• Who we are
• Instructions on getting lab setup

• Intro to Adversarial Machine Learning
• Intro to Inference Style Attacks

• Hands on conducting inference attack on Image recognition models

• How and Why models are stolen
• Examples of this done in the wild

• Train and steal a model using open-source tooling

• Examples of data poisoning in the wild
• How ML models consume data and where opportunities exist to poison the data

• Train an image recognition model
• Create a dataset with a backdoor implanted into the images
• Retrain the model
• Test the data poison success

• How model files are saved/loaded
• How we can take advantage of this process from an attacker’s perspective

• Create new model files with arbitrary code injected into them
• Inject arbitrary code into existing model files

Nadhem AlFardan, PhD

In this session, we describe and showcase the concept of AI agents, starting with using AI for red teaming and demoing how to build an AI agent that can automate the process of vulnerability discovery, exploitation, and reporting. We then share our experience leading the development of an AISecOps analyst to help the security operations blue team detect and respond faster and better, giving access to critical information, data, and insights across their threat landscape. Information comes in different forms and from different places: alerts, tickets, vulnerabilities, policies, processes, etc. How do we collect and provide this data in a single GenAI pane to the blue team? We share hands-on cyber security operations AI use cases, the approach, the architecture, and lessons learned. We explore the growth that AISecOps is experiencing to become a composite of expertise, allowing it to extend to cover other AIOps areas such as NetOps and DataOps. Finally, we discuss how secure the AI pipeline was as we built and operated the platform. We will demo the AISecOps analyst and demonstrate it in operation.

The session will help attendees:
- Understand the structure of AI agents and agentic workflows
- Demonstrating AI for red teams and AI for security operation centers.
- Discussion on the architrave of an AI platform
- Showcasing critical functions delivered by an AI architecture: text-to-SQL and retrievals With examples
- Sharing the lessons learned across the different sections

Generative AI and Large Language Models (LLM) have become increasingly popular over the last couple of years. The attackers are using this technology to gain advantages, thus, so should the investigators. This session will examine innovative methods of utilizing LLMs, embedding models, and Machine Learning clustering algorithms in concert to help you efficiently analyze data sets using similarity. The techniques demonstrated in this session can provide handy tools to have for triaging certain types of data points such as command line executions. This method will first be demonstrated via Jupyter Notebook to show the fun technical details of how and why this method works, then, an open-source tool that can run against native Windows Event Logs will be utilized and demonstrated which automates this method allowing you to partake in the fun! You will not only learn about new innovative methods but also get free tools to walk always with.

Richard Macwan

Overview of this presentation coming soon.

Explore how data-driven cybersecurity engineers can harness AI and ML to decode data. Using ML methods and LLMs, this talk showcases practical techniques for anomaly detection and behavior classification, featuring open-source tool demos. Through in-depth demonstrations moving from raw data to actionable models, attendees will reimagine cybersecurity analysis.
Full outline:
The next generation of cybersecurity engineers will be data engineers specializing in cybersecurity, leveraging modern technology to interpret the vast amounts of data they collect. We are constantly inundated with information about GPT, ML, AI, and various other acronyms. The critical question is: how can cybersecurity engineers utilize these tools effectively for more efficient analysis? Using ML and AI from a cybersecurity researcher's perspective, we will discuss concrete examples that demonstrate how to uncover insights and make discoveries. A key highlight will be a discussion on benchmarks—evaluating the most promising language models for applications of ML in cybersecurity.
To set the stage, we will examine the types of data commonly encountered in a cybersecurity ecosystem. Through a combination of the traditional matrix data structure, pandas, paired with the capabilities of LLMs, we will explore methods for extracting key patterns and features. The end goal of this exploration is to classify behaviors as either malicious or benign.
Next, we will delve into the framework of Exploratory Data Analysis (EDA), that is employing statistical methods and visualizations to make sense of opaque datasets. We will demonstrate how AI can assist in “questioning” data, drawing actionable conclusions, and building anomaly detection models.
Finally, we will showcase how practitioners can use and tune language models to classify data as malicious or benign, offering insights into the effectiveness of different LLMs for tackling cybersecurity challenges. This presentation includes open-source demonstrations using Jupyter notebooks and public datasets featuring known network attacks, allowing participants to reproduce and adapt these demonstrations for their own projects.
The ultimate goal of this talk is to demonstrate how defenders can use data to uncover malicious activity using traditional ML techniques, such as EDA and classification, implemented with the help of various language models. By comparing language models’ effectiveness in traditional ML tasks for cybersecurity applications, we aim to inspire creativity and resourcefulness among cybersecurity engineers. Through this journey from raw data to actionable models, we will highlight the vast potential ML and AI offer to redefine the field of cybersecurity.
Demo repository (subject to changes): https://github.com/mundruid/cyberdata-mlai

See how Retrieval-Augmented Generation (RAG) transforms raw data into actionable intelligence for incident response. Drawing from extensive research, this session includes practical demonstrations on how generative AI empowers security teams, surfacing critical insights to accelerate threat detection beyond traditional methods

LLMs have revolutionized the way we do cybersecurity, but they also open new avenues for attackers. In this hands-on workshop, you will explore three core facets of LLMs in cybersecurity:

• LLMs for Security
• LLMs against Security
• Security for LLMs

First, we will learn how to leverage LLMs to accelerate detection, investigation, and reporting of threats. Next, you will discover how adversaries might weaponize these same capabilities to craft sophisticated phishing attacks or malicious scripts. Finally, you will delve into the best practices for securing LLM-based applications against threats such as prompt injection, data leakage, and model poisoning. Expect a highly interactive session with live exercises, real-world scenarios, and actionable insights that you can immediately apply to enhance your organization’s defensive posture.

This presentation will explore the strategy behind influence operations conducted by state-sponsored actors and how they leverage AI to weaponize their campaigns.

This talk will go over the tools and techniques used to build an AI assistant like the one developed for the new SEC535: Offensive AI - Attack Tools and Techniques course. Attendees will be able to take away how to leverage AI model tool calling to automate the running of tools like nmap and metasploit and how to keep the outputs of those tools in sync with an AI chat context. Attendees will also learn how to properly prompt the AI to use tools and associated commands correctly.

This presentation provides attendees with actionable insights and strategies to effectively secure their own AI systems against current and future threats in this rapidly evolving landscape.This presentation explores the distinct security risks introduced by the rapid expansion of AI-powered applications, particularly online chatbots. It goes beyond general AI security issues to address the growing threat of category drift, where applications are exploited by users for unintended and potentially harmful purposes.
The presentation examines practical strategies to mitigate a range of risks, including prompt injection, data poisoning, and application misuse. It investigates both proactive measures like robust input validation and output analysis, as well as reactive approaches for identifying and addressing malicious activity.
Attendees will leave this presentation with actionable insights and strategies to effectively secure their own AI systems against current and emerging threats in this rapidly changing environment.

Emphasizing the critical role of human intuition, ethical judgment, and interpersonal skills in an increasingly AI-driven world. This talk uncovers why, despite advancements in machine learning, the human touch remains indispensable for ethical and effective AI integration.

Kick off your evening with food, drinks, and networking at the SANS360 Reception! 

The 360 talks will run from 6:00 PM to 7:00 PM - 10 speakers x 360 seconds/each = 60 minutes of amazing AI content. Don’t miss this opportunity to connect, learn, and engage with AI and cybersecurity professionals in a high-energy setting.

SANS 360 Speakers:
6:00 - 6:06 | Chaitanya Rahalkar 
6:06 - 6:12 | Jason Ross
6:12 - 6:18 | Vaishali Vinay
6:18 - 6:24 | Carolyn Duby
6:24 - 6:30 | Joy Toney
6:30 - 6:36 | Bethany Abbate
6:36 - 6:42 | Casey Bleeker
6:42 - 6:48 | Foster Nethercott
6:48 - 6:54 | Jess Garcia
6:54 - 7:00 | Gaurav Mehta

Agentic AI systems, which combine generative AI capabilities with autonomous decision-making, interact dynamically with their environment. These advanced systems bring new opportunities but also pose significant security challenges. Unlike traditional software, agentic AI operates in dynamic environments where evolving goals, actions, and external inputs can create unique threats.
This session will focus on how to effectively threat model these systems, using architectural examples to illustrate their complexity and potential risks. Attendees will learn to identify critical security concerns, such as goal misalignment, unintended behaviors, and vulnerabilities in AI workflows. The session will also provide actionable strategies for integrating threat modeling into the design and deployment of agentic AI to ensure safety and reliability.

AI is actively enhancing and augmenting industries across the world. However, immense benefits also come with significant security risks if improperly managed. This talk examines key safeguards and security practices to mitigate threats, prevent misuse or attacks, and help your organization harness AI’s potential securely and effectively.

Companies must look to adopt a robust and flexible AI governance framework to systematically identify, assess, mitigate and monitor the safety and security risks for AI systems. An AI governance framework is typically made up of a variety of components including policies and procedures; administrative and technical controls and monitoring and oversight mechanisms. Due to the lack of an authoritative framework that companies can refer to or benchmark against, implementing a strong AI governance mechanism is always going to be a challenging endeavor, Drawing upon the requirements of existing AI standards and learnings from several audits of AI systems, this article outlines the five mandatory building blocks for operationalizing a strong and comprehensive AI governance framework:

1. Model inventory
2. AI risk and impact management program
3. Data management processes
4. Model verification and validation requirements

5. AI system observability requirements

Responsible AI refers to an ideal desired state of the AI ecosystem at an organization. It is critical to implement these building blocks to create a solid foundation to effectively plan, track, manage and monitor the development or deployment of AI and thereby, enhance stakeholder trust.

AI is the ultimate accelerant for application development—its power unmatched—but without balance and control, it can quickly ignite new risks, turning potential into destruction. Explore the tangible impact of AI-generated code in this session by playing with fire – Using GPT-driven prompts, we’ll build a fully functional application, and in real time, we’ll uncover how common security flaws like SQL injection, cross-site scripting, and weak authentication can manifest in AI-generated code.
Through hands-on exploration, we’ll walk through the potential impact of these vulnerabilities and how these risks could be avoided with secure coding practices, defined policies, developer guardrails, and thorough security audits and code reviews.
By the end of the session, you'll have a deep understanding of how to:
* Recognize and assess the risks AI introduces in your code.
* Implement secure coding practices and enforce security policies.
* Integrate security audits, code reviews, and testing into your development workflow to ensure AI-generated code is safe for production.
This session is vendor agnostic and designed to empower you to reap the benefits of AI without sacrificing security.

Forget theoretical frameworks of potential risks, we're going to talk about practical scenarios including several real-world examples of how hackers can and have attacked production AI systems at organizations. There are many checklists out there on AI threat vectors, but which ones should you prioritize defending against if your organization is utilizing AI, be it traditional machine learning or generative AI?

The talk would offer a fresh perspective on AI security, emphasizing that while securing the core AI models are often the focus, the surrounding infrastructure and cloud services are equally critical to securing AI applications, particularly with the rise of AI-as-a-Service.

• Highlights on the rapid growth of AI-as-a-service (AIaaS) & increasing dependency on cloud-based AI solutions
• Recent attack incidents targeting AI infrastructures and cloud services
  Common attack vectors in AI services and pipelines
• A real-world ML supply chain attack scenario showcasing how weaknesses in AWS SageMaker and Bedrock can compromise entire ML pipeline & AI application.

• Actionable strategies to monitor & secure AWS AI Pipelines

Keyloggers have long been a tool of choice for both penetration testers and cybercriminals. However, traditional options—like Meterpreter—are easily flagged by antivirus solutions, while writing a custom keylogger from scratch can be cumbersome and technically demanding. But with the rise of Generative AI, that challenge has all but disappeared.

In this hands-on workshop, we'll harness the power of AI to build a fully functional keylogger from the ground up—no prior expertise required. Taking an iterative approach, we'll start with a basic keylogger before progressively refining it with quality-of-life enhancements such as output cleanup, window monitoring, timestamps, and clipboard capture.In the second half, we'll push the boundaries further, integrating advanced capabilities like persistence, trojanization, and built-in safety mechanisms—including self-destruct features, file encryption, and blacklisting protections.Whether you're a red teamer looking to sharpen your offensive toolkit or a security professional seeking to better understand and mitigate modern threats, this workshop will equip you with the skills to build, analyze, and defend against next-generation keyloggers—all with the power of AI.

CRITICAL NOTE ABOUT THIS WORKSHOP: This is considered an advanced workshop that has a list of device requirements that must be met prior to attending the workshop.

The requirements are:

• Access to a Windows 10 or 11 device for testing.
• Virtual machines or other sandboxed environments are highly recommended.
• Your device must have an integrated development environment (IDE), such as Visual Studio Code, installed prior to the workshop.
• Python must be installed on the target device.
• Mobile devices such as phones and tablets will not be sufficient for this lab.

Legal Disclaimer

1. This workshop involves the development and execution of live malware, which has the potential to compromise system integrity.
2. Participants acknowledge that the use of spyware or similar tools on individuals or systems without explicit consent is both  unethical and illegal.
3. SANS and its affiliates  expressly disclaim any liability for the misuse of malware developed during this session.
4. Furthermore, no guarantees are made regarding the safety or stability of executing such software on any device. 
5. Participants assume full responsibility for any consequences arising from their use or deployment of the materials covered in this workshop.
6. This workshop is strictly for educational and research purposes.
7. By participating, attendees agree to abide by all applicable laws and ethical guidelines governing cybersecurity practices.

What are the real concerns for security professionals when it comes to AI? How can you avoid getting lost in theoretical risks and focus on practical solutions? And most importantly—where should you start?
In this session, Rob van der Veer will introduce an actionable AI security framework and a step-by-step approach developed by the OWASP AI Exchange. This framework has played a key role in shaping the upcoming global AI security standard (ISO/IEC 27090) and the official security standard for the EU AI Act. Both are still in development, so you’ll get an exclusive preview of cutting-edge work in AI security standardization.

Join this talk to gain clear, practical guidance on securing AI systems—without getting lost in the AI rabbit hole.

The increasing utilization of artificial intelligence systems brings a proportional rise in threats to these technologies. The presentation will cover protection methods for AI models and their deployments against adversarial attacks, data poisoning threats, and prompt injection methods. This presentation will show attendees how AI systems' vulnerabilities can lead to attacks that cause model integrity issues and system failures.

The session will cover several defense methods, including robust model training, input sanitization, and adversarial training alongside anomaly detection techniques. This discussion includes how model hardening and encryption protect AI systems. Participants will learn to deploy defensive techniques that will strengthen their AI system security while preventing unauthorized access and maintaining data integrity and model trustworthiness.

This presentation is ideal for AI developers, security professionals, and technology leaders focused on securing AI-driven systems. Whether you're building AI solutions from the ground up or integrating pre-built models into your organization, this session will provide valuable tools and strategies to safeguard against emerging attack vectors