Ryan Chapman

Ryan is a Principal Threat Hunter who has worked in the Digital Forensics & Incident Response (DFIR) realm for 13 years. He is the author of SANS FOR528: Ransomware and Cyber Extortion and also teaches SANS FOR610: Reverse Engineering Malware.

Prior to working as a Threat Hunter, Ryan worked in Incident Response consulting for nearly 5 years. During his overall career, he has worked in Security Operations Center and Cyber Incident Response Team roles that handled incidents from inception through remediation. With Ryan, it's all about the blue team. Researching IOCs, hunting through log aggregation utilities, analyzing malware, and performing host and network forensics are all skills in his repertoire. 

More About Ryan

Profile

Prior to moving to security, Ryan worked as a technical trainer for six years. His stint as a full-time trainer prepared him for the rigors of life-long learning. He loves training and often assists with training development.  

Ryan’s current passion is researching ransomware in order to help as many people as possible learn to deter, detect, and respond to the threat. In preparing for development of FOR528, Ryan has drawn on his extensive expertise working ransomware incidents. The course features numerous labs, a full-day Capture the Flag exercise, and provides tools that can be used to share and collaborate on hunting queries between entities and disparate systems. 

"When it comes to ransomware, the primary blocker for students is realizing that early detection often requires hunting," Ryan explains. "Some DFIR students who take the FOR528 course may not have experience with hunting, so the concept is simply new to them. We are not just relying on alerting systems. Rather, we are relying on our ability to seek out and hunt the adversary within our networks." 

Outside of ransomware, one of Ryan's interests in the security realm is the exciting world of reverse engineering. "Malware has become pervasive," he says, "and I relish in the ability to dissect, understand, and protect against evolving threats." Ryan loves finding all the new tricks that malware authors use to circumvent security appliances.

Ryan's association with SANS began when he took a course in 2013, a path that eventually led to him becoming a course instructor and author. 

"These days it's difficult to have a conversation concerning DFIR without referencing SANS in some way, shape, or form," he says. "The power of SANS isn't just behind the courses, but rather behind the family as a whole. The course authors, instructors, and folks in all other departments have come together to create an ever-evolving beast of a training institute."

As a teacher Ryan wants his students to walk away with a full understanding of the content covered in class. "I don’t want to teach people how to push buttons to get bananas. I aim for every student to understand the ‘why’ behind the ‘how.’ For example, I want to ensure that students leave the class knowing why we look for VirtualAlloc and VirtualProtect calls in packed malware samples. I want my students to know WHY these are important function calls," he says. 

Ryan also wants students to recognize their potential for mastering the topics covered in class. "Be it ransomware or general malware analysis, I strive to instill confidence in my students. Sure, we learn the foundations and advanced topics. But these things are doable outside of the classroom, even at their daily jobs. My classes aren’t magical adventures that end when the class concludes. Rather, these are skills that can be translated to the daily lives of every student." 

When teaching, Ryan often stays after class to provide additional examples of the topics covered each day. He provides additional resources such as vetted and trusted YouTube videos and articles that cover the topics in slightly different ways. "I tell any student struggling with a given concept that it’s all about the practice and recognition of the activity involved. Thus, I provide plenty of examples to ensure that if they put in the time, the concept will solidify for them." 

Ryan also previously led a hacker and security conference in Arizona called CactusCon. Outside of work, he enjoys watching anime with his daughter, mountain biking, and collecting retro video games.

Qualifications Summary:

  • 13 years of experience in incident response, digital forensics investigations (host- and network-based forensics), and malware analysis 
  • Seasoned speaker at technical conferences including DefCon, BSides events, CactusCon, Splunk conferences, and more 
  • Former lead organizer for CactusCon, Arizona’s hacker/security conference 
  • Faculty member at the SANS Technology Institute
  • Author of several PluralSight.com training courses 

Ryan Chapman's Accomplishments:

  • Presented a workshop at DefCon 5 years running 
  • 1st Place in SOCX Professional SOC Team Work Championship 2021 (team) 
  • 1st Place in Network Forensics Puzzle Contest at DefCon 23 and DefCon 22 (team) 
  • Master's in Information Assurance from Regis University, an NSA-certified institution
  • GIAC Reverse Engineering Malware (GREM) 
  • GIAC Defending Advanced Threats (GDAT) 
  • GIAC Certified Incident Handler (GCIH) 
  • CompTIA Security+ and Linux+ 
  • Learn more about Ryan at his website: https://incidentresponse.training/