
FireEye Cyber Defense Summit 2016

November 28-30 2016

Washington Hilton, Washington, DC


FireEye Cyber Defense Summit 2016

Join FireEye at the Washington Hilton in Washington, DC for the cyber security event of the year! Buy 1 General Admission Summit Pass, Get 1 Free plus 10% off Post-Summit Training Courses!

Summit: Nov. 28-30 2016
Post-Summit Training: Dec. 01-02 2016

2 full days offering the most current and vital information on Cyber Security

4 Session Tracks

4 Tracks - 36 Sessions
Executive Track: What a C-level Executive Needs to Know
Tales from the Trenches Track
New for 2016! Solutions for Industries Track
Incident Response Track
1000+ Attendees
20+ Industries
30+ Countries Attending

4 Keynote Presentations

3 Networking Receptions

23+ Industry Presentations

2 Vertical Focused Events

20+ Technology Demos

5 Post-Summit Training Courses

Up To 32 CPE Credits

FireEye Cyber Defense Summit 2015 Highlights

In 2010, Mandiant launched the first MIRcon (Mandiant Incident Response Conference). This first MIRcon was a single-track, two-day event with 100 attendees. MIRcon continued to grow year after year, and after FireEye acquired Mandiant, MIRcon was renamed.

Agenda

Nov 28
2:00pm - 8:00pm

Registration and Information Desk Open

Terrace Foyer, Terrace Level

5:30pm - 8:30pm

Welcome Reception - Solutions Showcase/Technology Demos, Hors d'oeuvres and Cocktails

International Terrace, Terrace Level

Nov 29
7:00am - 7:00pm

Registration and Information Desk Open

Terrace Foyer, Terrace Level

7:00am - 9:00am

Breakfast

Columbia, Terrace Level

7:00am - 9:00am

Solutions Showcase/Technology Demos

International Terrace, Terrace Level

9:00am - 11:30am

Welcome and Keynotes -- Travis Reese, President, FireEye, Kevin Mandia, CEO, FireEye, Grady Summers, EVP and CTO, FireEye and Ben Saunders, World Record-Breaking Polar Explorer

International Ballroom, Concourse Level

11:30am - 1:00pm

Solutions Showcase/Technology Demos

International Terrace, Terrace Level

11:30am - 1:00pm

Lunch

Columbia, Terrace Level

11:30am - 1:00pm

International Lunch

Monroe, Concourse Level

11:30am - 1:00pm

Financial Analyst Lunch

Kalorama, Lobby Level

1:10pm - 2:00pm

Track Sessions

International Ballroom, Georgetown East/West, Jefferson East/West, Lincoln East/West -- Concourse Level

  • Incident Response Track -- Phishy Words: Internet-Scale Patterns of Word Affixes in Phishing Domains -- Tim Helming, Director, Product Management, Domain Tools
    • Among the most popular ways to generate phishing domains is to append certain words (e.g. “login,” “account,” “my-”, etc.) to the domain names of legitimate organizations, in order to make the victim believe they are visiting the legitimate site. We analyzed some 300 million domain names (the vast majority of the Internet) to detect “hotspots” of such activity, such as by geography, domain registrar, TLD, etc. We also analyzed which affixes represent the highest risk. Such patterns can be used to better understand attackers and, in some cases, to block new evil domains a priori.


  • Tales from the Trenches Track -- Using FireEye Intelligence for Effective Vulnerability Prioritization -- Michelangelo Sidagni, CTO, NopSec, Jerry Gagelman, Senior Data Scientist, NopSec
    • This talk will describe how FireEye’s intelligence can be used for vulnerability prioritization. NopSec used FireEye’s data to investigate attributes of vulnerabilities exploited in the wild, and created a machine learning model that predicts vulnerability exploitation with 93% accuracy. We use this model to re-prioritize vulnerabilities, and compare the results of our prioritization algorithm to a prioritization program that patches vulnerabilities with a CVSS score of 8 or higher. We will present this model and other interesting findings from our analysis of FireEye data in our annual State of Vulnerability report.


  • Solutions for Industries Track -- Industrial Cyber Security: What You Don't Know Can Hurt You (and Others): Tales from Real World ICS Incidents and Actionable Lessons Learned -- David Meltzer, Chief Research Officer, Belden/Tripwire, Ryan Brichant, Vice President and CTO, Global Critical Infrastructure, FireEye
    • Increasingly, external intruders with malicious intent are gaining access to the control level of industrial networks within critical infrastructure. Too often, these breaches occur quietly with no obvious indicators. In this presentation, cybersecurity and forensic experts share real world cases to illustrate what can be done to protect industrial control systems, endpoints, and networks. It will also explain what threat indicators to watch for, steps you can take and offer practical techniques for protecting the uptime, reliability, and safety of PLC, RTU, IED, and DCS equipment.


  • Executive Track -- Do You Know Who You're Dealing With? How Authentication Affects Prevention, Detection and Response -- Marshall Heilman, VP Service and Executive Director, IR and Red Team Operations, Mandiant Consulting, Craig Hoffman, Partner, Baker & Hostetler, LLP
    • Attackers often leverage “legitimate” credentials during an attack. Almost all breaches require the investigation of credential usage, and unless you’re prepared, it may be difficult to distinguish legitimate from unauthorized activity. Credential misuse has wreaked havoc at companies, causing issues ranging from the takeover of e-commerce accounts to the defeat of fraud analytics, to variations of the corporate wire transfer schemes, to initiating wire transfers from SWIFT or FedWire accounts. This session will review real-life examples of authentication failures and provide practical advice to detect and investigate credential misuse.

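The affix pattern described in the “Phishy Words” session above (a protected brand name wrapped in words such as “login”, “account” or “my-”) can be turned into a simple defensive classifier. The following is an added example written for this page; it is not code from Domain Tools or the talk. Brand names, the affix list, the allowlist of brand-owned hosts and the sample domains are all constructed assumptions, and the registrable-domain parsing is a deliberate simplification (it treats the last label as the TLD and does not consult a public suffix list).

```python
"""Heuristic finder for affix-style phishing domains (constructed example).

Flags domains whose registered label is a protected brand joined to a common
phishing affix, then aggregates the hits by affix and by TLD, the kind of
"hotspot" summary the session abstract describes.
"""
from collections import Counter
import re

# Constructed inputs: assumptions for this demo, not data from the talk.
BRANDS = {"examplebank", "acmemail", "widgetpay"}
AFFIXES = ("login", "account", "secure", "my", "verify", "update", "signin")
# Brand-owned hosts that legitimately combine brand and affix; never flag these.
ALLOWLIST = {"examplebank.com", "acmemail.com", "widgetpay.com",
             "login.examplebank.com"}


def registrable_part(fqdn):
    """Return (second-level label, tld) for a hostname.

    Simplification: the last label is taken as the TLD, so multi-part public
    suffixes such as co.uk are not handled; a real tool would use a PSL.
    """
    labels = fqdn.lower().strip(".").split(".")
    if len(labels) < 2:
        return None, None
    return labels[-2], labels[-1]


def classify(fqdn):
    """Return (brand, affix) when the registered label is a brand plus a known
    affix joined by '', '-' or '_', in prefix or suffix position; else None."""
    if fqdn.lower() in ALLOWLIST:
        return None
    sld, tld = registrable_part(fqdn)
    if sld is None:
        return None
    for brand in BRANDS:
        # Skip labels that are exactly the brand or do not contain it at all.
        if brand not in sld or sld == brand:
            continue
        for affix in AFFIXES:
            b, a = re.escape(brand), re.escape(affix)
            # prefix form: affix[-_]?brand ; suffix form: brand[-_]?affix
            if re.fullmatch(rf"{a}[-_]?{b}|{b}[-_]?{a}", sld):
                return brand, affix
    return None


def hotspots(domains):
    """Aggregate flagged domains by affix and by TLD.

    Returns (Counter by affix, Counter by TLD, list of (domain, brand, affix)).
    """
    by_affix, by_tld, flagged = Counter(), Counter(), []
    for d in domains:
        hit = classify(d)
        if hit:
            brand, affix = hit
            _, tld = registrable_part(d)
            by_affix[affix] += 1
            by_tld[tld] += 1
            flagged.append((d, brand, affix))
    return by_affix, by_tld, flagged


# Constructed sample feed, e.g. newly registered domains seen in a day.
SAMPLE_DOMAINS = [
    "examplebank.com",          # legitimate, allowlisted
    "login.examplebank.com",    # legitimate subdomain, allowlisted
    "login-examplebank.com",    # prefix affix
    "examplebank-login.net",    # suffix affix
    "my-widgetpay.info",        # prefix affix
    "acmemail-verify.com",      # suffix affix
    "examplebankaccount.xyz",   # suffix affix, no separator
    "news.example.org",         # unrelated: brand is not a substring
    "widgetpay.com",            # legitimate, allowlisted
]

if __name__ == "__main__":
    affixes, tlds, hits = hotspots(SAMPLE_DOMAINS)
    for d, brand, affix in hits:
        print(f"{d:28} brand={brand:12} affix={affix}")
    print("by affix:", dict(affixes))
    print("by tld:  ", dict(tlds))
```

Run against the constructed feed, the script flags five of the nine names and reports “login” as the most used affix and .com as the most used TLD, which is the shape of output a registrar- or TLD-level hotspot analysis would produce at scale. The allowlist matters: brand owners commonly run hosts such as login.brand.com themselves, so a substring heuristic without an exclusion list produces false positives on the defender's own infrastructure.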

2:10pm - 3:00pm

Track Sessions

International Ballroom, Georgetown East/West, Jefferson East/West, Lincoln East/West -- Concourse Level

  • Incident Response Track -- Practical Incident Response Training: The Offseason -- Evan Peña, Principal Consultant, Mandiant Consulting
    • This session provides an actual case study of how a red team for security operations enhanced the capabilities of a mature security team at a large venture capital firm. The talk includes scenarios that were used during each phase of the attack lifecycle, gaps that were identified, and how tactical remediation steps were taken to see immediate changes in prevention and detection technologies. It also includes examples of longer-term recommendations that were given to help detect activity performed during the assessment, as well as examples of immediate changes that were made and the results of testing just hours after the changes in technology.


  • Tales from the Trenches Track -- Seven Best Practices to Maximize Your FireEye Investment -- Anand Deveriya, DSE, FireEye
    • This presentation talks about Seven Best Practices for Configuring FireEye Devices. The discussion is focused on CMS, NX, EX, AX, FX, and HX appliances. Based on the DSE’s experience supporting enterprise customers, this talk covers how to configure FireEye appliances. The configuration customization is aimed at ensuring operational stability and security, resulting in maximum uptime. The customization also helps free up the Operations teams by automating some of the common admin tasks.


  • Solutions for Industries Track -- What's the DFIRence for ICS? -- Chris Sistrunk, Sr. Consultant, Industrial Control Systems, Mandiant Consulting, Josh Triplett, Sr. Reverse Engineer, FireEye
    • Digital Forensics and Incident Response (DFIR) for IT systems has been around quite a while, but what about Industrial Control Systems (ICS)? This session will explore the basics of DFIR for embedded devices used in critical infrastructure such as Programmable Logic Controllers (PLCs), Remote Terminal Units (RTUs), and controllers. If these are compromised or even have a misoperation, we will show what files, firmware, memory dumps, physical conditions, and other data can be analyzed in embedded systems to determine the root cause.


  • Executive Track -- Securing Your Cloud Deployments Through Continuous Visibility and Effective Control -- Alex J. Attumalil, Sr Mgr Global Cyber Security Operations, Under Armour
    • Cloud security has been a highly debated topic these days. The simple fear of losing control, lack of visibility and the concept of shared responsibility have forced many of us to reject the cloud. But executives in infrastructure and storage have heavily turned towards it for rapid deployment and to seamlessly provide capacity and capabilities. The cloud revolution is here and you should embrace it.


3:00pm - 3:30pm

Coffee Break

Concourse Foyer, Concourse Level

3:30pm - 4:20pm

Track Sessions

International Ballroom, Georgetown East/West, Jefferson East/West, Lincoln East/West -- Concourse Level

  • Incident Response Track -- Visa's Approach to an Intel-led Security Posture in the Fight Against Cybercrime -- Glen Jones, Head of Payment Cyber System Intelligence, Visa
    • Hackers and data thieves are becoming more skilled at monetizing stolen payment data in ways that can thwart traditional fraud detection methods. Many of them have learned how traditional fraud detection works and have adapted to make it harder for financial institutions to detect breaches of payment data. For Visa, this means compromise detection has had to change. This session will examine how Visa is now leveraging cyber intelligence, gained over years of exposure to cybercrime, to provide merchants with highly valuable intelligence that can be used to defend their networks from attacks.


  • Tales from the Trenches Track -- Keeping the Kids In and the Bad Guys Out -- Robert Losinski, Sr. InfoSecurity Administrator, Denver Public Schools
    • Since implementing FireEye, DPS has had success preventing many threats including Dridex, malicious advertisements dropping exploit kits, and ransomware. FireEye NX is also catching students attempting to get hacker tools off the Internet. DPS has made using FireEye HX Advanced and Redline triages a part of our incident handling process and seen good results in identifying the threats and entry vectors. The presentation will show sanitized examples of some of DPS’ encountered threats and our experiences handling the remediation of the users and devices.


  • Solutions for Industries Track -- Best Defense Should Decrease Attack Surface in Innovative Ways -- Joe White, Information Security Officer, Stanford University, Frank Weigel, Director of IT, Credit Karma
    • Defense is hard. We present innovative ways to reduce attack surface within any organization. Although these techniques were developed within a fast-paced startup environment, they are applicable to organizations of any size. Examples of techniques to reduce attack surface include: a network architecture that enforces ‘VPN everywhere’ with TFA for accessing all company resources, a zero trust model for the internal network that treats it like a public Wi-Fi hotspot, and abstracting the complexity of enterprise security from the user experience. The effectiveness of the techniques to be discussed has been validated by external 3rd party assessments.


  • Executive Track -- Application of Counterinsurgency Principles to the Kinetic Cyber Battlefield: the Warrior Mindset -- Chuck McGregor, VP, Cyber Security Director, Parsons and US Marine Corps Special Operations Command, Reserve Chief of Staff
    • Study and application of key counterinsurgency principles play a critical role in military planning and execution of tactical operations. An analysis of these principles shows they also have direct application in today’s cyber fight. This session will highlight the top principles that should be the foundation of every cyber battlespace owner’s campaign plan and will encourage the audience to re-evaluate how their organization or team fights today. In each principle illustration, examples of those concepts will be correlated to critical cyber planning activities and to select modern global counter-terrorism fights.


4:30pm - 5:20pm

Track Sessions

International Ballroom, Georgetown East/West, Jefferson East/West, Lincoln East/West -- Concourse Level

  • Incident Response Track -- Lessons Learned from Responding to Disruptive Breaches -- Charles Carmakal, Vice President, Mandiant Consulting, Robert Wallace, Director, Security Consulting Services, Mandiant Consulting
    • This session will provide insight into the highly disruptive breaches that the team has investigated over the past few years. It will also describe how threat actors have destroyed system infrastructure and taken companies offline for days and weeks, provide suggestions for when and how to engage threat actors and dealing with extortion; and give tips for recognizing the fakers. We will also profile a few disruptive threat actors—who they are and what motivates them. Lastly, we’ll discuss lessons learned when responding to disruptive breaches, with key case studies and war stories throughout.


  • Tales from the Trenches Track -- Panel: Cybersecurity Automation and Orchestration: The Best Response to the Most Difficult Threats -- Paul A. Ferrillo, Weil, Gotshal & Manges, Paul Nguyen, VP, Orchestration & Integration, FireEye, Grady Summers, SVP & CTO, FireEye
    • 6.4 billion endpoints today. Maybe 50 billion by 2020. The Ransomware Plague. Blended DDoS attacks. And the continuing element of international cybercrime and cyber terrorism. These problems cannot be cumulatively handled through “business as usual” approaches. Traditional software, hardware and SIEM approaches do not give today’s organizations the visibility they need to handle the hundreds of thousands of alerts a day they traditionally face. This panel session discusses how today’s threats require cybersecurity automation and orchestration—a coordinated method of attacking the attackers through network speed responsiveness to cyber attacks.


  • Solutions for Industries Track -- What REALLY Matters for HIPAA Compliance? A Top 10 List for HIPAA Readiness -- Nathan Kottkamp, Partner, McGuireWoods
    • In the post-Omnibus Final Rule age, HIPAA is heating up with substantially increased enforcement activity and the start of the Round 2 Audits. What are covered entities and business associates to do?  This presentation will focus on an actionable list of top 10 items that all entities should do to achieve meaningful, yet practical (and efficient), HIPAA compliance. Among other things, this presentation will discuss the key items that should be included in every HIPAA tool kit, tips for ensuring an educated work force, and practical advice for negotiating (and monitoring) business associate agreements.


  • Executive Track -- The FBI (Cyber) Files -- Matthew Braverman, Washington Field Office, Supervisory Special Agent, FBI
    • The FBI is the lead U.S. agency for conducting domestic investigations into national security computer intrusions. This presentation will review several specific (anonymized) examples from FBI investigations where nation state actors have successfully hacked into companies or organizations and exfiltrated sensitive material or intellectual property. It will also discuss several best practices that companies can implement to help decrease the impact of this type of intrusion; and what a company can expect when the FBI notifies them of an active computer intrusion at their organization and how they integrate with their incident response process.


5:30pm - 8:30pm

Global Cuisine and Cocktail Reception, Solutions Showcase/Technology Demos

International Terrace, Terrace Level

Nov 30
6:30am - 4:30pm

Registration and Information Desk

Terrace Foyer, Terrace Level

7:00am - 9:00am

Breakfast

Columbia, Terrace Level

7:00am - 9:00am

Government Breakfast -- Guest Speaker: Brigadier General (retired) Gregory J. Touhill, U.S. Federal Chief Information Security Officer (CISO) in the Executive Office of the President (EOP)

Monroe, Concourse Level

7:00am - 9:00am

Solutions Showcase/Technology Demos

International Terrace, Terrace Level

9:00am - 10:00am

Keynote - John P. Carlin, Former Assistant Attorney General for National Security United States Department of Justice

International Ballroom, Concourse Level

10:00am - 11:00am

Panel Discussion -- FireEye’s Approach to Innovation: Exploring and Inventing at the Speed of Attackers -- Grady Summers, Lee Foster, Christopher Glyer, John Laliberte, Chris Sanders, Matt Allen

International Ballroom, Concourse Level

11:00am - 11:20am

Coffee Break

Concourse Foyer, Concourse Level

11:20am - 12:10pm

Track Sessions

International Ballroom, Georgetown East/West, Jefferson East/West, Lincoln East/West -- Concourse Level

  • Incident Response Track -- Who's Bad? Moonwalking Through Disk Execution Artifacts -- David Cowen, Partner, G-C Partners
    • Analysts have been flooded with data from the artifacts we find in DFIR. We have more data points than ever to consider when trying to determine whether something is malicious or suspicious; in this talk we will present a solution instead of a problem. The methods shown in this presentation are not new, but in prior works they had to be done manually, using multiple steps to validate and correlate multiple artifacts. Utilizing Elastic Handler and a Python script, we can automate those correlation points to quickly bring out the executables that either have DLLs in suspicious directories, no longer exist on disk, reuse existing MFT entries, are in the wrong path, and more.


  • Tales from the Trenches Track -- City of New Orleans: Back from the Brink, Stronger (and More Secure) than Ever -- Freud Alexandre, Office of Information Technology & Innovation Enterprise Architect & Security Manager, City of New Orleans
    • Hurricane Katrina left an indelible mark on New Orleans; but it also presented the opportunity to create a brand new chapter in the City’s storied history. Post-Katrina, rumors of civil unrest were rampant, making implementation of a secure infrastructure a City-wide imperative. This presentation covers how FireEye solutions have been deployed to create an enhanced security posture, with multi-vector threat protection, to secure the diverse and widespread City infrastructure. Hear what was done and how security is contributing to the City’s resurgence as one of the world’s top tourist destinations.


  • Solutions for Industries Track -- Even Local Government Can Do Security Right; Let's Change the Stereotype -- Ricardo Lafosse, Chief Information Security Officer, Cook County Government
    • This session will provide an overview of building an effective cyber security tools portfolio and the necessary processes to achieve success. There is a dichotomy faced by every state and local government entity: everyone expects instant answers to questions, pervasive access to information, and total transparency—but this needs to be balanced with the need to continually ensure pervasive data security. This session provides an overview of how Cook County has built an effective multi-vendor cyber security tools portfolio to address critical detection, prevention, and response requirements—and the processes necessary to achieve success.


  • Executive Track -- The Myth of Phishing Awareness -- Aaron Higbee, Co-Founder and Chief Technology Officer, PhishMe
    • People click phishing emails because they are unaware of the threat. So the answer is to make them aware, right? WRONG. Reflecting on over 8 years of data gathered since launching PhishMe, this session will examine the data points that reshaped the speaker’s approach to the ‘phishing problem’. He will present data and discuss the following:

      1. Phishing ‘awareness’ is not the problem
      2. The Security Awareness people in your organization probably shouldn’t be in charge of your phishing simulations
      3. Most teams are tracking the wrong phishing metrics
      4. The human element is the best source for real-time attack data


12:10pm - 1:30pm

Solutions Showcase/Technology Demos

International Terrace, Terrace Level

12:10pm - 1:30pm

Lunch

Columbia, Terrace Level

1:30pm - 2:20pm

Track Sessions

International Ballroom, Georgetown East/West, Jefferson East/West, Lincoln East/West -- Concourse Level

  • Incident Response Track -- Boot What? Why Tech Invented by IBM is Still Relevant in 2016 -- Christopher Glyer, Technical Director, Mandiant Consulting
    • Starting in Windows 8, Microsoft introduced UEFI and Secure Boot to help ensure that the computer boots using only software that is trusted by the manufacturer. If malware can load into memory prior to the execution of the operating system, it can bypass a number of the security controls of the operating system. The vast majority of enterprise PCs and servers still run pre-Windows 8 operating systems. These older operating systems leverage legacy technologies (MBR and VBR) to load the operating system—each of which can be easily modified to load malicious code. While there has been a significant amount of prior work discussing MBR or VBR bootkits, we are still finding new attack methods and discovering new ways to detect MBR and VBR modifications.  What techniques can SOC analysts and incident responders use to investigate intrusions that leverage bootkits—both on individual systems and at scale?  Are there additional techniques for offensive teams to implement that have yet to be disclosed?


  • Tales from the Trenches Track -- Ransomware: Buy One, Get One Free -- Jack Weiner, Network Engineer, IS Infrastructure, Rush-Copley Medical Center
    • The proliferation of online stores selling malware – some even offering 24-hour support – has led to a surge in ransomware attacks. This commoditization gives attackers a low cost of entry and data shows a commensurate increase in attacks on small- and mid-size organizations; due in part to the perception of being softer targets than larger, better funded enterprises. The presentation will discuss Rush Copley’s first-hand experiences with ransomware and why traditional defenses are no longer effective. Focus will be placed on what it takes to stay ahead of today’s sophisticated attacks, wrapping up with lessons learned and a call to action.


  • Solutions for Industries Track -- Alternatives to Late-Stage Intrusion Detection in Medicine -- Mark Baenziger, Threat Assessment Manager, FireEye
    • This presentation explores how intrusion detection and response will have to change in the brave new world of connected medical devices.  Most major intrusion and detection methodologies accept the reality that occasionally adversaries will penetrate a network and achieve some or part of their intended actions. The reality that modern medical devices will now be connected to the Internet, and that there is a potential for “actions on target” to be lethal, changes the acceptability of these models.  This presentation will explore various mechanisms to shift left on the kill chain and change how we conduct incident detection and response.


  • Executive Track -- Cyber Governance Gaps in Product Companies and How to Close Them -- Brad Lunn, Corporate Executive at a leading A&D firm and Corporate Director, ESET Foundation
    • This presentation will focus on the need for corporate directors and senior executives to use an upgraded oversight model for cyber security starting in the boardroom, and introduce them to a simple but effective way to improve their cyber oversight effectiveness. It will challenge some basic assumptions of how to oversee cyber security and the special problems for product-based companies. Examples for corporate directors and executives to make immediate and powerful impact on cyber security oversight will be provided.


2:30pm - 3:20pm

Track Sessions

International Ballroom, Georgetown East/West, Jefferson East/West, Lincoln East/West -- Concourse Level

  • Incident Response Track -- Fortifying the Interior with Behavior/Analytics: 5 Real World Case Studies -- Stephen Jou, CTO, Interset
    • These are certain types of attacks that behavior analytics, when properly combined with machine learning and mathematical modeling, can identify—in most cases, before the harm is done. In this session, attendees will learn detailed explanations of the types of attacks behavior analytics uncovers, as well as the feature engineering, mathematical models, visualizations, development techniques and open source tools that are being used in these real world implementations.


  • Tales from the Trenches Track
    • Two Security Leaders. Many Happy Customers. Listen to Real-World Use Cases -- Amy DeSalvatore, Senior Director, Strategic Alliance, ForeScout, Ellen Sundra, Director, System Engineering, ForeScout
      • More than 2,000 organizations worldwide across a variety of industries trust ForeScout Technologies to secure more than 22 million devices. Don’t just take our word for it, learn what your peers are saying about their experiences with our integrated FireEye solution.

    • Security - Where Do You Begin? Start with the Right Partner -- Don Ikhtiari, HPE Global Security Services
      • At HPE we believe security must be an enabler not an inhibitor, ready to handle whatever comes your way. Our approach is to align security and protection to your business objectives, risk profile, and meet legal and regulatory needs. We will share real world customer problems to demonstrate how HPE and FireEye solved their security business challenges.


  • Solutions for Industries Track -- COPEing with Your Cyber Exposure -- Russ Cohen, Chubb, Director of Cyber/Privacy Services, North American Financial Lines, Ron Bushar, Global Managing Director Security Program Services, FireEye
    • The ability to present your company’s risk profile to the insurance market to secure sufficient and fairly priced insurance is a well-established process. But in a continually shifting cyber threat landscape, how are prospective cyber insurance policyholders and their underwriters able to insure cyber risk in a meaningful fashion? This panel discussion will talk about the challenges and complexities associated with implementing a risk transfer strategy that complements your company’s security posture. We will also discuss disruptors that are sitting on the horizon that will change the way that cyber risk will be underwritten in the future. This session will focus on Chubb’s new CyberCOPE modeling for cyber insurance and Mandiant’s new CIRA assessment.


  • Executive Track -- Hacking the Pentagon: Taking Incident Response from an Attacker Point of View -- Blake Turrentine, CEO, HotWAN
    • The Department of Defense’s “Hack the Pentagon” initiative was the first cyber bug bounty program in the history of the federal government. It began in April 2016, when invited hackers from the United States only were allowed to target its networks as well as the public-facing websites registered under DoD. This session will reveal what the speaker is allowed to share from “Hack the Pentagon”. He will go through his initial fears, approach, and methodology in hacking the Pentagon as well as noting evasion techniques to the path of exploitation.


3:20pm - 3:40pm

Coffee Break

Concourse Foyer, Concourse Level

3:40pm - 4:30pm

Track Sessions

International Ballroom, Georgetown East/West, Jefferson East/West, Lincoln East/West -- Concourse Level

  • Incident Response Track -- PS I Love You: Detection, Evasion & the State of PowerShell Security -- Matthew Dunwoody, Senior Consultant, Mandiant Consulting, Daniel Bohannon, Consultant, Mandiant Consulting
    • PowerShell is a favorite tool for attackers and red-teamers alike, and every organization needs a plan to manage the risk of PowerShell-based attacks. However, our assumptions about PowerShell security are continually challenged by new attacks, bypasses, security features, best practices, etc. The rapid pace of research in PowerShell security, both offensive and defensive, has made it very difficult to keep up with the latest developments. This talk is your chance to catch up with the current state of PowerShell security, including detection, environment hardening, commodity and targeted attacks, code obfuscation, security bypasses and more.


  • Tales from the Trenches Track -- Intersection of Forensics and Legal Risk: Conducting a Forensic Investigation with Attorneys: Lessons Learned -- Christopher Cwalina, Partner, Holland & Knight, Gerasimos Stellatos, Director, Mandiant Consulting
    • Legal issues intersect with forensics investigations at every stage of the process. Ultimately, lawyers rely upon forensic firms’ expertise to determine legal risk and obligations. This discussion will focus on these legal issues and how incident responders and legal personnel can work together to the mutual benefit of the client.


  • Solutions for Industries Track -- Continuous Monitoring in Healthcare -- Sanjeev Sah, CSO & Director of IS Risk and Controls, Texas Children's Hospital
    • Texas Children’s Hospital is in the process of building a world class cyber program and fundamentally believes that full executive support and a continuous monitoring strategy are the only way to successfully build a world class digital/cyber program and facilitate adequate visibility into their environment to ensure the delivery of secure patient care.


  • Executive Track -- Panel: The Art and Science of Underwriting Cyber Risk -- Karen Kukoda, Cyber Risk Alliance Director, FireEye, Ron Bushar, Global Managing Director Security Program Services, FireEye, CJ Prusinsky, Underwriter, Beazley, Ben Beeson, Cyber Risk Practice Leader, Lockton Companies
    • The ability to present your company’s risk profile to the insurance market to secure sufficient and fairly priced insurance is a well-established process. But in a continually shifting cyber threat landscape, how are prospective cyber insurance policyholders and their underwriters able to insure cyber risk in a meaningful fashion? This panel discussion will talk about the challenges and complexities associated with implementing a risk transfer strategy that complements your company’s security posture. We will also discuss disruptors that are sitting on the horizon that will change the way that cyber risk will be underwritten in the future.


4:40pm - 5:30pm

Track Sessions

International Ballroom, Georgetown East/West, Jefferson East/West, Lincoln East/West -- Concourse Level

  • Incident Response Track -- The Magnificent FIN7 -- John Miller, Manager for Cyber Crime Intelligence, FireEye iSIGHT Intelligence, Devon Kerr, Manager for Incident Response, Mandiant Consulting
    • FIN7 is a sophisticated intrusion operation that has compromised multiple organizations to steal payment card data. It compromises victims via spear-phishing with malicious documents as well as exploiting trusted third parties, moves laterally using tools including Carbanak, and deploys multiple POS malware types. The group is also notable because its ties to Carbanak may mean that it is responsible for other known activity using this malware, such as ATM network compromises. The FIN7 operators are likely to continue both compromising POS environments and adapting to other opportunities for damaging intrusions.


  • Executive Track -- Using Geopolitical Analysis to Predict Cyber Attacks -- Christopher Porter, Manager, FireEye Horizons, FireEye iSIGHT Intelligence
    • Full spectrum cyber threat intelligence includes not only insight into adversary tools, tactics, and procedures but also an understanding of motivations behind likely future attacks. In this session, attendees will learn the value of intelligence-led cybersecurity by studying a series of success stories in the past year where geopolitical intelligence analysis and a deep understanding of adversary plans and intentions led to early warning of cyber operations sponsored by the Russian and North Korean Governments.


5:30pm - 7:30pm

Thank You Reception

International Terrace, Terrace Level

Dec 01
9:00am - 5:30pm

Post-Summit Training

Dec 02
9:00am - 5:30pm

Post-Summit Training


Incident Response Track

  • Advances in tools or methodologies for incident prevention, detection, response or containment
  • Case studies highlighting unique, real-world intrusion scenarios and investigation and response efforts
  • Best practices for leveraging threat intelligence
  • Digital forensics applied to host and network-based sources of evidence
  • Use of network security monitoring, host-based tools, and SIEM solutions to detect and respond to enterprise-scale attacks
  • Malware analysis and mitigation
  • Post remediation best practices

SPEAKERS AND SESSION TOPICS: 

  • Phishy Words: Internet-Scale Patterns of Word Affixes in Phishing Domains -- Tim Helming, Director, Product Management, Domain Tools
  • Hunting: Defense Against the Dark Arts -- Jacqueline Stokes, Principal Consultant, Mandiant Consulting, Julian Pileggi, Senior Consultant, Mandiant Consulting
  • Visa's Approach to an Intel-led Security Posture in the Fight Against Cybercrime -- Glen Jones, Head of Payment Cyber System Intelligence, Visa
  • Lessons Learned from Responding to Disruptive Breaches -- Charles Carmakal, Vice President, Mandiant Consulting, Robert Wallace, Director, Security Consulting Services, Mandiant Consulting
  • Who's Bad? Moonwalking Through Disk Execution Artifacts -- David Cowen, Partner, G-C Partners
  • Boot What? Why Tech Invented by IBM is Still Relevant in 2016 -- Christopher Glyer, Technical Director, Mandiant Consulting
  • Fortifying the Interior with Behavior/Analytics: 5 Real World Case Studies -- Stephen Jou, CTO, Interset
  • Detecting and Analyzing PowerShell Attacks -- Matthew Dunwoody, Senior Consultant, Mandiant Consulting, Daniel Bohannon, Consultant, Mandiant Consulting

Executive Track: What a C-Level Executive Needs to Know

  • Building and leading computer incident response teams (CIRTs)
  • Measuring and improving CIRT performance and ROI
  • Strategic, legal and/or operational considerations regarding incident detection and response
  • Adapting to regulatory or legislative aspects of incident detection and response
  • Case studies on CIRT work, including lessons learned and global best practices

SPEAKERS AND SESSION TOPICS:

  • The FBI (Cyber) Files -- Matthew Braverman, Washington Field Office, Supervisory Special Agent, FBI
  • Securing Your Cloud Deployments Through Continuous Visibility and Effective Control -- Alex J. Attumalil, Sr Mgr Global Cyber Security Operations, Under Armour
  • Application of Counterinsurgency Principles to the Kinetic Cyber Battlefield: the Warrior Mindset -- Chuck McGregor, VP, CyberSecurity Director Parsons and US Marine Corps Special Operations Command, Exercise Control Group Officer
  • Cyber Governance Gaps in Product Companies and How to Close Them -- Brad Lunn, Executive, General Atomics Aeronautical Systems (Aerospace and Defense) 
  • The Myth of Phishing Awareness -- Aaron Higbee, Co-Founder and Chief Technology Officer
  • Hacking the Pentagon: Taking Incident Response from an Attacker Point of View -- Blake Turrentine, CEO, HotWAN
  • Panel: The Art and Science of Underwriting Cyber Risk -- Karen Kokuda, Cyber Risk Alliance Director, FireEye, Ron Bushar, Global Managing Director Security Program Services, FireEye, CJ Pruzinsky, Underwriter, Beazley, Ben Beeson, Cyber Risk Practice Leader, Lockton Companies
  • Using Geopolitical Analysis to Predict Cyber Attacks -- Christopher Porter, Manager, FireEye Horizons, FireEye iSIGHT Intelligence
  • Do You Know Who You're Dealing With? How Authentication Affects Prevention, Detection and Response -- Marshall Heilman, VP Service and Executive Director, IR and Red Team Operations, Mandiant Consulting, Craig Hoffman, Partner, Baker & Hostetler LLP


FireEye Tales from the Trenches Track

  • Real-world examples of leveraging FireEye offerings to prevent cyber attacks and protect your organization's assets
  • Best practices on how to gather, share and use intelligence to stay a step ahead of attackers
  • Insight into the unique nature of regional threats and how to leverage FireEye to mitigate those challenges
  • Lessons learned on addressing the particular challenges of cyber security within your industry
  • Showcase of successful experiences with FireEye's network security, endpoint security, investigations and incident response offerings
  • Cases/examples of orchestration/automation
  • Challenges, strategies and processes addressing cloud and mobile security

SPEAKERS AND SESSION TOPICS:

  • Using FireEye Intelligence for Effective Vulnerability Prioritization -- Michelangelo Sidagni, CTO, NopSec, Jerry Gagelman, Senior Data Scientist, NopSec

  • Keeping the Kids In and the Bad Guys Out -- Robert Losinski, Sr. InfoSecurity Administrator, Denver Public Schools

  • Seven Best Practices to Maximize Your FireEye Investment -- Anand Deveriya, DSE, FireEye

  • Panel: Cybersecurity Automation and Orchestration: The Best Response to the Most Difficult Threats -- Paul A. Ferrillo, Weil, Gotshal & Manges, Paul Nguyen, VP, Orchestration & Integration, FireEye, Grady Summers, SVP & CTO, FireEye

  • City of New Orleans: Back from the Brink, Stronger (and More Secure) than Ever -- Freud Alexandre, Office of Information Technology & Innovation Enterprise Architect & Security Manager, City of New Orleans
  • Ransomware: Buy One, Get One Free -- Jack R. Weiner, Network Engineer, IS Infrastructure, Rush-Copley Medical Center

New for 2016 - Solutions for Industries Track

  • Solutions and best practices for Industry Verticals including Healthcare, Retail, Financial Services, Telecom, Utilities, Government and Critical Infrastructure
  • Industry specific advances in tools or methodologies for incident prevention, detection, response or containment that are not "horizontal" or common across vertical markets. Examples include protecting electronic medical records (EMR, ePHI), Industrial Control Systems (ICS, SCADA) or industry specific data types (PII, PHI, PCI)
  • Challenges, strategies and processes addressing industry-specific compliance and security requirements
  • Insight into the unique nature of threats in specific Industry Verticals
  • Real-world examples that reflect how cyber security requirements and solutions for vertical markets vary across government and commercial organizations 

SPEAKERS AND SESSION TOPICS:

  • Industrial Cyber Security: What You Don't Know Can Hurt You (and Others): Tales from Real World ICS Incidents and Actionable Lessons Learned -- David Meltzer, Chief Research Officer, Belden/Tripwire
  • What's the DFIRence for ICS? -- Chris Sistrunk, Sr. Consultant, Industrial Control Systems, Mandiant Consulting, Josh Triplett, Sr. Reverse Engineer, FireEye
  • Best Defense Should Decrease Attack Surface in Innovative Ways -- Joe White, Information Security Officer, Stanford University, Frank Weigel, Director of IT, Credit Karma
  • Even Local Government Can Do Security Right; Let's Change the Stereotype -- Ricardo Lafosse, Chief Information Security Officer, Cook County Government
  • What REALLY Matters for HIPAA Compliance? A Top 10 List for HIPAA Readiness -- Nathan Kottkamp, Partner, McGuireWoods
  • Alternatives to Late-Stage Intrusion Detection in Medicine -- Mark Baenziger, Threat Assessment Manager, FireEye
  • The Healthcare Industry vs The Cyber Threat -- Digital Warfare -- Angela Williams, Director, Enterprise Information Security, Blue Cross Blue Shield Michigan
  • Continuous Monitoring in Healthcare -- Sanjeev Sah, CSO & Director of IS Risk and Controls, Texas Children's Hospital  
  • COPEing with Your Cyber Exposure -- Russ Cohen, Chubb, Director of Cyber/Privacy Services, North American Financial Lines, Ron Bushar, Global Managing Director Security Program Services, FireEye

 


Keynote Speakers 2016

FireEye Cyber Defense Summit 2016 is pleased to announce the following Keynote Speakers this year:



Kevin Mandia

CEO and Board Director, FireEye

Kevin has been FireEye CEO since June 2016 and a member of the FireEye Board of Directors since February 2016. He previously served as FireEye President, from February 2015 until his appointment as CEO. Kevin joined the company as Senior Vice President and Chief Operating Officer in December 2013, when FireEye acquired Mandiant, the company he founded in 2004. As CEO of Mandiant, Kevin grew the company to nearly 500 employees and more than $100 million in revenue. Widely recognized as the leading provider of security incident management products and services prior to the acquisition, Mandiant remains the core of the highly successful FireEye consulting business.

Kevin has spent more than 20 years in information security and has been on the front lines helping organizations respond to computer security breaches. Before Mandiant, he was the Director of Computer Forensics at Foundstone (acquired by McAfee Corporation) from 2000 to 2003, and he was the Director of Information Security for Sytex (later acquired by Lockheed Martin) from 1998 to 2000. Kevin was also a United States Air Force Officer, serving as a computer security officer in the 7th Communications Group at the Pentagon, and a special agent in the Air Force Office of Special Investigations (AFOSI). He holds a B.S. in computer science from Lafayette College and a M.S. in forensic science from The George Washington University.

Grady Summers

Executive Vice President and Chief Technology Officer, FireEye

As Executive Vice President and Chief Technology Officer for FireEye, Grady Summers oversees a global CTO team that supports R&D and product engineering efforts and works with customers worldwide to address today’s evolving threat landscape.

Grady has over 15 years of experience in information security both as a CISO and consultant to many Fortune 500 companies. He joined FireEye through its acquisition of Mandiant in 2014. At Mandiant, Grady led the company’s strategic consulting and customer success divisions. Prior to Mandiant, Grady was a partner at Ernst & Young, responsible for the firm's information security program management practice. In this role, he worked with CISOs, CIOs, and directors to help improve their information security programs, with a focus on strategic information security planning, organization design, incident response, and targeted threats. His focus included board-level oversight of cyber security, and he has advised dozens of audit and risk committees on successful approaches to cyber risk governance.

Before E&Y, Grady was the Chief Information Security Officer (CISO) at General Electric, overseeing a large global information security organization. GE's information security function grew substantially under his leadership, including the development of the company's first incident response team, a software security center of excellence, and global security operations. His previous roles at GE include divisional CTO and a variety of positions in application security, web development, and infrastructure management.

Grady’s insights frequently appear in print, and he has been a guest on numerous television programs, including CNN Starting Point, Andrea Mitchell Reports, Cavuto, ABC World News, Australia’s Lateline, and France’s The Interview.

Grady holds an MBA from Columbia University and a bachelor of science in computer systems from Grove City College in Pennsylvania.

Brigadier General (retired) Gregory Touhill

United States Chief Information Security Officer

Brigadier General (retired) Gregory J. Touhill is the U.S. Federal Chief Information Security Officer (CISO) in the Executive Office of the President (EOP).  As the first Federal CISO, General Touhill drives cybersecurity policy, planning, and implementation across the Federal Government.

Prior to OMB, General Touhill was the Deputy Assistant Secretary for Cybersecurity and Communications (CS&C) within the National Protections and Programs Directorate (NPPD) of the Department of Homeland Security (DHS). In July 2013, General Touhill retired from the United States Air Force after a distinguished career culminating as the Chief Information Officer and Director of Command, Control, Communications, and Cyber Systems at U.S. Transportation Command.

General Touhill is a distinguished graduate of the Squadron Officer School, Air Command and Staff College, and the Advanced Communications Officer Training school. He also is a graduate of the Air War College, the Armed Forces Staff College, the Harvard University John F. Kennedy School of Government Senior Executive Fellows program, and the University of North Carolina’s Logistics and Technology Program for Executives. He maintains the Certified Information Systems Security Professional (CISSP), Certified Acquisition Professional in Information Technology and Program Management, and the American College of Corporate Directors Master Professional Director certifications.

John P. Carlin

Former Assistant Attorney General for National Security United States Department of Justice

The Honorable John P. Carlin, nominated by President Obama and confirmed overwhelmingly by the Senate, is the Former Assistant Attorney General for National Security and served as the Department of Justice's top national security attorney. As AAG, Mr. Carlin oversaw nearly 400 employees responsible for protecting the country against international and domestic terrorism, espionage, cyber, and other national security threats.

Under his leadership, NSD worked with U.S. Attorneys' Offices and others to:

  • Prosecute the Boston Marathon bombing cases.
  • Disrupt multiple terrorist plots and national security threats and bring those involved to justice.
  • Oversee the efforts of the National Security Cyber Specialist Network and the National Security/Anti-Terrorism Advisory Council program.
  • Investigate the attack on Sony Entertainment's computer systems.
  • Bring an unprecedented indictment against five members of the Chinese military for economic espionage.
  • Secure the first federal jury conviction on charges brought under the Economic Espionage Act of 1996.
  • Launch a nationwide outreach effort across industries to raise awareness of national security cyber and espionage threats against American companies and to encourage greater C-suite involvement in corporate cyber security matters.

Mr. Carlin joined NSD after serving as Chief of Staff and Senior Counsel to Robert S. Mueller, III, Director of the FBI, where he helped lead the Bureau's evolution to meet growing and changing national security threats, including cyber threats. A career federal prosecutor, Mr. Carlin previously served as National Coordinator of DOJ's Computer Hacking and Intellectual Property (CHIP) program and as an Assistant United States Attorney (AUSA) for the District of Columbia, where he prosecuted cases ranging from homicide and sexual offenses to cyber, fraud, and public corruption matters.

Mr. Carlin, who joined DOJ through the Attorney General's Honors Program, earned his Juris Doctor degree from Harvard Law School, where he received the Samuel J. Heyman Fellowship for Federal Government Service and served as Articles editor for the Harvard Journal on Legislation. Mr. Carlin earned his Bachelor of Arts degree magna cum laude from Williams College, where he was elected to Phi Beta Kappa.

Ben Saunders

World Record-Breaking Polar Explorer and Repeat TED Speaker

“I am an explorer of limits – geographically, physically and mentally. It's about pure human endeavour, and the way in which I can inspire others to explore their own personal potential.”

Polar explorer and world record-breaking long-distance skier Ben Saunders is a man making history. Best known for leading one of the most ambitious polar expeditions in a century, he was the first to successfully complete the epic, 105-day, 1,800-mile trek on foot to retrace Captain Robert Falcon Scott's ill-fated, early 20th-century journey to the South Pole – equivalent to running 69 marathons back-to-back. Of his expedition he said, “We can all accomplish great feats through ambition, passion, stubbornness, and refusal to quit. If you dream something hard enough, it does indeed come to pass.”

A speaker at the 2005, 2012, and 2014 TED conferences, Ben was labeled “a master story teller” by TED. Believing that “No one else is an authority on your potential” and “Impossible is just someone's opinion,” Saunders combines the allure and nostalgia of 20th century explorers with the ingenuity of today's modern adventurers. His presentation takes you to the ends of the Earth and back and showcases spectacular visuals, a commanding stage presence, a winning smile, and funny and relatable stories.

He enthralls audiences as he touches on themes like challenging conventional wisdom, pushing past self-imposed limits, the disconnect between ideas and action, communicating with your team, and managing change (the landscapes he travels are in constant flux). He jokes that he makes a living by dragging heavy things in cold places, but his message is one of inspiration, empowerment, and boundless potential. Saunders has also developed innovative methods that allow him to live blog his adventures, and he is known for his incredible pictures and video.

Ben has five North Pole expeditions under his belt and has accomplished some of the world's most impressive polar expeditions. He is the youngest person to ski solo to the North Pole and holds the record for the longest solo Arctic journey by a Briton. He also holds the record for the longest human-powered polar journey in history and is the third in history and the youngest by 10 years to reach the North Pole alone and on foot. Since 2001, he has skied more than 3,730 miles (or 142 marathons) in the Polar Regions. A powerful advocate for the natural world, Saunders has seen first-hand the effects of climate change, and his expeditions are raising awareness for sustainable solutions. He has also climbed in the Nepalese Himalayas, worked as an instructor at the John Ridgway School of Adventure, raced bikes at a national level, and run seven marathons and three ultra-marathons.

While not pulling a sled, Ben publishes Avant magazine and has contributed articles on his journeys to a number of publications. He was featured in the 2016 New York Times best-seller TED Talks: The Official Guide to Public Speaking, which was published by TED chief Chris Anderson. In the book, Ben is described by Chris as a “powerful storyteller” with a penchant for surprising audiences.

Post-Summit Training December 1-2

Overview:

This course provides a rapid introduction to the tools and methodologies used to perform malware analysis on executables found on Windows systems using a practical, hands-on approach. Students will learn how to find the functionality of a program by analyzing disassembly and by watching how it modifies a system and its resources as it runs in a debugger. Students will learn how to extract host and network-based indicators from a malicious program. Students will be taught about dynamic analysis and the Windows APIs most often used by malware authors. Each section is filled with in-class demonstrations and hands-on labs with real malware where the students practice what they have learned.

What You Will Learn:

  • Hands-on malware dissection
  • How to create a safe malware analysis environment
  • How to quickly extract network and host-based indicators
  • How to perform dynamic analysis using system monitoring utilities to capture the file system, registry, and network activity generated by malware
  • How to debug malware and modify control flow and logic of software
  • To analyze assembly code after a crash course in the Intel x86 assembly language
  • Windows internals and APIs
  • How to use key analysis tools like IDA Pro and OllyDbg
  • What to look for when analyzing a piece of malware
  • The art of malware analysis - not just running tools

Who Should Take This Course:

Software developers, information security professionals, incident responders, computer security researchers, puzzle lovers, corporate investigators, or others requiring an understanding of how malware works and the steps and processes involved in performing malware analysis.

Student Requirements:

  • Excellent knowledge of computer and operating system fundamentals
  • Computer programming fundamentals and Windows Internals experience is highly recommended

What Students Should Bring:

Students must bring their own laptop with VMware Workstation, Server, or Fusion installed (VMware Player is acceptable, but not recommended). Laptops should have at least 20GB of free space. A licensed copy of IDA Pro is highly recommended to participate in ALL labs, but the free version can be used in most cases.

What Students Will Be Provided With:

  • A student manual
  • Class handouts
  • Mandiant giveaways

Overview:

Attacks against computer systems continue to increase in frequency and sophistication. In order to effectively defend data and intellectual property, organizations must have the ability to rapidly detect and respond to threats. This intensive two-day course is designed to teach the fundamental investigative techniques needed to respond to today's landscape of threat actors and intrusion scenarios. Completely redeveloped with all new material in 2016, the class is built upon a series of hands-on labs that highlight the phases of a targeted attack, key sources of evidence, and the forensic analysis know-how required to analyze them. Students will learn how to conduct rapid triage on a system to determine if it is compromised, uncover evidence of initial attack vectors, recognize persistence mechanisms, develop indicators of compromise to further scope an incident, and much more.

Who Should Take This Course:

This is a fast-paced technical course that is designed to provide hands-on experience with investigating targeted attacks and the analysis steps required to triage compromised systems. The content and pace is intended for students with some background in conducting forensic analysis, network traffic analysis, log analysis, security assessments, and penetration testing, or even security architecture and system administration duties. It is also well suited for those managing CIRT / incident response teams or in roles that require oversight of forensic analysis and other investigative tasks.

Student Requirements:

Students must have a working understanding of the Windows operating system, file system, registry, and use of the command-line. Familiarity with Active Directory and basic Windows security controls and common network protocols will also be beneficial.

What Students Should Bring:

Laptop or virtual machine running Windows 7 (32 or 64 bit). Students must possess Administrator rights to the system they will use during class and must be able to install software provided on a USB device.

What Students Will Be Provided With:

  • Class handouts and slides
  • Thumbdrive containing class materials, labs, and tools
  • Mandiant giveaways

Overview:

This course is designed to teach students how to deploy and use FireEye HX, as well as how to follow a prescribed methodology to deeply investigate and validate alerts using both the HX triage viewer and Redline®, and how to use the HX API to automate actions and integrate HX with other solutions. Students will be engaged in labs that simulate real world use of FireEye HX.

What You Will Learn:

  • Identify the components needed for HX deployment
  • Identify the key phases of HX operation
  • Perform initial configuration of HX appliance and hosts
  • Create custom threat indicators
  • Identify critical information in an HX alert
  • Validate an HX alert
  • Request and approve hosts for containment
  • Investigate a Redline® triage package using a defined methodology
  • Validate and provide further context for alerts using Redline®
  • Identify malicious activity hidden among common Windows events recorded in the lookback cache
  • Use the API to automate HX functionality

Who Should Take This Course:

Cyber Defense Summit attendees or FireEye HX customers who have not yet taken an HX training course. These courses can also be taken by those customers who are considering moving from MIR to HX, but have not yet had the opportunity to attend product training.

Student Requirements:

Students should have a working understanding of networking and network security, the Windows operating system, file system, registry, use of the CLI, regular expressions, and experience scripting in Python.

What Students Should Bring:

FireEye Endpoint Security (HX Series) labs are hosted online at portal.training.fireye.com, FireEye Training Virtual Labs, which requires students to bring their own laptops equipped with one of the following browsers: Chrome (latest), Firefox (latest), or Internet Explorer (10 or greater). Wireshark is recommended. Guest wireless access will be provided. Registrants will be provided details of the minimum requirements necessary to connect to the FireEye Training Virtual Labs.

What Students Will Receive:

World class instruction from cyber security practitioners that have been teaching and working with HX for customers of both Mandiant and FireEye. Along with global and enterprise level instructors providing deep insight and training, students will receive courseware and an optional certificate of course attendance.

Overview:

This one-day course is designed to provide an exclusive look behind the scenes at how FireEye Threat Intelligence analysts take raw threat information and employ the painstaking process of assigning attribution to suspected nations or groups.

Course Description

The course is comprised of the following modules, with labs included throughout the instruction.

  • Understanding Threat Intelligence and Attribution – An introduction to the precise meaning of the terms "threat intelligence" and "attribution". Not only will this module clarify those terms, but it will separate helpful information from hype. Demonstrations on how alerts, indicators, and investigative data form the basis of threat intelligence, allowing organizations to understand intrusions. The outcome: uncovering a true picture of threat activity and actors that support assessments of attribution.
  • The Value of Threat Intelligence – This module will explore the building blocks of a threat group: how FireEye analysts take raw tactical intelligence and weigh connections and relationships to start building a set of "related activity" that corresponds to a group of threat actors. This module describes several factors that must be considered when attributing "related activity", and provides real-world examples of research and "pivoting".
  • Challenges with Analysis and Attribution – This module builds on the process of using tactical intelligence to identify indicators that can be grouped into a set of related activity and thereby attributed to a "threat group". During the early stages of identifying cyber attacks, it's critical to carefully evaluate data for correct attribution. Errors can lead to mischaracterization and possibly even misattribution down the road.
  • Determining Sponsorship – This module transitions from discussing tactical information to examining operational and strategic intelligence, both of which help us begin to determine the "who" and "why" behind an operation. At this stage, we have built a collection of related indicators that we call a threat group and discussed common practices & errors in attributing those indicators. This module will now explore factors that help us make preliminary assessments on motivations and sponsorship of a threat group.
  • Why Attribution Matters for Organizations – Attribution can sometimes seem like a "nice to have", but in many ways this type of analysis can provide incredibly helpful context to threat activity that might enable more insightful decisions or save valuable resources.
  • The Big Picture for You – Focus on attribution from the threat group's point of view: the goal is to no longer look at attribution as a reactive process, but as one that enables us as network defenders to be proactive and even predictive of cyber attacks and operations before they happen.

Who Should Take This Course

This is a fast-paced course that is designed to provide insight into FireEye's attribution methodology while also demonstrating sound handling of threat intelligence information. The content and pace is intended for students with some background or familiarity with threat intelligence. Other technical skills are a plus but not required, including experience conducting forensic analysis, network traffic analysis, log analysis, security assessments & penetration testing, or even security architecture and system administration duties. It is also well suited for those managing a technical information security team.

Student Requirements:

Students must have a working understanding of basic information security principles and a general understanding of "threat intelligence" and indicators of compromise.

Course Materials

Students will receive a lab book, thumb-drive containing all required class materials and tools, and Mandiant-branded giveaways.

Overview:

As cyber security professionals and technologies continue to evolve and become better at prevention, detection, and remediation, attackers are forced to continually evolve their Tools, Tactics, and Procedures (TTPs) in order to remain effective. This is especially true with the most advanced attack groups operating that need to remain undetected for extended periods of time in order to effectively accomplish their mission. Mandiant is on the front lines investigating these types of breaches. This gives us unparalleled access to understand not only how advanced attackers operate and what TTPs they’re leveraging, but also what attack methodologies are most effective across industries.

Standard red team classes teach students how to run vulnerability scans, Nmap, Metasploit and other commercial tools to obtain domain administrator access. This class covers the important open source tools required to perform a red team assessment, but more importantly, teaches you how to be creative and “live off the land” by using native tools to accomplish the same goals without getting caught. Getting domain admin is just par for the course, we go deeper into accomplishing objectives that prove big impact to clients. For example, if your client is a big retailer and you got access to their retail network where they store encrypted credit card numbers, we teach you how to go the extra mile and understand how applications encrypt that data. If an application can decrypt credit card numbers, we teach you how to analyze code to decrypt data as well. This not only proves you can get an initial vector, escalate privileges, bypass firewalls to get access to secure networks, but also weaknesses in how they encrypt their sensitive data…and that’s just one example!

This intense two-day course is designed to teach advanced offensive techniques to provide you with the ultimate skillset to test your existing security controls. You will learn proven Mandiant Red Team methodologies that start with the successful TTPs we see used by advanced attackers and build upon them to be even more effective and stealthy. You will even learn how to successfully complete your mission even if part of your team is caught. This course makes heavy use of labs so that you get to practice everything you learn in a realistic scenario. By learning how to implement and protect against effective TTPs you learn how to help your organization best prevent, detect, and respond to cyber threats.

Modules Included:

  • Overview and Introduction – Covers the basics required to proceed through the course.
  • OSINT, Initial Vectors, and Bypassing Anti-Virus (AV) – Learn how to identify your target, fingerprint your target, initially compromise your target, and how to bypass AV to avoid detection when executing your initial payloads.
  • Persistence – Covers both older and the latest techniques for persisting on your target. Does not just cover host-based persistence, but also creative ways to persist in networks without a host or privileges.
  • Privilege Escalation and Lateral Movement – Tools and methodologies that take the lowest privileged user and escalate to high privilege user while covertly moving through your target network. Covers both local and domain privilege escalation.
  • Overcoming Challenges – Teaches you how to avoid and bypass various challenges such as application whitelisting, encryption, multi-factor authentication, sandboxes, and more.
  • Completing the Mission – Learn how to covertly take data off the network in a secure fashion and how to pivot through firewalls to take data off “secure” networks.
  • Project Management – Understand how to set up and manage projects, measure risk, handle the reporting process, and define rules of engagement.


Why You Should Take This Course:

This is a fast-paced technical course designed to provide hands-on experience conducting covert, no-holds-barred cyber-attack simulations to accomplish various objectives within a corporate environment, similar to how an advanced adversary would perform. This course provides an opportunity to learn how real attackers conduct offensive operations, how we improve upon those operations, and how to be creative with existing technology to accomplish your goals. The content and pace are intended for students with a background in conducting penetration tests, security assessments, IT administration, and/or incident response.


Student Requirements:

Students must have working knowledge of the Windows Operating system, file systems, registry and use of the Windows command line.

Students should have some experience with the following:

  • Active Directory and basic Windows security controls
  • Common network protocols
  • Linux operating systems
  • Scripting languages such as PowerShell, Python, or Perl
  • Assessing web applications using the OWASP Top 10


What should students bring:

Laptop with a Kali Rolling virtual machine. Students must possess local administrator rights to their host OS and VMs and must be able to install software provided on a USB stick. Students must also have an Ethernet port; for laptops that don’t have one, please bring an adapter.

The course will provide the students with:

  • Class handouts and slides
  • A vulnerable virtual machine for some labs
  • Thumb drive containing class materials, labs, and tools

Book Your Room Now as Space is Limited!

Washington Hilton

1919 Connecticut Ave NW

Washington, DC 20009

Tel: +1-202-483-3000

For telephone reservations, reference code FCD


Buy 1 Summit Pass and Get 1 FREE! Register by November 21 for discount!


Registration Fee              General Admission    Government/Academia
July 20-September 30          $495                 $0*
October 1-November 21         $995                 $0*
November 22-November 30       $1500                $0*

*Must have valid government/academia ID to receive discount.