SANS Digital Forensics and Incident Response Summit Agenda 2013
#DFIRsummit
Tuesday, July 9, 2013

7:00am - 8:00am
Registration | Networking Breakfast
Presented By

8:00am - 8:10am
Welcome and Introduction to the 2013 Digital Forensics and Incident Response Summit
Rob Lee & Alissa Torres - Summit Chairs, Digital Forensics and Incident Response Summit

8:10am - 9:10am
Digital Forensics and Incident Response Summit - Keynote Address - TBA

9:10am - 9:20am
Networking Break

9:20am - 10:20am
Room 1 - Title: File system journaling forensics theory, procedures and analysis impacts
David Cowen with Matthew Seyer, G-C Partners, LLC
Room 2 - Title: Mining for Evil
John McLeod - Manager, Incident Response Team
Mike Pilkington - Senior Consultant, Incident Response Team

10:20am - 10:40am
Networking Break

10:40am - 11:40am
Room 1 - Title: The “Trusted” Insider Theft of Intellectual Property and Trade Secrets
Warren G. Kruse II - VP, Altep, Inc.
Michael Barba - Managing Director, BDO
George Wade - Senior Manager, Booz Allen
Room 2 - Title: Volatile IOCs for Fast Incident Response
Takahiro Haruyama - Forensic Investigator, Internet Initiative Japan Inc.

11:40am - 12:40pm
Lunch & Learn
Presented By

12:40pm - 1:40pm
Room 1 - Title: Johnny AppCompatCache: the Ring of Malware
Jeff Hamm - Senior Consultant, MANDIANT
Mary Singh - Senior Consultant, MANDIANT
Room 2 - Title: iOS Device Forensics on a Budget
Brian Moran - Digital Forensic Analyst, CyberPoint, LLC
1:40pm - 2:40pm
Room 1 - Title: (Mostly) Open Source DFIR – A Toolkit for End-to-End Investigations
David Kovar - Manager, Advisory Center of Excellence, Ernst & Young
Room 2 - Title: Offence informs Defense, or does it?
Jeff Brown - Director of Cyber Operations, Cyber Clarity
2:40pm - 3:00pm
Networking Break

3:00pm - 4:00pm
Room 1 - Title: Open Source Threat Intelligence
Kyle Maxwell - Senior Analyst, Verizon Business
Room 2 - Title: Cyber Nightmares: Red October & Shamoon
Harold Rodriguez - Malware Reverse Engineer, General Dynamics Fidelis Cybersecurity Solutions

4:00pm - 5:00pm
Room 1 - Title: Automating Malware Analysis with Cuckoo Sandbox
Claudio Guarnieri - Security Researcher, Rapid7
Room 2 - Title: "My name is Hunter, Ponmocup Hunter"
Tom Ueltschi - Security Officer, Swiss Post

5:00pm - 6:00pm
Room 1 - Title: Hunting Attackers with Network Audit Trails
Tom Cross - Security Researcher, Lancope
Charles Herring - Security Researcher, Lancope
Room 2 - Panel Title: Women in DFIR Panel
Stacey Edwards
TBA
TBA
TBA
Wednesday, July 10, 2013

7:00am - 8:00am
Networking Breakfast
Presented By

8:00am - 8:30am
Title: Forensic 4Cast Awards
Lee Whitfield - Director of Forensics at Digital Discovery - http://forensic4cast.com

8:30am - 9:30am
Room 1 - Title: Autopsy 3: Extensible Open Source Forensics
Brian Carrier - VP of Digital Forensics, Basis Technology
Room 2 - Title: Timeline Analysis by Categories
Corey Harrell - IT Specialist III, New York Office of the State Comptroller

9:30am - 10:30am
Room 1 - Title: Detecting data loss from cloud synchronization applications
Jake Williams - Principal Consultant, CSRgroup Computer Security
Room 2 - Title: A Day in the Life of a Cyber Tool Developer
Jonathan Tomczak - Chief Information Officer, TZWorks, LLC

10:30am - 10:50am
Networking Break

10:50am - 11:50am
Room 1 - Title: Proactive Defense
Adam Meyers - Director of Intelligence, CrowdStrike, Inc
Room 2 - Title: The 7 Sins of Malware Analysis
Dominique Kilman - Malware Analyst, KPMG LLP

12:00pm - 1:00pm
Lunch & Learn
Presented By

1:00pm - 2:00pm
Room 1 - Title: Plaso – Reinventing the Super Timeline
Kristinn Gudjonsson - Senior Security Engineer, Google
Room 2 - Title: Facilitating Fluffy Forensics (a.k.a. Considerations for Cloud Forensics)
Andrew Hay - Chief Evangelist, CloudPassage, Inc.
2:00pm - 3:00pm
Room 1 - Title: Timeline creation and review, GUI style!
David Nides - Manager, Forensic Technology Services, KPMG LLP
Room 2 - Title: Building, Maturing, and Rocking a Security Operations Center
Brandie Anderson - Manager, Security Operations Center and Security Delivery Operations, Hewlett-Packard

3:00pm - 4:00pm
Room 1 - Title: ICS, SCADA, and Non-Traditional Incident Response
Kyle Wilhoit - Threat Researcher, Trend Micro
Room 2 - Title: Restoring Credential Integrity after an Enterprise Intrusion
James Perry - Lead Associate, Booz Allen Hamilton
Anuj Soni - Lead Associate, Booz Allen Hamilton

4:00pm - 4:20pm
Networking Break

4:20pm - 5:30pm
DFIR SANS360
In one hour, 10-12 Digital Forensics and Incident Response experts will discuss the coolest forensic technique, plugin, tool, command line, or script they used in the last year that really changed the outcome of a case they were working on. If you have never been to a lightning talk, it is an eye-opening experience. Each speaker has 360 seconds (6 minutes) to deliver their message. This format allows SANS to present 10-12 experts within one hour, instead of the standard one presenter per hour. The compressed format gives you a clear and condensed message, eliminating the fluff. If the topic isn't engaging, a new topic is just 6 minutes away.
1. Don't be a script kiddie - Kyle Maxwell, Verizon
2. Hunting and Sniper Forensics - Jason Lawrence
3. Incident Readiness - Top 10 Keys to a Successful Forensic Investigation - J Jewitt
4. Social Media Forensics - Brian Lockrey
5. Finding Evil Everywhere: Combining host-based and network indicators - Alex Bond
6. Chasing Malware, Not Rainbows - Frank McClain
7. Raising Hacker Kids - Joseph Shaw
8. TBA - Hal Pomeranz
9. A Decade of Trends in Large-Scale Financial Cyber Breaches - Ryan Vela
10. Reconstructing Reconnaissance - Mike Sconzo
11. Advanced Procurement Triage - Michael Ahrendt

5:30pm - 5:40pm
Summary & Closing Remarks
Rob Lee & Alissa Torres - Summit Chairs, Digital Forensics and Incident Response Summit
Session Information
Title: File system journaling forensics theory, procedures and analysis impacts
Presenters: David Cowen with Matthew Seyer
Abstract: Journaled file systems have been a part of modern file systems for years, but the science of computer forensics has approached them mainly as a method of recovering deleted files. In this talk we will outline the three major file systems in use today that utilize journaling (NTFS, EXT3/4, HFS+) and explain what is stored and its impact on your investigations. We will demonstrate tools for NTFS and EXT3/4 that allow us to:
■ Recover data hidden or destroyed by anti-forensics
■ Recover previously unrecoverable artifacts
■ Trace all file system movements and actions of malware
■ Explore the possibility of entirely new analysis techniques
We end with a review of HFS+ and the future of file system forensics in relation to journals and new file systems such as ReFS.
Biography
David Cowen, CISSP, is a partner at G-C Partners, LLC based in Dallas, Texas. Mr. Cowen is one of the authors of Hacking Exposed: Computer Forensics (first and second editions), the third edition of the Anti-Hacker Toolkit, and the upcoming 'Computer Forensics, A Beginner's Guide', all from McGraw Hill. Mr. Cowen is also the author of the popular Hacking Exposed Computer Forensics Blog and a graduate of the University of Texas at Dallas with a B.S. in Computer Science. Mr. Cowen is the captain of the National Collegiate Cyber Defense Competition's Red Team. Mr. Cowen has been working in computer forensics since 1999 and information security since 1996, acting as an expert witness in civil cases around the nation. Working as a computer forensic expert, Mr. Cowen has assisted Fortune 500 companies across the United States and the world in dealing with civil litigation and internal investigations.
Title: Mining for Evil
Speaker Name(s): John McLeod; Mike Pilkington
Speaker Titles: Manager, Incident Response Team; Senior Consultant, Incident Response Team
Abstract:
Microsoft’s System Center Configuration Manager (SCCM), formerly Systems Management Server (SMS), can be a gold mine when hunting for evil. During a response it can provide valuable information of what was executed on the host system. This presentation will provide an understanding of SCCM, host artifacts, scripts and tips to find targeted threats in your enterprise. Although this presentation details SCCM, the concepts can be used on similar configuration-management platforms.
The second part of this presentation will delve into the finer points of Windows log file analysis. Properly configured Windows logging can provide a wealth of information, making the jobs of both proactive intrusion detection and reactive incident response faster and more effective. We’ll discuss a number of tips and techniques for implementing a strong logging policy and for analyzing the resulting logs for evidence of compromise.
Biographies:
John is a Manager at a Fortune 500 company, responsible for IT Security Defense services. He has engaged and neutralized targeted threats since the 90's, beginning while serving with the Air Force Office of Special Investigations as a Computer Crime Investigator. He holds a Master's degree in Network Security and various certifications. He is a recognized subject matter expert in Computer Crime, Incident Response and Digital Tradecraft. He was involved in many high-profile investigations, including Operation Aurora, the TJX hacking incident, Solar Sunrise, Moonlight Maze and Titan Rain. He conducted digital media exploitation in Kosovo, Iraq and Afghanistan.
Mike Pilkington is a Senior Security Consultant for a Fortune 500 company in the oil & gas industry. He has been an IT professional since graduating in 1996 from the University of Texas with a B.S. in Mechanical Engineering. Since joining his company in 1997, he has been involved in software quality assurance, systems administration, network administration, and information security. Mike currently serves as a lead responder on the company's intrusion detection and incident response team. Outside the office, Mike has been involved with the SANS Institute as a mentor and instructor, leading classes in computer forensics and wireless security.
Title: The “Trusted” Insider Theft of Intellectual Property and Trade Secrets
Speaker Name(s):
Warren G. Kruse II, VP, Altep, Inc.
Michael Barba, Managing Director, BDO
George Wade, Senior Manager, Booz Allen
Abstract
As company downsizing becomes more prevalent in today's economic downturn, businesses are increasingly vulnerable to the pirating of Intellectual Property by current and former employees. Learn how to mitigate these risks as one of the former lead investigators of the “Comtriad” investigation shares the story for this discussion. See how Warren Kruse, George Wade, and Michael Barba became aware of a potential issue, developed a strategic approach, assessed potential damages, and developed leads using forensic and network technologies, which led to the arrest of three foreign nationals attempting to appropriate Intellectual Property valued in excess of one billion dollars. This investigation garnered worldwide attention and received the High Tech Criminal Investigative Association's (HTCIA) Case of the Year award.
Hear how computer and network forensics, along with current technologies and with a little luck, aided this investigation.
Biography
Warren is a vice president with Altep Inc., a national provider of e-discovery and computer forensic services. He has spent the last twenty-five years in law enforcement and as a consultant supporting various agencies with incident response, computer forensics and eDiscovery. He is the President of the Digital Forensics Certification Board (www.DFCB.org). He is the author of “Computer Forensics: Incident Response Essentials”, and has supported incident response projects across a wide range of major U.S. corporations and agencies. In addition, he led a team of computer forensic experts in a three-year engagement in support of a fraud investigation task force at the world’s largest international cooperative organization. He was the eDiscovery expert for AMD in the AMD versus Intel antitrust lawsuit; led the forensics on the billion dollar "Comtriad" theft of Intellectual Property and Trade Secrets; and testified as a computer forensic expert for the US Securities and Exchange Commission (SEC).
Title: Volatile IOCs for Fast Incident Response
Speaker Name: Takahiro Haruyama
Speaker Title: Forensic Investigator
Company: Internet Initiative Japan Inc.
Abstract:
Incident response against malware infection generally takes a long time for memory forensics, disk forensics and malware analysis. It's desirable to find and identify malware at an early stage by performing memory forensics, but it requires expert knowledge about malware. In this session, I show "volatile IOCs (Indicators of Compromise)" to detect some famous malware (e.g., ZeuS, SpyEye, Poison Ivy) in physical memory images. By using the IOCs, anyone can pinpoint the type of malware without disk forensics and malware analysis. Audiences can also grasp the techniques of fast malware triage. Specifically, I explain how to define volatile IOCs using OpenIOC, an extensible XML schema for describing the technical characteristics of known threats. Some IOCs are already available on the Internet, but most of them are difficult to reuse and need non-volatile information such as file hash values and file names. The volatile IOCs introduced in this session can identify malware, including its variants, based only on volatile evidence such as header signatures of data structures, deobfuscated strings and signs of code injection in memory.
Biography:
Takahiro Haruyama, EnCE, is a forensic professional with over seven years of extensive research experience and knowledge in intrusion detection, authentication, VPN, digital forensics and malware analysis. He is the author of memory forensic EnScripts such as Raw Image Analyzer (previously known as Memory Forensic Toolkit) and Crash Dump Analyzer. He has also spoken at several conferences about digital forensics and computer security, including Black Hat Europe, The Computer Enterprise and Investigations Conference (CEIC), RSA Conference Japan and the FIRST Technical Colloquium.
Title: Johnny AppCompatCache: the Ring of Malware
Speaker Name(s): Jeff Hamm & Mary Singh
Speaker Title: Senior Consultants
Company: MANDIANT
Abstract:
In 2012, MANDIANT investigators determined that a registry key, AppCompatCache, maintained a list of executable files. The structure also contained dates and timestamps. Researching the structure indicated that it belonged to the Windows Application Compatibility Database. The structure itself contains full file paths, date and time information, file sizes, and in some versions of Windows, an execution flag. A MANDIANT consultant, Andrew Davis, wrote a Python script that is able to extract the information from the various versions of the Application Compatibility Database. With this tool and knowledge, MANDIANT has been able to enhance their investigations by determining that executable files were on a system and putting time or chronological context to the investigation where none had existed before. This paper and discussion will examine the structure of the database across the various versions of Windows, will discuss why many Windows registry analysis tools fail to see the structure’s data, and will provide examples of case work that illustrate why the analysis of the Application Compatibility Cache has become a regular process in MANDIANT investigations.
Biographies:
Jeff Hamm is employed with MANDIANT as a Senior Consultant where he conducts forensic examinations and incident response. Response and examinations range from a single host to over 100,000 hosts on a network. He also works part-time as an adjunct lecturer at Gjøvik University College in Gjøvik, Norway. There he provides intense practical labs based on real world computer forensic incidents using both Windows and Linux hosts and attackers. He was a Deputy with the Oakland County Sheriff’s Office in the State of Michigan, USA for over 11 years. He worked four years with the Sheriff’s Office as a Computer Crimes Detective and Forensic Examiner and three years as a first-line supervisor (Sergeant). Jeff has significant training in the computer forensic field and obtained his CFCE (Certified Computer Forensic Examiner) in 2003. He obtained his ACE (AccessData Certified Examiner) in 2008, his EnCE (EnCase Certified Examiner) in 2010, and his GCFA (GIAC Computer Forensic Analyst) in 2010. He has been instructing in the field of computer forensics since 2004 at IACIS (The International Association of Computer Investigative Specialists).
Mary Singh is a Senior Consultant with Mandiant with over ten years of experience in information security. Ms. Singh specializes in forensic analysis, location of information exposure, and EnCase forensic software. She has experience in military information operations, intrusion detection and incident response, and identified specific military and engineering data targeted at several major defense contractors. In a recent investigation, she discovered a malicious driver that was unknowingly being hosted and distributed from a legitimate website. In the military and as a consultant, Ms. Singh developed both network and host level indicators of compromise. She shares her experience and knowledge by teaching courses on network investigative techniques and incident response, most recently at Black Hat USA 2012. She also presented the past two years at the DoD CyberCrime Conference, sharing the latest methods to “find evil” with law enforcement, federal government, and industry.
Title: iOS Device Forensics on a Budget
Speaker Name: Brian Moran
Speaker Title: Digital Forensic Analyst
Company: CyberPoint, LLC
Abstract
The prominence of mobile devices has exploded in recent years, and rapid mobile device growth is expected to continue over the next several years. Many companies have created solutions to perform forensic analysis on these devices; however, these tools are often very expensive and may be cost prohibitive for many companies and/or agencies to purchase. This talk will cover ways that an examiner can perform some forms of forensic analysis on iOS devices while utilizing open source or very cheap tools. The methods and techniques demonstrated in this presentation allow an examiner to perform analysis on iOS devices, but they can be utilized for other phone operating systems as well.
Biography
Brian Moran is currently employed by CyberPoint, LLC as a digital forensic analyst. Mr. Moran was hired by CyberPoint in 2012 following a brief stint at cmdLabs after spending 13 years in the United States Air Force. He has spent the past 10 years working in the mobile device and incident response/digital forensics career fields. His first DFIR experience came during a 2004 deployment to Mosul, Iraq. He returned to Iraq in 2006 to serve in a support role performing digital forensics in support of detainee operations. He was a co-winner of the 2012 Unofficial Forensic 4cast Awards under the "Best Photoshop of Lee Whitfield" category. He currently resides in Maryland where he enjoys photography, pandas, outdoor activities, and attending Orioles games.
Title: (Mostly) Open Source DFIR – A Toolkit for End-to-End Investigations
Presenter: David Kovar
Title: Manager, Advisory Center of Excellence
Company: Ernst & Young, LLC
Abstract:
We are entering a “golden age” of incident response investigations. After many years of being outgunned and depending mostly on expensive tools to fight back, a wide range of open source tools and powerful low cost applications are coming on line. Look at the Collective Intelligence Framework, Google’s Rapid Response, Malformity, foorep, and plaso to name a few. We will spend most of the session taking a close look at some significant tools and how they contribute to a well-run incident response effort. We will close with a quick run through a number of other tools that you might want to investigate.
● Google Rapid Response – We heard about GRR at the Summit last year. Is it ready for prime time? How can you instrument, monitor and investigate a global enterprise with an open source tool?
● Maltego with Malformity – Using Maltego to conduct open source investigations of malware, network indicators, and threat actors. There are some very interesting transforms coming out to help shape Maltego for incident response.
● Foorep – You need to organize, categorize, and share your evidence. Foorep handles a lot of the static analysis, presents the results well, enables the analyst to annotate the samples, and facilitates sharing of samples and intel.
● Yara/OpenIOC/Stix – You’ve got a piece of malware, great. Now, how do you find it in the wild? Or, find things like it? Or find things that behave like it? Despite claims to the contrary, signatures and IOCs provide a lot of IR value, even if you’re just using them to share intel.
● Collective Intelligence Framework – “A framework for warehousing intelligence bits.” So you’ve got your malware all tidied up in a malware zoo. What about the rest of your data? CIF doesn’t get it all, but it goes a long way to collect, normalize, and report on threat intel from a variety of feeds.
At the end of the session you should have enough information to go home and stand up a pretty impressive incident response toolkit capable of meeting many needs in a large enterprise at the cost of your time and some hardware.
Bio:
David Kovar is a manager in Ernst & Young’s Advisory Center of Excellence where he develops and offers operational services in the digital forensics and incident response space. He has also been an entrepreneur, ediscovery consultant, software engineer, search and rescue incident commander, executive protection agent, and a lethal forensicator. He’s collected images in China, rescued wayward Americans in Australia, and fenced with APT actors from all over the world.
Title: Offence informs Defence, or does it?
Speaker Name: Jeff Brown
Speaker Title: Director of Cyber Operations
Company: Cyber Clarity
Abstract:
This presentation will look at various highly publicized attack campaigns (CVE-2011-0609, CVE-2012-1535 and CVE-2012-4792) and reveal the behavioral characteristics found in each one. Attack methodologies and defensive measures will be explored in the malware, the memory artifacts and the network traffic signatures. The idea is to enumerate features of the attacks to supplement defensive operations, and this can only be accomplished through intelligence derived from the campaigns. Open source intelligence can be a great source of data on present-day attacks and can yield volumes of threat data in a timely fashion. All of these facets will be combined and fused into a process that can make it more difficult for the attacker to succeed and help defenders elevate their awareness.
Biography:
Jeff Brown has over twelve years’ experience in information technology, with over seven years in computer network defense and cyber threat intelligence. He has worked in various large-scale security operations centers where he augmented analytical capabilities, advised leadership on security architecture and conducted trainings/briefings for constituents across multiple sectors. Previous experience includes advancing analytics at US-CERT by bringing passive DNS database access to analysts, conducting various training classes on current attack trends for security analysts, and briefing organizations such as the FS-ISAC, FIRST, the DHS SOC, various other federal agencies and law enforcement on elements of APT and cybercrime. He has developed curriculum and taught classes on information assurance for Regis University and cyber warfare (attack/defense) at George Washington University.
Title: Open Source Threat Intelligence
Speaker Name(s): Kyle Maxwell
Speaker Title: Senior Analyst
Company: Verizon Business
Abstract:
Organizations can no longer rely purely on general, preventive controls. Instead, defenders must continually adapt to their adversaries, including using threat intelligence as appropriate. This talk will examine a number of tools and sources of “open source” intelligence (OSINT) focusing on network indicators, malware, and threat actor tracking. We will also look at how to extend and integrate these tools and sources with existing common technologies for already-stressed incident response teams.
Biography:
Kyle Maxwell is a senior network security analyst for Verizon Business on the RISK Intel team, producing unclassified threat intelligence for private and public sector clients as well as supporting field investigators. He writes a blog on threat intelligence and network security at ThreatThoughts.com. Previously, he led the incident response team at Heartland Payment Systems and performed digital forensics for clients across the United States at several private investigation firms. Mr. Maxwell holds a degree in Mathematics from the University of Texas at Dallas.
Title: Cyber Nightmares – Operation Red October and Shamoon
Speaker Name(s): Harold Rodriguez
Speaker Title: Malware Reverse Engineer
Company: General Dynamics Fidelis Cybersecurity Solutions
Abstract
The presentation will cover potential delivery methods used to infect the victim hosts and networks of the two most recent malware attacks—Shamoon and Red October. The presentation will also explore some of the implementation and obfuscation techniques that might explain how the malware used in the Red October operation was reportedly undetected for several years. During the live analysis of these pieces of malware, the attendees will be exposed to a series of tools used for malware analysis together with suggestions on report writing.
Biography
Mr. Rodriguez received a MS EE from Johns Hopkins University. He has about seventeen (17) years of experience in the engineering field. Mr. Rodriguez worked as a Federal employee in the MD area. After that, Mr. Rodriguez worked as a contractor for a customer in the Fort Meade area and at the Defense Cyber Crime Center (DC3). At DC3, Mr. Rodriguez was involved in the areas of Research & Development, Network Intrusions, Computer Forensics, and Malware Analysis/Reverse Engineering.
Title: "Malware is for the Bad, Automation the Good... don't be the Ugly." "Automating Malware Analysis with Cuckoo Sandbox"
Speaker Name: Claudio Guarnieri
Speaker Title: Security Researcher
Company: Rapid7
Abstract:
Corporations, governments and organizations of any sort have the growing need to digest hundreds of thousands of malicious artifacts every day. Be it for incident response, preemptive analysis or just to collect intelligence, we are all having a hard time keeping up the pace. Cuckoo Sandbox is open source software that enables you to easily automate the process of analyzing your feeds of malware samples and start collecting actionable threat data. In this presentation we will walk through the different unique features of this tool, learn how to use it and customize it, and hopefully take some sweat off of you and guide you to the light of automation.
Outline:
- The battle against the malware
- The need for automation
- Introduction to Cuckoo Sandbox
- Typical usage of Cuckoo
- Customizing Cuckoo to achieve great things
- Make sense of automated malware analysis
- Tips from the open source world
- Conclusions
Bio:
Claudio is a Security Researcher at Rapid7. He started messing with malware and needing tools to do it and out of despair and boredom ended up making such tools himself. As a result he created Cuckoo Sandbox, an open source malware analysis system, and Malwr.com and started violently advocating for open source in the security industry. Eventually he made of fighting malware and botnets his mission and fantasizes of changing the Internet as a core member of The Shadowserver Foundation and of The Honeynet Project. He presented at several international conferences and he brags that some of his tackles on cybercrooks were featured on the likes of Bloomberg and the New York Times. He can be found ranting on Twitter as @botherder.
References:
http://www.cuckoosandbox.org
http://www.malwr.com
http://www.honeynet.org
http://www.shadowserver.org
Title: "My name is Hunter, Ponmocup Hunter"
Speaker Name: Tom Ueltschi
Speaker Title: Security Officer
Company: Swiss Post
Abstract:
In early 2011 we discovered some botnet malware infected systems in our network. Starting from one A/V event we discovered several host- and network-based indicators to identify and confirm several infections. A brief high-level overview of the security architecture will help you understand how the indicators could be found and searched for. With a one-strike remediation all infected systems were quarantined and cleaned. A few weeks later the sinkholing of several known C&C domains showed the botnet was very big (several million bots). Quickly I got obsessed with analyzing and hunting this malware, which could infect fully patched systems without using exploits (only social engineering) and protected by firewalls, IPS and multi-layered A/V. The malware got some visibility and media attention in June 2012 with titles such as "printer virus", "printer bomb" or "Trojan.Milicenso: A Paper Salesman’s Dream Come True". This was likely due to an unwanted side-effect or "mistake" by the bot-master and probably didn't happen to all infected hosts or networks.
You'll learn:
- how the malware was discovered, what indicators were derived
- how all infected hosts were identified and how remediation was done
- how this malware spreads and how to defend against it
- how to detect infected systems (host & network indicators)
- how to find infected web servers used to spread it
- what malware functionalities are known and currently still unknown
Biography:
Tom Ueltschi received his Bachelors and Masters of Science in Computer Science and Engineering from the University of Texas at Arlington. After about 6 years working in software development (mainly Java web applications) he switched to IT Security five and a half years ago. Hunting for and analyzing new malware is part of his job and hobby as well. He's an (in-)frequent blogger about APT resources and malware/botnet research (c-apt-ure.blogspot.com) and believes in sharing threat and malware intelligence using Twitter (@c_APT_ure), Storify, CIF feeds and IOCs. He holds several GIAC certifications (GCIH, GWAPT, GXPN) and received the SANS Lethal Forensicator Coin for submitting several IOCs to ForensicArtifacts.com. He's a member of several closed/trusted groups for fighting cybercrime and sharing malware and APT intelligence.
Title: Hunting Attackers with Network Audit Trails
Speaker Name: Tom Cross
Co-Speaker Name: Charles Herring
Speaker Title: Director of Security Research
Co-Speaker Title: Senior Systems Engineer
Company: Lancope
Abstract
Sophisticated, targeted attacks have become increasingly difficult to detect and analyze. Attackers can employ 0day vulnerabilities and exploit obfuscation techniques to evade detection systems and “fly under the radar” for long periods of time. Reports cataloging trends in data breaches reveal a systematic problem in our ability to detect that they ever occurred. Gartner estimates 85% of breaches go completely undetected and 92% of the detected breaches are reported by third parties. New strategies for identifying network attack activity are needed.
The purpose of the session is to review how network logging technologies such as NetFlow and IPFIX can be applied to the problem of detecting sophisticated, targeted attacks. These technologies can be used to create an audit trail of network activity that can be analyzed, both automatically and by skilled investigators, to uncover anomalous traffic. We will demonstrate how these records can be used to discover active attacks in each phase of the attacker’s “kill chain.” We will also cover how these records can be utilized to determine the scope of successful breaches and document the timeline of the attacks. The session will demonstrate these processes and techniques in both open source and commercial solutions.
Biography
Tom Cross is Director of Security Research at Lancope where he works to improve Lancope's network anomaly detection capabilities. He has more than a decade of experience as a security researcher and thought leader. Tom was previously manager of the IBM X-Force Advanced Research team where he focused on advancing the state of the art in network intrusion prevention technologies. He is credited with discovering a number of critical security vulnerabilities in enterprise class software and has written papers on security issues in Internet routers, securing wireless LANs, and protecting Wikipedia from vandalism. He frequently speaks on security issues at conferences around the world.
Charles Herring is Senior Systems Engineer at Lancope. Charles spent 10 years on active duty with the US Navy. His last position in the Navy was as the Lead Network Security Analyst for the Naval Postgraduate School. After leaving the Navy, he spent six years consulting with the Federal government as well as serving as a contributing network security product reviewer for the InfoWorld Test Center. Charles spends much of his time assisting StealthWatch operators in detecting and responding to advanced security threats.
Title: Autopsy 3: Extensible Open Source Forensics
Speaker Name: Brian Carrier
Speaker Title: VP of Digital Forensics
Company: Basis Technology
Abstract:
Autopsy 3.0 is an open source, end-to-end digital forensics platform based on The
Sleuth Kit. It is a complete rewrite from Autopsy 2.0 and was designed to be an
extensible platform with modules that are open or closed source and free or commercial.
This talk covers the exciting new features of this system, including multi-threaded
frameworks, triage, embedded databases, web artifact analysis, and indexed keyword
search. This talk is targeted towards both users and developers. Users will learn about
the tool, and how they can use it. Developers will learn the basics of where they can
incorporate their tools into the Autopsy workflow as modules.
Biography:
Brian leads the digital forensics team at Basis Technology, delivering services and developing
custom systems. He is the author of the book File System Forensic Analysis and developer of
several open source digital forensics analysis tools, including The Sleuth Kit and the Autopsy
Forensic Browser. Brian has a Ph.D. in computer science from Purdue University and worked
previously for @stake as a research scientist and the technical lead for their digital forensics
lab. Brian is on the committees of many conferences, workshops and technical working groups,
including the Annual DFRWS Conference and the Digital Investigation Journal.
Title: Timeline Analysis by Categories
Speaker: Corey Harrell
Speaker Title: IT Specialist III
Company: New York Office of the State Comptroller
Abstract
When it comes to timeline analysis there are two trains of thought about how to approach it.
One is the kitchen sink approach where all artifacts supported by the tools are included in the
timeline. The second is the minimalist approach where only the required artifacts are initially
included and more artifacts are added as needed. Both approaches are equally valid but there is
a third train of thought emerging about how to approach timeline analysis. The approach is to
build timelines based on categories and it is a combination of the kitchen sink and minimalist
approaches.
Artifacts can be organized into categories based on the examination process one uses. The
various categories can then be selected for incorporation into a timeline. In essence, the
approach is including all artifacts that belong to certain categories. Not only does category-based
timeline analysis provide examiners with a more effective timeline, but it makes the creation of
targeted timelines easier for different types of cases.
In this presentation Corey will discuss the process for creating timelines based on categories.
The topics will include the following: examination process, categories, timeline tools, tools
compatibility issues, artifacts in each category, and timeline matrices for common case types.
At the conclusion of the presentation attendees will know how to leverage the timeline analysis
based on categories approach.
Biography
Corey Harrell is an information security specialist with the New York Office of the State
Comptroller. In this capacity, he has spent over five years providing digital forensic services that
support security incidents, investigations, fraud audits, and acceptable use policy violations. In
addition, Corey has performed vulnerability assessments at other New York State agencies to
identify and confirm weaknesses in their security management and network.
Corey is an avid blogger - posting frequently - on his personal "Journey Into Incident Response"
blog about Digital Forensics and Incident Response. He is currently developing a Malware
Analysis course for one of Champlain College's graduate programs. He has more than 10 years of
experience in Information Technology, seven of which were specific to information
security. He holds a Master of Science in Information Assurance from Norwich University and a
Bachelor of Science in Telecommunications from SUNY Institute of Technology. Corey has
achieved several technical certifications including EnCase Certified Forensic Examiner (EnCE) and
Certified Ethical Hacker (CEH).
Title: Detecting data loss from cloud synchronization applications
Speaker: Jake Williams
Company: CSRgroup Computer Security Consultants
Abstract:
Cloud backup solutions, such as Dropbox, provide a convenient way for users to synchronize files between user devices. These services are particularly attractive to users, who always want the most current version of critical files in each location. Many of these applications “install” into the user’s profile directory and the synchronization processes are placed in the user’s registry hive (HKCU). Users without administrative privileges can use these applications without so much as popping a UAC dialog. This freedom makes illicit installations of these applications all the more likely. Cloud backup providers are marketing directly to corporate executives offering services that will “increase employee productivity” or “provide virtual teaming opportunities.” Offers such as these make it more likely than ever that any given corporate environment has some cloud backup solutions installed.
Bio:
Jake Williams, a principal consultant at CSRgroup Computer Security Consultants, has over a decade of experience in secure network design, penetration testing, incident response, forensics, and malware reverse engineering. Prior to joining CSRgroup, he worked with various government agencies in information security roles. Jake has twice won the annual DC3 Digital Forensics Challenge and has spoken at several regional ISSA meetings, Shmoocon, and the DC3 Conference, as well as numerous US government conferences. Jake is currently pursuing a PhD in Computer Science where he is researching new techniques for botnet detection. His research interests include protocol analysis, binary analysis, malware RE methods, subverting the security of cloud technologies, and methods for identifying malware Command and Control (C2) techniques.
Title: A Day in the Life of a Cyber Tool Developer
Speaker Name: Jonathan Tomczak
Speaker Title: Software Engineer/CIO
Company: TZWorks, LLC
Abstract
As the density of digital media continues to grow, the forensic investigator will see massive amounts of data during any acquisition phase or computer analysis. Timely reduction and processing of large, disjointed datasets will be extremely important for those investigative shops that face more work than the number of available, qualified people doing the analysis. This means automating the workflow process to ensure consistent, accurate reporting, which will in turn translate into more revenue for the investigator. To aid in this, forensic development shops will need to use and/or create toolsets that are flexible and scalable to assist in any automation transition. This talk will focus on how TZWorks takes on the challenge of developing a tool to aid in this automation process. The discussion will be centered on a TBD tool that has been developed in the past. It will include: (a) the step by step process used in the development and where key decision points were made, (b) the research that was involved when identifying critical data structures, and (c) how it was decided which data will be presented to the end user and which data will not. This discussion will be from a developer's perspective.
Biography
Jonathan Tomczak is the Chief Information Officer and Co-Founder at TZWorks, LLC. Jonathan's professional background stems from game engine programming and design focusing on IRC based games. With most of his programming foundation in C and C++, Jonathan has taken his knowledge and applied it to find solutions to aid the information security world. Jonathan's personal time is spent primarily outdoors, whether that be hiking, kayaking or mountain biking. As part of his desire to tinker, he retains his status as a knowledgeable bike mechanic and loves getting his hands full of dirt and grease. Jonathan attended George Mason University for Computer Engineering with a focus on Computer Software Development.
Title: Proactive Defense
Presenter: Adam Meyers
Title: Director of Intelligence
Company: CrowdStrike, Inc
Abstract:
By nature, computer network defenders tend to be very reactive - an IDS alert triggers and they take action. This can quickly cause a defense team to become overwhelmed with things they need to react to, causing them to miss key indicators. Proactive network defense allows defenders to look at the threat landscape to proactively anticipate where the adversary will be in order to defend against an attack before it happens. Today we collect large volumes of data on our enterprises. This massive amount of data, coupled with defenders who are focusing on technical analysis and typically do not have the background or experience in the traditional intelligence discipline, inhibits thinking proactively. This presentation is tailored towards technical analysts who want to learn about intelligence collection and analysis and how to couple it with technical analysis in order to mine the myriad of data to extract powerful information about the adversary such as their Tools, Techniques, and Practices (TTP). As this data is extracted, the audience will learn to start asking proactive questions about the data so that they may anticipate the adversary’s next move and begin the defense in advance. This presentation will provide background on intelligence collection, intelligence analysis, building a collection, and introduce some powerful tools to mine intelligence.
Biography:
Adam Meyers is Director of Intelligence for CrowdStrike, Inc. Adam manages collection activity, reverse engineering, and adversary categorization. Prior to joining CrowdStrike, Adam was the Director of Cyber Security Intelligence with the National Products and Offerings Division of SRA International. Adam served as a senior subject matter expert for cyber threat and cyber security matters for a variety of SRA projects. Adam provided both technical expertise at the tactical level and strategic guidance on overall security program objectives. Adam’s background is in penetration testing and reverse engineering. He also acted as the product manager for SRA Cyberlock, a dynamic malware analysis platform. Adam supports various law enforcement agents as a technical resource regarding malware and criminal investigation. In support of the Department of State Bureau of Diplomatic Security, Adam trained and managed an elite team of reverse engineers who conducted incident investigation and analysis in support of the mission of the Office of Cyber Security. He is a recognized speaker who has spoken on a variety of topics ranging from technical to emerging threats at security conferences throughout the world. Adam has provided significant contributions to the Wikileaks, Night Dragon, and Shady RAT investigations, as well as provided critical assistance to law enforcement in investigations of numerous hacking incidents.
Title: The 7 Sins of Malware Analysis
Speaker: Dominique Kilman
Company: KPMG LLP
Abstract:
In this presentation, I will discuss the common mistakes that analysts make when working with malicious code. Each of these ‘sins’ will be presented along with their corollary ‘what to do instead’. I hope to give new analysts a head start so they don’t make some of the newbie mistakes that can happen, as well as remind experienced analysts of some of the important characteristics that make for good analysis.
Biography:
Dominique is a Senior Associate with KPMG’s Forensic Technology Services (“FTS”) practice in San Antonio, TX. She specializes in malicious code analysis, network forensics and incident response. She has over 10 years of experience in the computer security field and 4 years’ experience in software development. She is a CISSP and CISM, holds SANS certifications in Malware Analysis, Auditing, Incident Handling and Wireless Auditing as well as the EC-Certified Security Analyst certification. She obtained an MS in Computer Security from University of Illinois in 2002 and a BS in Computer Engineering from Texas A&M in 1997.
Title: Plaso - Reinventing the Super Timeline
Speaker: Kristinn Gudjonsson
Title: Senior Security Engineer
Company: Google
Abstract:
Timeline analysis has really grown in the past few years with new tools that can automate the correlation between multiple data sources into a single timeline. This analysis technique has provided the analyst with a completely new and unprecedented view of the data that lies on the drive. And with the introduction of the new log2timeline engine called plaso, things are changing even more. The next generation of log2timeline produces more structured data with more features, which in turn opens up new ways of analyzing the massive dataset the tool extracts from any given drive. The goal of this presentation is to introduce the audience to timeline analysis in a practical way, showing how to use the tool in a simple malware intrusion investigation as well as to show how to expand the tool to parse new datasets in a simple way.
Bio:
Kristinn Gudjonsson is a senior security engineer at Google, focused on forensics, incident response, tool development and whatever gets thrown his way. Prior to joining Google he worked as a technical security manager at ArionBanki and even before that as a security/incident response/forensics consultant at Skyggnir.
Kristinn holds a M.Sc. degree in computer engineering from INT (Institut National des Telecommunications) in Paris as well as a B.Sc. degree in electrical and computer engineering from the University of Iceland. Kristinn also holds several certifications such as GCIA, GCIH and GCFA Gold.
Kristinn is among other things the creator of the tool log2timeline, and now one of the core developers of the new backend engine of log2timeline called plaso.
Title: Facilitating Fluffy Forensics (a.k.a. Considerations for Cloud Forensics)
Speaker Name(s): Andrew Hay
Speaker Title: Chief Evangelist
Company: CloudPassage, Inc.
Abstract:
Cloud computing enables the rapid deployment of servers and applications, dynamic scalability of system resources, and helps businesses get products to market faster than ever before. Most organizations are aware of the benefits of adopting cloud architectures and many are becoming aware of the potential security risks. The majority of organizations, however, don’t realize the numerous challenges of conducting incident response (IR) activities and forensic investigations across public, private, and hybrid cloud environments. It’s not all doom and gloom, however. The consumption model of cloud architectures actually lends itself to helping investigators conduct forensic and IR exercises faster and more efficiently than on a single workstation. For this to happen, however, the tools and techniques employed must evolve. In this session, CloudPassage Chief Evangelist Andrew Hay will address the forensic and IR challenges of investigating servers and applications in cloud environments in addition to the opportunities that cloud presents to help expedite forensic investigations. Topics that will be discussed include:
- Traditional forensics and IR
- Cloud architectural challenges for responders
- Chain-of-custody and legal issues across architectures and regions
- How existing forensics/IR tools can help - and what they can do better
- Advantages of conducting forensics/IR in cloud environments
Biography:
Andrew Hay is the Chief Evangelist at CloudPassage, Inc., where he represents the company and its cloud security portfolio. Prior to joining CloudPassage, Andrew served as a Senior Security Analyst for 451 Research’s Enterprise Security Practice (ESP) providing technology vendors, private equity firms, venture capitalists and end users with strategic advisory services – including competitive research, new product and go-to-market positioning, investment due diligence and tactical partnership, and M&A strategy. Through his work at 451 Research, Andrew was instrumental in securing tens of millions of dollars in equity investment for numerous security product vendors. He is a veteran strategist with more than a decade of experience related to endpoint, network, and security management technologies.
Title: Timeline creation and review, GUI style!
Speaker: David Nides
Company: KPMG LLP
Abstract:
Timeline analysis is a concept used by Digital Forensic and Incident Response practitioners to normalize event data by time and present it in chronological order for review. This sequence of data is used to tell a narrative “story” of events over a period of time. Furthermore, it can be used to put events into context, interpret complex data and identify anomalies or patterns. Thanks to tools like log2timeline the creation of timeline data is easy; however, the review process can be challenged by gigabytes and millions of rows of events. This presentation will focus on making the creation of timeline data even EASIER and on the challenges of reviewing large timeline data sets using a FREE tool called l2t_R, a cross-platform GUI solution specifically designed for reviewing timeline data.
Biography:
David is a Manager with KPMG’s Forensic Technology Services (“FTS”) practice in Chicago, IL. Currently David plays a national lead Incident Response role consulting clients globally in APT, data breach, and other cybercrime investigations. His experience includes working in the People’s Republic of China where he significantly contributed to the growth of KPMG’s Asia Pacific FTS practices by leading high profile cross-border investigations, establishing end-to-end e-discovery solutions, integrating methodologies and technologies consistent with the US, and making best practices transparent between global practices. Ultimately, David was in part responsible for the establishment of a Forensic Technology team and service line in Shanghai, China. David also served a rotation with KPMG’s Office of General Counsel leading internal investigations involving the identification, preservation, analysis, and presentation of Electronically Stored Information as a result of litigation and government inquiries. David holds a number of professional certifications and in 2012 won the forensic4cast award for “best forensic article” of the year.
Title: Building, Maturing and Rocking a Security Operations Center
Speaker Name: Brandie Anderson
Company: Hewlett-Packard
Abstract
I will discuss key items around building a security operations center and maturing it, initially working through points on the importance of process and procedures, how to document, and options to store and actively use documentation. I will discuss hiring, on-boarding and training analysts and monitoring technology (while there are many, we are an ArcSight shop, so while covering general topics of use case development and actionable content, any screen shots included would be ArcSight) and data feed on-boarding (again ArcSight Logger would be mentioned/screen shots, but overall log feed theories and best practices). After having a SOC in place, there are items you start to discuss around maturing the processes, incident response within the SOC and the interactions with internal and external organizations. The last section will cover incident response, daily reactions to users, noise, etc. and a “rocking” example of one of our responses to a virus outbreak – going from detection, impact and a hack back response the SOC analysts used to shut it down. I will use the SANS Incident Response Model, walking through the steps and how we made decisions and handled the issue. The reason I have chosen this virus outbreak is that, while the big things (intruders, etc.) end up involving a lot of folks and get the visibility, sometimes the nuisance things are the hardest to get visibility for internally from other groups, but the security teams have to address them regardless, and this offers an example of how to handle things when other groups aren’t as invested.
Biography
I am the current manager of the HP Global Security Operations Center, the APT Hunter and the Security Delivery Operations teams. Having worked in both private and public sectors in a variety of technology positions, with 13 years specializing in Information Security, highlighting both tactical and strategy functions, I have been successful in building security operations centers and working with broken teams/processes. My educational experience includes a Master’s degree in Information Management with a specialization in Information Security/Assurance, and I was awarded one of the first ISC(2) scholarships from the year of the Security Professional. Current certifications include CISSP and GCIH, with past certifications including MCSE, MCP and CNA. In my spare time, I am an on-going adjunct professor for information security and networking for ECPI University and have taught in the same capacity for DeVry Online and University of Phoenix. My family includes my husband, Dave, daughter Cailin, 12, son Collin, 22 and two step-daughters, Tracy, 22 and Amy, 21.
Title: ICS, SCADA, and Non-Traditional Incident Response
Speaker Name(s): Kyle Wilhoit
Speaker Title: Threat Researcher
Company: Trend Micro
Abstract
INTRODUCTION: With the attack landscape constantly changing, new focus has been placed on industrial control systems (ICS) and SCADA systems. This talk aims to show not only a high level overview of ICS and SCADA systems, but also how to effectively perform incident response on these oftentimes remote systems.
CORE CONCEPTS: Core concepts that will be covered include, but are not limited to:
● How ICS/SCADA systems differ from normal systems.
● Core overview of ICS/SCADA systems (common uses for these systems).
● Reasons behind ICS/SCADA systems.
● How ICS/SCADA differs in terms of incident response.
● How to effectively perform incident response on ICS/SCADA systems.
GOALS: Goals include, but are not limited to:
● Help conference goers understand core incident response subjects.
● Help conference goers understand what ICS/SCADA systems are used for.
● Help conference goers be able to differentiate between ICS/SCADA incident response and traditional incident response.
● Help conference goers leave the conference with core notes on being able to easily perform incident response on ICS/SCADA systems.
Biography:
Kyle Wilhoit is a Threat Researcher at Trend Micro on the Future Threat Research Team. Kyle focuses on original threat, malware, and vulnerability discovery/analysis. He has 8 years of experience in the information security field, holds a Bachelor's and a Master's in Information Systems, and holds several professional certifications. Kyle has regular interaction with the US Department of Defense regarding threat research and malware analysis. In addition, he has spoken at several conferences, including Washington University in St. Louis, Missouri and United Security Summit in San Francisco, California. Prior to joining Trend Micro, he was the Lead Incident Handler and Reverse Engineer at a large energy company, focusing on industrial control system/SCADA security and persistent threats. He has also worked at Savvis Communications, a Tier 1 Internet service provider, as a Threat Analyst and Incident Response Specialist. Kyle is also involved with several open source projects.
Title: Restoring Credential Integrity after an Enterprise Intrusion
Speaker Name(s): James Perry and Anuj Soni
Speaker Title: Lead Associate
Company: Booz Allen Hamilton
Abstract
One of the most important, and most overlooked, steps of running an enterprise APT intrusion investigation involves the rapid identification of risk factors that enabled the threat actors to establish an enterprise presence in that environment. One of these risk factors is related to Active Directory and local system user credentials. Investigators must rapidly determine the status of these factors from an investigative perspective to eventually help the organization restore credential integrity with a hard password reset. We will discuss how to rapidly determine which user, admin, and service accounts have active or historical LanManager password hashes, which user accounts share credentials, which domain administrators share credentials between their standard and privileged accounts, and other factors related to user credential risk. We will demonstrate the tools and techniques we currently use, identify common pitfalls, and will include a couple of enterprise hard password reset case studies.
Biography
Anuj Soni is an incident responder and forensic analyst at Booz Allen Hamilton. He is a Lead Associate on Booz Allen’s Proactive Threat Identification (PTI)/Advanced Persistent Threat (APT) team where he manages and executes specialized incident response techniques to detect, respond to, and mitigate sophisticated threat actors on Federal Government client networks. He uses his skills in conducting host-based forensics, malicious code analysis, APT risk assessments, and APT mitigation development to help clients improve their security posture. He has over 7 years of experience in incident response, forensics, intrusion detection, penetration testing and steganalysis. Anuj received his Bachelor's and Master's from Carnegie Mellon University, where he also worked and developed whitepapers for the Software Engineering Institute’s Computer Emergency Response Team (CERT). Anuj is a Certified Information Systems Security Professional (CISSP), an EnCase Certified Examiner (EnCE), and a GIAC Reverse Engineering Malware (GREM)-certified analyst. He is also a SANS Mentor for the Reverse Engineering Malware course.
James Perry is an incident responder and forensic analyst at Booz Allen Hamilton. He is a Lead Associate on Booz Allen's Proactive Threat Identification (PTI)/Advanced Persistent Threat (APT) team where he manages and executes enterprise intrusion investigations to detect, respond to, and mitigate sophisticated threat actors on client networks in the commercial and government sectors. He has over 7 years of experience in network security, intrusion detection, forensics, and incident response. Mr. Perry holds a Master of Information Technology from The Johns Hopkins University and a Bachelor of Science in Systems Engineering from The University of Virginia. Mr. Perry has received forensic training from the Defense Cyber Investigations Training Academy (DCITA).