Agenda | Anomali

Agenda

Sunday, September 29

3:00 - 6:00pm: Registration Open
6:00 - 8:00pm: Welcome Reception/Exhibits Open

Monday, September 30

8:00 - 8:50am: Breakfast
9:00 - 12:30pm: Keynotes
12:30 - 2:30pm: Lunch/Turbo Talks/Exhibits Open
2:40 - 5:30pm: Technical Breakout Sessions
6:00 - 8:00pm: Partner Reception/Exhibits Open

Tuesday, October 1

8:00 - 8:50am: Breakfast
9:10 - 12:00pm: Technical Breakout Sessions
12:00 - 2:00pm: Lunch/Turbo Talks/Exhibits Open
2:10 - 5:00pm: Technical Breakout Sessions
6:00 - 10:00pm: Conference Party

Wednesday, October 2

8:00 - 8:50am: Breakfast
9:00 - 12:00pm: Technical Breakout Sessions
12:00 - 1:00pm: Lunch/Exhibits Open

Session Schedule

Monday, September 30

8:30 – 9:30am

Let Us Take You Higher
Hugh Njemanze
CEO, Anomali

9:30 – 10:00am

Intel 471

10:00 – 11:00am

Admiral Michael S. Rogers
Former Director, National Security Agency & Former Commander, US Cyber Command

11:00 – 12:00pm

Ray Mabus
Secretary of the Navy under President Obama

2:40 – 3:30pm

OP/ISIS and the Modern Age of Cyber War

The fight against ISIS might have been decided in Syria, but in cyberspace it rages on. As ISIS fighters from around the world rallied around their infamous black banner, Anonymous hacktivists answered the call to counter ISIS online.

The talk will trace how ISIS used online networks to grow their influence, and how ISIS has taken measures to enforce strong cybersecurity measures among its members (e.g. a Russian-language ISIS cybersecurity manual shared on a dark web forum).

Discussing Anonymous and “OP” campaigns, the talk will focus on the DecryptISIS campaign by the hacking group “Ghost Squad Hackers”. GSH were able to infect ISIS members’ phones and computers with malware, and expose their IP addresses, physical addresses, names, and faces. The DecryptISIS operation provides a rare glimpse into threat actors’ TTPs, and can help cybersecurity professionals better understand Anonymous cyber threats, and how to defend against them.

Benjamin Preminger, Cyber Threat Intelligence Specialist – Sixgill


"Gophering": How to Catch the Gophers, Not the Bill Murray Way

Go is a programming language developed inside Google in 2007, and its adoption has grown each year. It was designed for the 21st century with a focus on simplicity and readability. Go also has a well-designed concurrency model and support for cross-compilation, both of which can be useful features for malware authors. Until recently, only a handful of new malware families written in Go were found in the wild each year. In the last couple of months there has been a noticeable uptick in its use among threat actors; even Advanced Persistent Threat (APT) actors are using the language. The purpose of this talk is to introduce the nuances of Go binaries and show how a statically compiled and stripped monolith with over 6000 subroutines can be reduced down to the code that actually matters.

Joakim Kennedy, Threat Intel Manager – Anomali


Gathering Tactical Intelligence From the DNS

In the 2019 Verizon DBIR, one attacker claimed that they were able to maintain persistence in a company’s network for 10 years. One way to break the cycle of persistence is to gain visibility and knowledge of the attacker’s infrastructure. In this presentation, “Gathering Tactical Intelligence From the DNS,” Farsight Security CTO Ben April will show how attackers use DNS resources like domain names and name servers to obfuscate their assets. Security professionals will learn how to use historical passive DNS to uncover published infrastructure and gain actionable insights into an attacker’s tactics, techniques and procedures.

Ben April, CTO – Farsight Security

3:40 – 4:30pm

Intelligence Powered Vulnerability Management

As more devices and more applications are added to our networks, it is becoming increasingly difficult for organizations to properly manage and prioritize the vulnerabilities on them. By incorporating threat intelligence into the vulnerability management process, vulnerability management owners finally have the tools necessary to convey to the business a patching prioritization schedule based on actual threats instead of an outdated CVSS score.

Greg Mathes, Cyber Security Analyst – Arvest Bank


Building a CTI Program: Tips, Tricks, and Lessons Learned

Cyber Threat Intelligence (CTI) is all the buzz for Security Operations programs; management wants it, but what does that mean? Given the unique environments involved, no two CTI programs are identical. Drawing on over 14 years of experience and five programs built, the talk will present lessons learned from real-world experience. Topics will touch on building your teams, defining your Priority Intelligence Requirements (PIRs), processes, reporting, identifying your stakeholders, proof-of-concepts for tools and feeds, and much more. The audience will walk away motivated, with a deeper understanding of how to build successful and scalable CTI programs.

Susan Peediyakkal, Cyber Threat Intelligence Consultant


Automating Open Source Intel (OSI)

Correlating numerous intel feeds can be a challenge for many organizations; while TIPs assist, there is still a requirement for additional contextual information.

To address this, the FirstEnergy SOC developed a semi-automated process to ingest customized OSI into our TIP, add contextual data, and then automatically share it with the community. This session demonstrates our approach to OSI ingestion for adding contextual information to the TIP. Because indicators are grouped by report, this enhances the capability to identify actionable threats. Also covered in this session is leveraging Social Media (SM) within the same automation approach. Reports can group indicators together by campaign, actor, and even other reports. This assists in evaluating a threat beyond a single indicator and provides the needed enriched contextual data. We have proven ROI in the form of increased accuracy and situational awareness, and support for timely decisions.

Chris Collins, Security Analyst – FirstEnergy
Scott Poley, TSOC Manager – FirstEnergy

4:40 – 5:30pm

I’m a SOC Analyst, Threat Intelligence is Just Used to Feed my SIEM, Right?

Threat Intelligence is so much more than observable consumption. There is a common viewpoint within traditional Security Operation Centres that Threat Intelligence is simply used to send indicators of compromise (IOCs) to other security devices within an organisation. Whilst this is obviously an important aspect of any successful defence-in-depth strategy, threat intelligence is so much stronger than that.

This presentation will cover three key areas:

  • The impact of Threat Intelligence to the SOC analyst’s daily routine
  • Reporting upstream to management and how a well-informed management team can drive timely responses to key issues
  • Information sharing: SOC analysts can have a huge impact on sharing communities as what they are observing on a daily basis may feed into what their peers are observing

This presentation is technology agnostic and will not be a deep dive into the technical world of a SOC analyst, therefore the presentation is suitable for both technical and non-technical audiences.

Mark Magill, Customer Success Manager – Anomali


Turning Intelligence Into Action with MITRE ATT&CK

Many of you have embraced the concept of a threat-informed defense but are still struggling to bridge the gap between intelligence and action. MITRE ATT&CK provides a structure for organizing adversary tactics, techniques, and procedures (TTPs) that allows intel analysts to organize adversary behaviors and communicate them in a way that is actionable by defenders. The presenters will explain how they recommend you use ATT&CK to improve the practice of threat intelligence based on experience gained mapping hundreds of public threat intelligence reports to ATT&CK. The presenters will then explore a number of the biases inherent in public threat intelligence and the process of mapping it to ATT&CK, how to avoid traps that you may encounter as a result, and ways that intelligence expressed with ATT&CK can be successfully applied to defend against your priority threats.

Katie Nickels, ATT&CK Threat Intelligence Lead – MITRE Corporation
Adam Pennington, Principal Cyber Security Engineer – MITRE Corporation


Fireside Chat with Reuters Cybersecurity Writer and Author of “Cult of the Dead Cow” Joe Menn

Joseph Menn is the author of the new bestseller “Cult of the Dead Cow: How the Original Hacking Supergroup Might Just Save the World,” which among other things revealed that presidential candidate Beto O’Rourke belonged to the oldest surviving group of US hackers. The New York Times Book Review said: “The tale of this small but influential group is a hugely important piece of the puzzle for anyone who wants to understand the forces shaping the internet age.” He is an investigative reporter specializing in technology issues for Reuters, having previously worked at the Financial Times and Los Angeles Times. Menn also wrote the 2010 bestseller “Fatal System Error: The Hunt for the New Crime Lords Who are Bringing Down the Internet,” a real-life thriller that brought the modern face of cybercrime to a mainstream audience. Fatal System Error revealed collaboration between major governments and organized crime and was placed on the official reading list of the US Strategic Command.

Tuesday, October 1

9:10 – 10:00am

Ransomware - From Humble Beginnings to Monster of Masses

Ransomware has steadily evolved since it was first reported in 1989, and over that time it has simultaneously become more accessible to threat actors of all levels of sophistication. Early ransomware families were simple; their primary functions included encrypting file names, hiding directories and using symmetric cryptography. Some families were distributed only by physical means, e.g. floppy disks, while others used early email platforms, and still others utilized multiple methods.

Fast forward to 2019 and some ransomware families have emerged as a tool for actors in targeted attacks. Threat actors have learned that some people caught in large-scale distribution methods may not be able to pay for the files back, but a large company specifically targeted for such payment may be more likely to pay for their valuable data back. This talk will touch on ransomware milestone points over the past 30 years and contributing factors that brought ransomware to where it is today.

Breandan McCavana, Cyber Security Specialist – Anomali


Class of ’18 APT Round-up

Discovering an advanced persistent threat on your network is the worst-case scenario for any government department or business. Shadowy espionage, tradecraft and difficult attribution, coupled with ever-changing tactics, can make these threats seem like an impenetrable wall of numbers and weird names. Join security analyst Rory for a high-level overview of the most pertinent APT groups, examining their behaviour, attribution and changing TTPs.

Rory Harrison Gould, Threat Intelligence Analyst – Anomali


Cyber Intelligence Starts Here

Participate in an informative presentation on building effective cyber intelligence programs. Learn the problems most companies face, some fundamentals of intelligence, the key aspects to focus on in building and maintaining an effective intelligence program, and samples of how mature intelligence programs are structured and function. Other topic highlights include: vendor and source selection, personnel challenges, budgeting and project planning to improve your intelligence posture.

AJ Nash, Director Cyber Intelligence Strategy - Anomali


One Stop Shopping – Evaluating and Integrating External Sources

We’ve all seen it: dozens of browser tabs open, each offering some insight into an observable you are investigating, Twitter feeds reporting the latest malware detections. Without a doubt, there is tremendous benefit in bringing more automation to your repeatable research processes. But not all external data sources are created equal.

As platforms become more open, integration options are seemingly endless. I’ll suggest a simple framework for evaluating the value of integrating with external enrichment sources, provide an introduction to SDKs, and walk through an in-depth technical example leveraging an enrichment SDK.

Joe Gehrke, Solutions Architect – Anomali


Better Together: TIP and SOAR, the New World of Threat Detection

We are moving to a world where technologies need to work with each other to maximize the effectiveness of SOCs' investment in their tools. TIP (Threat Intelligence Platform) and SOAR (Security Orchestration, Automation and Response) working together is inevitable. Now that people see the power of TIPs and SOARs, they are starting to appreciate the enhanced benefits of making them work together. This panel of customers and industry experts will share the potential of these technologies when used together.

Richard Rushing, CISO Motorola
Rich Schliep, CTO Colorado, Department of State
Cynthia Moore, Senior Director, BlackLine

Moderators:
Hugh Njemanze, CEO Anomali
Monica Jain, Co-Founder LogicHub

10:10 – 11:00am

DRAINING GAINS: Sapping Economic Incentives of Abuse with Threat Intelligence

Motivated by an infinite number of gains, but limited by their finite resources, attackers can only sustain their business operations when the cost of executing abuse is less than the value that can be extracted. Therefore, the impact of threat intelligence shouldn’t be measured by the number of attack instances it can stop, but rather by the degree to which it can undermine the economic viability of an attacker’s business. After all, the motivation of an attacker is diminished when they stand to gain very little from their nefarious investment. This session contextualizes threat intelligence in the greater abuse economy and provides strategic examples of how attritional techniques can protect a business’s competitive advantage, namely by sapping attackers’ operational resources to break their business models, which ultimately compels them to surrender. It also explores long-standing industry practice, which has primarily focused on restriction, and examines the attacker’s bottom line to explain why it should be top-of-mind for security operations personnel.

Kevin Gosschalk, CEO & Founder – Arkose Labs


Know Thine Enemy

Do we romanticise cyber threat actors? When a cyber incident strikes, we may love the idea that it is some APT (insert number here) or Fancy/Angry (insert animal here) or some other famous threat actor, perhaps with nation-state abilities. But we may also hate the idea that it might be: these are the most dangerous adversaries. In reality our enemies often aren’t even on our radar, because we turn a blind eye to the smaller signals our controls catch for us. Sometimes these are small pieces of a bigger puzzle we need to understand. Every detection by our security controls tells a story; this is why we profile.

Andrew de Lange, Senior Solutions Consultant – Anomali


How to Avoid Rolling a Critical Fail in Your Investigation

Security professionals don’t need to be told how fast-paced and critically important their jobs are. Amid the daily onslaught of alerts and tickets, blue teams rely on myriad tools and datasets to secure their network. One particularly effective tool, which oftentimes is overlooked, is to conduct adversary infrastructure investigations in an efficient and effective manner.

Join Senior Product Manager, Sourin Paul, to explore five fundamental tactics to conduct effective investigations through the lens of real-world examples. These five strategies include setting goals and objectives according to your role within a security organization, asking questions regarding the probability threats will affect your organization, knowing your own limitations, knowing when you’ve hit a dead end, and most importantly, knowing when to say no. By learning and applying these five tactics, security professionals can significantly reduce the risk to their organization while simultaneously speeding up their processes.

Sourin Paul, Senior Product Manager – DomainTools


Intelligence is Good - Structured Intelligence is Better

Cyber intelligence from the criminal underground has a key role to play in helping organisations mitigate risk. Structure is key as it allows organisations to link events and trends observed in the underground to what is going on inside the organisation. Without it, all too often intelligence just remains stories.

In this talk, we will discuss ways of structuring your cyber intelligence efforts and also present recent developments from the criminal underground where a structured approach yielded significant results.

Maurits Lucas, Director of Intelligence Solutions – Intel 471

11:10 – 12:00pm

Hiring your New Employee: Threat Intelligence

Throughout the last six years, threat intelligence has been the buzzword within the cybersecurity sector. Industry and companies have struggled to determine how to operationalize threat intelligence. The struggle is real, and usually results in companies utilizing threat intelligence reactively, as reference information only. This talk will discuss a different perspective: how to treat a threat intelligence program as a human resource. Attendees will learn how to hire threat intelligence as an active member of their team, what hiring a threat intelligence program means when using traditional human resource techniques, and what to do when that “employee” doesn’t work out.

Nicholas Hayden, Senior Director Threat Intelligence – Anomali


Automating the boring, Invigorate the Bored: Engineering and Staffing a Bleeding Edge Threat Response Program

Threat detection could certainly be viewed as a fool’s endeavor if viewed through a pessimistic lens. You can recognize a threat, make a compensating control to adjust for same, and expect to receive no fanfare, recognition, bonus, or reduction in cyber insurance premium costs. Perform this exercise several times an hour and the results are the same. Fail to respond to any of these threats, however, and we know the results. Possible compromise, angry customers and Directors, and regulatory and compliance audits. We’ve painted quite an attractive job description, haven’t we?

The challenge, then, is to make threat detection and response attractive to both employers and candidates alike. How do we do this?

  • Automate response to obvious threats
  • Encourage and reward our Threat hunters – A single Threat Analyst, when properly trained, can leverage automation to turn focus to the quieter, more targeted, and usually deadly attacks.

Andrew Pense, IT Security Analyst – Horizon BCBS of NJ


Assessing Threat Information and Sources

Working with a vast number of sources and feeds in a threat monitoring program can become very overwhelming and taxing at times. Anomali provides a great way to collect, store, and enrich information, but having an approach to score and/or identify what information you want to operationalize can help you prioritize specific feeds or identify gaps.

To address this, the FirstEnergy SOC has developed a method by which we can effectively compare and score sources through a combined quantitative and qualitative approach. We evaluate sources based on their timeliness, accuracy, relevancy, and predictiveness (TARP principles) to help frame the quality that we are getting from different sources. This has helped us make strategic decisions based on cost and sweat equity to maximize our return on investment.

Thomas Gorman, Big Data Security Analytics Developer – FirstEnergy
Scott Poley, TSOC Manager – FirstEnergy


ThreatBot: API Integration, Slack Bots, and Happiness

In this presentation I will cover a brief overview of CyBot framework, adapting API code for use with Slack, and sample use cases. Threat Intelligence Platforms are a great shared resource for operational teams, but sometimes attempting to collaborate in real-time in support of an investigation can be difficult. Sharing full URLs or copy/pasting data into a group chat is not always efficient, and not all involved parties may have login access.

Building on Cylance's "CyBot" framework, I have created a working prototype of Slack bot commands that take advantage of API integration. This allows a team to rapidly query and have the information shared and readily available to all interested parties.

For this presentation, I will give a brief overview of the CyBot framework, share the API code I've created, and walk through a few example use cases as a demonstration. Should be a great time!

Will Rodina, Threat Intelligence Analyst – Large Financial Institution

2:10 – 3:00pm

So You Have Threat Intelligence, Now What?

Maintaining a well-organized aggregation of CTI is a critical step to effective threat detection, but once you have that CTI, what do you do with it? Especially when it comes to threat hunting. As a satellite ISP providing Internet connections to high-level customers in remote locations, availability and confidentiality are critical service components we strive to protect. In order to do this we've broken away from the traditional analyst driven security mold to integrate engineers, data scientists, intelligence professionals and incident responders into our SOC. Together, we have developed methodologies we would like to share with the CTI community that allow us to hunt for threats in a real-time fashion combining behavioral analytics with network activity characterization. We hope to equip network security teams with intelligence driven knowledge they can use to improve their ability to hunt evil.

Jessica O’Bryan, Cyber Threat Intelligence & Threat Hunt Development Lead – Viasat


The Joule Thief: A Look Into the Activity of “the Cryptominer Champion” Rocke

In August 2018, Cisco Talos released a report on a new threat actor that they named “Rocke”. Even though their activity was exposed to the public, the actor has not stopped stealing enterprises’ CPU cycles for profit, wasting precious energy for the hardware owner. Instead, Rocke has constantly evolved its tools and techniques to expand its pool of potential targets. This talk will look into the actor’s activity and how it has changed from the first campaign reported by Cisco Talos to the most recent active campaign detected and reported by Anomali Threat Research. It will include an in-depth look at the malware, tools, techniques, and procedures used by the actor. At the end of this presentation, the audience will know how to protect their CPU cycles from being stolen by Rocke. Unfortunately, already stolen joules cannot be returned.

Joakim Kennedy, Threat Intel Manager – Anomali


Operationalising SOAR

Cybersecurity teams face an uphill battle when it comes to defending their organisations against skilled attackers. The waves of attacks are relentless and increasingly sophisticated. Security teams need to speed up when it comes to detection and response. During this presentation I will explain why adopting security orchestration, automation and response is a necessity for security teams, and how it can help organisations scale up their detection and response.

The presentation will cover ICON’s challenges and why we looked to SOAR to solve them. It will discuss deployment challenges, lessons learnt and what to be careful of when implementing SOAR.

Mick Ryan, Cybersecurity Operations Manager – ICON Plc


Prioritizing Threats: What Would Threat Researchers Do (WWTRD)

Thousands of daily headlines inundate all security and risk stakeholders. These do everything from focusing the spotlight onto some of the most raging security forest fires to promoting the latest and greatest cybersecurity technology innovations. Prioritizing resources to address the most serious threats is challenging. Fortunately, there are sources of information that can help you to make smarter decisions.

This panel features Anomali threat intelligence experts and researchers Joakim Kennedy, Roberto Sanchez, Paul Sheck and Marc Green. The group will discuss which of the most high-profile and under-the-radar threats they believe deserve attention and how to take effective actions towards defense and mitigation.

Various Speakers - PANEL

3:10 – 4:00pm

Looking for The Last Domain: A Practical Approach to Combating Modern Phishing

Phishing is still a critical threat. We will focus on the evolution of modern phishing tactics that are designed to defeat reputation systems, web-crawling detection, and advanced sandboxing. Today’s phishing has become an elaborate chain of events, and most detection/prevention is focused on the more dynamic beginning of this process—leading to ineffective protection. However, the attacker’s new methods have an Achilles heel—the last domain resolved. This last stop is where stolen credentials are sent to be harvested—hidden at the end of a long chain of links that give the attackers a modular infrastructure that evades detection. Find this piece of data, and you’ve found the static piece of the attacker’s infrastructure that is leveraged for weeks by multiple actors and campaigns—and where most security solutions don’t bother to look. We will discuss how to find and leverage this data in multiple insertion points.

Chris Montgomery, Solutions Architect – Proofpoint


Obfuscation: The Art of Hiding in Plain Sight

Obfuscation is defined as "to make something less clear and harder to understand, especially intentionally”. Malware authors often employ this methodology to make their malware and payloads more difficult to detect and analyze. This talk will drill down into the fundamentals of obfuscation and encryption, and get down and dirty with deobfuscating funny and some downright bizarre APT samples discovered by Anomali researchers. We will also look at a Necurs botnet email that attempted to target victims with an obfuscated script to drop GlobeImposter ransomware and the Trickbot trojan. Attendees will learn how to deobfuscate payloads in PowerShell, JavaScript, and VBScript using a multitude of open source tools, as well as tricks to identify files that are not what they first seem.

Ryan Robinson, Security Researcher – Anomali


Building a Threat Landscape for a Super App

Understanding the threat landscape as it affects an organisation, and utilising this information to improve its defences and help with proactive identification of potential incidents, is not an easy task. This task becomes even more complicated when an organisation’s core business is providing users with a super app and it operates in a region with different local security cultures.

In this talk, we will present how we identified the strategic and operational threats that are relevant to our organisation, categorised as IT, ride-hailing and wallet services, which operates in multiple countries in SE Asia. Based on our research and learnings, we will also provide an overview of high-level threats as they pertain to the different industry verticals and regions.

Swetha Balla, Lead - Continuous Monitoring & Threat Intelligence - GrabTaxi Holdings Pte Ltd


Halving our workload: Threat Intelligence meets Orchestration

Two years ago, inundated with phishing attacks, Icon PLC outlined a vision of a security operations team that would be threat intelligence-led, whilst heavily leveraging automation to action this intelligence on our security controls, in order to free up our analysts’ time to focus on analysis. This session is the technical counterpart to our executive presentation, and will focus on the technical detail of how we configured our phishing mailboxes, built automated processes around IOC orchestration, shared and interacted with our ISAC, and integrated our SOAR, AV, firewalls and mail gateways into a highly streamlined and efficient solution that helped win us SC Magazine’s “Best Security Team” award for 2019.

Francesco Chinnici, Cyber Security Analyst – ICON Plc

4:10 – 5:00pm

A Model Driven Approach of Contextualizing Threat Intelligence

A Model Driven approach to analyzing data provides more context about threats than reports and tags alone. More importantly, it turns data into Threat Intelligence. The context explains and illustrates the relationships between the adversary, infrastructure, capabilities and targeted victim. By using a model, one creates a baseline, and this model can then be used for data analytics. Data analytics are used to determine, for example, the probability of a new threat being associated with an ongoing threat or investigation.

In this seminar, Gino Rombley discusses how to leverage the Diamond Model in a Threat Intelligence Platform to contextualize threats. Contextualization uses the MITRE ATT&CK Framework to describe the Tactics, Techniques, and Procedures (TTPs) associated with a Threat Actor. The end result is a model, or multiple models, that can be used for data analytics. The data analytics provide answers to simple or complex questions drawn from competing hypotheses.

Gino Rombley, Solutions Architect – Anomali


The Evolution of SIEM

As today’s threats become more prolific and complex, legacy SIEM solutions struggle to successfully detect the threats facing an organization, such as compromised users and insider threats. In this session we talk about how these challenges, coupled with skills shortages, are forcing us to rethink how we use SIEM, and how rule-based detection no longer makes the grade. We will look at how Behavior Analytics allows us to establish what is normal and detect abnormal behavior in a more timely manner, and how integration with SOAR reduces detection and remediation times.

Stefan Tapp, Solutions Architect – Exabeam
John Kitchen, Solutions Architect – Anomali


Navigating the Shift from Opportunistic to Targeted Ransomware Attacks

Ransomware has been steadily shifting from opportunistic to targeted attacks since mid-2018. Unlike the notorious WannaCry and Gandcrab variants that have long embodied the “spray and pray” model of extorting many victims for relatively small sums, campaigns involving new variants such as LockerGoga and Ryuk indicate a transition toward highly selective targeting and larger ransom demands.

Christopher Elisan, Director of Intelligence - Flashpoint


Anomali Powered DNS Sinkhole

A DNS sinkhole is a valuable preventative and detective network security control, the effectiveness of which depends heavily on the accuracy of the threat intelligence data feeding the DNS Response Policy Zones (RPZ) and on the processes governing the sinkhole. Today’s adversaries frequently cycle through malicious and compromised domains, forcing defenders to be nimble. Poor threat intelligence, or an inability to react to the dynamic nature of ‘domain’ indicators, may result in a high false positive rate and potentially cause business disruption.

This presentation will offer a close look at how we at AbbVie integrated an open source DNS sinkhole with Active Directory DNS, the Anomali Platform and our SIEM to achieve a highly effective network security control. It will also highlight how we leverage various Anomali features to design flexible workflow processes to react quickly to false positives, throttle alerting and perform investigations.

Vijay Kora, Senior Security Engineer - AbbVie

Wednesday, October 2

9:10 – 10:00am

How do I build a CTI Theme in a Threat Intelligence Platform?

A Cyber Threat Intelligence (CTI) Team focuses on several themes based on the defined threat landscape of its organization. Themes could be, for example, Financial Crime, Brand Abuse or Data Breaches. To be effective, the team will need to select the right threat intelligence and enrichment sources to be consumed in the Threat Intelligence Platform (TIP). How do you build a theme in a TIP? To do this, the sources of the data need to be tagged using a defined taxonomy. Based on these tags, filters can be created to show new indicators as they are consumed in the TIP.

In this seminar, Gino Rombley discusses how to build a CTI Theme in a Threat Intelligence Platform.

Gino Rombley, Solutions Architect – Anomali


Level Up your SOC

A Security Operations Center (SOC) is an organized and highly skilled team whose mission is to continuously monitor and improve an organization’s cyber security posture while preventing, detecting, analyzing and responding to security incidents with the aid of technology and well-defined processes and procedures. The success of your SOC revolves around three primary components: people, process and technology. The focus of this presentation is to discuss these three areas and how each can help you level up your SOC.

John Kitchen, Solutions Architect – Anomali


Filling the Threat Intelligence Gap in your CyberSecurity Resilience Strategy

85% say threat intelligence is important for a strong security posture, but 41% say they have not made progress in the effectiveness of their threat intelligence data. This comes from a recent 2019 study carried out by the Ponemon Institute with over 1000 IT security practitioners in North America and the United Kingdom.

The difference is the Threat Intelligence Gap. This is an opportunity for adversaries to attack an organisation’s cyber defence blind spot. Reducing this gap shines a light on and exposes these covert external threats, squeezes out the adversaries and lessens their impact, which can be, and has proven to be, catastrophic.

This presentation will explore five takeaways:

  • Establish a Formal and Dedicated Team to Manage Threat Intelligence Activities
  • Allocate Adequate Budget to Threat Intelligence, Including Threat Hunting and Advanced Attacker Investigations
  • Participate in Threat Intelligence Sharing
  • Increase the Security Team’s Knowledge about Adversaries Including Their Motivations, Infrastructure and Methods
  • Improve Ability to Integrate Threat Intelligence with Your Tools

Parthi Sankar, Cyber Solutions Consultant – Anomali

10:10 – 11:00am

Domain names - how the wolves hide amongst the sheep

The web is an ever-evolving battlefield: control of information, financial scams and predation, and maintaining a critical image for election candidates are small glimpses of ongoing key activities. Using domain registration information (WHOIS) and passive DNS (pDNS), we investigate domains and behavior ranging from the campaigns around the “Wipro Hack” to the 2020 U.S. Presidential election, and show how potent “official-looking” domains can lead to compromise and to important perception issues.

  • Campaigns and domains used in the Wipro Hack
  • 2020 U.S. Presidential websites - real and not so real

Paul Sheck, Senior Threat Research Analyst – Anomali


Inadvertent Adversary: Unwitting Foes in the Workplace

In any organization, the weakest link is always human error. A threat actor does not need to expend effort on social engineering to gain secrets when employees give sensitive information out freely. This talk delves into common services and software through which users unwittingly leak company confidential information, potentially resulting in substantial damage. A case study will show Fortune Global 500 companies, government entities, and defense contractors leaking information and source code to the public without any authentication via project management resources and information collaboration workspaces. Employees are becoming more security aware because of training and phishing exercises; however, an abundance of legitimate emails and documents are inadvertently being uploaded to the public eye by security-conscious workers who believe they are performing their due diligence.

Ryan Robinson, Security Researcher – Anomali


Transforming Incident Response to Intelligent Response Using Intelligence-Driven Solutions

Cyber practitioners are faced with the urgent challenge of investigating intrusion attempts by synthesizing large volumes of data and disparate sources of information into a contextualized report with actionable insights. Moreover, different security incidents necessitate different analytic procedures to better understand the case; however, this can be a manually intensive process. In this session, we will provide tried-and-true analytic methods for obtaining actionable insights on cyber incidents while transforming these analytic methods into an automated, seamless workflow using Enrichment SDKs. By combining field-tested analytic tradecraft with technological solutions, security professionals will be able to build the context of cyber events and incidents while quickly visualizing them in a directed link analysis graph and/or a single pane of glass, allowing them to take appropriate actions to protect and defend their enterprises.

Yulong Gan, Senior Software Engineer
Roberto Sanchez, Director of Threat & Sharing Analysis

11:10 – 12:00pm

Malicious Reality: The Future of Threats in AR/VR

The internet is no longer just a screen in front of our faces; with the advent of the Internet of Things (IoT) it has spread into our everyday lives in thermostats and fridges. Now we also see the spread of AR/VR tools and applications that don’t just bring the internet into our lives but overlay an entirely new reality that can be harnessed and interacted with by a user. Like everything, though, the internet spreads the good AND the bad, from the original first virus (Elk Cloner) to modern threats like BitLocker or Stuxnet. AR/VR provides many new and unseen attack surfaces that hackers, terrorists and criminals will seek to take advantage of and abuse, and that customers and enterprises will need to defend and respond against in the future as more immersive and interactive experiences and products emerge. So are you prepared for the new Malicious Reality?

Timothy Duckett, Technical Account Manager – Anomali


Attribution is in the Object: Using RTF Data to Become the Phishing Guardian of Your Network Galaxy

“Nothing made by a human can avoid personal expression” (Hrant Papazian). Anomali Labs has conducted an in-depth study of RTF phishing attachments and identified four key ways to perform attribution of targeted exploits. By analyzing the metadata, obfuscation, shell code, and object dimensions of a phishing attachment, attribution can be developed. This presentation will rank RTF attribution methods and present a use case where a single RTF object dimension was used to track 5 Chinese APTs over the course of 2 years.

Audiences will learn that weaponization is a difficult kill-chain phase to gain visibility into. However, these methods, especially tracking object dimensions, can facilitate the tracking and attribution of RTF phishing weaponizers to major APT adversaries. This will empower Detect attendees to become the Phishing Guardians of their Network Galaxy.

Ghareeb Saad, Principal Security Researcher – Anomali


The Journey of the Modern Threat Analyst

This session will tell the tale of an ‘average’ investigation by a threat analyst before and after having a threat intelligence platform as a threat hunting tool.

Andras Borbely, Strategic Customer Success Manager – Anomali