Threat Hunting Summit

Join this exclusive fireside chat with Google security engineer and VirusTotal threat intelligence strategist Vicente Diaz and learn about hunting for big-game adversaries at scale. In this interview with SecurityWeek editor-at-large Ryan Naraine, Diaz will discuss the art and science of threat intelligence, the nation-state malware threat landscape, the ransomware epidemic, the importance of data-sharing, and how companies can incorporate threat hunting into modern security programs.

Whether your organization’s biggest threat is from ransomware threat actors, APTs or other financially motivated actors, proactive threat hunting focused on TTPs used during all stages of the attack lifecycle is critical. First, we will discuss how to identify the techniques threat actors are using, focusing on those used during ransomware attacks. We will highlight the opportunities for threat hunters to detect these tools; from initial access, to persistence, to lateral movement, focusing on how to look for malicious behavior occurring before the deployment of the final payload. Finally, we will talk about how to use Recorded Future Intelligence to create threat hunting packages to look for these TTPs that can be refined and incorporated into your security workflow.

In a hybrid world, visibility itself has become essential as work occurs outside traditional corporate controls. With all of the competing requirements at both the executive and operational level, endpoint visibility provides defensible, forensically sound data that can be leveraged beyond traditional security tooling. In this talk, JJ Cummings will discuss the benefits of many different levels of endpoint visibility. You will walk away with a stronger foundation to start leveraging greater endpoint visibility immediately.

REvil has been one of the most notorious ransomware gangs in recent years. From celebrity law firms to the Colonial Pipeline, to Kaseya, REvil has wreaked ransomware havoc on both businesses and ordinary citizens.
One tactic commonly used by REvil is to use system backups to gain access to critical infrastructure and data. Coincidently this same tactic was recently used by the FBI to gain access and take REvil down. Much can be learned by understanding how REvil maliciously leveraged malware and backup systems to compromise critical systems to protect your organization from future attacks.

This session, Andrew Yeates, ReversingLabs Solutions Architect, will cover how organizations can take an intelligence driven approach to prevent future ransomware attacks like Sodinkinobi Revil Ransomware. Andrew will walk through how to analyze, protect and hunt for ransomware to prevent the next attack.

In this session you'll learn:
• How to detect similar ransomware in backup systems, S3 buckets and SMB shares
• How to analyze ransomware samples like Sodinkinobi to understand how it behaves
• How to put ransomware intelligence to work through YARA rules to detect future attacks
• How to go on the offensive and hunt for hidden ransomware through advanced search, retrohunt and automated notifications

This talk explores covers the basics of the threat hunting process from hypothesis creation over data collection, visualization and coming to conclusions and reporting. It explains where machine learning comes in to speed up the hunting process, where in the Pyramid of Pain this sits, what benefits proactive threat hunting delivers and how to turn a one-off threat hunt into an automated process. Suggestions for a generic threat hunting process will be provided - as well as results from real-life threat hunts (APT detections) using machine learning.

In this session, we’ll look at three practical challenges that seriously impede an organization’s security strategy. In the 2021 State of Threat Hunting and the Role of the Analyst survey, 66% of 1,778 respondents said they lacked visibility into their own network and 56% said they lacked visibility across their supply chains.

Lack of visibility, the existence of legitimate business processes that cannot be blocked, and the fact that large organizations are plagued with alerting noise present challenges that can only be overcome by looking at your enterprise and third-party ecosystem from the perspective of the cyber attacker.

Of note, highly regulated industries, such as the pharmaceuticals industry, have seen a facet of third-party risk that many don’t realize exists; threat actors targeting an organization’s regulators with ransomware and other attacks

During this presentation, David Monnier will illustrate the operational and financial outcomes associated with making external threat hunting a strategic priority. He will also walk through a Cobalt Strike C2 mapping exercise as an example of what elite teams at many organizations are doing today to put themselves in a position to do the following:
• Block phishing attacks
• Identify impending attacks against themselves and third parties
• Detect compromises within supply chain enterprises
• Improve alert validation and prioritization
• Optimize incident response from root cause analysis to remediation

Ransomware is more dangerous than ever before. Why? It’s partly because successful attacks don’t just affect the victim anymore. Take the Colonial Pipeline attack as an example. What if you could stay safer from ransomware, however it may attempt to get into your network? Join this event to learn how to stop ransomware infections with a first line and last line of defense approach from the cloud edge to the endpoint. Learn how this layered defense approach can help provide ultimate visibility with ultimate responsiveness against ransomware.

Ransomware is a major problem, and it’s not going away. To understand it, we must understand why threat actors turn to it—and how it can be stopped. The best way to do that is to chat with the masterminds behind these attacks.

In mid-August, we identified a new attack where a Nigerian threat actor offered a million dollars in bitcoin to anyone who was willing to turn on their employer and deploy DemonWare—a type of ransomware— on their servers. Since then, we’ve had multiple conversations with this person, learning who he is and why ransomware is his attack of choice.

In this session, Director of Threat Intelligence Crane Hassold will discuss the ransomware problem and why it has increased in the last few years, as well as how we used threat intelligence tactics to find him. You’ll also hear directly from the source himself, as our Nigerian threat actor discusses his life of cybercrime.