Cyber Security is not for the weary. The challenge is immense: keep your organization safe against highly motivated, persistent attackers employing sophisticated deceptive techniques. And you need to maintain that security in a highly dynamic environment where a mobile workforce uses a multitude of platforms to consume and provide services.
Many of today's solutions focus on detection of threats but don't connect seemingly normal activity with malicious compromise.
Join ThreatTrack as we discuss the need for an adaptive approach that detects and tracks threats, identifies changes in behavior in dynamic environments by discovering interconnected malicious activities, and moves beyond isolated incidents.
DLP has historically been used to protect against the insider threat while keeping legitimate users from using data in the wrong way, such as uploading classified information or accessing privileged files. However, the question remains: can DLP be used to thwart advanced malware attacks? This session will explore whether DLP systems can successfully stop advanced malware, including malicious programs at the PC/BIOS level, ransomware and the latest forms of wiping/destructive malware.
The bad guys are winning, punching our servers and taking our data. To win any fight, you gotta know your weaknesses and have solid fundamentals: recognize when and where you're getting punched, identify who is punching you and have the strength to take a punch. Learn how to implement fundamental security at any scale across all modern compute environments. All without breaking a sweat.
As the malware and forensic security lead in a large advanced Critical Incident Response Center, I spend my day hunting for evil lurking in the dark, which can make you a bit paranoid. Learn how I turn that paranoia into an obsession to constantly improve our incident response program. Specifically, this session will discuss the techniques our team uses for deep malware and forensic analysis, tips for finding hidden incidents, the process we follow when responding and the information we leverage in order to see better.
Visualize 100 million random files; now try to identify the one million unique malicious files. Talos deals with this issue every single day. That's a staggering amount of intelligence to leverage, and this is just a portion of our data. Talos works with one of the largest malware datasets in the world. In order to protect our customers we must constantly hunt for the malware that poses the most harm to them, via direct action and innovation. Talos is made up of world-class threat researchers dedicated to this cause. In this talk we will discuss hunting and examine various threats Talos is tracking.
File synchronization services, such as Google Drive, Dropbox and others, are becoming widespread in both private and corporate use. These applications, while offering great convenience to their users, also provide a hacker with an ideal platform for C2 infrastructure. Instead of setting up a new C2 server, an attacker simply needs to open a new cloud storage account, or even use the victim's account as the platform.
In our presentation we will examine how common cloud synchronization services can be used by hackers to steal private and corporate data, remain persistent on infected machines and avoid perimeter detection mechanisms. All of this could be done from the attacker's laptop, without any exploits and without writing server-side code.
Global networks have evolved, and so must the way we assess their security and compliance posture. Traditional assessment methods present many challenges for security teams, such as scanning windows, managing credentials, and the rise of cloud environments, and they can be cost-prohibitive. This talk presents a new, disruptive approach using lightweight cloud agents to continuously assess and address the security and compliance of global IT assets, whether on-premises, in elastic cloud environments or on endpoints.
The traditional medium-centric approach to intrusion detection (NIDS, HIDS) normalizes all analysis around the medium, while files - and all their different formats, data structures, metadata, and embedded contents - are left as secondary or ignored completely. Comprehensive analysis of these attributes when fused with an understanding of adversary TTPs enables highly effective intelligence-driven network defense.
A file-centric intrusion detection approach supports this model, disassociating the medium to allow deep inspection of files regardless of transport or encapsulation. We'll demonstrate "Laika BOSS", the IDS implementing this approach that we developed within Lockheed Martin. It will be made available as open source.
Threat Intelligence certainly needs to be shared, but it really needs to be operationalized. And operationalization can range from check-the-box to find-all-the-things. This talk covers key principles behind the application of technical threat intelligence in the enterprise and helps you establish a maturity process for this critical function within the Security Operations Center. Attend and unlock your intel.
Enterprises need to know the effectiveness of their security systems as a whole, including event monitoring, patch management, malware defenses, inventory control, user access and many other security defenses. Tenable's continuous network monitoring solution leverages automation, unique sensors and security content to directly measure how effective your security program is. This session will take a closer look at Tenable's Five Critical Cyber Controls and how they're packaged in Assurance Report Cards, available pre-installed in Tenable's SecurityCenter Continuous View.
With the volume of cyber incidents and alerts exploding, finding the needle in the digital haystack is a significant challenge. Come watch a new and innovative solution to clear away the clutter and focus on preventing the advanced adversary from wreaking havoc in your network.
The current security operations model is an alert-driven one. Alerts contain a snapshot of a moment in time and lack important context, making it difficult to qualify the true nature of an alert in a reasonable amount of time. On the other hand, narratives provide a more complete picture of what occurred and tell the story of what unfolded over a period of time. Ultimately, only the narrative provides the required context and detail to allow an organization to make an educated decision regarding whether or not incident response is required, and if so, at what level. This talk presents the Narrative-Driven Model for incident response.
Diversion -- A maneuver intended to draw off attention from the point of main attack.
Traditionally, security analysts are focused on blocking attackers and keeping them out. This usually works, but it does not provide defenders much intelligence on who is attacking them and why, nor do such methods actually keep attackers out. Without such crucial data, it's also difficult to know whether or not an adversary has actually been removed from the environment. Let's turn the tables and beat them at their own game. They use diversions to break in, so we can pull the same tricks on them. Let's track their movements, better understand their tactics, and possibly even find out who they really are in the process.
This talk will dive into various tools and techniques that can be used to deceive our attackers, track them, rapidly respond to incidents, and even help train your user base to better identify and inform you of potential attacks. We will also be releasing a new, open source, Incident Response tool designed to assist with rapid data acquisition and quarantine of remote hosts within the enterprise.
Tailored Attacks Require Tailored Defenses: Improving Your Incident Response Strategy Through Advanced Threat Hunting
Keeping the bad guys out is a hard problem; finding them once they're in is even harder. The difficulty further increases when adversaries gain valid credentials and immediately become insiders. Once insiders, they can add accounts, hide in the noise, and accomplish their goals by using built-in tools and executables. How do you start defending yourself against this and build some resiliency? We'll discuss the threat landscape, trends among attackers and how you can start to proactively hunt these threats to reduce the scope of incidents.
This presentation discusses Esri's Shared Situational Awareness work. Utilizing existing, out-of-the-box GIS technology to implement this framework enables the integration of cyber data with relevant data from the various physical specialties to create a single, actionable common operational picture (COP). The framework improves decision-making by supporting the detection and assessment of cross-domain effects that could result from any type of disturbance (cyber or physical).
Utilizing current Web GIS technology allows the COP to be embedded within dashboards that can be configured to support existing policies and procedures within each discipline. This approach will be demonstrated using the ArcGIS platform.
The recent Duqu 2.0 attack, resulting from the exploitation of the vulnerability in the Kerberos protocol, is a reminder of the vulnerabilities found in the most established controls. It also highlights the common attack method of privileged account exploitation.
This session will discuss such credential theft attacks, focusing on:
How pass-the-hash, pass-the-ticket and overpass-the-hash are the primary methods used to access domain controllers and execute a Kerberos attack.
Best practices for mitigating risk of a Kerberos attack.
What we are seeing in post-Kerberos attack environments and how it can be applied to mitigation.
It's a lot more common for private industry to successfully sue security researchers than for governments to criminalize security research and prosecute, even though over the past ten years it has also become easier to submit a vuln to industry (ZDI, most open-source projects, Google, etc.) than to the government of your choice. The past decade saw ZDI, Mozilla, and others leading the way to better private-sector relations with researchers, so why does it still feel like the public sector has a better grip on how to deal with the realities of research?
The use of machine learning, contextual analytics and data correlation across various threat types allows us to better understand where, how and to what degree a malicious actor endangers an organization, which helps predict and ultimately prevent future occurrences. Contextual analytics of various threat data provides a deeper understanding of a given threat and enables identification of unknown threat vectors. In this session, David Dufour will provide a solid understanding of machine learning in its current state, a basic understanding of contextualization and an introduction to theories around predictability.
Given the recent frenzy of high-profile breaches, security is squarely in the spotlight. The increasing realization is that a breach will happen; the question is when. Prevention alone is not enough, and security analysts and security operations teams need a strategy to detect, contain, and control threats. Traditional technologies offer limited value in this endeavor. Security teams need end-to-end contextual visibility coupled with analytics capabilities to help them take decisive action against malicious activity and attack profiles across the enterprise.
As the web grows at enormous speed, it attracts criminals and even top-tier intelligence agencies to target innocent internet-connected systems, making "naïve" server operators easy prey.
It takes only a few minutes after placing your website on the internet for you to be hit by an attempt to exploit a known critical vulnerability that could allow the attackers to pwn your server.
In this talk, we will uncover what is really going on outside your website's front door.
This session will discuss how you can use Privileged Identity Management for active cyber defense to mitigate risks and reduce losses. Chris Stoneff will present the theory of how automated, aggressive PIM can stop intruders using zero-days, as well as how this works in practice, covering the application and the politics of this technology: lessons learned and tips for reducing corporate risks.