In an age where cyber threats are constantly evolving, traditional incident detection and response methods are no longer sufficient. This presentation delves into the strategies for developing adaptive use case management that can keep pace with the ever-changing threat landscape. We will discuss the importance of continuous monitoring and playbook optimization using real-time threat analysis, for more effective detection and response capabilities. Participants will learn how to create and maintain dynamic use cases that align with their organization's security objectives, ensuring a robust defense against sophisticated cyber attacks. Through case studies and practical advice, we will illustrate how adaptive use case management can transform incident response processes and fortify cybersecurity resilience.

The cybersecurity industry celebrates the reduction of dwell times. The latest M-Trends report states the global median dwell time is 10 days; however, more than 10% of incidents investigated had dwell times of more than 6 months—with some at over 5 years. In this session we will discuss the motivations and tactics behind attacks with various dwell times, and the impact these attacks can have on organizations. Guidance will be provided for how to hunt for these types of intrusions, as well as steps to take to temper these squatters.

Preventing, detecting, and responding to cybersecurity events increasingly depends on an organizations ability to match security operations needs with the correct people, process, and technology requirements. At the heart of this dependency is the robust, mature, and capable Security Operations Center (SOC). However, existing cybersecurity frameworks are limited and not designed for developing capable, effective SOCs. This is because there is no single approach to SOC development. Organizational needs are unique and therefore the roles, services, and tools needed for the SOC to support organizational mission and goals must also be unique. Developing or improving a SOC is a process which must be flexible. To assist organizations is this process, the SEI has developed OSCAR, the Ontology for SOC Creation Assistance and Replication. OSCAR is a structured knowledge base developed using description logics which organizes SOC knowledge in to 5 domains and more than 80 classes. Built based on interviews with SOC experts and years of institutional knowledge and experience, OSCAR provide new perspectives on SOC development and a new tool for teams to use when developing SOC capabilities.

Cloud Encryption is seen as a valuable component of a robust data security strategy. But what does cloud encryption actually offer in terms of security? Cloud Encryption has multiple different types including Cloud Service Provider Managed and Customer Managed. Depending on the type - the security offered can range from another robust layer of access control to a false sense of security. In this talk, we’ll cover the following:

• Types of encryption (such as CSP Managed, Customer Managed)
• Default encryption for services in cloud.
• How cloud encryption impacts data perimeters.
• How cloud encryption translates into and impacts cloud identity and access management.
• Best practices and considerations for how to implement cloud encryption and data security in cloud.

Application teams often have to navigate a complex web of security teams and requirements in order to launch a secure and compliant solution. Once the solution has been launched, the teams have to survive audits and maintain the security of the application while keeping up with changing requirements and implementations, all while working hard to run and grow their business.

While regulatory complexity is a large contributor to the challenge, it can be further exacerbated by the lack of a clear, well lit path provided by legal, compliance, and security teams. Application teams often receive conflicting requirements and priorities from various teams, or follow a path that leads to them launching a solution that is security, but not compliant, or vise-versa? Security teams are often frustrated with the focus on compliance requirements, rather than leveraging them to meet shared goals.

Russ Ayres (Equifax) and Derek Coulson (Mandiant) will review how Equifax simplified its control requirements framework to help internal customers navigate security requirements more easily and enable proper auditing scoping and response using the Equifax Security Controls Framework.

In the digital era, safeguarding remote identity verification is critical. Inherence-based security factors are the most trusted way of verifying users whether they’re customers or the workforce, but deepfakes and synthetic media pose significant challenges. To combat deepfake attacks, science-based biometrics as a service can enable remote identification for customers and workforce that is reliable, easy to administer, and almost effortless to use. This should start at onboarding and continue at risk-based inflection points throughout the identity lifecycle. This talk will explore challenges to enabling remote identity across the enterprise and share best practices from customers in the most security conscious organizations around the world By understanding the implications of generative AI on remote identity verification, organizations can develop effective strategies to ensure the security and integrity of their remote identity verification systems, protecting against deepfakes and other synthetic media-based attacks, and maintaining user trust and privacy.

Hacktivism has been present in the threat landscape for decades but since 2022 it has significantly changed to geopolitical motivated activity. This presentation provides understanding of the hacktivist landscape and provides some innovative methodologies to track and monitor the threat landscape. This talk will explore what the geopolitical catalyst was for the shift in Hacktivist activity. How hacktivism has changed. What type of attacks we see and the type of groups using them. What the overall intent and motivations of the Hacktivist groups are. It will explain that Hacktivist activity and information operations are largely entwined. It will explain a new methodology on how to track and monitor Hacktivist groups, by putting them into categories - with four key ones being presented. This talk will challenge traditional views on cyber threats, by shifting the focus from technical indicators and capability to looking at intent to drive analysis. Many organizations are struggling to understand how to view hacktivism in terms of the threat landscape, this talk aims to clarify misconceptions and provide clearer understandings of the Hacktivist threat landscape.

Delve into the trenches with a pragmatic guide to implement quantitative risk management. Gain knowledge of methods for quantitative program design that comprise risk primitives, analysis approach, and workflow design. Risk primitives such as capacity, appetite, tolerance, and KRIs are described. Understand what modifications can be made to simplify operational use of FAIR for first timers and how to embrace Python and R for analysis with an open source approach. Be empowered to address workflow challenges using a simplified approach to the entire risk lifecycle from assessment intake and management to modeling and reporting output and finally risk decisions with trending and ROI analysis. Additionally, learn implementation and operation of the program design through people, process, and technology. Finally, close the gap for the last mile of transition to quant risk management and learn how to communicate and report risk from the boardroom to the team room.

Experience Google Threat Intelligence's CTF game – a thrilling cybersecurity experience – at the mWISE Expo. Players dive into a simulated threat hunt using real-world data from CISA, ransom notes, and the dark web. This hands-on challenge lets you practice with tools and data used by real investigators. By solving puzzles and analyzing evidence, you'll capture flags while learning valuable cybersecurity skills. Whether you're a beginner or an expert, this CTF is your chance to test your knowledge, compete against others, and gain practical threat intelligence experience.

The necessity for diverse and outsourced managed security services (MSS) has never been more imperative than in today's cyber landscape. This presentation will outline the key drivers behind this growing need, including the usual suspects (people, process and technology), but also delve into modern challenges these programs must address such as the rise in cloud usage, generative AI, machine learning (ML) and more. Optiv has expanded its strategic alliance with Google Cloud to provide our clients with just that - a simplified approach to improving security maturity. Join us as we discuss Optiv MDR on the Google Security Operations platform and the variety of other ways we offer clients flexibility and scalability for their SecOps program.

See how Google Cloud Security pushes the boundaries on proactive, intelligence-driven security with a deep dive into the world of threat detection, investigation, and response (TDIR). Explore a use case with us that highlights the essential capabilities every security team needs to have in their arsenal.

Experience Google Threat Intelligence's CTF game – a thrilling cybersecurity experience – at the mWISE Expo. Players dive into a simulated threat hunt using real-world data from CISA, ransom notes, and the dark web. This hands-on challenge lets you practice with tools and data used by real investigators. By solving puzzles and analyzing evidence, you'll capture flags while learning valuable cybersecurity skills. Whether you're a beginner or an expert, this CTF is your chance to test your knowledge, compete against others, and gain practical threat intelligence experience.

Digital transformation not only fundamentally changed the way we work, but it’s also expanded the current threat landscape exponentially. Today’s enterprise attack surface is dynamic, transitory, and has far more available for attackers to target than ever before, making it even harder to defend against threats. How can you leverage your threat intel and make it a competitive advantage?

Join Erin Joe, Office of the CISO at Google Cloud and former SVP at Mandiant as she discusses today’s threat landscape and the role threat intelligence plays in securing vulnerabilities in your attack surface with partners, Ryan Whelan, Managing Director and the Global Head of Cyber Intelligence at Accenture Security; and Michael Leland, Chief Cybersecurity Evangelist at SentinelOne.

Ransomware is evolving, challenging old paradigms and reshaping power dynamics. Our talk, "RaaS is Dead, Long Live RaaS," explores the shift from a hierarchical Ransomware as a Service (RaaS) to a decentralized model where affiliates gain autonomy. RaaS platforms, adapting to this change, now offer better incentives and support to attract skilled affiliates. We'll discuss how law enforcement crackdowns and the rapid advancement of hacking techniques have catalyzed these changes.

The presentation will also examine the ransomware industry's resilience and innovation, considering the implications for cybersecurity defenses. We aim to provide insights into the adaptability of digital extortion and its impact on future security strategies. Join us for a detailed look at the ransomware market's transformation and what it signifies for the fight against cybercrime.

The cloud is secure, right? Well, yes and no. Cloud providers invest heavily in security, largely exceeding what most organizations can achieve on their own. Yet, headlines scream of cloud breaches and leaks. What gives? The truth is, cloud security isn't merely a shared responsibility; it's a shared opportunity. The "customer's fault" narrative is too simplistic. It's not just about misconfigurations (though those are a major problem). It's about a fundamental disconnect between the cloud's potential for security and the realities of how organizations use it. In this talk, we'll dive into this paradox. We'll explore:

• The Myth of "Set It and Forget It": Why cloud security requires ongoing vigilance and adaptation, not just ticking boxes.
• The Shared Responsibility Model and Shared Fate: What you're truly responsible for, where the cloud provider steps in, and where you have to work together.
• Secure by Design, Insecure by Default?: How to leverage cloud-native security features and avoid common misconfigurations.

The year was 2023, and AI was everywhere. While consumers used Generative AI to help them with a variety of tasks, from image generation to helping them write emails or term papers, vendors were detailing their ever-evolving plans to add some type of AI to their existing solutions. The ideas ranged from the obvious, embedding it into spreadsheets, workbooks, search engines, and image editors, to the mind boggling, such as AI powered shoes, cat pain detectors and even AI powered toothbrushes. But what about cybersecurity, and security operations in particular? We all know the surveys that tell SecOps teams feel pressured, isolated, and eventually, burn-out, but analysts are often our first line of defense. We understand that detection can be hard, and rule writing takes several iterations to optimize results. Threat hunting is like looking for a needle in a pile of needles. AI promises a great leap forward in efficiency, and practicality. In this presentation, we will examine how AI can supercharge your security operations teams to drive these efficiencies and greater productivity, leading to better and faster detections, efficient analysis of threats, and rapid threat hunting.

In an increasingly sophisticated era of cyber threats, having complete visibility into applications, API, and data is paramount. However, enterprises have their applications running across hundreds of hosts in multiple subdomains and building an inventory of such apps and data flows is very difficult, if not impossible.

Enter eBPF (Extended Berkeley Packet Filter), a revolutionary technology that extends the capabilities of the Linux kernel, enabling real-time visibility into running apps regardless of their language and framework.

This talk explores the transformative power of eBPF in modern security engineering. Attendees will learn how eBPF's dynamic tracing and filtering capabilities provide unparalleled visibility into application, data flow, and API behaviour, allowing for proactive vulnerability detection and risk assessment.

Discover how integrating eBPF into your security strategy can safeguard your applications and data against evolving cyber threats, ensuring robust and resilient protection for your digital assets. Join us to unlock the full potential of eBPF and step into the future of app and data security.

This talk exposes a sophisticated cyber-espionage campaign orchestrated by a North Korean threat actor targeting a cryptocurrency company. Threat actor tactics, techniques, and procedures (TTPs), that inclued social engineering to gain initial access, in-depth source code reviews, and exploitation of a logical vulnerability that resulted in the exfiltration of millions of dollars worth of cryptocurrency.

Through the lens of real-world investigations, the threat actor's motivations and the broader implications of their activities will be analysed. Furthermore, this talk will shed light on the lack of robust security monitoring in cloud environments, a critical factor that contributed to the success of this attack. The importance of implementing comprehensive security measures in cloud infrastructures to mitigate the risk of similar attacks in the future will also be discussed. Attendees will gain valuable insights into the evolving landscape of cyber threats, and the vulnerabilities often present in cloud environments.

This knowledge will empower organizations to better understand and defend against sophisticated cyber attacks targeting their valuable digital assets.

Join April Mardock, CISO for Seattle Public Schools, as she teaches how to run a cyber incident response tabletop session with the help of Generative AI.

April will provide both a tabletop session that you can participate in dynamically, as well as teach you how to lead your own tabletop, and tune the exercise for your organization's strengths and weaknesses.

PwC discusses their view on the threat landscape and how its influencing security operations transformation, Gain valuable insights into the successes, ROI and challenges faced by clients in overhauling their SecOps strategies.

In this Deloitte sponsor session, we will address overcoming technical debt in security log collection and introduce a framework for engineering scalable data pipelines to enable complex use cases.

Generative AI is shifting the defender landscape‚ from how practitioners do their job, to the user experience of the tooling, to how we think about securing AI workloads in the cloud. In this session, Google Cloud Security leaders will surface insights from conversations with CISOs, the latest Mandiant research, and Google DeepMind innovations to elucidate macro trends seen at the intersection of security and AI and what they mean for your organization. At a time when 88% of organizations have a difficult time investigating and responding to threats in a timely manner, you will also gain an understanding of real-world use cases for how AI is evolving the security lifecycle to be semi-autonomous, so defenders gain and maintain the upper-hand as threats continue to evolve.

The infamous Russian hacktivist group, Killnet, operated as a rabid cyber army, orchestrated by a select few to create chaos and inflict harm. Despite its notoriety, investigating the true operators behind Killnet proved to be a significant challenge, given its checkered history and inconsistent behavior. However, through an in-depth investigation and direct confrontation with the gang, we shed the veil of secrecy shrouding the group and will share a compelling personal account detailing how we disrupted Killnet, plunging it into a death spiral. Our strategy to dismantle this cyber army hinged on identifying a critical vulnerability – its connection to the Russian illegal drug marketplace - Solaris. By exposing this nefarious link and diverting proceeds from the Russian drug operation to support a Ukrainian charity, we triggered widespread questioning of Killnet's leadership and actions. This created an instability and within the group and beyond, ultimately leading to loss of support of the Russian government and breaking of financial ties. As of the beginning of this year, Killnet changed drastically, leaving behind remnants of a group once synonymous with disruptive hacktivism.

Since 2020 Chinese Espionage operations have fundamentally changed. Gone are the days of actor registered infrastructure and command and control reuse. A new practice of "Operational Relay Box" (ORB) networks has risen to obfuscate CNE network traffic via a TOR like network of registered VPS space and compromised end of life home routers.

This presentation will:

• Demonstrate the ways ORBs have made blocking network IOCs Extinct
• Provide a 4 quadrant signature and detection approach that will allow defenders and threat hunters to pivot through these complex networks. (Censys, YARA, Netflow, Active Scanning)
• Define a scalable universal anatomy for talking about ORB networks and map signature types to these components.
• Utilize an active PLA and MSS leveraged ORB network to provide real world examples of what manifestations of these ORB networks look like.
• And Finally Shift the world view of network defenders from IOC blocking to detecting ephemeral infrastructure networks leveraged by multiple malicious APT actors.

This panel will discuss the record-breaking number of supply chain attacks in the summer of 2023, highlighting key incidents such as 3CX, MOVEit, and Barracuda. The panel will discuss lessons learned, emerging trends, increased global cooperation and the shift in government expectations. The panel will address cyber preparedness and risk tolerance. The panel will offer thoughts on minimizing legal exposure, cyber reporting obligations, and handling threat actor communications, especially if company officials or family member are approached or threatened. Finally, the panel will discuss how cyber investigators can approach multi-cloud environments despite the many challenges these types of investigations present and how they can enhance incident response in complex environments. The panel will discuss the need for enhanced data protection and methods for enhancing security posture and incident preparedness. The panel will also address how the increase in supply chain attacks affected the way a company and counsel think about risks as well as the need to understand legal, regulatory, and contractual requirements in a complex environment.

Cybersecurity defenders face a constant challenge: balancing the need to adopt innovative technologies with the imperative to protect their organizations. Recent examples like Supply Chain Security, Large Language Models, and Generative AI highlight the tension between business demands and security concerns.

This talk presents a practical framework for evaluating and integrating new technologies into existing security programs and risk registers. We will address key decision points for ensuring safe and productive implementation within an organization. Attendees will learn how to:

• Cut through the hype cycle and assess new technologies objectively.
• Identify potential risks and develop mitigation strategies.
• Communicate effectively with stakeholders, including CIOs, about the benefits and challenges of new technology adoption.
• Make informed decisions that enable innovation while maintaining security.

By the end of this talk, attendees will be equipped to confidently navigate the introduction of new technologies without compromising their organization's security posture.

This presentation examines a Cyber Threat Intel (CTI) team designed to integrate seamlessly with Incident Response (IR) and Security Operation Center (SOC) teams based on real world experiences from Mandiant’s Advanced Practices team. CTI provides organizations with context needed to understand adversaries, their tactics, and the industry or assets they target. Attendees will gain insight to help develop a CTI function of value to frontline defenders.

Key insights:

• Action: Identify intel directly enhancing IR and SOC operations
• Structure: Outline CTI team roles & skills needed to support frontline operations
• Insights: Translate data into actionable intel 
• Integration: Embed workflows & outputs into IR playbooks and SOC alert triage
• Peril: Lessons from 15+ years of frontline CTI support

Attendee takeaways:

• A CTI team blueprint, purpose-built for frontline operations
• Methods to ensure output is timely, relevant, and actionable
• Seamless frontline services integration strategies
• Benefit from years of frontline CTI support experience

Ideal Audience: Security leads, CTI managers, SOC analysts & incident responders interested in maximizing CTI value

Does your incident response plan account for the complexities of the cloud? This session empowers security professionals to seamlessly integrate cloud security considerations into their existing response strategy. We'll unveil the critical importance of a cloud-aware incident response plan and explore the unique challenges it presents. Dive deep into cloud-specific procedures for containment, eradication, and recovery, ensuring you're prepared for any cloud-borne threat. Next, we'll delve into the power of Security Information and Event Management (SIEM) and Security Orchestration, Automation, and Response (SOAR) for advanced cloud incident response. Discover how these tools can streamline detection, investigation, and remediation, saving you valuable time and resources. The session concludes with practical guidance on building a robust cloud-aware incident response plan. Learn how to identify cloud-specific risks, define roles and responsibilities, and map out clear response workflows. We'll even explore the importance of conducting effective tabletop exercises to test your plan's efficacy and ensure your team is prepared to handle any cloud security incident with confidence.

The Defender's Advantage is based on the notion that you have control over the landscape where you will meet your adversaries. Come learn about the six critical functions of cyber defense and how to activate them. It is through this activation that you can ready your organization to face modern threats, confidently.

The landscape of cyber threats is undergoing a transformative shift with the integration of Generative AI (GenAI) technologies by cybercriminals. This presentation delves into how GenAI tools are increasingly being adopted in the cybercrime arena, highlighting specific cases where these technologies have been utilized for malicious purposes. We will explore a range of examples including phishing attacks crafted with AI-generated content, the use of deepfakes for identity fraud, and AI-driven network intrusion techniques.

The presentation will then pivot to discuss future predictions, suggesting potential new vectors of cyber attacks powered by further advancements in AI technologies.It will also critically analyze the escalating arms race between cybersecurity measures and AI-enhanced cybercrime methodologies.

Finally we will challenge the audience to consider whether the rise of AI in cybercrime is a trend of necessity or opportunity, and what this means for the future of both cybersecurity strategies and criminal tactics. We will delve into the implications of AI's dual-use nature, reflecting on how its potential for misuse shapes the evolving landscape of cybersecurity.

Serverless computing revolutionizes app development, but introduces unique security challenges due to its dynamic nature and reliance on third-party services. Drawing on insights from Google Cloud's security practices and real-world incidents, this talk explores the root causes of significant vulnerabilities exploited over the past decade. We'll delve into critical issues such as insecure coding practices, supply chain attacks, and misconfigurations, illustrating their potential consequences. Through data-driven insights attendees will gain actionable recommendations for hardening serverless security.

Serverless security is not solely about safeguarding individual applications; it has far-reaching implications for the entire cloud ecosystem. The interconnected nature of serverless architectures means that a vulnerability in one component can cascade, potentially compromising multiple services and users. Therefore, a holistic approach to serverless security is essential, encompassing not only secure coding practices within applications but also robust protection for the underlying infrastructure, data storage, and network communications.

VirusTotal has been using Large Language Models (LLMs) to analyze malware for over a year, starting with macros and scripts. This experience gave us a good grasp of what LLMs can and can't do. But the real challenge was always executables. So, we took on a huge task: disassembling all the binaries and memory dumps in VirusTotal and using LLMs to figure out how they work.

In this talk, we'll share what we've learned from this massive project. We'll be upfront about the challenges of using LLMs on complex malware and the wins we've had, including how LLMs provide an approach for pivoting that shows very promising early results.

Come hear our story and get a glimpse of the future of malware analysis with AI. We'll have a real talk about how (besides the hype) there are areas where LLMs are making a real difference and what's next in this exciting field.

Recent prominent breaches at healthcare organizations have proven that the healthcare sector is a primary target for financially motivated threat actors. The extended recovery times associated with these incidents have demonstrated that there exists opportunities for improvement in the incident response and management programs.

Using the NIST incident response framework as a template, we will highlight improvements in preparation, detection, containment, and recovery phases as applicable to the healthcare sector. Healthcare is a critical industry quite literally impacting people’s lives. Ensuring that this important service is available to the public at all times is a necessity. Through the changes suggested in this talk, an incident response program will be able to meet goals of confidentiality, integrity, and availability.

To highlight an example of the talk, we will discuss building automations through a Security Orchestration and Response tool to automate containment of suspected infected hosts.

Join Kevin Mandia and seasoned CISOs discuss what you need to know to be a successful CISO.

As cyber threats become increasingly sophisticated, driven by generative AI, organizations need robust, proactive defenses. This session reveals how AI-powered collaboration tools using the principles of Zero Trust provide a critical first line of defense against email-based attacks, empowering secure work from anywhere.

Shared libraries are common in code development to increase efficiency, and provide a well-developed set of subroutines and functions. When a vulnerability is discovered in a shared library, it poses a serious risk to any organization that used that library - think Log4j. But, in the scenario that the vulnerability is not disclosed or fixed by the open source project and developers are unaware that they need to reconfigure it, this exposes organizations to even greater risk. In this session Mandiant and Ivanti will detail the discovery, remediation and disclosure of a vulnerability in the Apache XML Security for C++ library, which is part of the Apache Santuario project. By default, the library resolves references to external URIs passed in Extensible Markup Language (XML) signatures, allowing for server-side request forgery (SSRF). There is no way to disable this feature through configuration alone, and there is no patch available. Mandiant reported the non-secure default configuration in xml-security-c to the Apache Software Foundation (ASF). The ASF did not issue a CVE or a new release of xml-security-c.

Microsoft, like many organizations, is under constant attack by sophisticated actors. Responding to attacks by sophisticated actors requires coordination across multiple groups with sometimes competing interests. In this session we identify the critical challenges experienced in dealing with a large-scale compromise including providing clear and actionable intelligence to multiple stakeholders while actively investigating, containing, and remediating the event, quickly addressing telemetry gaps or visibility gaps, and challenges associated with working with cross-disciplinary teams.

Security teams must be able to quickly adapt to emerging technologies and evolving attacker tactics. technologies continue to evolve, continue to increase in sophistication and engineering teams rapidly adopt new and innovative technologies. To meet these challenges, the Citadel Security Team prioritized the development of an automation platform that powers a growing number of capabilities across our security program. In this session, you’ll learn how Citadel uses threat intelligence, attack surface management, and other tools – to reimagine security automation, and scale their security program.

In this joint presentation, Mandiant, the FBI, and the U.S. Attorney's Office will present a case study on their successful collaboration to bring cybercriminal Jesse Kipf, aka Ghostmarket09, to justice. Mandiant identified Kipf attempting to sell access to state death registration systems and delivered a victim notification to the impacted States and provided evidence to the FBI, which opened an investigation. The talk will discuss how Mandiant supported the FBI's investigation and assisted federal prosecutors. In October 2023, Kipf was indicted on charges of computer fraud, identity theft, and bank fraud. In April 2024, Kipf pled guilty to computer fraud and identity theft for breaching death registration systems in multiple states. Speakers will share insights from this collaboration, discussing how cybersecurity vendors, law enforcement, and prosecutors can work together to identify, investigate and prosecute threat actors. They will highlight challenges of building a case and critical evidence needed for conviction.

Insider threats pose a significant and increasing risk to organizations across industries. The Insider Threat Pen Test is a novel approach to cyber security that proactively identifies and addresses vulnerabilities stemming from both accidental malicious insider and this presentation delves into the methodology behind this Pen Test, illustrating how it complements traditional external penetration testing by focusing on internal systems, processes, and human behavior. Through in-depth case studies from various sectors, we showcase the actionable insights gained from this approach. These insights empower organizations to strengthen their security culture, implement targeted mitigation strategies, and foster a proactive cyber security mindset. Attendees will learn how the Insider Threat Pen Test can be leveraged to reduce the risk of data breaches, intellectual property theft, operational disruptions, and other costly consequences of insider threats. Ultimately, this presentation demonstrates how the Insider Threat Pen Test serves as a business enabler, enhancing organizational resilience and safeguarding critical assets in an ever-evolving threat landscape.

Cyberattacks are now an inevitability, with Threat Actors targeting organizations of all sizes and sophistication.

This presentation confronts this reality, focusing on proactive defense strategies against these relentless threats. This presentation will go through real-world case studies, to dissect recent breaches and close calls, and what the defenders had to do in order to detect, respond and protect the organization.

The presentation goes beyond threat identification; it showcases successful real-world defense strategies, offering practical approaches to mitigate risks, detect anomalies, and respond dynamically to attacks. Topics covered include threat intelligence sharing, incident response protocols, and fostering a security-conscious culture all the way to the board level.

By showcasing organizations that have successfully defended against cyberattacks, the presentation inspires confidence and provides a roadmap for building resilient cybersecurity frameworks in todays rapidly changing environment.

This talk addresses a critical challenge for security operations centers (SOCs) and incident response (IR) teams in cloud environments: minimizing the permissions required for forensic investigations while maintaining efficient collaboration with cloud teams. Key topics include:

• The Power of Dedicated Forensics Accounts: Learn why creating dedicated GCP/AWS/Azure forensics accounts can be a best practice, along with implementation steps
• Extracting Data from Containers: Discover various methods to acquire data from containers, including sidecars, snapshots of the container filesystems, and the Kubernetes API
• Temporary Credentials for Secure Access: We'll delve into assigning temporary credentials for cloud resources, using virtual machine snapshots as an example
• Leveraging Tagging for Granular Permissions: Explore how tagging resources can minimize the permissions needed for specific investigations
• RBAC Best Practices for IAM: Gain insights into best practices for Role-Based Access Control (RBAC) within IAM, specifically tailored for security operations and incident response teams

A key skill we use every day is collaboration – but how can you collaborate if you don't have trust? I address this topic in "Gaining Trust in Zero Trust." Working in the cybersecurity space, we embrace the motto "zero trust" – but this mindset can creep into our everyday interactions. A whirlwind tour of history reveals how this concept evolved (for example Mikhail Gorbachev and President Ronald Reagan discussed "trust, but verify!") I offer a few tips to help gain trust with any type of research findings: don't embarrass anyone, don't speculate, and be genuine – report the actual findings, even if it's a bitter pill.

GenAI has created a dichotomy between risk and opportunity. AI enables threat actors to rapidly produce sophisticated attacks, while CISOs are concerned about weaponization, data leakage, model poisoning, and bias. This session investigates AI risks and how to build resilience with GenAI.

In the world of cybersecurity, staying compliant with the SEC Cyber rule is a top priority. But what does this mean for your company's cyber security efforts?

In this session, we'll delve into the impact of the SEC Cyber rule on your organization's cyber security strategy, process, and governance. But that's not all. We'll also explore the vital role that conducting robust ransomware exercises plays in refining your incident and annual disclosures.

Not only will we address the operational aspects of disclosure, but we'll also highlight how executive and board-level involvement is crucial in refining your cyber disclosures. Collaboration between roles tht have different perspectives, such as CISO, CIO, GC, and CFO, is essential when it comes to addressing ransomware incidents, ensuring effective cyber disclosures, and when to discuss these critical issues with the board.

Don't miss out on this opportunity to gain valuable insights, enhancing your understanding and impact of the SEC Cyber rule and enabling you to confidently address ransomware incidents and drive effective cyber disclosures.

Cyber Threat Simulation vs. Emulation: A Comparative Overview

Cyber Threat Simulation

• How it works: Simulates realistic attack scenarios within a controlled environment. This often involves deploying software agents or scripts that mimic the behaviors and techniques of real-world threats.
• Focus: Primarily assesses the effectiveness of existing security controls, incident response procedures, and employee awareness.
• Benefits: Safely tests defenses without risking damage to production systems. Provides valuable insights into potential weaknesses and areas for improvement. Offers a training ground for security teams to practice response and mitigation strategies.

Cyber Threat Emulation

• How it works: Replicates the specific behaviors and characteristics of known malware, specific attacker groups or attack tools.
• Focus: Deeper analysis of specific threats to understand their capabilities, propagation methods, and potential impact.
• Benefits: Allows for in-depth threat research and analysis. Aids in the development of more targeted detection and mitigation strategies. Can help assess the effectiveness of specific security products against known threats.

In an era of remote work and distributed IT environments, remote administration tools (RATs) and remote monitoring and management (RMM) tools have become indispensable for system admins and managed service providers (MSPs). However, the same features that make these tools efficient also make them attractive targets for malicious actors. Advanced threat actors are increasingly leveraging legitimate RATs and RMMs to gain unauthorized access to networks, bypassing traditional security controls and evading detection.

This presentation will provide an overview of the growing trend of weaponized remote access. Attendees will be guided through compelling real-world examples, dissecting the tactics, techniques, and procedures (TTPs) employed by adversaries to leverage these tools for malicious purposes. Furthermore, actionable insights will be provided, empowering organizations to enhance their detection capabilities and fortify their defenses against such sophisticated attacks. By understanding the evolving threat landscape and implementing effective countermeasures, attendees will be better equipped to safeguard their systems and data from the perils of weaponized remote access.

Managed Service Providers (MSPs) play a pivotal role in modern IT supply chains. However, law enforcement agencies, including the FBI and the Cybersecurity & Infrastructure Security Agency (CISA), have repeatedly warned about the increasing focus of cybercriminals on MSPs. Given their ubiquitous access to client networks and industry-specific vulnerabilities, MSPs have rapidly become a target of choice for threat actors.

In this session, we will delve into the cybersecurity risks associated with outsourcing to an MSP and what your organization can do to mitigate these risks. By highlighting real-world incidents, we’ll review how organizations have been victimized, the key lessons learned (for both the client and MSP), and the essential steps to address similar attacks. By the end of this session, participants will have gained valuable insights into establishing clear rules of engagement and aligning ongoing security expectations with their MSP. This session is essential for both MSPs and the organizations that use them, as it emphasizes the importance of collaboration to ensure a resilient and secure IT environment.

Mandiant's front-line experiences in incident response reveal common overlooked areas leading to cloud compromises. Drawing on numerous technical case studies, we cover patterns and offer strategies to fortify cloud environments: 1) Living off the Land (in the Cloud): We observe that intrusions often stem from traditional on-premise systems like Active Directory, VMware infrastructure, and MDM/EDR tools. Our discussion will delve into how these platforms can be safeguarded to prevent such incidents. 2) Extended Attack Surface: Cloud and hybrid environments naturally extend organizational attack surfaces. This section will explore the challenges posed by inadequate controls, the sprawl of credentials and the array of tools attackers utilize to exploit these vulnerabilities. 3) Third-Party Access: 2023 has seen a significant rise in incidents involving third parties and Managed Service Providers. We'll tackle the critical question: How can organizations continue to engage third parties without compromising their security posture? We will also cover proactive defense strategies and robust incident response capabilities to protect and react swiftly to threats within cloud environments.

Experience Google Threat Intelligence's CTF game – a thrilling cybersecurity experience – at the mWISE Expo. Players dive into a simulated threat hunt using real-world data from CISA, ransom notes, and the dark web. This hands-on challenge lets you practice with tools and data used by real investigators. By solving puzzles and analyzing evidence, you'll capture flags while learning valuable cybersecurity skills. Whether you're a beginner or an expert, this CTF is your chance to test your knowledge, compete against others, and gain practical threat intelligence experience.

Artificial Intelligence is a pervasive part of our lives today and cybersecurity teams and adversaries alike have learned to harness the speed and power of machines to strengthen their capabilities. With machine learning becoming one of the most important tools of defense, leaders must balance the overwhelming speed and accuracy advantage of AI with the need for measured and intuitive interactions with a real-world human element. Join this session to discuss:

• What these trends mean for security teams.
• What happens when the velocity of innovation outpaces the capabilities of human intellect.
• The evolving role of automation in the effective practice of securing our digital world.

Sponsors PwC and Google Cloud Security host a special luncheon: Rewards of Risk Lunch with Guest Speaker Angie Morgan. Learn how to develop the clarity, confidence, and courage needed to bet on yourself. You will leave with the motivation and tools needed to develop a risk-taker mindset and begin building a more rewarding life. Join us 11:45 AM-1:15 PM in Room 505. RSVP here. (Limited seats available.)

Despite advancements in threat intelligence, users continue to struggle with data overload and deriving actionable insights from volumes of raw data.This talk discusses a strategic approach to implementing threat intelligence at the network sensor and the SIEM to address this persistent challenge.

Experience Google Threat Intelligence's CTF game – a thrilling cybersecurity experience – at the mWISE Expo. Players dive into a simulated threat hunt using real-world data from CISA, ransom notes, and the dark web. This hands-on challenge lets you practice with tools and data used by real investigators. By solving puzzles and analyzing evidence, you'll capture flags while learning valuable cybersecurity skills. Whether you're a beginner or an expert, this CTF is your chance to test your knowledge, compete against others, and gain practical threat intelligence experience.

In the ever-evolving world of cybersecurity, dealing with cyberattacks has become a daunting challenge for organizations across the globe. The aftermath of such attacks can be catastrophic, leaving organizations stymied for weeks or even months as they scramble to determine the true scope of an attack through recovering their data and systems. A game-changing partnership between Rubrik and Mandiant is set to turn the tables on these malicious actors, dramatically reducing the entire intrusion lifecycle from initial detection through full recovery – all with the goal of keeping businesses running during ransomware attacks.

Threat modeling is a key technique that is used to analyze what could go wrong in a given software architecture. More often than not, the main output of a threat modeling exercise is a list of mitigations for how to ensure that “what could go wrong” actually “doesn’t go wrong”. While critical, this process can be so much more. By fostering collaboration between security and product teams, threat modeling can strengthen relationships, build trust, and ultimately enhance your software's security. In this talk we outline how threat modeling can be used as a fitness function to iteratively improve the security posture of the software you are building. Instead of doing one shot threat models to enumerate and mitigate threats, we outline a new model where threat modeling takes input from a wide variety of other sources, ranging from threat intelligence to software development artifacts, and produces outputs in the form of mitigations, vulnerability research, and detections. We’ll then show how to tie these inputs and outputs into a feedback loop that improves the security posture of your organization over time while also building trust and better working relationships between teams.

In an ever-evolving threat landscape, organizations must proactively identify and mitigate security risks to safeguard their assets. This talk presents a practical roadmap for initiating and maturing threat modeling capabilities within an organization. We begin by demystifying threat modeling, emphasizing its role as a proactive risk management strategy rather than a reactive response to incidents. We outline a structured approach to introduce threat modeling, starting with identifying critical assets, defining scope, and conducting modeling exercises. Recognizing that threat modeling is an ongoing journey, we explore strategies for maturing capabilities over time. We delve into integrating threat modeling into the SDLC, fostering collaboration between security and developers, and continuously refining the modeling process based on lessons learned and emerging threats. This talk is designed for security professionals, developers, and decision-makers seeking actionable guidance on building a robust threat modeling program.

In this day and age, malicious threat actors and APTs are leaning ever harder on AI and automation to speed up and obfuscate their operations. By utilizing hashes created from content, headers, SOA records, Name servers, and more, threat hunters can uniquely identify both the characteristics of malicious infrastructure that is unlikely to change and that which is changing rapidly. Both of which can be of critical value for defenders.

Automatically generated phishing pages with minor, target-specific changes can be found en-masse, rapidly rotating infrastructure can be picked out like the blinding eyesore it is, and seemingly innocuous infrastructure can be caught hiding amongst the sheep so that the wolves never get (or stay) in the fence line.

This talk will cover (in depth) how our threat hunters have utilized hashes, fuzzy hashes, and similarity searches to protect our clients and mitigate attacks before they are launched. Case studies will include 1 or 2 of the following: Scattered Spider, Latrodectus, Prolific Puma, SocGholish, Duke Eugene’s Android Malware, Meduza Stealer, as well as the malicious fake trading apps that we’re tracking via this method.

Explore the critical vulnerabilities of IT Help Desks and Call Centers. Learn how to address the alarming trend of security breaches stemming from insufficient authentication practices. Organizations apply Multi-Factor Authentication (MFA) to their online and mobile experiences, while leaving the IT Help Desk protected only by weak security questions. This is comparable to locking the front door while leaving the window open. Bad actors have noticed the open window of the IT Help Desk in a BIG way this year, using it as an entry point for breaches. Learn from real-world breaches, discuss existing security gaps, and discover how to effectively apply cybersecurity strategies specifically to IT Help Desks and Call Centers to reduce risks and operational costs. Key points: Introduction to IT Help Desk Vulnerabilities Identifying the Challenges with Traditional Verification Methods Real-World Consequences of Inadequate Security Exploring secure caller verification methods Q&A session

The fight against online fraud is a relentless arms race, constantly evolving with new threats and sophisticated tactics. This session will provide a deep dive into the latest trends in bot attacks, account takeovers, payment fraud, and SMS toll fraud. We'll uncover the evolving tactics used by fraudsters, from advanced automation and AI-powered attacks to social engineering and phishing schemes.

You'll gain actionable insights into building a robust fraud defense strategy that adapts to the dynamic threat landscape. We'll cover best practices for detection, prevention, and mitigation, including leveraging machine learning, behavioral analytics, and real-time risk assessment. We'll also discuss the importance of layering security measures and staying ahead of the curve through continuous monitoring and adaptation.

This session will equip you with the knowledge and strategies to proactively combat fraud, protect your customers, and safeguard your bottom line.

As data flowing into security operations centers has exponentially increased, analysts are increasingly tasked with scaling far beyond the level their tools and organizational design allow. With the era of "new" AI at our doorstep, we risk further burying our SOC analysts in more and more "data" to sift through. In an effort to combat this, we'll attempt to layout an analyst-first perspective for the new SOC that must rise to meet this challenge - one in which the human behind the analysis is the fulcrum for this new AI-assisted leverage, rather than an inconvenience to be replaced.

To accomplish this, we focus our attention and technology on amplifying the core work products of analysts while using automation to drive the machine - ensuring that every piece of analysis flows back into the system, lightening the load for future analysts and establishing an institutional "SOC memory" which new analysts can seamlessly leverage in their daily efforts.

Cloud has changed the way we develop, deploy, and scale apps. Traditional perimeter and end-point security does not address the distributed and ephemeral nature of cloud. Blind spots leave room for adversaries to go undetected. Security teams need to address active cloud risk in real time. Tools, like Cloud Security Posture Management (CSPM), that rely on point-in-time assessments need to catch up in detecting and mitigating active threats.

This session will address the distinction between static and active cloud risks, common tactics used in cloud attacks, and the 555 framework that sets a new standard in detecting, prioritizing, and responding to active cloud risks and threats.

In modern cybersecurity operations, analysts face overwhelming challenges, with thousands of alerts generated per day and a proliferation of tools that complicate their workflows. The process of triaging these alerts can consume hours, severely impacting the efficiency of incident response. Moreover, when an attack originates from a browser, it often leaves no traceable evidence, further complicating detection and investigation efforts. This highlights the urgent need for more integrated and efficient security solutions that can streamline alert management and improve visibility into browser-based threats.

Will we reach a point where all text boxes are handled by a LLM? Even though most organizations are building on top of foundation models rather than trying to build their own. How can we build and maintain a security boundary with an intelligent system that can't really think? How do concepts like prompt injection, multi-stage exploits, SQLi, etc. mean to a loan application chatbot? What can a non-deterministic system do in a deterministic world?

Mandiant has exploited developer-assistance chatbots during its Red Team Assessments to gain privileges within a client environment. Its consultants have explored and bypassed protections built to restrict the scope of a financial services chatbot. How can these and other stories help improve the security of future applications built on top of GenAI and LLMs?

Topic: Strategies for Safeguarding Legal Privilege in In-House Counsel
Narrative: Retaining legal privilege during cross-border incident response efforts presents unique challenges. When local laws fail to recognize privilege for in-house counsel, preserving it becomes paramount. Moreover, when incidents span multiple countries with inconsistent privilege rules, maximizing protections requires finesse. This program delves into practical dos and don’ts during litigation, drawing from real-world war stories shared by seasoned panelists and will cover: 

• Preserving Privilege Amid Legal Ambiguity
• Navigating Cross-Border Privilege Challenges
• Dos and Don’ts During Litigation
• War Stories from the Trenches

In conclusion, safeguarding privilege requires vigilance, adaptability, and a keen understanding of legal nuances. By learning from real-world scenarios, in-house and external counsel can fortify their privilege protections and navigate the legal landscape effectively.

In the era of rapid AI adoption, new AI systems are increasingly becoming targets for threat actors, thereby creating fresh gaps in cybersecurity posture management. This Deloitte talk underscores the importance of a multi-layer, 'secure by design' approach, offering comprehensive protection across all layers of AI systems. We'll delve into every facet of the AI system from the model and its supply chain, architected for MLOps, to data provenance, to the infrastructure and management planes. Discover how this cross-industry framework not only ensures compliance with industry standards but also provides a roadmap to navigate the rapidly shifting threat landscape, including how we've used it to augment Google's Vertex AI AI-as-a-Service platform. We invite you to join us and explore the inherent value of a 'secure by design' approach in fortifying enterprise-wide security and resilience against emerging threats.

Every security program regardless of maturity deals with resource limitations — personnel, time, budget, etc. — and can’t possibly address every potential risk in their environment simultaneously. But every program must still answer the questions, “Are we working on the right things?” and “Are we getting better?” In this presentation, PlexTrac Founder and CTO and security industry veteran Dan DeCloss will present strategies for harnessing contextual scoring of proactive security and threat intelligence data to prioritize remediation based on business impact. He'll present practical methods for scoring risk without relying on "black box" algorithms, how to leverage risk frameworks like NIST, Mitre ATTACK, and PCI, the role AI and threat intelligence play in prioritized remediation, and how to measure the overall effectiveness of proactive security efforts over time.

The healthcare and life sciences (HCLS) industry has been under increasing levels of attack. We have seen a rapid rise in large system-wide disruptions in care due to ransomware and other destructive attacks. What began years ago as protected health information (PHI) data theft has now escalated into attacks that disrupt surgeries, divert patients from emergency care, and interrupt the drug supply. The threat landscape includes all sectors -- from payment and delivery, to medical devices and biologic drug development. In the face of these challenges, the industry is now thinking beyond attack avoidance towards resiliency in operations -- or as the President's Council of Advisors on Science and Technology (PCAST) noted in the recent Strategy for Cyber-Physical Resilience report. "the ability of a system to anticipate, withstand, recover from, and adapt to cyberattacks." In this panel, we will hear from security leaders across the industry about the current challenges, the cross-sector work that is underway, and what we can anticipate in the future to create a more resilient healthcare system.

As cloud security operations mature within the organizations, implementing effective metrics is vital for measuring cloud security posture and operational readiness. Organizations often face challenges in tracking security metrics without incurring resource overheads.

This talk discuss examples of both potentially effective and ineffective metrics based on real-life experiences, tailored to various business scenarios and risk appetite. We will explores how to prioritize metrics that inform leadership and drive continuous improvement in cloud security posture. The session also introduces concepts like the Exploit Prediction Scoring System (EPSS) for prioritizing vulnerability remediation and Protection Level Agreements (PLAs) for building effective KPIs. The goal is to not only measure but enhance cloud security operations, empowering teams to identify cloud security metrics truly matter to their business.

Learn how Mandiant Managed Defense provides continuous monitoring and expert analysis to identify and mitigate threats in real-time. Discover how Mandiant Hunt proactively hunts for hidden adversaries within your environment, uncovering the threats missed by other detection mechanisms. Through real-world examples and case studies, we'll illustrate how these services complement your security team to strengthen your security posture and ensure your organization remains resilient in the face of evolving threats.

In an era where AI adoption is accelerating across industries, ensuring robust security for AI systems is crucial. Join us for a panel discussion featuring experts from across Google who'll share firsthand insights from their customer interactions. They'll delve into real-world examples of the security challenges organizations grapple with when deploying AI, the lessons they've learned, and practical tips to improve security of your AI models, applications, and data. Get a clear, comprehensive picture of AI security from the people who help our customers protect their valuable AI systems.

Countering advanced persistent threats (APTs) and cyber threat actors (CTAs) has contextualized the ever-evolving landscape of counterintelligence (CI). Offensive cyber counterintelligence (OCCI) has clearly emerged as a critical component in the CI arsenal. A comprehensive understanding of OCCI’s effectiveness in addressing threats posed by APTs/CTAs remains elusive. This breakout aims to fill intelligence gaps in the digital threat landscape by examining the multifaceted variables and dynamics of OCCI. While OCCI is a crucial mechanism in the field of intelligence, there is a lack of research that systematically assesses the interplay between key variables influencing the efficacy of OCCI. What impact do attribution accuracy, operational timing, deterrence effectiveness, repercussions against the accused entity, and tactical adaptations have on the success of offensive cyber counterintelligence (OCCI) strategies against Advanced Persistent Threats (APTs) and Cyber Threat Actors (CTAs)? The breakout aims to provide nuanced insights that go beyond singular dimensions of CI. Further refining OCCI strategies will provide meaningful insight for policy decisions.

When conducting adversarial emulation engagements, making sense of all the data available to the attacker is THE biggest challenge. As a defender, if you don't know the needle in the haystack the threat actor will find even exists, how can you protect against it? How can you make sense of the vast amounts of structured and unstructured data to give yourself the advantage?

Data permeates the modern organization; structured data such as computer-readable output from tools and unstructured data; such as data from clients which is created by and for other employees. This data can be challenging to parse, process and understand from a security implication perspective but artificial Intelligence (AI) might just change all that.

Our presentation will focus on a number of case studies where we obtained unstructured data during our complex adversarial emulation engagements with global clients and how we processed this into structured data that could be used to better defend organizations using AI. We will showcase the lessons learned and key take-aways for other organizations and highlight other problems that can be solved with this approach both for red and blue teams.

AI is advancing rapidly, and it is important that risk management strategies evolve along with it. To help achieve this evolution, Google introduced the Secure AI Framework (SAIF). Join us to learn the top risks and how SAIF evolves to offer a practical approach to addressing them. We will also cover how to implement it for popular scenarios.

According to Gartner, 40% of companies developing proprietary applications will adopt an Application Security Posture Management (ASPM) solution by 2026. Why? Because with increasing cloud security complexity involving a multitude of scanners, languages, and frameworks, organizations are finding it more and more difficult to prioritize fixes amongst a sea of alerts. This lack of clarity leads to protracted risk windows. A survey conducted by the Cloud Security Alliance found that 18% of organizations reported taking more than 4 days to address critical vulnerabilities—with 3% exceeding two weeks. That’s too long for the well-being of your infrastructure, and that’s where ASPM can help. During the course of this session, we’ll take you through ASPM basics— what it is, who’s using it, how it differs from similar solutions (death by acronyms!), its benefits, the best-of-breed tools that can integrate with an ASPM solution, considerations and steps for implementing, and—what everyone’s buzzing about—how AI factors in to modern ASPM solutions.

Ditch the manual grind! Google Security Operations & Foresite unveil a revolutionary SOC powered by generative AI. This talk dives deep into empowering analysts & automating tedious tasks. Witness AI transform security:

• Automated Threat Detection & Response: Generative AI triages alerts, prioritizes threats, & automates initial response, freeing analysts for high-impact investigations.
• Enhanced Threat Hunting: Uncover hidden threats with AI-powered anomaly detection. Generative models can identify subtle patterns & entities invisible to traditional methods.
• Streamlined Incident Response: Generate investigative playbooks & automate repetitive tasks, expediting incident resolution & reducing analyst workload.
• Continuous Threat Intelligence: AI analyzes vast data sets to identify emerging threats & indicators of compromise (IOCs), keeping your defenses ahead of the curve.

This talk is a real world showcase of applications in practice.

Generative AI has given defenders an edge, but it's also opened new avenues for enabling cyber threat actors to conduct phishing, social engineering, vulnerability research, and other abusive activities. A cross-team collaboration spent months tracking, defending and learning from threat actors attempting to abuse Google's AI systems; tactics that can ultimately work across different AI systems.

In our talk, we will discuss the types of abusive behavior seen from threat actors, including novel-AI TTPs that haven't been publicly shared before, like jailbreak prompts and prompt injection attacks. We'll then share actionable best practices for how enterprises can be proactive in detecting and stopping abuse and exploitation of their AI systems, based on these learnings.

Audience members will walk away with the knowledge of which implementations to prioritize within their environments to stay ahead of the curve and retain their edge.

In an era where cyber threats are increasingly sophisticated, the need for security data collection and monitoring remains vital, but the SecOps landscape is evolving. This session offers a real and honest discussion about these shifting paradigms.

We'll delve into the strengths and weaknesses of SIEMs and data lakes, foundational components upon which your workflows are built, then cut through the marketing noise to explore how AI/ML are transforming SecOps, enhancing threat detection, and response capabilities. We'll provide insights into where these technologies are headed and how to position your organization today to take full advantage of them in the future.

The road to modernization is fraught with challenges. For those considering a SIEM or data lake migration, we'll discuss common pitfalls and effective strategies to navigate this complex process.

Attendees will walk away with a clear understanding of how to evaluate and choose the best solution for their organization's specific needs, whether it's a traditional SIEM, data lake, or hybrid approach. Step confidently into the next generation of cybersecurity with the tools and insights to outsmart evolving threats.

Threat actors like Raspberry Robin are known to conduct Fast Flux behaviors to hide their infrastructure. They quickly rotate a domain through numerous IPs across unique ASNs, which can make it harder for some defenders to find and block the infrastructure.

By focusing on IP / ASN diversity features (the number of unique ASNs/IPs a domain has been seen on over a specific period) and creating a simple domain regex filter for the 2-letter domain format used by Raspberry Robin for their infrastructure while bearing in mind the unique Name Server that they are known to use, we can easily create a ruleset that makes it possible for defenders to get lists of their domains that are Indicators of Future Attacks (IOFAs).

FastFlux behaviors create golden opportunities for defenders to hunt for IOFAs. In our research, we haven't found any legitimate enterprises that deploy FastFlux behaviors on their domains. Only threat actors are doing this. Silent Push has one of the only open data sets available for researchers that easily allow searching the open internet by IP / ASN diversity so that more threat analysts can dig through hosts doing these suspicious FastFlux DNS rotations.

Multi-faceted extortion via ransomware or data theft is a popular end goal for attackers, representing a global threat targeting organizations in all industries. These threats not only have a financial impact on organizations, but can also have long-lasting reputational and trust impacts. This presentation will focus on the core programmatic and technical controls that can not only protect organizations from these threats and risks, but also demonstrate a positive return on investment by better protecting the business.

The presentation will align scalable and actionable programmatic and technical controls that includes coverage for protecting and enhancing detections for:

• Identities
• Endpoints
• Network Architectures
• Remote Access Platforms
• Trusted Service Infrastructure (TSI)

The presentation will also highlight common challenges organizations face when ransomware has been deployed, including prolonged downtime, coupled with unforeseen expenses for restoration and recovery. The presentation will demonstrate the proactive processes, architecture designs, and technical controls organizations should consider to ensure the timely and secure recovery of business operations.

Most organisations use more than one public cloud to deploy infrastructure (AWS,Azure,GCP etc.).Having a large distributed deployment opens up avenues for attackers to exploit, misusing the lateral movement paths and inter-dependencies between the clouds. Mandiant has observed attackers compromise entire cloud environments by performing token theft-replay, AiTM attacks. Such compromises often involve abuse of user accounts exposed to multiple clouds, permissions leak, lateral movement paths, trust relationships and integrations between the cloud service providers. This session will walk through Mandiant’s frontline experience of such attacker paths across multi-cloud and delve into the proposed architecture to secure the cloud. This is meant to eliminate attacker paths of lateral movement and privileged escalation. It adopts tiering model practices for segregation of resources, endpoints, accounts, and applies it consistently across multiple cloud platforms. The session delves into security configurations, monitoring and detection mechanisms to secure and harden critical assets across multi-cloud.

Artificial intelligence (AI) is revolutionizing the way we approach security operations – allowing defenders to elevate their skills and boost productivity by accelerating threat detection, investigation, and response. AI isn’t a future concept: It’s here and available, with early user feedback showing that AI can reduce the time required for common analyst tasks such as triaging complex cases by 7x. In this session, we’ll dive into the real-world applications of AI in Security Operations with hands-on demonstrations and case studies.

In the landscape of cybersecurity, threat actors leverage deceptive techniques to orchestrate sophisticated attacks. This session explores the use of LNK, ISO and PEEXE files as a conduit to deliver hidden malware payloads while using PDF documents to trick the victim. By dissecting sandbox-generated artifacts for example in VirusTotal, we illuminate the strategies employed by adversaries, enabling practitioners to enhance threat detection and threat hunting methodologies to track this threats using artifacts generated during the execution of the initial payloads, helping with pivoting and hunting. We will see real examples of the PatchWork APT group and other crime groups.