
WASHINGTON, DC METRO AREA Jan 29-30, 2018: SANS Cyber Threat Intelligence Summit & Training


SAVE $400 when you register for the Summit and a course

www.sans.org/CTI-Summit

WASHINGTON, DC METRO AREA, Bethesda, MD. SUMMIT: Jan 29-30, 2018. TRAINING: Jan 31 - Feb 5, 2018

The Most Trusted Source for Information Security Training,Certification, and Research

The top three reasons to attend the Cyber Threat Intelligence Summit & Training are:

1. Two days of In-depth CTI Summit Talks – The Summit will feature presentations by prominent experts covering specific analytical techniques and capabilities that can be utilized to properly create and maintain threat intelligence in your organization.

2. Six hands-on SANS courses – Following the two-day Summit, choose from six world-class information security courses taught by real-world security practitioners.

3. Exclusive community-building events and evening bonus sessions – Network with fellow security professionals during the CTI Summit Night Out, DFIR NetWars, evening receptions, and more!

“ One of very few venues/events devoted solely to tradecraft of cyber threat analysis and intelligence. Essential to both newcomers and seasoned practitioners, and neither too fast nor too slow for either.” -Patton Adams, Verisign iDefense

SANS Cyber Threat Intelligence Training Courses Jan 31 – Feb 5, 2018

FOR578: Cyber Threat Intelligence Instructor: Robert M. Lee | Certification: GCTI

FOR508: Advanced Digital Forensics, Incident Response, and Threat Hunting Instructor: Jake Williams | Certification: GCFA

FOR572: Advanced Network Forensics and Analysis Instructor: Ryan Johnson | Certification: GNFA

FOR585: Advanced Smartphone Forensics Instructors: Heather Mahalik & Domenica Crognale Certification: GASF

FOR610: Reverse-Engineering Malware: Malware Analysis Tools and Techniques Instructor: Lenny Zeltser | Certification: GREM

SEC504: Hacker Tools, Techniques, Exploits, and Incident Handling Instructor: Matt Edmondson | Certification: GCIH

@sansforensics #CTISummit

“ This training summarizes CTI well and connects all the dots. You’ll get a clear answer to the following questions: What is CTI? How important is it? What is it built upon? And how can it be applied in practice?” -Nikita Martynov, NNIT A/S

SAVE $400 when you register and pay for a SANS course by Dec 13th

www.sans.org/CTI-Summit

Featured Summit Talks, January 29-30, 2018. The complete Summit agenda is available at: www.sans.org/CTI-Agenda

There Is MOAR To Structured Analytic Techniques Than Just ACH!

As private sector intelligence capabilities and tradecraft continue to evolve, structured analytic techniques are being incorporated into intelligence programs. Analysis of competing hypotheses (ACH) is perhaps the most featured structured analytic technique in use today. ACH is most effective when looking back at an event; it is not as useful for forecasting future events. Structured analytic techniques constitute a toolbox, and you need to pick the right tool for the job. This talk will highlight additional structured analytic techniques that can be leveraged to reduce uncertainty within intelligence analysis. Structured analytic techniques such as quadrants and the cone of plausibility will be broken down to align with tactical, operational, and strategic assessment needs. Attendees will leave with an understanding of which structured analytic techniques are best applied to specific scenarios within their organizations.

Rick Holland @rickhholland, Summit Co-Chair, SANS Institute

Event Threat Assessments: G20 as a Case Study for Using Strategic CTI to Improve Security

Large events pose unique cyber risks to organizations that have employees attending them. As the technology and threat landscape evolves, organizations need to understand the full extent of the cyber risks to which their personnel are exposed while attending such events. This presentation will use the G20 meetings as a case study to see how strategic cyber threat intelligence (CTI) illuminated the threat landscape for the organization’s attendees, used timeline analysis to come to surprising conclusions, and utilized Analysis of Competing Hypotheses (ACH) to evaluate adversary courses of action. This information allowed the organization to implement custom-tailored security guidance to improve security. In covering everything from intelligence requirements to product dissemination, the presentation will walk the audience through the story of how a cyber intelligence analyst used available intelligence resources and service providers to collect information, drew on internal resources to conduct analysis, and then partnered with the organization’s risk professionals to disseminate security guidance to event attendees. Attendees will see an example of an intelligence “success” that can be modeled and replicated, as well as learn about the cyber threats facing G20 meeting attendees and, ultimately, all of us.

Lincoln Kaffenberger @LincolnKberger, Threat Intelligence Officer, International Monetary Fund

Information Anarchy: A Survival Guide for the Misinformation Age

We are surrounded by information – data on every topic, from any angle, in every shape and size. All of this data should provide us with more understanding and insight than ever before. But there is just one problem. The information isn’t always accurate. We are living in the misinformation age. How can threat intelligence analysts survive in an age of information anarchy? We need information to form the basis of our analysis, but how can we pick out the truth from the overwhelming piles of data and ensure that our analysis is sound? This talk will discuss how we got to the state we are in, and how to identify accurate information versus intentional misinformation and misinformation born of confusion. Finally, we’ll look at some steps we as a community can take to eliminate unintentional misinformation and get to ground truth sooner, including ways to calculate mean time to accurate information on Twitter and how to identify IOC-outliers that require more scrutiny.

Rebekah Brown @PDXbek, Threat Intelligence Lead, Rapid7; Summit Advisor, SANS Institute

Determining the Fit and Impact of CTI Indicators on Your Monitoring Pipeline (TIQ-Test 2.0)

The challenge to implement an appropriate data processing pipeline to make good use of your indicators of compromise has been successfully addressed over the last few years. However, even with all the push for automation and orchestration, a fundamental question remains: which data should you be ingesting in your detection pipelines? There is no lack of data available, shared or not, paid or not. But how do you keep your cyber threat intelligence (CTI) incident response team from spinning its wheels on a pile of CTI mud? This presentation will discuss statistical analysis you can undertake using the CTI indicators that you collect and your own network telemetry.

Alex Pinto @alexcpsec, Chief Data Scientist, Niddel
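The abstract above talks about measuring indicator feeds against your own telemetry rather than ingesting everything. The block below is an added example of the simplest version of that analysis; it is not code from the talk, from Niddel, or from the TIQ-Test project. The two feeds, the flow records, and the function names are constructed for illustration (documentation-range IP addresses only). It computes three things a practitioner wants before paying for or deploying a feed: how much two feeds overlap each other, what fraction of each feed ever matches local telemetry, and which matches only one feed would have given you.

```python
"""Added example: measuring how well indicator feeds fit local telemetry.

Not code from the talk or the TIQ-Test project. Feeds and telemetry below
are constructed sample data; the metrics are basic set statistics of the
kind the abstract alludes to (overlap between feeds, hit rate against your
own network records, and indicators that only one feed contributed).
"""
from collections import Counter
from itertools import combinations
from typing import Dict, List, Set, Tuple

# Constructed sample: two hypothetical IPv4 indicator feeds.
FEEDS: Dict[str, Set[str]] = {
    "feed_a": {"198.51.100.7", "198.51.100.9", "203.0.113.5",
               "203.0.113.77", "192.0.2.44"},
    "feed_b": {"203.0.113.5", "203.0.113.77", "192.0.2.10",
               "192.0.2.11", "192.0.2.12", "192.0.2.13"},
}

# Constructed sample telemetry: "src_ip dst_ip" flow records from the
# defended network. A real run would read NetFlow/DNS/proxy exports.
TELEMETRY: List[str] = """\
10.0.0.5 203.0.113.5
10.0.0.5 203.0.113.5
10.0.0.9 198.51.100.7
10.0.0.12 93.184.216.34
10.0.0.12 93.184.216.34
10.0.0.3 192.0.2.99
not a valid row
""".splitlines()


def parse_flows(lines: List[str]) -> Counter:
    """Count destination IPs in the flow records; malformed rows are skipped
    rather than aborting the whole batch."""
    dests: Counter = Counter()
    for line in lines:
        parts = line.split()
        if len(parts) != 2:
            continue
        dests[parts[1]] += 1
    return dests


def feed_overlap(feeds: Dict[str, Set[str]]) -> Dict[Tuple[str, str], float]:
    """Jaccard overlap for every pair of feeds. A high value means the
    second feed mostly repeats indicators you already have."""
    out: Dict[Tuple[str, str], float] = {}
    for a, b in combinations(sorted(feeds), 2):
        inter = len(feeds[a] & feeds[b])
        union = len(feeds[a] | feeds[b])
        out[(a, b)] = inter / union if union else 0.0
    return out


def feed_hit_rates(feeds: Dict[str, Set[str]], dests: Counter) -> Dict[str, dict]:
    """Per feed: how many of its indicators were ever seen in telemetry, the
    resulting hit rate, and how many telemetry records those hits explain.
    A feed with thousands of indicators and a hit rate near zero is mostly
    cost (lookups, false-positive triage) for little detection value."""
    out: Dict[str, dict] = {}
    for name, indicators in feeds.items():
        hits = {i for i in indicators if i in dests}
        out[name] = {
            "indicators": len(indicators),
            "matched": len(hits),
            "hit_rate": len(hits) / len(indicators) if indicators else 0.0,
            "records": sum(dests[i] for i in hits),
        }
    return out


def unique_hits(feeds: Dict[str, Set[str]], dests: Counter) -> Dict[str, Set[str]]:
    """Indicators that matched telemetry and came from exactly one feed:
    the detections you would lose by dropping that feed."""
    seen = {i for f in feeds.values() for i in f if i in dests}
    out: Dict[str, Set[str]] = {}
    for i in seen:
        sources = [n for n, f in feeds.items() if i in f]
        if len(sources) == 1:
            out.setdefault(sources[0], set()).add(i)
    return out


if __name__ == "__main__":
    dests = parse_flows(TELEMETRY)
    print("overlap:", feed_overlap(FEEDS))
    print("hit rates:", feed_hit_rates(FEEDS, dests))
    print("unique hits:", unique_hits(FEEDS, dests))
```

On the constructed data, feed_a and feed_b share two of nine distinct indicators, feed_a matches two of its five indicators (three records), feed_b matches one of six, and only feed_a supplies a sighting (198.51.100.7) that the other feed would not have given you. Real feeds need the same measures taken over time, since indicators age out and a feed that looked useful last quarter may match nothing now.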

The Challenge of Adversary Intent and Deriving Value Outside It

One of the most challenging intelligence requirements is determining adversary intent, yet many executives leverage this as an early expectation. Understanding why the challenge exists, how to move towards understanding perceived intent, and the role it plays in satisfying intelligence requirements is vastly important to helping our intelligence customers succeed. This presentation will focus on presenting the challenges and successes in this area through use cases and case studies that show the value of going through this process correctly and helping others become more successful.

Robert M. Lee @RobertMLee, SANS Certified Instructor; Course Author of SANS ICS515 & FOR578; CEO of Dragos Security

Summit Speakers and Talks

Rob Dartnall @cyberfusionteam, Director of Intelligence, Security Alliance Ltd. Talk: Intelligence Preparation of the Cyber Environment (IPCE)

Matt Jane, Principal Security Engineer, Okta. Talk: ElasticIntel: Building an Open Source, Low-Cost, Scalable and Performance Threat Intel Aggregation Platform

Keith Gilbert @Digital4rensics, Security Technologist, Sqrrl/Malformity Labs. Talk: Intelligent Hunting: Using Threat Intelligence to Guide Your Hunts

Lincoln Kaffenberger @LincolnKberger, Threat Intelligence Officer, International Monetary Fund. Talk: Event Threat Assessments: G20 as a Case Study for Using Strategic CTI to Improve Security

Rebekah Brown @PDXbek, Threat Intelligence Lead, Rapid7; Summit Advisor, SANS Institute. Talk: Information Anarchy: A Survival Guide for the Misinformation Age

Dave Herrald @daveherrald, Staff Security Strategist. Talk: Hunting Hidden Empires with TLS-Certified Hypotheses

Rick Holland @rickholland, Summit Co-Chair, SANS Institute. Talk: There Is MOAR to Structured Analytic Techniques Than Just ACH!

Ryan Kovar @meansec, Senior Security Architect, Splunk. Talk: Hunting Hidden Empires with TLS-Certified Hypotheses

Matt Bromiley @mbromileyDFIR, Managing Consultant, Kroll; Instructor, SANS Institute. Talk: Homemade Ramen & Threat Intelligence: A Recipe for Both

Scott J. Roberts, Bad Guy Catcher, GitHub; Summit Advisor, SANS Institute. Talk: Homemade Ramen & Threat Intelligence: A Recipe for Both

Robert M. Lee @robertmlee, SANS Certified Instructor; Course Author of SANS ICS515 & FOR578; CEO of Dragos Security. Talk: The Challenge of Adversary Intent and Deriving Value Outside It

Michael Rea @ComradeCookie, Senior Security Researcher, McAfee. Talk: I Can Haz Requirements?: Requirements and CTI Program Success

Dhia Mahjoub @DhiaLite, Head of Security Research, Cisco Umbrella (OpenDNS). Talk: Upgrading Your Cyber Threat Intelligence to Track Down Criminal Hosting Infrastructures

Alex Pinto, Chief Data Scientist, Niddel. Talk: Determining the Fit and Impact of CTI Indicators on Your Monitoring Pipeline (TIQ-Test 2.0)

Christy Quinn @ChristyQuinn, Security Specialist, Cyber Threat Intelligence, iDefense, Accenture Security. Talk: Exit Night, Enter Light

Chris Sanders @chrissander88, Founder, Applied Network Defense. Talk: Leveraging Curiosity to Enhance Analytic Technique

Jason Straight @UnitedLex, Chief Privacy Officer, UnitedLex. Talk: Legal Implications of Threat Intelligence Sharing

“This course gives a very smart and structured approach to cyber threat intelligence, something that the global community has been lacking to date.” -JOHN GEARY, CITIGROUP

GCTI Certification: Available Late 2017

Available with this course: www.sans.org/ondemand

FOR578: Cyber Threat Intelligence

Five-Day Program Wed, Jan 31 - Sun, Feb 4 9:00am - 5:00pm 30 CPEs Laptop Required Instructor: Robert M. Lee

Who Should Attend:

Security practitioners

Incident response team members

Threat hunters

Security Operations Center personnel and information security practitioners

Digital forensic analysts and malware analysts

Federal agents and law enforcement officials

Technical managers

SANS alumni looking to take their analytical skills to the next level

Make no mistake: current network defense, threat hunting, and incident response practices contain a strong element of intelligence and counterintelligence that cyber analysts must understand and leverage in order to defend their networks, proprietary data, and organizations.

FOR578: Cyber Threat Intelligence will help network defenders, threat hunting teams, and incident responders to:

Understand and develop skills in tactical, operational, and strategic-level threat intelligence

Generate threat intelligence to detect, respond to, and defeat advanced persistent threats (APTs)

Validate information received from other organizations to minimize resource expenditures on bad intelligence

Leverage open-source intelligence to complement a security team of any size

Create Indicators of Compromise (IOCs) in formats such as YARA, OpenIOC, and STIX

The collection, classification, and exploitation of knowledge about adversaries—collectively known as cyber threat intelligence—gives network defenders information superiority that is used to reduce the adversary’s likelihood of success with each subsequent intrusion attempt. Responders need accurate, timely, and detailed information to monitor new and evolving attacks, as well as methods to exploit this information to put in place an improved defensive posture.

Cyber threat intelligence thus represents a force multiplier for organizations looking to update their response and detection programs to deal with increasingly sophisticated advanced persistent threats. Malware is an adversary’s tool but the real threat is the human one, and cyber threat intelligence focuses on countering those flexible and persistent human threats with empowered and trained human defenders.

During a targeted attack, an organization needs a top-notch and cutting-edge threat hunting or incident response team armed with the threat intelligence necessary to understand how adversaries operate and to counter the threat. FOR578: Cyber Threat Intelligence will train you and your team in the tactical, operational, and strategic-level cyber threat intelligence skills and tradecraft required to make security teams better, threat hunting more accurate, incident response more effective, and organizations more aware of the evolving threat landscape.

THERE IS NO TEACHER BUT THE ENEMY!

Robert M. Lee, SANS Certified Instructor. Robert M. Lee is the CEO and founder of the critical infrastructure cybersecurity company Dragos Security LLC, where he has a passion for control system traffic analysis, incident response, and threat intelligence research. He is the course author of SANS ICS515: Active Defense and Incident Response and the co-author of SANS FOR578: Cyber Threat Intelligence. Robert is also a non-resident National Cyber Security Fellow at New America focusing on policy issues relating to the cybersecurity of critical infrastructure and a PhD candidate at King's College London. For his research and focus areas, he was named one of Passcode's Influencers and awarded EnergySec's 2015 Cyber Security Professional of the Year. Robert obtained his start in cybersecurity in the U.S. Air Force, where he served as a Cyber Warfare Operations Officer. He has performed defense, intelligence, and attack missions in various government organizations, and he established a first-of-its-kind ICS/SCADA cyber threat intelligence and intrusion analysis mission. Robert routinely writes articles in publications such as Control Engineering and the Christian Science Monitor's Passcode and speaks at conferences around the world. He is also the author of SCADA and Me and the weekly web-comic at www.LittleBobbyComic.com. @RobertMLee

www.sans.edu

“This course gave me not only much-needed insight into host-level forensics, but also important ideas on how to augment and improve our own hunt-team capabilities.” -DANNY AKACKI, BOFA

FOR508: Advanced Digital Forensics, Incident Response, and Threat Hunting

GCFA Certification: Forensic Analyst

www.giac.org/gcfa

Six-Day Program Wed, Jan 31 - Mon, Feb 5 9:00am - 5:00pm 36 CPEs Laptop Required Instructor: Jake Williams

Who Should Attend:

Incident response team members

Threat hunters

Experienced digital forensic analysts

Information security professionals

Federal agents and law enforcement personnel

Red team members, penetration testers, and exploit developers

SANS FOR500 (formerly FOR408) and SEC504 graduates

FOR508: Advanced Digital Forensics, Incident Response, and Threat Hunting will help you to:

Detect how and when a breach occurred

Identify compromised and affected systems

Determine what attackers took or changed

Contain and remediate incidents

Develop key sources of threat intelligence

Hunt down additional breaches using knowledge of the adversary

DAY 0: A 3-letter government agency contacts you to say an advanced threat group is targeting organizations like yours, and that your organization is likely a target. They won’t tell you how they know, but they suspect that there are already several breached systems within your enterprise. An advanced persistent threat, aka an APT, is likely involved. This is the most sophisticated threat that you are likely to face in your efforts to defend your systems and data, and these adversaries may have been actively rummaging through your network undetected for months or even years.

This is a hypothetical situation, but the chances are very high that hidden threats already exist inside your organization’s networks. Organizations can’t afford to believe that their security measures are perfect and impenetrable, no matter how thorough their security precautions might be. Prevention systems alone are insufficient to counter focused, human adversaries who know how to get around most security and monitoring tools.

This in-depth incident response and threat hunting course provides responders and threat hunting teams with advanced skills to hunt down, identify, counter, and recover from a wide range of threats within enterprise networks, including APT nation-state adversaries, organized crime syndicates, and hacktivism. Constantly updated, FOR508: Advanced Digital Forensics, Incident Response, and Threat Hunting addresses today’s incidents by providing hands-on incident response and threat hunting tactics and techniques that elite responders and hunters are successfully using to detect, counter, and respond to real-world breach cases.

GATHER YOUR INCIDENT RESPONSE TEAM – IT’S TIME TO GO HUNTING!

Available with this course: www.sans.org/ondemand, www.sans.org/cyber-guardian, www.sans.org/8140

Jake Williams, SANS Certified Instructor. Jake Williams is a principal consultant at Rendition Infosec. He has more than a decade of experience in secure network design, penetration testing, incident response, forensics, and malware reverse engineering. Before founding Rendition Infosec, Jake worked with various cleared government agencies in information security roles. He is well-versed in cloud forensics and previously developed a cloud forensics course for a U.S. government client. Jake regularly responds to cyber intrusions by state-sponsored actors in the financial, defense, aerospace, and healthcare sectors using cutting-edge forensics and incident response techniques. He often develops custom tools to deal with specific incidents and malware-reversing challenges. Additionally, Jake performs exploit development and has privately disclosed a multitude of zero-day exploits to vendors and clients. He found vulnerabilities in one of the state counterparts to healthcare.gov and recently exploited antivirus software to perform privilege escalation. Jake developed Dropsmack, a pentesting tool (okay, malware) that performs command and control and data exfiltration over cloud file sharing services. Jake also developed an anti-forensics tool for memory forensics, Attention Deficit Disorder (ADD). This tool demonstrated weaknesses in memory forensics techniques. @MalwareJake

“Stellar course! I highly recommend adding this course to the training plan of the new cyber protect teams.” -TOM L., U.S. AIR FORCE

FOR572: Advanced Network Forensics and Analysis

GNFA Certification: Network Forensic Analyst

www.giac.org/gnfa

Six-Day Program Wed, Jan 31 - Mon, Feb 5 9:00am - 5:00pm 36 CPEs Laptop Required Instructor: Ryan Johnson

Who Should Attend:

Incident response team members and forensicators

Hunt team members

Law enforcement officers, federal agents, and detectives

Information security managers

Network defenders

IT professionals

Network engineers

Anyone interested in computer network intrusions and investigations

Security Operations Center personnel and information security practitioners

Take your system-based forensic knowledge onto the wire. Incorporate network evidence into your investigations, provide better findings, and get the job done faster. It is exceedingly rare to work any forensic investigation that doesn’t have a network component. Endpoint forensics will always be a critical and foundational skill for this career, but overlooking network communications is akin to ignoring security camera footage of a crime as it was committed. Whether you handle an intrusion incident, data theft case, employee misuse scenario, or proactive adversary discovery, the network often provides an unparalleled view of the incident. Its evidence can provide the proof necessary to show intent, uncover attackers who have been active for months or longer, or even definitively prove that a crime actually occurred.

FOR572: Advanced Network Forensics and Analysis was built from the ground up to cover the most critical skills needed to mount efficient and effective post-incident response investigations. We focus on the knowledge necessary to expand the forensic mindset from residual data on the storage media from a system or device to the transient communications that occurred in the past or continue to occur. Even if the most skilled remote attacker compromised a system with an undetectable exploit, the system still has to communicate over the network. Without command-and-control and data extraction channels, the value of a compromised computer system drops to almost zero. Put another way: Bad guys are talking – we’ll teach you to listen.

This course covers the tools, technology, and processes required to integrate network evidence sources into your investigations, with a focus on efficiency and effectiveness. You will leave this week with a well-stocked toolbox and the knowledge to use it on your first day back on the job. We will cover the full spectrum of network evidence, including high-level NetFlow analysis, low-level pcap exploration, ancillary network log examination, and more. We cover how to leverage existing infrastructure devices that may contain months or years of valuable evidence as well as how to place new collection platforms while an incident is already under way.

Whether you are a consultant responding to a client’s site, a law enforcement professional assisting victims of cybercrime and seeking prosecution of those responsible, an on-staff forensic practitioner, or a member of the growing ranks of “threat hunters,” this course offers hands-on experience with real-world scenarios that will help take your work to the next level. Previous SANS Security curriculum students and other network defenders will benefit from the FOR572 perspective on security operations as they take on more incident response and investigative responsibilities. SANS Forensics alumni from FOR500 (formerly FOR408) and FOR508 can take their existing knowledge and apply it directly to the network-based attacks that occur daily. In FOR572, we solve the same caliber of real-world problems without the use of disk or memory images.

Ryan Johnson, SANS Instructor. As a globe-trotting cyber sleuth, Ryan Johnson is always looking to find the bad guy, and to share his enthusiasm and knowledge about digital forensics along the way. Ryan started out performing digital forensic exams for local law enforcement in Durham, N.C., assisting in homicide, fraud, narcotics, and child exploitation cases. He quickly saw the importance of digital evidence in ensuring that guilty parties are held accountable and innocent parties go free. That work led Ryan to join a team of media exploitation analysts working for the U.S. Army in Iraq. During his year in Iraq he helped gather actionable intelligence, streamline processes, and enhance equipment resources for in-country teams. When he returned stateside, Ryan began to work on computer intrusion cases. Since then he’s traveled the globe teaching digital forensics for the U.S. State Department’s Anti-Terrorism Assistance Program and served as a digital forensics analyst and consultant. Ryan co-authored several of the State Department’s digital forensics courses as well as the book Mastering Windows Network Forensics and Investigations, Second Edition. Ryan also currently serves as the Global Head of CSIRT at PricewaterhouseCoopers, where he leads the response, readiness and investigations functions. In addition, based on his background, practical forensic experience, and government clearance, Ryan has been regularly called upon to train U.S.-based government departments, international governments, and corporations in the areas of network and digital forensics. Ryan earned a master’s of science degree from Dalhousie University and two bachelor’s degrees from Queen’s University. He has taught college students, professionals, law enforcement, attorneys, and judges. Ryan knows that teaching the process, not the tool, is what gives students information they can put into practice outside of the classroom, and he works tirelessly to ensure every student understands the concepts he’s teaching. @ForensicRJ

Available with this course: www.sans.org/ondemand

Heather Mahalik, SANS Senior Instructor. Heather has worked on high-stress and high-profile cases, investigating everything from child exploitation to Osama Bin Laden’s media. She has helped law enforcement, eDiscovery firms, and the federal government extract and manually decode artifacts used in solving investigations around the world. All told she has more than 14 years of experience in digital forensics, including eight years focused on mobile forensics – there’s hardly a device or platform she hasn’t researched or examined or a commercial tool she hasn’t used. These days Heather is the Director of Forensic Engineering at ManTech CARD. Heather previously led the mobile device team for Basis Technology, where she focused on mobile device exploitation in support of the federal government. She also worked as a forensic examiner at Stroz Friedberg and the U.S. State Department Computer Investigations and Forensics Lab, where she handled a number of high-profile cases. She has also developed and implemented forensic training programs and standard operating procedures. @HeatherMahalik

Domenica Crognale, SANS Instructor. Domenica is one of the course co-authors of SANS FOR585: Advanced Smartphone Forensics. She has been working in digital forensics for more than 10 years and specializing in mobile devices since 2009. In previous jobs she has provided training to military and government agencies, worked on high-profile cases, tested and validated various mobile forensics utilities, and provided security assessments for many mobile applications. In her day job, she spends time dissecting third-party mobile applications, where there is no shortage of interesting data left behind. She maintains multiple certifications including the GASF, EnCE, CCE, and CISSP. @domenicacrognal

FOR585: Advanced Smartphone Forensics

GASF Certification: Advanced Smartphone Forensics

www.giac.org/gasf

Six-Day Program Wed, Jan 31 - Mon, Feb 5 9:00am - 5:00pm 36 CPEs Laptop Required Instructors: Heather Mahalik, Domenica Crognale

Who Should Attend:

Experienced digital forensic analysts

Media exploitation analysts

Information security professionals

Incident response teams

Law enforcement officers, federal agents, and detectives

Accident reconstruction investigators

IT auditors

Graduates of SANS SEC575, SEC563, FOR500, FOR508, FOR572, FOR526, FOR610, or FOR518 who want to take their skills to the next level

SMARTPHONES HAVE MINDS OF THEIR OWN. DON’T MAKE THE MISTAKE OF REPORTING SYSTEM EVIDENCE AS USER ACTIVITY. IT’S TIME TO GET SMARTER!

Mobile devices are often a key factor in criminal cases, intrusions, IP theft, security threats, accident reconstruction, and more. Understanding how to leverage the data from the device in a correct manner can make or break your case and your future as an expert. FOR585: Advanced Smartphone Forensics will teach you those skills. Every time the smartphone thinks or makes a suggestion, the data are saved. It’s easy to get mixed up in what the forensic tools are reporting. Smartphone forensics is more than pressing the find evidence button and getting answers. Your team cannot afford to rely solely on the tools in your lab. You have to understand how to use them correctly to guide your investigation, instead of just letting the tool report what it believes happened on the device. It is impossible for commercial tools to parse everything from smartphones and understand how the data were put on the device. Examination and interpretation of the data is your job, and this course will provide you and your organization with the capability to find and extract the correct evidence from smartphones with confidence.

This in-depth smartphone forensic course provides examiners and investigators with advanced skills to detect, decode, decrypt, and correctly interpret evidence recovered from mobile devices. The course features 20 hands-on labs that allow students to analyze different datasets from smart devices and leverage the best forensic tools, methods, and custom scripts to learn how smartphone data hide and can be easily misinterpreted by forensic tools. Each lab is designed to teach you a lesson that can be applied to other smartphones. You will gain experience with the different data formats on multiple platforms and learn how the data are stored and encoded on each type of smart device. The labs will open your eyes to what you are missing by relying 100% on your forensic tools.

FOR585 is continuously updated to keep up with the latest malware, smartphone operating systems, third-party applications, and encryption. This intensive six-day course offers the most unique and current instruction on the planet, and it will arm you with mobile device forensic knowledge you can immediately apply to cases you’re working on the day you leave the course.

www.sans.edu

WITH THIS COURSE www.sans.org/ondemand

“This is the most advanced mobile device training that I know of and is greatly needed. It is currently the only course being taught at this level!” -SCOTT MCNAMEE, DOS/CACI


“This training was significantly more intense and educational than any security training I had previously attended. Great material!” -ALEXANDRA BLOSSER, BOOZ ALLEN HAMILTON

FOR610: Reverse-Engineering Malware: Malware Analysis Tools and Techniques

GREM Certification: Reverse Engineering Malware

www.giac.org/grem

Six-Day Program | Wed, Jan 31 - Mon, Feb 5 | 9:00am - 5:00pm | 36 CPEs | Laptop Required | Instructor: Lenny Zeltser

Who Should Attend

Individuals who have dealt with incidents involving malware and want to learn how to understand key aspects of malicious programs

Technologists who have informally experimented with aspects of malware analysis prior to the course and are looking to formalize and expand their expertise in this area

Forensic investigators and IT practitioners looking to expand their skillsets and learn how to play a pivotal role in the incident response process

Learn to turn malware inside out! This popular course explores malware analysis tools and techniques in depth. FOR610 training has helped forensic investigators, incident responders, security engineers, and IT administrators acquire the practical skills to examine malicious programs that target and infect Windows systems.

Understanding the capabilities of malware is critical to an organization’s ability to derive threat intelligence, respond to information security incidents, and fortify defenses. This course builds a strong foundation for reverse-engineering malicious software using a variety of system and network monitoring utilities, a disassembler, a debugger, and many other freely available tools.

The course begins by establishing the foundation for analyzing malware in a way that dramatically expands upon the findings of automated analysis tools. You will learn how to set up a flexible laboratory to examine the inner workings of malicious software, and how to use the lab to uncover characteristics of real-world malware samples. You will also learn how to redirect and intercept network traffic in the lab to explore the specimen’s capabilities by interacting with the malicious program.

Malware is often obfuscated to hinder analysis efforts, so the course will equip you with the skills to unpack executable files. You will learn how to dump such programs from memory with the help of a debugger and additional specialized tools, and how to rebuild the files’ structure to bypass the packer’s protection. You will also learn how to examine malware that exhibits rootkit functionality to conceal its presence on the system, employing code analysis and memory forensics approaches to examine these characteristics.

FOR610 malware analysis training also teaches how to handle malicious software that attempts to safeguard itself from analysis. You will learn how to recognize and bypass common self-defensive measures, including code injection, sandbox evasion, flow misdirection, and other measures.

Hands-on workshop exercises are a critical aspect of this course. They enable you to apply malware analysis techniques by examining malicious software in a controlled and systematic manner. When performing the exercises, you will study the supplied specimens’ behavioral patterns and examine key portions of their code. To support these activities, you will receive pre-built Windows and Linux virtual machines that include tools for examining and interacting with malware.

Lenny Zeltser, SANS Senior Instructor
Aptly called the “Yoda” of malware analysis by his students, Lenny Zeltser keeps his eye on the big picture and focuses on the sum of events rather than individual occurrences. He lives by that philosophy and brings it to his job and classroom. A seasoned business and technology leader with extensive information security expertise, Lenny started his professional journey in a variety of technical InfoSec roles before serving as the national lead of the U.S. security consulting practice at a major cloud services provider. Later in his career he oversaw a portfolio of security services at a Fortune 500 technology company. Today, as VP of Products at Minerva Labs, Lenny designs and builds creative anti-malware products. Lenny also developed the Linux toolkit REMnux to make it easier to use a variety of freely available malware analysis tools, many of which run well on Linux but can be difficult to find and install. Lenny earned the prestigious GIAC Security Expert professional designation, and he currently serves on the Board of Directors of SANS Technology Institute. Lenny holds a bachelor’s degree in computer science from the University of Pennsylvania and a master’s in business administration from MIT Sloan and is the co-author of four books on malware, network security, and digital forensics. @LennyZeltser


www.sans.edu

WITH THIS COURSE www.sans.org/ondemand


“I can’t wait to bring new information from SEC504 back to my organization.” -JOSH HOSS, NETSPEND

“A real eye opener on the Web attack section. Windows command-line bootcamp section was excellent.” -TERRENCE RANDELL, JPMORGAN CHASE

SEC504: Hacker Tools, Techniques, Exploits, and Incident Handling

GCIH Certification: Incident Handler

www.giac.org/gcih

Six-Day Program | Wed, Jan 31 - Mon, Feb 5 | 9:00am - 7:15pm (Day 1), 9:00am - 5:00pm (Days 2-6) | 37 CPEs | Laptop Required (If your laptop supports only wireless, please bring a USB Ethernet adapter.) | Instructor: Matt Edmondson

Who Should Attend

Incident handlers

Leaders of incident handling teams

System administrators who are on the front lines defending their systems and responding to attacks

Other security personnel who are first responders when systems come under attack

The Internet is full of powerful hacking tools and bad guys using them extensively. If your organization has an Internet connection and one or two disgruntled employees (and whose does not!), your computer systems will get attacked. From the five, ten, or even one hundred daily probes against your Internet infrastructure to the malicious insider slowly creeping through your most vital information assets, attackers are targeting your systems with increasing viciousness and stealth. As defenders, it is essential we understand these hacking tools and techniques.

“As someone who works in information security but has never had to do a full incident report, SEC504 taught me all the proper processes and steps.”

-TODD CHORYAN, MOTOROLA SOLUTIONS

This course enables you to turn the tables on computer attackers by helping you understand their tactics and strategies in detail, giving you hands-on experience in finding vulnerabilities and discovering intrusions, and equipping you with a comprehensive incident handling plan. It addresses the latest cutting-edge, insidious attack vectors, the “oldie-but-goodie” attacks that are still prevalent, and everything in between. Instead of merely teaching a few hack attack tricks, this course provides a time-tested, step-by-step process for responding to computer incidents and a detailed description of how attackers undermine systems so you can prepare for, detect, and respond to those attacks. In addition, the course explores the legal issues associated with responding to computer attacks, including employee monitoring, working with law enforcement, and handling evidence. Finally, students will participate in a hands-on workshop that focuses on scanning, exploiting, and defending systems. This course will enable you to discover the holes in your system before the bad guys do!

The course is particularly well-suited to individuals who lead or are a part of an incident handling team. General security practitioners, system administrators, and security architects will benefit by understanding how to design, build, and operate their systems to prevent, detect, and respond to attacks.

WITH THIS COURSE www.sans.org/ondemandwww.sans.org/cyber-guardianwww.sans.edu www.sans.org/8140

Matt Edmondson, SANS Instructor
Matt performs technical duties for the U.S. government and is a Principal at Argelius Labs, where he performs security assessments and consulting work. Matt’s extensive experience with digital forensics includes conducting numerous examinations and testifying as an expert witness on multiple occasions. A recognized expert in his field with a knack for communicating complicated technical issues to non-technical personnel, Matt routinely provides cybersecurity instruction to individuals from the Department of Defense, Department of Justice, Department of Homeland Security, Department of Interior, as well as other agencies, and has spoken frequently at information security conferences and meetings. Matt is a member of the SANS Advisory Board and holds 11 GIAC certifications, including the GREM, GCFA, GPEN, GCIH, GWAPT, GMOB and GCIA. In addition, Matt holds the Offensive Security Certified Professional (OSCP) certification. @matt0177



Challenge yourself before the enemy does!

Now with new tournament challenges!

FEBRUARY 3 & 4, 6:30-9:30 PM

Register and be one of the first to win the new challenge coin.

DFIR NETWARS IS FREE OF CHARGE TO ALL STUDENTS AT SANS CTI SUMMIT & TRAINING 2018.

www.sans.org/CTI-Summit

The SANS DFIR NetWars Tournament is an incident simulator packed with brand-new forensic and incident response challenges for individual or team-based “firefights.” It is developed by incident responders and forensic analysts who use these skills daily to stop data breaches and solve complex crimes. The DFIR NetWars Tournament allows each player to progress through multiple skill levels of increasing difficulty, learning first-hand how to solve key challenges they might experience during a serious incident. The tournament enables players to learn and sharpen new skills prior to being involved in a real incident.

“ Hands-on challenges with evidence types you have never seen before can be challenging; but to be LETHAL, you must rise!” -Jonathan Mutz Molina Healthcare Inc


Registration Information

Pay Early and Save*

For the Summit only:
  Pay & enter code before 12-13-17: $200.00 discount
  Pay & enter code before 1-3-18: $100.00 discount

For a course only:
  Pay & enter code before 12-13-17: $400.00 discount
  Pay & enter code before 1-3-18: $200.00 discount

*Some restrictions apply. Early bird discounts do not apply to Hosted courses.

Use code EarlyBird18 when registering early

Save $400 when you register for the summit and a course!

Register online at www.sans.org/CTI-Summit
We recommend you register early to ensure you get your first choice of courses. Select your course and indicate whether you plan to test for GIAC certification. If the course is still open, the secure, online registration server will accept your registration. Sold-out courses will be removed from the online registration. Everyone with Internet access must complete the online registration form. We do not take registrations by phone.

Cancellation & Access Policy
If an attendee must cancel, a substitute may attend instead. Substitution requests can be made at any time prior to the event start date. Processing fees will apply. All substitution requests must be submitted by email to [email protected]. If an attendee must cancel and no substitute is available, a refund can be issued for any received payments by January 9, 2018. A credit memo can be requested up to the event start date. All cancellation requests must be submitted in writing by mail or fax and received by the stated deadlines. Payments will be refunded by the method that they were submitted. Processing fees will apply.

SANS Voucher Program
Expand your training budget! Extend your fiscal year. The SANS Voucher Program provides flexibility and may earn you bonus funds for training.

www.sans.org/vouchers

Hotel Information

Top 5 reasons to stay at the Hyatt Regency Bethesda

1. All SANS attendees receive complimentary high-speed Internet when booking in the SANS block.

2. No need to factor in daily cab fees and the time associated with travel to alternate hotels.

3. By staying at the Hyatt Regency Bethesda, you gain the opportunity to further network with your industry peers and remain in the center of the activity surrounding the training event.

4. SANS schedules morning and evening events at the Hyatt Regency Bethesda that you won’t want to miss!

5. Everything is in one convenient location!

Enjoy this completely renovated hotel located in the heart of downtown Bethesda, Maryland. The hotel is ideal for both business and leisure travelers to the Washington, DC area.

Special Hotel Rates Available
A special discounted rate of $182.00 S/D will be honored based on space availability.

Government per diem rooms are available at $182.00 S/D with proper ID. These rates include high-speed Internet in your room and are only available through January 9, 2018.

Hyatt Regency Bethesda
One Bethesda Metro Center, 7400 Wisconsin Ave | Bethesda, MD 20814
301-657-1234
www.sans.org/event/cyber-threat-intelligence-summit-2018/location



Newsletters

NewsBites: Twice-weekly, high-level executive summaries of the most important news relevant to cybersecurity professionals.

OUCH!: The world’s leading monthly free security awareness newsletter designed for the common computer user.

@RISK: The Consensus Security Alert: A reliable weekly summary of (1) newly discovered attack vectors, (2) vulnerabilities with active new exploits, (3) how recent attacks worked, and (4) other valuable data.

Webcasts

Ask the Experts Webcasts: SANS experts bring current and timely information on relevant topics in IT security.

Analyst Webcasts: A follow-on to the SANS Analyst Program, Analyst Webcasts provide key information from our whitepapers and surveys.

WhatWorks Webcasts: The SANS WhatWorks webcasts bring powerful customer experiences showing how end users resolved specific IT security issues.

Tool Talks

Tool Talks are designed to give you a solid understanding of a problem, and how a vendor’s commercial tool can be used to solve or mitigate that problem.

Other Free Resources (No portal account is necessary)
• InfoSec Reading Room
• Top 25 Software Errors
• 20 Critical Controls
• Security Policies
• Intrusion Detection FAQs
• Tip of the Day
• Security Posters
• Thought Leaders
• 20 Coolest Careers
• Security Glossary
• SCORE (Security Consensus Operational Readiness Evaluation)

5705 Salem Run Blvd. Suite 105 Fredericksburg, VA 22407

Save $400 when you pay for any 4-, 5-, or 6-day course and enter the code “EarlyBird18” by December 27th. www.sans.org/dallas

To be removed from future mailings, please contact [email protected] or (301) 654-SANS (7267). Please include name and complete address. NALT-BRO-Dallas-2018

As the leading provider of information defense, security, and intelligence training to military, government, and industry groups, the SANS Institute is proud to be a Corporate Member of the AFCEA community.

Create a SANS Account today to enjoy these free resources at www.sans.org/account