- Dates:
- Pre-Summit Courses: October 10-12
- Summit: October 13-14
- Post-Summit Courses: October 15-20
- Summit Venue:
- Caesars Palace
3570 Las Vegas Blvd
Las Vegas, Nevada 89109
Phone: 877-427-7243
Website: www.caesarspalace.com
Reservations: https://www.harrahs.com/CheckGroupAvailability.do?propCode=CLV&groupCode=SCSNS8
Summit Overview
In the commercial sector, TJ Maxx, Hannaford, and TD Ameritrade are victims of large-scale data breaches and intrusions. From these attacks, personal or account information of more than 100 million individuals has been compromised. In the government sector, cyber attacks on government agencies and contractors, originating from China, have proved difficult to suppress. In both situations, incident response and mitigation, class action lawsuits, and fines place remediation costs in the billions of dollars.
For more than five years, threats originating at home and abroad, such as China and Russia, have proved challenging to contain. Utilizing advances in spear phishing, web application attacks, and persistent malware, these new sophisticated attackers advance rapidly through your network. Perimeter-based cyber-defenses, the information security Maginot Line, have provided a false sense of security; they only slow persistent attackers and do not stop them.
Incident response and forensic techniques have clearly evolved to help diminish the outcomes of these attacks. Join industry experts at the SANS Incident Response and Forensic Summit to discuss these advanced threats and learn about the latest strategies and effective techniques to keep you and your company a step ahead.
Speaker/Topic Overview
These industry leaders in the IR/Forensic field will discuss new forensic and IR tools, techniques, and methods to help investigate, contain, and mitigate large-scale intrusions against the enterprise. The speakers will frame their discussion in case studies of organizational successes and failures.
- Rob Lee (SANS Institute, Mandiant) — "The Forensic and IR Counterinsurgency Field Manual"
- Drew Fahey (Creator of HELIX, e-fense Inc.) — "Latest trends in IR/Forensic techniques to combat sophisticated threats"
- Bryan Sartin (Creator of the Verizon Data Breach Report, Verizon Cybertrust) — "Applying Security Intelligence to Drive Incident-Handling"
- Harlan Carvey (IBM ISS, Author of Windows Forensic Analysis) — "Secrets of Registry Analysis Revealed"
- Cory Altheide (Author of Unix and Linux Forensic Analysis) — Panelist
- Wendi Rafferty and Ken Bradley (Mandiant) — "Slaying the Red Dragon: Countering the China Cyber Threat"
- Ovie Carroll (DOJ and co-host Cyberspeak Podcast) — "Law Enforcement Trends and the Future of Computer Forensics and Incident Response"
- Aaron Walters (Volatile Systems) — "Upping the 'Anti': Using Memory Analysis to Fight Malware"
- Eoghan Casey (Author of Handbook of Computer Crime Investigation) — "Using the Home Advantage Combating Anti-Forensics and Linkage Blindness"
- Mike Poor and Tom Liston (Intelguardians) — Panelists
Summit Speakers and Panels
One of the highlights of the conference will be two panels featuring the world-class incident response teams from Mandiant, Intelguardians, Verizon Cybertrust, and IBM ISS.
These teams have been regularly called upon to fend off attacks on banks from Russia and attacks on government contractors from China, and have responded to some of the high-profile cases in the news, such as Hannaford, TD Ameritrade, and TJ Maxx.
IR/Forensic Team Panel Topic #1
- Cutting Edge Incident Response and Forensic Techniques
- How does a small IR/Forensic team investigate a massive data breach?
- How do response teams determine which sensitive data is compromised?
- What techniques work? What techniques do not?
IR/Forensic Team Panel Topic #2
- Incidents Gone Wrong!
- An IR responder's digression on incident response/forensic best practices and failures.
- What are organizations doing right and wrong?
- How do organizations identify machines that have malware installed on them?
- Team recommendations to help use the right investigative tools and techniques to investigate large scale incidents.
Government Panel
- Government, Department of Defense, Law Enforcement, and Defense Industrial Branch representatives
- How are government agencies and contractors responding to large scale intrusions successfully?
Volatile Data Examination Panel
- Hibernation files, memory images, and more.
- How do we analyze these new treasures?
- While useful, is strings the only tool we can use?
Why is the Incident Response and Forensics Solutions Summit important?
The SANS Incident Response and Forensics Solutions Summit brings together industry leaders to help enterprises get the most out of their forensic analysis and incident response programs. We'll discuss the latest processes and technologies for effective incident response and mitigation, forensic analysis, and recovery as a result of a data breach in any size organization. In a series of highly interactive sessions, expert forensic analysts and law enforcement personnel will share lessons learned from the trenches with the goal of helping others improve their response techniques and forensics analysis.
Detailed Q&A sessions will let attendees grill the experts to get deep into policy, process, and technical aspects of investigations. Several case studies will illustrate best practices as well as techniques to avoid. Vendor shoot-outs provide an opportunity to ask hard questions to determine which tools best meet business and technical requirements. Whether your organization performs forensic analysis in-house or relies on third-party analysis companies, this SANS Summit will help you maximize the value of your incident response and forensics budget.
What Will You Learn at the Forensics and Incident Response Summit?
- Methods for ensuring practical and accurate incident response and computer forensics for incidents.
- Real-world forensic techniques from industry-recognized experts to find evidence while minimizing the chance of disruption of compromised systems.
- Details about products and free tools that should be on your short list for use in effective computer forensics and incident response.
- Lessons learned from compromises, litigation, and incidents in large- and medium-scale environments.
- Practices of computer forensic pioneers that push the envelope in developing new tools and techniques for finding key evidence.
- Current trends in malicious attacks and how our forensic/response processes must adapt based on them.
Questions to Be Answered at the Summit
- How are the latest forensic techniques used to help combat threats in organizations today?
- Which products are the best in the incident response and computer forensic community?
- What are the lessons learned from organizations that were compromised or had data breaches?
- What are the best practices to utilize in performing incident response and computer forensics?
- When should an organization hire third party consultants to help out in an incident?
- How can an organization respond to hundreds of machines in a single incident effectively?
- How can I reduce the impact of a data breach investigation?
Who Should Attend?
- Anyone who would like to stay abreast of the latest threats and techniques for computer forensics and incident response by people actually doing it
- Any organization that is currently attempting to mitigate a large scale intrusion or data breach
- Incident response personnel who are looking for an integration of forensics and investigative methodologies
- Information Security consultants who would like to accelerate their forensic/IR career field
- Law Enforcement personnel who are looking at taking their technical skills to the next level
- Internal investigators who want to learn the latest evidence collection and analysis techniques
- Managers who learn by listening to a panel of experts discuss the recent developments in the incident response and computer forensic fields
- Incident responders who are faced with intrusions that might evade the traditional forensic tools
Pre and Post Summit Courses
Register for these in-depth SANS secure programming courses both preceding and following the Summit and really get the most out of your training budget.
Pre-Summit Courses
- SEC 551: First Responder
- This is an introductory course in incident handling and the basics of system forensics that is designed to help participants function as first responders.
Last chance to take this course as a one-day stand-alone course!
- SEC 427: Browser Forensics
- Be a part of this fast-paced, skill-sharpening short course and learn the latest and greatest techniques for conducting solid browser forensics on any system.
- SEC 526: Next Evolution in Digital Forensic
- This course focuses on innovative forensic techniques and methodologies so the seasoned practitioner can keep his skills sharp and up-to-date with the latest research areas in both live and static based disk forensics.
- SEC 537: Identifying and Removing Malware
- This course discusses the essential tools and techniques for examining a system, looking for malware using a variety of tools and techniques.
Last chance to take this course as a one-day stand-alone course!
Post-Summit Courses
- SEC 508: Computer Forensics, Investigation and Response
- Beginning with fundamental forensic concepts, such as the file system structures of Windows and Linux, the content and difficulty level of this course advance rapidly to include evidence acquisition, hash database comparisons, and full and partial file recovery and analysis. Learning more than just how to use a forensic tool, you will be able to demonstrate how the tool functions step by step. You will become skilled with diverse tools, such as the Sleuthkit, Foremost, and the HELIX Forensics Live CD. You will rapidly move on to advanced forensic and investigation analysis topics and techniques. This SANS hands-on technical course arms you with a deep understanding of the forensic methodology, tools, and techniques to successfully solve even the most difficult case.
- SEC 610: Reverse-Engineering Malware: Malware Analysis Tools and Techniques
- This recently-expanded four-day course discusses practical approaches to examining malware using a variety of system monitoring utilities, a disassembler, a debugger, and other tools useful for reverse-engineering malicious software. You don't have to be a full-time malware searcher to benefit from this course — as organizations increasingly rely on their staff to act as first responders during a security incident, malware analysis skills become increasingly important.
How Good Are SANS Summits?
Here's more from people who attended the last Summit:
Hearing from those who have actually gone through the process provides you with the information to plan, evaluate and deploy the proper solutions.
- Sven Doersam, Johns Hopkins Univ/Applied Physics Lab
The ability to network with peers who have implemented solutions and learn from them is worth the price of admission!
- Kevin Horton, Wells Fargo Bank
The vast amount of lessons learned and best practices are key to successful evaluations and implementations.
- Bob Dillenschneider, Florida Dept. of Health
Interesting with very practical info from people who have done it already.
- Jeff Hutchinson, American Electric Power