universities throughout North America and has also been featured in numerous newspapers and publications including SC Magazine. Peter is a Principal Cyber Engineer and Security Evangelist with Forcepoint, a Division of Raytheon where he is responsible for the overall security of their commercial and federal products. 
Peter is responsible for assisting in the architectural direction of Forcepoint’s products and also manages their Product Security Incident Response Team. Peter has over 20 years of in-depth information technology experience in the fields of enterprise computing and networking with an emphasis on IT security, application development, business continuity, incident response and forensics and has held senior management positions with Bell Canada (BCE), KPMG LLP and Ernst & Young LLP as well as worked with numerous tech start-up companies and various government and military agencies. Peter holds numerous security-related designations including the CISSP, CISA, CGEIT, CRISC, and GCFA. Ensuring that the products and services we build and deliver are as threat resistant as possible is extremely important today. Meeting this challenge is not just about building secure applications since we all know that rapid development of software as well as the evolution of threats and vulnerabilities can see our applications as secure today but vulnerable tomorrow. That is why having an established product security team and response capability is extremely important. During this discussion, I will discuss, using real-world examples, including that of my own, how organizations can meet the demands of product security including: Building a culture of security within your organization beyond firewalls and anti-virus; How to “sell” security to executive management and explaining what product security does and doesn’t do (i.e. staffing, budgets, etc.); 
Building and deploying software using the "DevOps" approach; The difficulties of wearing multiple hats, with security being one of them; Embedding “security” in the software development life cycle (SDLC); Establishing a proper security “response” program; Product vulnerability transparency and developing a disclosure policy; How to measure the success of your program; Establishing a bug bounty program. June 12, 2017 14:45-15:30. Last Update: August 8th, 2017.

Joseph Ten Eyck (Target Company, US) Joe Ten Eyck is currently a Lead Information Security Analyst in Target CSIRT, where he leads the efforts to build and improve their threat hunting project. Previous to joining Target he spent 15 years in the U.S. Army, the first 10 years of which he spent as a physical security expert before transitioning into Information Technology. He currently holds the following certifications: OSCP, GPEN, GWAPT, GCIH, and CISSP. The raw truth is that our adversaries continually change, grow, and modify their TTPs and with each iteration we have to grow with them. This inherently puts defenders behind the curve in catching our adversaries; we can't catch what we don't know about. This necessitates a way to promote the ability to rapidly modify and adapt our abilities to interact with attackers. Engaging attackers is often an expensive proposition, not only monetarily but also in context to time and resources. Without the ability to quickly iterate, provide lessons learned, and implement detection we will likely remain in a place of being too far behind. The solution often revolves around building a method for looking at truly unknown IOCs. However, if we can take our hunt processes and define a framework around those IOCs that enables rapid adaptions of the knowledge gained then we can quickly close the gaps as attackers pivot. This talk features a framework for leveraging a Maturity Model focused on building an advanced hunting infrastructure.
First it uses existing open source materials that create data sets and utilizes past instances to strengthen hunting procedures while leaving room for analyst growth. Second it defines a process to follow in applying knowledge, real time intelligence, and situational awareness while remaining flexible enough to catch emerging threats. Third it provides metrics and guidelines on how to grow the process in order to scale as the organization changes. June 13, 2017 14:45-15:30. Last Update: August 8th, 2017.

Peter Morin (Forcepoint, CA) Peter is a frequent speaker on the subject of critical infrastructure protection, risk management, penetration testing, malware analysis and forensics and has presented at numerous events held by the HTCIA, Black Hat, PMI, Computer Security Institute, Interop, SANS, and ISACA. Peter is a frequent guest lecturer at numerous colleges and universities throughout North America and has also been featured in numerous newspapers and publications including SC Magazine. Peter is a Principal Cyber Engineer and Security Evangelist with Forcepoint, a Division of Raytheon where he is responsible for the overall security of their commercial and federal products. Peter is responsible for assisting in the architectural direction of Forcepoint’s products and also manages their Product Security Incident Response Team. Peter has over 20 years of in-depth information technology experience in the fields of enterprise computing and networking with an emphasis on IT security, application development, business continuity, incident response and forensics and has held senior management positions with Bell Canada (BCE), KPMG LLP and Ernst & Young LLP as well as worked with numerous tech start-up companies and various government and military agencies. Peter holds numerous security-related designations including the CISSP, CISA, CGEIT, CRISC, and GCFA.
The same way canaries have been used to detect toxic gases in mines, the cyber-canaries are invaluable in detecting lateral movement on enterprise networks. With the constant barrage of breaches occurring today, organizations must focus on early detection beyond the walls of their network perimeter if they are to stave off attacks and further data loss. This presentation will discuss the following: Provide information on the use of honeypots, specifically Canaries to detect lateral movement on networks following a breach; Difference between traditional honeypots such as honeyd and canaries; Use-cases using OpenCanary with demonstrations and examples of attack scenarios including some well known breaches such as Target or Home Depot. June 15, 2017 11:15-12:00. Last Update: August 8th, 2017.

Change is the Only Constant: The Progression of Detection and Response at Google. Fatima Rivera (Google, US) Fatima is a Senior Security Engineer at Google and has been a member of the Security Team for the past 5 years. She leads the effort to bring Google level monitoring to acquisitions and Alphabet companies. Prior to joining Google, Fatima completed dual Masters in Computer Science and Information Security at The Johns Hopkins University. When she’s not defending the castle, she’s most likely trying to bake the perfect loaf of bread or binge watching TV. Detecting and responding to network anomalies is something that is done differently at every company. This talk gives an end-to-end overview of Google's approach, which relies heavily on dynamic in-house infrastructure and analytics for intrusion detection. This talk focuses on how Google processes data for intrusion detection, how this data is used across the different teams and how we use internal pentesting to strengthen our security posture.
It also discusses how Google’s approach compares to industry practices and trends, and discusses how we expect the art and science of detection to evolve in the future. June 13, 2017 11:15-12:00.

Aswami Ariffin (CyberSecurity Malaysia, MY) Dr. Aswami Ariffin is a digital forensic scientist with vast experience in security assurance, threat intelligence, incident response and digital forensic investigation. Aswami is active in research and one of his papers was accepted for publication in the Advances in Digital Forensics IX. Currently, Aswami is a VP of CyberSecurity Responsive Services Division at CyberSecurity Malaysia. In a threat landscape that is evolving rapidly and unpredictably, we recognize that many organizations need to protect their entire ICT environment against both external and internal threats. Cyber criminals utilize various approaches to compromise their targets, such as sophisticated mixes of phishing, social engineering and malware to name a few. Critical National Information Infrastructure (CNII) is crucial to a nation because the disruption of systems and communication networks could significantly impact the nation's economic, political, strategic and socio-economic activities. Successful cyberattacks on CNII organizations can have serious and cascading effects on others, resulting in potentially catastrophic damage and disruption. For many organizations, CSIRT/CERT is responsible for responding to cyber security incidents in order to minimize the effects of cyberattacks. In view of this, CSIRT/CERT around the world should collaborate in responding to incidents in a timely and coherent manner. One possible approach is to have a collaborative initiative in malware research and a threat information sharing system. CyberSecurity Malaysia has introduced the Malware Mitigation Project as a joint effort among Asia Pacific CERT (APCERT) and Organization of Islamic Cooperation (OIC) member countries to mitigate malware threats.
This paper presents a case study on collaborative malware research and a threat information sharing initiative amongst APCERT and OIC member countries. The case study presented in this paper highlights a malware threat analysis and findings from the Malware Mitigation Project led by CyberSecurity Malaysia. Such analysis provides early malware detection, whereby CNII organizations can take appropriate measures to react against malware threats. In addition, a trend landscape report is produced, which provides useful information for relevant stakeholders to protect their countries against the detrimental effects of malware intrusions and attacks. June 13, 2017 16:30-17:00. Last Update: August 8th, 2017.

Mark-David Mclaughlin (Cisco, US) Mark-David J. McLaughlin (MD) is the team lead of the Product Security Incident Response Team’s core group. In his 9 years with PSIRT, he has investigated thousands of security issues in Cisco products and services. In his current role, MD ensures the consistent execution of PSIRT processes while helping define the processes Cisco will use in the future to investigate and disclose security vulnerabilities in their products and services. When he is not working on PSIRT issues, MD can be found working on his PhD dissertation or teaching security concepts to undergraduate and MBA students. His research focuses on how organizations ethically respond to security incidents and his work has been published in books, academic journals, and presented at various conferences worldwide. Often, security teams do not have responsibility to remediate the vulnerabilities they discover and they must rely on other stakeholders to remediate them. Information Security (InfoSec) teams, Computer Security Incident Response Teams (CSIRT) and Product Security Incident Response Teams (PSIRTs) all must convince these stakeholders to commit some of their resources to perform related tasks.
For example, during the final stage of testing and bug fixing for a new software release, engineering and release management teams tend to emphasize reducing the backlog of key bugs, which include: Showstoppers; Teststoppers; Severity 1 bugs; Operationally-impacting bugs; Customer-found bugs; Highly vulnerable security bugs. Since key reliability bugs are far more frequently discovered than high impact security bugs, the tendency among our industry's engineering and release management teams (and, often, quality assurance teams) is to primarily focus on reliability, rather than security (except for the most critical security bugs). Inadequate fix prioritization of known security vulnerabilities that have not reached critical status is common among development teams in the software industry. ("Critical," here, is defined in terms of the likelihood of exploitability and resulting deleterious impact of the exploit). To ameliorate this situation, in May of 2015, Cisco PSIRT developed a Risk Index model to evaluate the visibility of each known vulnerability that has not yet been fixed. The calculations from this model are displayed on a risk dashboard and PSIRT started delivering regular risk reports to engineering Directors, VPs and SVPs regarding the status of outstanding security defects in their organization. These reports are sent to raise awareness about risk and enable business owners to take appropriate action to either mitigate or accept the risk based on valid business justifications. This initial Risk Index model includes, in addition to the CVSSv2 score, a linear combination of several other factors: Age of the bug, whether the bug has already been publicly disclosed, and product type.
The coefficients of all four of these independent variables in the model are based on executive opinion of business priorities, and have been empirically validated by comparing the outcome with the evaluation of vulnerabilities by senior incident responders. The risk communications initiative has worked well in practice and has resulted in a 50% reduction of unresolved product security defects across Cisco. While this session most directly helps vendor PSIRT teams communicate risk to product teams, other security teams such as InfoSec or CSIRT teams can use the information to build similar metrics to help prioritize unremediated security vulnerabilities in IT assets, cloud and/or architectures. After explaining the problem we were trying to solve, we start the meat of the session with an explanation of our risk index, how it is calculated, and the data modeling efforts that have gone into place to validate and extend the formula. As stated, the risk index parameters (severity, age, public knowledge, potential impact) are generic enough that they can be measured by several different factors which are relevant to the audience’s specific organization. We then talk about how we calculate the aggregate risk across the company in order to compare diverse business units (i.e. does a product with 300 low severity bugs have a lower security posture than one with 3 high severity vulnerabilities). This presentation concludes with a discussion of how the risk communication has been perceived by engineering teams, the impact it has had at Cisco, and how the recent adoption (Jan 2017) of Common Vulnerability Scoring System, version 3 (CVSSv3) has impacted the risk communications. June 13, 2017 11:15-11:45.
Carsten Willems (VMRay, DE), Frederic Besler (VMRay, DE) Frederic Besler received his MSc in computer science / IT-security at the Ruhr-University of Bochum. Since the formation of VMRay in 2013 he has been actively researching sandbox evasion techniques found in-the-wild, novel detection methods, and remedies to prevent detection. His personal interests lie in reverse engineering, vulnerability research, and symbolic execution. Carsten Willems is the original developer of CWSandbox, a commercial malware analysis suite that was later renamed to GFI Sandbox, and now Threat Analyzer by ThreatTrack Security. He is a pioneer in creating commercial software for dynamic malware analysis, and is one of the experts in this field worldwide. He achieved his Ph.D. in computer science / IT-security at the Ruhr-University of Bochum in 2013 and has more than 15 years of experience in malware research and software design. He already founded several companies, assisted many companies in IT-security related operations and regularly gives presentations at academic and industry conferences. Automated behavior-based malware analysis is the core function of security solutions defined as “network sandboxing”. It came to the fore for analyzing and detecting advanced threats over a decade ago. Back then, malware authors had already found ways to evade tools like traditional antivirus, which rely on static analysis, by using techniques such as polymorphism, metamorphism, encryption, obfuscation and anti-reversing protection. Malware analysis sandboxes are now considered the last line of defense against advanced threats. It is important to note, however, that the success of behavior-based malware detection hinges on the behavior exhibited by the file during analysis. If, for some reason, no malicious operations are performed by the file during the analysis, the sandbox concludes that the file under examination is benign.
Malware authors are always looking for new, innovative ways to evade sandbox detection by concealing the real behavior of malicious files during analysis. In order to cope with the omnipresent threat posed by malware, we must upgrade our defensive tools to succeed in the ongoing cat-and-mouse game of evasion and detection. We therefore must understand what evasion techniques are successfully employed in the wild. This presentation provides an overview of the state-of-the-art evasion approaches used by malware. We divide these approaches into three categories and explore the various evasion techniques associated with each of these: Evasion by detecting the presence of a sandbox: The first approach uses several techniques to detect the existence of a sandbox. Once a malicious file determines that it is being executed in a sandbox, it alters its behavior in an effort to avoid being detected. Evasion by exploiting weaknesses in the underlying sandbox technology: The second approach directly exploits weaknesses in the underlying sandbox technology or in the surrounding ecosystem. Evasion using time, event or environment based triggers: The third approach exploits the natural shortcomings arising from the fact that sandboxes are automated systems. In an effort to deal with the sheer volume of malware, sandboxes usually only spend a few minutes analyzing each file. By delaying the execution of a malicious payload by a certain amount of time, only becoming active on certain triggers, etc., malware can remain undetected. June 2017, 17:00-17:30. Last Update: August 8th, 2017.

Riccardo Tani (Si Cyber Consult, AE) Riccardo is currently Head of SI-Consult DFIR Middle East Practice.
As a seasoned and passionate Cyber Security Expert, he possesses over 15 years of combined experience in Cyber-Physical Security Operations with focus on Digital Forensics, Incident Response, Security Monitoring and OSINT. Riccardo’s prior experience includes leading the McAfee Global SOC in Ireland and USA, CSIRT Manager servicing the Italian National Social Security Institute, and Digital Forensics Expert Witness for Various Law Enforcement Agencies and Courts in Italy. After weeks working on a complex Investigation, an apparently ordinary IT [...] will suddenly shake the Incident Response Team with one of its members directly targeted by a Criminal Organization. A real Cyber Attack narrated from the eyes of the Incident Handler to show the CSIRT reaction in case of an out-of-the-playbook Incident. June 12, 2017 11:15-12:00.

Kyle Wilhoit (DomainTools, US) Kyle Wilhoit is a Sr. Security Researcher at DomainTools. Kyle focuses on researching DNS-related exploits, investigating current cyber threats, and exploring attack origins and threat actors. More importantly, he causes pain to cyber criminals and state sponsored entities worldwide. Prior to joining DomainTools, he worked at Trend Micro as a Sr. Threat Researcher with a focus on original threat, malware, vulnerability discovery/analysis and criminal activity on the Internet. Previous to his work at Trend Micro, he was at FireEye hunting badness and puttin' the bruising on cyber criminals and state sponsored entities as a Threat Intel guy. Kyle is also involved with several open source projects and actively enjoys reverse engineering things that shouldn't be. Kyle has spoken on 4 continents at professional conferences such as Blackhat US, Blackhat EU, FIRST, and Hack in the Box.
He has been featured as an industry expert on several news outlets including ABC, CNN, CBS News, NBC News, BBC, The Guardian, and many additional outlets. Terrorists have found novel ways to circumvent typical security controls. Examples of these activities come in many forms and can be found everywhere—from using vulnerabilities in software, websites, and web applications as attack vectors, defacing websites to further their political or ideological viewpoints, all the way to utilizing social networks to convey their messages. No matter what technology or service rolls out in the future, there will always be room for abuse. Terrorist organizations, while taking plays from organized cybercrime or state sponsored entities, are completely different than their counterparts in their methods, ideologies, and motivational factors. Looking closer at terrorist ecosystems, we attempt to understand terrorist organizations' abuse of technology and online platforms to benefit their cause. We will focus on their methodologies, their use of the "darkweb", the services they abuse, and the tools they’ve homebrewed to streamline said abuse so that their followers can facilitate their activities much more easily. We will also track financials on the "deep web" attempting to locate financial records of these organizations while also attempting to understand how these organizations are leveraging the "deep web." We will dive deeply into each of the technologies and how they are used, showing live demos of the tools in use. June 12, 2017 14:00-14:45.

Deep Learning for Incident Response: Predicting and Visualizing Cyber Attacks Using Open Data, Social Media and GIS. Anne Connell (CERT, US) Anne Connell received her MS from the Carnegie Mellon University School of Computer Science and is a cybersecurity engineer and researcher at the Software Engineering Institute.
She has made a significant impact in certifying the already remarkable reputation the SEI and CERT enjoy among the federal law enforcement community. Anne’s focus is to build methodologies and applications, and define workflows and frameworks that are suited to the needs of SEI sponsors. The wealth of information provided by the continuous streams of data has paved the way for life-changing technological advancements, improving the quality of life of people in many ways, from facilitating knowledge exchange to monitoring of all aspects of behavior and health. Moreover, the analysis of anonymized and aggregated large-scale human behavioral data offers new possibilities to understand global patterns of human behavior and help decision-makers tackle problems of society. There have been some incredible applications of Deep Learning with respect to image recognition and machine translation. In this presentation, we propose the societal benefit of public safety derived from Deep Learning applications with a focus on cyber attack prevention. First, we introduce the developing new research area of Deep Learning for Incident Response and in particular, how it can be used to fight cyber attacks in Chicago, Illinois. The great advantage about Chicago is that it is an open data city, which means anyone can access city data ranging from transportation information to building maintenance records, and many other publicly available city-specific datasets to employ. Next, we detail a case study of tackling the problem of cyber incident hot-spot predicting, i.e. the projection of which agencies, organizations, or services in a city are more or less likely to witness cyber incidents based on past data.
In the proposed approach we use historical cyber incident data from Chicago and join this data with other external data, such as weather and socioeconomic factors, along with human mobility characteristics as derived from anonymized and aggregated mobile network infrastructure, in combination with basic demographic information. Then, we reveal our application, “Pronto”, which provides a visualization of the many data feeds to filter and map the activity and allow the patterns to emerge. The hypothesis that historic crime data (filtering for cyber incidents), socioeconomic factors, aggregated human behavioral data captured from the mobile network infrastructure, in combination with basic demographic information, can be used to predict cyber incidents is supported in our findings. Our model builds on and is evaluated against real cyber incident data from Chicago, and obtains an accuracy of almost 74% when predicting whether an area in the city will be a cyber event hotspot in the following month.

I. Introduction

The transition of data from being a scarce resource to a massive and real-time processed stream is rapidly changing the world we live in, challenging and often subverting long lasting paradigms in a broad range of domains. The areas of finance, economics, politics, journalism, medicine, biology, healthcare, research, etc., have all been affected by deep learning. The almost universal adoption of the mobile phone and the exponential growth of internet services has led to the existence of unprecedented amounts of data about human behavior. In this context, it is important to distinguish between two use cases when it comes to deep learning: the first is personal data applications, where data of (anonymized) individuals are analyzed at the individual level to build computational models of each person to provide personalized services or adapt to the interaction.
In this use case, privacy, transparency, and accountability are key elements that need to be taken into account; the second is aggregate data applications, where aggregated and anonymized data of individuals are analyzed collectively to be able to make inferences about large-scale human behavior. In our scenario, as long as the level of aggregation is sufficiently large, no data can be traced back to any individual and hence there are minimal privacy concerns. The effort presented in this paper falls into the context of aggregated data within the developing research of Deep Learning for Incident Response to positively affect policy and society. Although still in its developing stage, the area of Deep Learning for Incident Response has gone through a rapid phase of growth in a short period of time, driven by key research studies on mapping the propagation of diseases such as the Zika virus, monitoring socio-economic deprivation, predicting human emergency behavior, detecting the impact of natural disasters such as floods, and also driven by organizations such as the United Nations Global Pulse, Data-Pop Alliance, and Flowminder.org. A recent report from the United Nations Global Pulse discussed the challenges and opportunities of using Deep Learning for societal challenges and proposed a three-tier taxonomy of uses: “real-time awareness”, “early warning”, and “real-time feedback”. A subsequent paper on the specific case of Big Data for conflict prevention distinguished its ‘descriptive’ (i.e. maps), ‘predictive’ (i.e. forecasting), and ‘prescriptive’ (i.e. causal inference) functions. June 16, 2017 11:15-11:45.

Aaron Shelmire (SecureWorks, US) Aaron Shelmire began his professional security career when he was pulled into responding to the Stakkato incident.
Since then he slapped together some open source IDS stuff, attended graduate school for information security at Carnegie Mellon University, worked at CERT/CC, then SecureWorks, then some startups, and now SecureWorks, again. He is driven by the challenge of computer-to-computer combat, and revels in evicting adversaries. Counter Threat Unit researcher Phil Burdette showcases the top 5 ways targeted threat actors dodge, dip, duck, dive, and dodge traditional security controls. Participants are exposed to real world examples from incident response engagements where adversaries explicitly try to avoid and hide from network defenders during actions on objective. They do this by “living off the land” using native Windows tools like PowerShell and WMI to move laterally and launch in memory only implants. Threat actors will also operate in blind spots by deploying virtual machines that lack security controls or collection instrumentation. To cover their tracks, adversaries will delete forensic artifacts from the registry and clear web or event logs from the system. Would you detect these defensive evasion and forensic countermeasure tactics in your environment?