This presentation examines a Cyber Threat Intel (CTI) team designed to integrate seamlessly with Incident Response (IR) and Security Operation Center (SOC) teams based on real world experiences from Mandiant’s Advanced Practices team. CTI provides organizations with context needed to understand adversaries, their tactics, and the industry or assets they target. Attendees will gain insight to help develop a CTI function of value to frontline defenders.

Key insights:

• Action: Identify intel directly enhancing IR and SOC operations
• Structure: Outline CTI team roles & skills needed to support frontline operations
• Insights: Translate data into actionable intel 
• Integration: Embed workflows & outputs into IR playbooks and SOC alert triage
• Peril: Lessons from 15+ years of frontline CTI support

Attendee takeaways:

• A CTI team blueprint, purpose-built for frontline operations
• Methods to ensure output is timely, relevant, and actionable
• Seamless frontline services integration strategies
• Benefit from years of frontline CTI support experience

Ideal Audience: Security leads, CTI managers, SOC analysts & incident responders interested in maximizing CTI value

Most organisations use more than one public cloud to deploy infrastructure (AWS,Azure,GCP etc.).Having a large distributed deployment opens up avenues for attackers to exploit, misusing the lateral movement paths and inter-dependencies between the clouds. Mandiant has observed attackers compromise entire cloud environments by performing token theft-replay, AiTM attacks. Such compromises often involve abuse of user accounts exposed to multiple clouds, permissions leak, lateral movement paths, trust relationships and integrations between the cloud service providers. This session will walk through Mandiant’s frontline experience of such attacker paths across multi-cloud and delve into the proposed architecture to secure the cloud. This is meant to eliminate attacker paths of lateral movement and privileged escalation. It adopts tiering model practices for segregation of resources, endpoints, accounts, and applies it consistently across multiple cloud platforms. The session delves into security configurations, monitoring and detection mechanisms to secure and harden critical assets across multi-cloud.

Countering advanced persistent threats (APTs) and cyber threat actors (CTAs) has contextualized the ever-evolving landscape of counterintelligence (CI). Offensive cyber counterintelligence (OCCI) has clearly emerged as a critical component in the CI arsenal. A comprehensive understanding of OCCI’s effectiveness in addressing threats posed by APTs/CTAs remains elusive. This breakout aims to fill intelligence gaps in the digital threat landscape by examining the multifaceted variables and dynamics of OCCI. While OCCI is a crucial mechanism in the field of intelligence, there is a lack of research that systematically assesses the interplay between key variables influencing the efficacy of OCCI. What impact do attribution accuracy, operational timing, deterrence effectiveness, repercussions against the accused entity, and tactical adaptations have on the success of offensive cyber counterintelligence (OCCI) strategies against Advanced Persistent Threats (APTs) and Cyber Threat Actors (CTAs)? The breakout aims to provide nuanced insights that go beyond singular dimensions of CI. Further refining OCCI strategies will provide meaningful insight for policy decisions.

Explore the critical vulnerabilities of IT Help Desks and Call Centers. Learn how to address the alarming trend of security breaches stemming from insufficient authentication practices. Organizations apply Multi-Factor Authentication (MFA) to their online and mobile experiences, while leaving the IT Help Desk protected only by weak security questions. This is comparable to locking the front door while leaving the window open. Bad actors have noticed the open window of the IT Help Desk in a BIG way this year, using it as an entry point for breaches. Learn from real-world breaches, discuss existing security gaps, and discover how to effectively apply cybersecurity strategies specifically to IT Help Desks and Call Centers to reduce risks and operational costs. Key points: Introduction to IT Help Desk Vulnerabilities Identifying the Challenges with Traditional Verification Methods Real-World Consequences of Inadequate Security Exploring secure caller verification methods Q&A session

In this day and age, malicious threat actors and APTs are leaning ever harder on AI and automation to speed up and obfuscate their operations. By utilizing hashes created from content, headers, SOA records, Name servers, and more, threat hunters can uniquely identify both the characteristics of malicious infrastructure that is unlikely to change and that which is changing rapidly. Both of which can be of critical value for defenders. Automatically generated phishing pages with minor, target-specific changes can be found en-masse, rapidly rotating infrastructure can be picked out like the blinding eyesore it is, and seemingly innocuous infrastructure can be caught hiding amongst the sheep so that the wolves never get (or stay) in the fence line. This talk will cover (in depth) how our threat hunters have utilized hashes, fuzzy hashes, and similarity searches to protect our clients and mitigate attacks before they are launched. Case studies will include 1 or 2 of the following: Scattered Spider, Latrodectus, Prolific Puma, SocGholish, Duke Eugene’s Android Malware, Meduza Stealer, as well as the malicious fake trading apps that we’re tracking via this method.

Generative AI is shifting the defender landscape–from how practitioners do their job, to the user experience of the tooling, to how we think about securing AI workloads in the cloud. In this session, Google Cloud Security leaders will surface insights from conversations with CISOs, the latest Mandiant research, and Google DeepMind innovations to elucidate macro trends seen at the intersection of security and AI and what they mean for your organization. At a time when 88% of organizations have a difficult time investigating and responding to threats in a timely manner, you will also gain an understanding of real-world use cases for how AI is evolving the security lifecycle to be semi-autonomous, so defenders gain and maintain the upper-hand as threats continue to evolve.

Ditch the manual grind! Google Security Operations & Foresite unveil a revolutionary SOC powered by generative AI. This talk dives deep into empowering analysts & automating tedious tasks. Witness AI transform security: Automated Threat Detection & Response: Generative AI triages alerts, prioritizes threats, & automates initial response, freeing analysts for high-impact investigations. Enhanced Threat Hunting: Uncover hidden threats with AI-powered anomaly detection. Generative models can identify subtle patterns & entities invisible to traditional methods. Streamlined Incident Response: Generate investigative playbooks & automate repetitive tasks, expediting incident resolution & reducing analyst workload. Continuous Threat Intelligence: AI analyzes vast data sets to identify emerging threats & indicators of compromise (IOCs), keeping your defenses ahead of the curve. This talk is a real world showcase of applications in practice.

As data flowing into security operations centers has exponentially increased, analysts are increasingly tasked with scaling far beyond the level their tools and organizational design allow. With the era of "new" AI at our doorstep, we risk further burying our SOC analysts in more and more "data" to sift through. In an effort to combat this, we'll attempt to layout an analyst-first perspective for the new SOC that must rise to meet this challenge - one in which the human behind the analysis is the fulcrum for this new AI-assisted leverage, rather than an inconvenience to be replaced. To accomplish this, we focus our attention and technology on amplifying the core work products of analysts while using automation to drive the machine - ensuring that every piece of analysis flows back into the system, lightening the load for future analysts and establishing an institutional "SOC memory" which new analysts can seamlessly leverage in their daily efforts.

The fight against online fraud is a relentless arms race, constantly evolving with new threats and sophisticated tactics. This session will provide a deep dive into the latest trends in bot attacks, account takeovers, payment fraud, and SMS toll fraud. We'll uncover the evolving tactics used by fraudsters, from advanced automation and AI-powered attacks to social engineering and phishing schemes. You'll gain actionable insights into building a robust fraud defense strategy that adapts to the dynamic threat landscape. We'll cover best practices for detection, prevention, and mitigation, including leveraging machine learning, behavioral analytics, and real-time risk assessment. We'll also discuss the importance of layering security measures and staying ahead of the curve through continuous monitoring and adaptation. This session will equip you with the knowledge and strategies to proactively combat fraud, protect your customers, and safeguard your bottom line.

In the world of cybersecurity, staying compliant with the SEC Cyber rule is a top priority. But what does this mean for your company's cyber security efforts? In this session, we'll delve into the impact of the SEC Cyber rule on your organization's cyber security strategy, process, and governance. But that's not all. We'll also explore the vital role that conducting robust ransomware exercises plays in refining your incident and annual disclosures. Not only will we address the operational aspects of disclosure, but we'll also highlight how executive and board-level involvement is crucial in refining your cyber disclosures. Collaboration between roles that have different perspectives, such as CISO, CIO, GC, and CFO, is essential when it comes to addressing ransomware incidents, ensuring effective cyber disclosures, and when to discuss these critical issues with the board. Don't miss out on this opportunity to gain valuable insights, enhancing your understanding and impact of the SEC Cyber rule and enabling you to confidently address ransomware incidents and drive effective cyber disclosures.

Hacktivism has been present in the threat landscape for decades but since 2022 it has significantly changed to geopolitical motivated activity. This presentation provides understanding of the hacktivist landscape and provides some innovative methodologies to track and monitor the threat landscape. This talk will explore what the geopolitical catalyst was for the shift in Hacktivist activity. How hacktivism has changed. What type of attacks we see and the type of groups using them. What the overall intent and motivations of the Hacktivist groups are. It will explain that Hacktivist activity and information operations are largely entwined. It will explain a new methodology on how to track and monitor Hacktivist groups, by putting them into categories - with four key ones being presented. This talk will challenge traditional views on cyber threats, by shifting the focus from technical indicators and capability to looking at intent to drive analysis. Many organizations are struggling to understand how to view hacktivism in terms of the threat landscape, this talk aims to clarify misconceptions and provide clearer understandings of the Hacktivist threat landscape.

A key skill we use every day is collaboration – but how can you collaborate if you don't have trust? I address this topic in "Gaining Trust in Zero Trust." Working in the cybersecurity space, we embrace the motto "zero trust" – but this mindset can creep into our everyday interactions. A whirlwind tour of history reveals how this concept evolved (for example Mikhail Gorbachev and President Ronald Reagan discussed "trust, but verify!") I offer a few tips to help gain trust with any type of research findings: don't embarrass anyone, don't speculate, and be genuine – report the actual findings, even if it's a bitter pill.

Large Language Models (LLMs) have been transformational, but their increasing complexity and integration into critical systems have opened up a new attack surface for malicious actors. This session delves into the evolving threat landscape of LLM attacks, focusing on how industry leaders like Google Cloud and SAP are proactively securing generative AI technologies. Key Topics: Understanding Vulnerabilities and Attacks unique to LLMs: Prompt injection attacks, data poisoning, model theft, and adversarial examples. Defense Strategies in Google Cloud: We examine a multi-layered approach to securing its LLMs. This includes robust input validation and sanitization techniques, adversarial training to make models more resilient, and differential privacy mechanisms to protect sensitive user data. Preventative and detective policies based on NIST and Model Armor on Google Cloud. SAP’s Security Framework: We’ll highlight Gen AI embedded in SAP’s products (AI tools like Joule) and how those products are delivered securely. Industry Standards: We discuss the evolving OWASP top 10 for LLM , NIST AI RMF, Cloud Security Alliance and MITRE frameworks for securing GenAI.

We'll delve into the critical intersection of artificial intelligence and cybersecurity. AI is revolutionizing industries, but it also introduces new attack surfaces and vulnerabilities that traditional security measures may not fully address. We'll explore how proactive threat hunting can be a powerful tool in identifying and mitigating AI-related risks. This session will cover: The Evolving Threat Landscape: An overview of the latest AI-driven threats, including prompt injection, adversarial attacks, data poisoning, and the unique challenges they pose to security teams. Threat Hunting Fundamentals: A refresher on the core principles of threat hunting, its methodologies, and how it differs from traditional reactive security approaches. AI-Specific Threat Hunting Techniques: Identifying anomalies and suspicious patterns in AI model behavior. Detecting unauthorized access or manipulation of AI training data. Monitoring for signs of adversarial attacks, such as model evasion or poisoning. Practical Tools and Strategies: A look at the tools and technologies that can aid in AI threat hunting, including log analysis, machine learning algorithms, and threat intelligence platforms.

When conducting adversarial emulation engagements, making sense of all the data available to the attacker is THE biggest challenge. As a defender, if you don’t know the needle in the haystack the threat actor will find even exists, how can you protect against it? How can you make sense of the vast amounts of structured and unstructured data to give yourself the advantage? Data permeates the modern organization; structured data such as computer-readable output from tools and unstructured data; such as data from clients which is created by and for other employees. This data can be challenging to parse, process and understand from a security implication perspective but artificial Intelligence (AI) might just change all that. Our presentation will focus on a number of case studies where we obtained unstructured data during our complex adversarial emulation engagements with global clients and how we processed this into structured data that could be used to better defend organizations using AI. We will showcase the lessons learned and key take-aways for other organizations and highlight other problems that can be solved with this approach both for red and blue teams.

In an increasingly sophisticated era of cyber threats, having complete visibility into applications, API, and data is paramount. However, enterprises have their applications running across hundreds of hosts in multiple subdomains and building an inventory of such apps and data flows is very difficult, if not impossible. Enter eBPF (Extended Berkeley Packet Filter), a revolutionary technology that extends the capabilities of the Linux kernel, enabling real-time visibility into running apps regardless of their language and framework. This talk explores the transformative power of eBPF in modern security engineering. Attendees will learn how eBPF's dynamic tracing and filtering capabilities provide unparalleled visibility into application, data flow, and API behaviour, allowing for proactive vulnerability detection and risk assessment. Discover how integrating eBPF into your security strategy can safeguard your applications and data against evolving cyber threats, ensuring robust and resilient protection for your digital assets. Join us to unlock the full potential of eBPF and step into the future of app and data security.

On April 10, 2024, Palo Alto Networks disclosed a zero-day vulnerability (CVE-2024-3400) in its VPN product after observing active exploitation at multiple organizations. This vulnerability is just one of many to be disclosed in recent months (Cisco, Ivanti and likely others) resulting in organizations to take rapid action to reduce the likelihood of exploitation. Steven Taylor, who recently led Incident Management at Palo Alto Networks and now a Consulting Director at MorganFranklin Cyber, plans to share insights from the frontline (publicly available), ongoing persistence from threat actors and practical steps to reduce cyber risk when a critical vulnerability is disclosed by a software provider.

The cloud is secure, right? Well, yes and no. Cloud providers invest heavily in security, largely exceeding what most organizations can achieve on their own. Yet, headlines scream of cloud breaches and leaks. What gives? The truth is, cloud security isn't merely a shared responsibility; it's a shared opportunity. The "customer's fault" narrative is too simplistic. It's not just about misconfigurations (though those are a major problem). It's about a fundamental disconnect between the cloud's potential for security and the realities of how organizations use it. In this talk, we'll dive into this paradox. We'll explore:

• The Myth of "Set It and Forget It": Why cloud security requires ongoing vigilance and adaptation, not just ticking boxes.
• The Shared Responsibility Model and Shared Fate: What you're truly responsible for, where the cloud provider steps in, and where you have to work together.
• Secure by Design, Insecure by Default?: How to leverage cloud-native security features and avoid common misconfigurations.

Cybersecurity defenders face a constant challenge: balancing the need to adopt innovative technologies with the imperative to protect their organizations. Recent examples like Supply Chain Security, Large Language Models, and Generative AI highlight the tension between business demands and security concerns. This talk presents a practical framework for evaluating and integrating new technologies into existing security programs and risk registers. We will address key decision points for ensuring safe and productive implementation within an organization. Attendees will learn how to: Cut through the hype cycle and assess new technologies objectively. Identify potential risks and develop mitigation strategies. Communicate effectively with stakeholders, including CIOs, about the benefits and challenges of new technology adoption. Make informed decisions that enable innovation while maintaining security. By the end of this talk, attendees will be equipped to confidently navigate the introduction of new technologies without compromising their organization's security posture.

This panel will discuss the record-breaking number of supply chain attacks in the summer of 2023, highlighting key incidents such as 3CX, MOVEit, and Barracuda. The panel will discuss lessons learned, emerging trends, increased global cooperation and the shift in government expectations. The panel will address cyber preparedness and risk tolerance. The panel will offer thoughts on minimizing legal exposure, cyber reporting obligations, and handling threat actor communications, especially if company officials or family member are approached or threatened. Finally, the panel will discuss how cyber investigators can approach multi-cloud environments despite the many challenges these types of investigations present and how they can enhance incident response in complex environments. The panel will discuss the need for enhanced data protection and methods for enhancing security posture and incident preparedness. The panel will also address how the increase in supply chain attacks affected the way a company and counsel think about risks as well as the need to understand legal, regulatory, and contractual requirements in a complex environment.

Delve into the trenches with a pragmatic guide to implement quantitative risk management. Gain knowledge of methods for quantitative program design that comprise risk primitives, analysis approach, and workflow design. Risk primitives such as capacity, appetite, tolerance, and KRIs are described. Understand what modifications can be made to simplify operational use of FAIR for first timers and how to embrace Python and R for analysis with an open source approach. Be empowered to address workflow challenges using a simplified approach to the entire risk lifecycle from assessment intake and management to modeling and reporting output and finally risk decisions with trending and ROI analysis. Additionally, learn implementation and operation of the program design through people, process, and technology. Finally, close the gap for the last mile of transition to quant risk management and learn how to communicate and report risk from the boardroom to the team room.

The ethical and secure disclosure of vulnerabilities in AI has emerged as a pivotal challenge, compounded by the need to address biases and misinformation that often cloud the true nature of these vulnerabilities. This talk delves into the intricate dynamics of vulnerability disclosure within AI, balancing transparency with security. We'll dissect the unique challenges AI presents, such as data bias exploitation and model manipulation, which can amplify the impact of vulnerabilities. Through a lens of real-world examples and recent disclosures, we'll navigate the complexities of responsible vulnerability management in AI. Our discussion will not only aim to shed light on these critical issues but also inspire a unified approach to refining disclosure processes. This concerted effort is vital for enhancing the integrity of AI systems and bolstering public trust in their use.

Join April Mardock, CISO for Seattle Public Schools, as she teaches how to run a cyber incident response tabletop session with the help of Generative AI. April will provide both a tabletop session that you can participate in dynamically, as well as teach you how to lead your own tabletop, and tune the exercise for your organization's strengths and weaknesses.

Preventing, detecting, and responding to cybersecurity events increasingly depends on an organizations ability to match security operations needs with the correct people, process, and technology requirements. At the heart of this dependency is the robust, mature, and capable Security Operations Center (SOC). However, existing cybersecurity frameworks are limited and not designed for developing capable, effective SOCs. This is because there is no single approach to SOC development. Organizational needs are unique and therefore the roles, services, and tools needed for the SOC to support organizational mission and goals must also be unique. Developing or improving a SOC is a process which must be flexible. To assist organizations is this process, the SEI has developed OSCAR – the Ontology for SOC Creation Assistance and Replication. OSCAR is a structured knowledge base developed using description logics which organizes SOC knowledge in to 5 domains and more than 80 classes. Built based on interviews with SOC experts and years of institutional knowledge and experience, OSCAR provide new perspectives on SOC development and a new tool for teams to use when developing SOC capabilities.

The infamous Russian hacktivist group, Killnet, operated as a rabid cyber army, orchestrated by a select few to create chaos and inflict harm. Despite its notoriety, investigating the true operators behind Killnet proved to be a significant challenge, given its checkered history and inconsistent behavior. However, through an in-depth investigation and direct confrontation with the gang, we shed the veil of secrecy shrouding the group and will share a compelling personal account detailing how we disrupted Killnet, plunging it into a death spiral. Our strategy to dismantle this cyber army hinged on identifying a critical vulnerability – its connection to the Russian illegal drug marketplace - Solaris. By exposing this nefarious link and diverting proceeds from the Russian drug operation to support a Ukrainian charity, we triggered widespread questioning of Killnet's leadership and actions. This created an instability and within the group and beyond, ultimately leading to loss of support of the Russian government and breaking of financial ties. As of the beginning of this year, Killnet changed drastically, leaving behind remnants of a group once synonymous with disruptive hacktivism.

Threat actors like Raspberry Robin are known to conduct Fast Flux behaviors to hide their infrastructure. They quickly rotate a domain through numerous IPs across unique ASNs, which can make it harder for some defenders to find and block the infrastructure. By focusing on IP / ASN diversity features (the number of unique ASNs/IPs a domain has been seen on over a specific period) and creating a simple domain regex filter for the 2-letter domain format used by Raspberry Robin for their infrastructure while bearing in mind the unique Name Server that they are known to use, we can easily create a ruleset that makes it possible for defenders to get lists of their domains that are Indicators of Future Attacks (IOFAs). FastFlux behaviors create golden opportunities for defenders to hunt for IOFAs. In our research, we haven’t found any legitimate enterprises that deploy FastFlux behaviors on their domains. Only threat actors are doing this. Silent Push has one of the only open data sets available for researchers that easily allow searching the open internet by IP / ASN diversity so that more threat analysts can dig through hosts doing these suspicious FastFlux DNS rotations.

The cybersecurity industry celebrates the reduction of dwell times. The latest M-Trends report states the global median dwell time is 10 days; however, more than 10% of incidents investigated had dwell times of more than 6 months—with some at over 5 years. In this session we will discuss the motivations and tactics behind attacks with various dwell times, and the impact these attacks can have on organizations. Guidance will be provided for how to hunt for these types of intrusions, as well as steps to take to temper these squatters.

Ransomware is evolving, challenging old paradigms and reshaping power dynamics. Our talk, "RaaS is Dead, Long Live RaaS," explores the shift from a hierarchical Ransomware as a Service (RaaS) to a decentralized model where affiliates gain autonomy. RaaS platforms, adapting to this change, now offer better incentives and support to attract skilled affiliates. We'll discuss how law enforcement crackdowns and the rapid advancement of hacking techniques have catalyzed these changes. The presentation will also examine the ransomware industry's resilience and innovation, considering the implications for cybersecurity defenses. We aim to provide insights into the adaptability of digital extortion and its impact on future security strategies. Join us for a detailed look at the ransomware market's transformation and what it signifies for the fight against cybercrime.

Topic: Strategies for Safeguarding Legal Privilege in In-House Counsel
Narrative: Retaining legal privilege during cross-border incident response efforts presents unique challenges. When local laws fail to recognize privilege for in-house counsel, preserving it becomes paramount. Moreover, when incidents span multiple countries with inconsistent privilege rules, maximizing protections requires finesse. This program delves into practical dos and don’ts during litigation, drawing from real-world war stories shared by seasoned panelists and will cover: 

• Preserving Privilege Amid Legal Ambiguity
• Navigating Cross-Border Privilege Challenges
• Dos and Don’ts During Litigation
• War Stories from the Trenches

In conclusion, safeguarding privilege requires vigilance, adaptability, and a keen understanding of legal nuances. By learning from real-world scenarios, in-house and external counsel can fortify their privilege protections and navigate the legal landscape effectively.

Insider threats pose a significant and increasing risk to organizations across industries. The Insider Threat Pen Test is a novel approach to cyber security that proactively identifies and addresses vulnerabilities stemming from both accidental malicious insider and this presentation delves into the methodology behind this Pen Test, illustrating how it complements traditional external penetration testing by focusing on internal systems, processes, and human behavior. Through in-depth case studies from various sectors, we showcase the actionable insights gained from this approach. These insights empower organizations to strengthen their security culture, implement targeted mitigation strategies, and foster a proactive cyber security mindset. Attendees will learn how the Insider Threat Pen Test can be leveraged to reduce the risk of data breaches, intellectual property theft, operational disruptions, and other costly consequences of insider threats. Ultimately, this presentation demonstrates how the Insider Threat Pen Test serves as a business enabler, enhancing organizational resilience and safeguarding critical assets in an ever-evolving threat landscape.

Contrary to popular beliefs and despite their promises, healthcare has and will continue to be under attack by threat actors looking to profit from the vulnerabilities our health system continues to expose. There was a time where criminals and nation states teased that they'd "not attack healthcare", we knew this was a lie. The gloves have never been on. Healthcare needs a lift. During this talk, Taylor Lehmann (Google) and Luke McNamara (Mandiant Intelligence) with leaders from the Health ISAC, MedISAO, and Bio-ISAC will host a panel that gets deeply into the sector's challenges, identify threats, get into detail where the greatest vulnerabilities are and what we can do to establish collective defenses that work. We'll unpack the recent Health Sector cyber performance goals and incentive programs coming to US healthcare cyber-security and what they mean. This will be a panel discussion featuring the CISO and CSOs from the Health ISAC, MedISAO, Bio-ISAC.

Cyberattacks are now an inevitability, with Threat Actors targeting organizations of all sizes and sophistication. This presentation confronts this reality, focusing on proactive defense strategies against these relentless threats. This presentation will go through real-world case studies, to dissect recent breaches and close calls, and what the defenders had to do in order to detect, respond and protect the organization. The presentation goes beyond threat identification; it showcases successful real-world defense strategies, offering practical approaches to mitigate risks, detect anomalies, and respond dynamically to attacks. Topics covered include threat intelligence sharing, incident response protocols, and fostering a security-conscious culture all the way to the board level. By showcasing organizations that have successfully defended against cyberattacks, the presentation inspires confidence and provides a roadmap for building resilient cybersecurity frameworks in todays rapidly changing environment

This talk addresses a critical challenge for security operations centers (SOCs) and incident response (IR) teams in cloud environments: minimizing the permissions required for forensic investigations while maintaining efficient collaboration with cloud teams. Key topics include:

• The Power of Dedicated Forensics Accounts: Learn why creating dedicated GCP/AWS/Azure forensics accounts can be a best practice, along with implementation steps
• Extracting Data from Containers: Discover various methods to acquire data from containers, including sidecars, snapshots of the container filesystems, and the Kubernetes API
• Temporary Credentials for Secure Access: We'll delve into assigning temporary credentials for cloud resources, using virtual machine snapshots as an example
• Leveraging Tagging for Granular Permissions: Explore how tagging resources can minimize the permissions needed for specific investigations
• RBAC Best Practices for IAM: Gain insights into best practices for Role-Based Access Control (RBAC) within IAM, specifically tailored for security operations and incident response teams

This interactive workshop reveals how AI agents create new cyber risks for online businesses, often overlooked amidst the focus on technical defenses. Attendees will analyze their own business model through the lens of adversarial AI, pinpointing areas where dependency, automation, or customer interactions offer new attack vectors. We'll discuss both defense strategies and how to leverage AI for your own cyber resilience. Gain a practical framework to evaluate emerging AI technologies and build a strategy that secures your organization's future regardless of disruptions.

Will we reach a point where all text boxes are handled by a LLM? Even though most organizations are building on top of foundation models rather than trying to build their own. How can we build and maintain a security boundary with an “intelligent” system that can’t really think? How do concepts like prompt injection, multi-stage exploits, SQLi, etc. mean to a loan application chatbot? What can a non-deterministic system do in a deterministic world? Mandiant has exploited developer-assistance chatbots during its Red Team Assessments to gain privileges within a client environment. Its consultants have explored and bypassed protections built to restrict the scope of a financial services chatbot. How can these and other stories help improve the security of future applications built on top of GenAI and LLMs?

Shared libraries are common in code development to increase efficiency, and provide a well-developed set of subroutines and functions. When a vulnerability is discovered in a shared library, it poses a serious risk to any organization that used that library – think Log4j. But, in the scenario that the vulnerability is not disclosed or fixed by the open source project and developers are unaware that they need to reconfigure it, this exposes organizations to even greater risk. In this session Mandiant and Ivanti will detail the discovery, remediation and disclosure of a vulnerability in the Apache XML Security for C++ library, which is part of the Apache Santuario project. By default, the library resolves references to external URIs passed in Extensible Markup Language (XML) signatures, allowing for server-side request forgery (SSRF). There is no way to disable this feature through configuration alone, and there is no patch available. Mandiant reported the non-secure default configuration in xml-security-c to the Apache Software Foundation (ASF). The ASF did not issue a CVE or a new release of xml-security-c.

Managed Service Providers (MSPs) play a pivotal role in modern IT supply chains. However, law enforcement agencies, including the FBI and the Cybersecurity & Infrastructure Security Agency (CISA), have repeatedly warned about the increasing focus of cybercriminals on MSPs. Given their ubiquitous access to client networks and industry-specific vulnerabilities, MSPs have rapidly become a target of choice for threat actors.

In this session, we will delve into the cybersecurity risks associated with outsourcing to an MSP and what your organization can do to mitigate these risks. By highlighting real-world incidents, we’ll review how organizations have been victimized, the key lessons learned (for both the client and MSP), and the essential steps to address similar attacks. By the end of this session, participants will have gained valuable insights into establishing clear rules of engagement and aligning ongoing security expectations with their MSP. This session is essential for both MSPs and the organizations that use them, as it emphasizes the importance of collaboration to ensure a resilient and secure IT environment.

Recent prominent breaches at healthcare organizations have proven that the healthcare sector is a primary target for financially motivated threat actors. The extended recovery times associated with these incidents have demonstrated that there exists opportunities for improvement in the incident response and management programs. Using the NIST incident response framework as a template, we will highlight improvements in preparation, detection, containment, and recovery phases as applicable to the healthcare sector. Healthcare is a critical industry quite literally impacting people’s lives. Ensuring that this important service is available to the public at all times is a necessity. Through the changes suggested in this talk, an incident response program will be able to meet goals of confidentiality, integrity, and availability. To highlight an example of the talk, we will discuss building automations through a Security Orchestration and Response tool to automate containment of suspected infected hosts.

In an era of remote work and distributed IT environments, remote administration tools (RATs) and remote monitoring and management (RMM) tools have become indispensable for system admins and managed service providers (MSPs). However, the same features that make these tools efficient also make them attractive targets for malicious actors. Advanced threat actors are increasingly leveraging legitimate RATs and RMMs to gain unauthorized access to networks, bypassing traditional security controls and evading detection. This presentation will provide an overview of the growing trend of weaponized remote access. Attendees will be guided through compelling real-world examples, dissecting the tactics, techniques, and procedures (TTPs) employed by adversaries to leverage these tools for malicious purposes. Furthermore, actionable insights will be provided, empowering organizations to enhance their detection capabilities and fortify their defenses against such sophisticated attacks. By understanding the evolving threat landscape and implementing effective countermeasures, attendees will be better equipped to safeguard their systems and data from the perils of weaponized remote access.

As cloud security operations mature within the organizations, implementing effective metrics is vital for measuring cloud security posture and operational readiness. Organizations often face challenges in tracking security metrics without incurring resource overheads. This talk discuss examples of both potentially effective and ineffective metrics based on real-life experiences, tailored to various business scenarios and risk appetite. We will explores how to prioritize metrics that inform leadership and drive continuous improvement in cloud security posture. The session also introduces concepts like the Exploit Prediction Scoring System (EPSS) for prioritizing vulnerability remediation and Protection Level Agreements (PLAs) for building effective KPIs. The goal is to not only measure but enhance cloud security operations, empowering teams to identify cloud security metrics truly matter to their business.

Serverless computing revolutionizes app development, but introduces unique security challenges due to its dynamic nature and reliance on third-party services. Drawing on insights from Google Cloud's security practices and real-world incidents, this talk explores the root causes of significant vulnerabilities exploited over the past decade. We'll delve into critical issues such as insecure coding practices, supply chain attacks, and misconfigurations, illustrating their potential consequences. Through data-driven insights attendees will gain actionable recommendations for hardening serverless security. Serverless security is not solely about safeguarding individual applications; it has far-reaching implications for the entire cloud ecosystem. The interconnected nature of serverless architectures means that a vulnerability in one component can cascade, potentially compromising multiple services and users. Therefore, a holistic approach to serverless security is essential, encompassing not only secure coding practices within applications but also robust protection for the underlying infrastructure, data storage, and network communications.

Mandiant's front-line experiences in incident response reveal common overlooked areas leading to cloud compromises. Drawing on numerous technical case studies, we cover patterns and offer strategies to fortify cloud environments: 1) Living off the Land (in the Cloud): We observe that intrusions often stem from traditional on-premise systems like Active Directory, VMware infrastructure, and MDM/EDR tools. Our discussion will delve into how these platforms can be safeguarded to prevent such incidents. 2) Extended Attack Surface: Cloud and hybrid environments naturally extend organizational attack surfaces. This section will explore the challenges posed by inadequate controls, the sprawl of credentials and the array of tools attackers utilize to exploit these vulnerabilities. 3) Third-Party Access: 2023 has seen a significant rise in incidents involving third parties and Managed Service Providers. We'll tackle the critical question: How can organizations continue to engage third parties without compromising their security posture? We will also cover proactive defense strategies and robust incident response capabilities to protect and react swiftly to threats within cloud environments.

As cyber threats become increasingly sophisticated, driven by generative AI, organizations need robust, proactive defenses. This session reveals how AI-powered collaboration tools using the principles of Zero Trust provide a critical first line of defense against email-based attacks, empowering secure work from anywhere.

This talk exposes a sophisticated cyber-espionage campaign orchestrated by a North Korean threat actor targeting a cryptocurrency company. Threat actor tactics, techniques, and procedures (TTPs), that inclued social engineering to gain initial access, in-depth source code reviews, and exploitation of a logical vulnerability that resulted in the exfiltration of millions of dollars worth of cryptocurrency. Through the lens of real-world investigations, the threat actor's motivations and the broader implications of their activities will be analysed. Furthermore, this talk will shed light on the lack of robust security monitoring in cloud environments, a critical factor that contributed to the success of this attack. The importance of implementing comprehensive security measures in cloud infrastructures to mitigate the risk of similar attacks in the future will also be discussed. Attendees will gain valuable insights into the evolving landscape of cyber threats, and the vulnerabilities often present in cloud environments. This knowledge will empower organizations to better understand and defend against sophisticated cyber attacks targeting their valuable digital assets.

In this joint presentation, Mandiant, the FBI, and the U.S. Attorney's Office will present a case study on their successful collaboration to bring cybercriminal Jesse Kipf, aka Ghostmarket09, to justice. Mandiant identified Kipf attempting to sell access to state death registration systems and delivered a victim notification to the impacted States and provided evidence to the FBI, which opened an investigation. The talk will discuss how Mandiant supported the FBI's investigation and assisted federal prosecutors. In October 2023, Kipf was indicted on charges of computer fraud, identity theft, and bank fraud. In April 2024, Kipf pled guilty to computer fraud and identity theft for breaching death registration systems in multiple states. Speakers will share insights from this collaboration, discussing how cybersecurity vendors, law enforcement, and prosecutors can work together to identify, investigate and prosecute threat actors. They will highlight challenges of building a case and critical evidence needed for conviction.

Drowning in data is a common problem in Threat Intelligence investigations. When faced with potentially hundreds or thousands of potentially relevant pieces of information, how does an analyst group them together or pull apart useful and relevant bits of that pile of data? This talk will offer a few tools to answer those questions, focusing on victim/target identification in a large set of DNS names. In particular, we will focus on a set of domain names registered by the "Disneyland team". It will walk through Machine Learning techniques for addressing multiple problems, such as finding homoglyph domains, clustering domains, clustering subdomains, TF-IDF of groups of domains, levenshtein distance between names, etc. The talk will use open source tools to do all of this work, and will include code to allow others to do this work themselves.

Generative AI has given defenders an edge, but it's also opened new avenues for enabling cyber threat actors to conduct phishing, social engineering, vulnerability research, and other abusive activities. A cross-team collaboration spent months tracking, defending and learning from threat actors attempting to abuse Google’s AI systems; tactics that can ultimately work across different AI systems. In our talk, we will discuss the types of abusive behavior seen from threat actors, including novel-AI TTPs that haven't been publicly shared before, like jailbreak prompts and prompt injection attacks. We'll then share actionable best practices for how enterprises can be proactive in detecting and stopping abuse and exploitation of their AI systems, based on these learnings. Audience members will walk away with the knowledge of which implementations to prioritize within their environments to stay ahead of the curve and retain their edge.

Application teams often have to navigate a complex web of security teams and requirements in order to launch a secure and compliant solution. Once the solution has been launched, the teams have to survive audits and maintain the security of the application while keeping up with changing requirements and implementations, all while working hard to run and grow their business. While regulatory complexity is a large contributor to the challenge, it can be further exacerbated by the lack of a clear, well lit path provided by legal, compliance, and security teams. Application teams often receive conflicting requirements and priorities from various teams, or follow a path that leads to them launching a solution that is ‘secure’ but not compliant, or vise-versa? Security teams are often frustrated with the focus on compliance requirements, rather than leveraging them to meet shared goals. Russ Ayres (Equifax) and Derek Coulson (Mandiant) will review how Equifax simplified its control requirements framework to help internal customers navigate security requirements more easily and enable proper auditing scoping at response using the Equifax Security Controls Framework.

In the landscape of cybersecurity, threat actors leverage deceptive techniques to orchestrate sophisticated attacks. This session explores the use of LNK, ISO and PEEXE files as a conduit to deliver hidden malware payloads while using PDF documents to trick the victim. By dissecting sandbox-generated artifacts for example in VirusTotal, we illuminate the strategies employed by adversaries, enabling practitioners to enhance threat detection and threat hunting methodologies to track this threats using artifacts generated during the execution of the initial payloads, helping with pivoting and hunting. We will see real examples of the PatchWork APT group and other crime groups.

In an era where cyber threats are increasingly sophisticated, the need for security data collection and monitoring remains vital, but the SecOps landscape is evolving. This session offers a real and honest discussion about these shifting paradigms. We’ll delve into the strengths and weaknesses of SIEMs and data lakes, foundational components upon which your workflows are built, then cut through the marketing noise to explore how AI/ML are transforming SecOps, enhancing threat detection, and response capabilities. We'll provide insights into where these technologies are headed and how to position your organization today to take full advantage of them in the future. The road to modernization is fraught with challenges. For those considering a SIEM or data lake migration, we’ll discuss common pitfalls and effective strategies to navigate this complex process. Attendees will walk away with a clear understanding of how to evaluate and choose the best solution for their organization's specific needs, whether it's a traditional SIEM, data lake, or hybrid approach. Step confidently into the next generation of cybersecurity with the tools and insights to outsmart evolving threats.

Threat modeling is a key technique that is used to analyze what could go wrong in a given software architecture. More often than not, the main output of a threat modeling exercise is a list of mitigations for how to ensure that “what could go wrong” actually “doesn’t go wrong”. While critical, this process can be so much more. By fostering collaboration between security and product teams, threat modeling can strengthen relationships, build trust, and ultimately enhance your software's security.

In this talk we outline how threat modeling can be used as a fitness function to iteratively improve the security posture of the software you are building. Instead of doing one shot threat models to enumerate and mitigate threats, we outline a new model where threat modeling takes input from a wide variety of other sources, ranging from threat intelligence to software development artifacts, and produces outputs in the form of mitigations, vulnerability research, and detections. We’ll then show how to tie these inputs and outputs into a feedback loop that improves the security posture of your organization over time while also building trust and better working relationships between teams.

Cloud Encryption is seen as a valuable component of a robust data security strategy. But what does cloud encryption actually offer in terms of security? Cloud Encryption has multiple different types including Cloud Service Provider Managed and Customer Managed. Depending on the type - the security offered can range from another robust layer of access control to a false sense of security.

In this talk, we’ll cover the following:

• Types of encryption (such as CSP Managed, Customer Managed)
• Default encryption for services in cloud.
• How cloud encryption impacts data perimeters.
• How cloud encryption translates into and impacts cloud identity and access management.
• Best practices and considerations for how to implement cloud encryption and data security in cloud.