Filter by

Reset

11:00 AM - 11:45 AM
Blurred (Identity) Lines: Encryption in Cloud and Impact on Security and Data

Cloud Encryption is seen as a valuable component of a robust data security strategy. But what does cloud encryption actually offer in terms of security? Cloud Encryption has multiple different types including Cloud Service Provider Managed and Customer Managed. Depending on the type - the security offered can range from another robust layer of access control to a false sense of security.

In this talk, we’ll cover the following:

  • Types of encryption (such as CSP Managed, Customer Managed)
  • Default encryption for services in cloud.
  • How cloud encryption impacts data perimeters.
  • How cloud encryption translates into and impacts cloud identity and access management.
  • Best practices and considerations for how to implement cloud encryption and data security in cloud.
Jason Kao
Jason Kao, Founder, Fog Security
Cloud Security
11:00 AM - 11:45 AM
Build a High Value Quantitative Risk Management Program on a Budget

Delve into the trenches with a pragmatic guide to implement quantitative risk management. Gain knowledge of methods for quantitative program design that comprise risk primitives, analysis approach, and workflow design. Risk primitives such as capacity, appetite, tolerance, and KRIs are described. Understand what modifications can be made to simplify operational use of FAIR for first timers and how to embrace Python and R for analysis with an open source approach. Be empowered to address workflow challenges using a simplified approach to the entire risk lifecycle from assessment intake and management to modeling and reporting output and finally risk decisions with trending and ROI analysis. Additionally, learn implementation and operation of the program design through people, process, and technology. Finally, close the gap for the last mile of transition to quant risk management and learn how to communicate and report risk from the boardroom to the team room.

Tim Anderson
Tim Anderson, VP of Compliance and Risk, ID.me
Matthew Harding
Matthew Harding, Dir, Risk Management, ID.me
Third Party and Cyber Risk Management
11:00 AM - 11:45 AM
Developing Effective SOC Capabilities using a Knowledge-Based Approach to People, Processes, and Technology

Preventing, detecting, and responding to cybersecurity events increasingly depends on an organizations ability to match security operations needs with the correct people, process, and technology requirements. At the heart of this dependency is the robust, mature, and capable Security Operations Center (SOC). However, existing cybersecurity frameworks are limited and not designed for developing capable, effective SOCs. This is because there is no single approach to SOC development. Organizational needs are unique and therefore the roles, services, and tools needed for the SOC to support organizational mission and goals must also be unique. Developing or improving a SOC is a process which must be flexible. To assist organizations is this process, the SEI has developed OSCAR – the Ontology for SOC Creation Assistance and Replication. OSCAR is a structured knowledge base developed using description logics which organizes SOC knowledge in to 5 domains and more than 80 classes. Built based on interviews with SOC experts and years of institutional knowledge and experience, OSCAR provide new perspectives on SOC development and a new tool for teams to use when developing SOC capabilities.

Justin Novak
Justin Novak, Senior Security Operations Researcher, Software Engineering Institute, Carnegie Mellon University
Security Operations
11:00 AM - 11:45 AM
Geopolitical Catalyst - How the Russia-Ukraine War has changed the Hacktivist Landscape

Hacktivism has been present in the threat landscape for decades but since 2022 it has significantly changed to geopolitical motivated activity. This presentation provides understanding of the hacktivist landscape and provides some innovative methodologies to track and monitor the threat landscape. This talk will explore what the geopolitical catalyst was for the shift in Hacktivist activity. How hacktivism has changed. What type of attacks we see and the type of groups using them. What the overall intent and motivations of the Hacktivist groups are. It will explain that Hacktivist activity and information operations are largely entwined. It will explain a new methodology on how to track and monitor Hacktivist groups, by putting them into categories - with four key ones being presented. This talk will challenge traditional views on cyber threats, by shifting the focus from technical indicators and capability to looking at intent to drive analysis. Many organizations are struggling to understand how to view hacktivism in terms of the threat landscape, this talk aims to clarify misconceptions and provide clearer understandings of the Hacktivist threat landscape.

Davyn Baumann
Davyn Baumann, Senior Analyst, Mandiant, Part of Google Cloud
Intelligence
11:00 AM - 11:45 AM
Long Live: Effects of the Longtail of Dwell Times

The cybersecurity industry celebrates the reduction of dwell times. The latest M-Trends report states the global median dwell time is 10 days; however, more than 10% of incidents investigated had dwell times of more than 6 months—with some at over 5 years. In this session we will discuss the motivations and tactics behind attacks with various dwell times, and the impact these attacks can have on organizations. Guidance will be provided for how to hunt for these types of intrusions, as well as steps to take to temper these squatters.

Kirstie Failey
Kirstie Failey, Principal Threat Analyst, Mandiant (now part of Google Cloud)
Kerry Matre
Kerry Matre, Head of Mandiant PMM, Mandiant, Google Cloud Security
Security Threats and Exploits
11:00 AM - 11:45 AM
Security Controls: Stupid but Important

Application teams often have to navigate a complex web of security teams and requirements in order to launch a secure and compliant solution. Once the solution has been launched, the teams have to survive audits and maintain the security of the application while keeping up with changing requirements and implementations, all while working hard to run and grow their business. While regulatory complexity is a large contributor to the challenge, it can be further exacerbated by the lack of a clear, well lit path provided by legal, compliance, and security teams. Application teams often receive conflicting requirements and priorities from various teams, or follow a path that leads to them launching a solution that is ‘secure’ but not compliant, or vise-versa? Security teams are often frustrated with the focus on compliance requirements, rather than leveraging them to meet shared goals. Russ Ayres (Equifax) and Derek Coulson (Mandiant) will review how Equifax simplified its control requirements framework to help internal customers navigate security requirements more easily and enable proper auditing scoping at response using the Equifax Security Controls Framework.

Derek Coulson
Derek Coulson, Technical Leader, Mandiant
Russ Ayres
Russ Ayres, SVP, Cyber Security and Deputy CISO, Equifax
Next Gen CISO
11:00 AM - 11:45 AM
Secure Remote Identity Verification in the Era of Generative AI

In the digital era, safeguarding remote identity verification is critical. Inherence-based security factors are the most trusted way of verifying users whether they’re customers or the workforce, but deepfakes and synthetic media pose significant challenges. To combat deepfake attacks, science-based biometrics as a service can enable remote identification for customers and workforce that is reliable, easy to administer, and almost effortless to use. This should start at onboarding and continue at risk-based inflection points throughout the identity lifecycle. This talk will explore challenges to enabling remote identity across the enterprise and share best practices from customers in the most security conscious organizations around the world By understanding the implications of generative AI on remote identity verification, organizations can develop effective strategies to ensure the security and integrity of their remote identity verification systems, protecting against deepfakes and other synthetic media-based attacks, and maintaining user trust and privacy.

Andrew Bud
Andrew Bud, CEO & Founder, iProov
Intersection of AI and Cybersecurity
1:30 PM - 2:15 PM
From Job Interview to Crypto Heist: How North Korea sponsored threat actor stole crypto currencies

This talk exposes a sophisticated cyber-espionage campaign orchestrated by a North Korean threat actor targeting a cryptocurrency company. Threat actor tactics, techniques, and procedures (TTPs), that inclued social engineering to gain initial access, in-depth source code reviews, and exploitation of a logical vulnerability that resulted in the exfiltration of millions of dollars worth of cryptocurrency. Through the lens of real-world investigations, the threat actor's motivations and the broader implications of their activities will be analysed. Furthermore, this talk will shed light on the lack of robust security monitoring in cloud environments, a critical factor that contributed to the success of this attack. The importance of implementing comprehensive security measures in cloud infrastructures to mitigate the risk of similar attacks in the future will also be discussed. Attendees will gain valuable insights into the evolving landscape of cyber threats, and the vulnerabilities often present in cloud environments. This knowledge will empower organizations to better understand and defend against sophisticated cyber attacks targeting their valuable digital assets.

Yi Han Ang
Yi Han Ang, Senior Consultant, Mandiant
Sun Pu
Sun Pu, Security Consultant, Google Cloud - Mandiant
Security Operations
1:30 PM - 2:15 PM
I've Got 99 Problems but a Prompt Injection Ain't Peach

The ethical and secure disclosure of vulnerabilities in AI has emerged as a pivotal challenge, compounded by the need to address biases and misinformation that often cloud the true nature of these vulnerabilities. This talk delves into the intricate dynamics of vulnerability disclosure within AI, balancing transparency with security. We'll dissect the unique challenges AI presents, such as data bias exploitation and model manipulation, which can amplify the impact of vulnerabilities. Through a lens of real-world examples and recent disclosures, we'll navigate the complexities of responsible vulnerability management in AI. Our discussion will not only aim to shed light on these critical issues but also inspire a unified approach to refining disclosure processes. This concerted effort is vital for enhancing the integrity of AI systems and bolstering public trust in their use.

Chloe Messdaghi
Chloe Messdaghi, Head of Threat Intelligence, HiddenLayer
Kasimir Schulz
Kasimir Schulz, Principal Security Researcher, HiddenLayer
Intersection of AI and Cybersecurity
1:30 PM - 2:15 PM
Leverage Your Threat Intel Providers and Gain a Competitive Advantage!

Digital transformation not only fundamentally changed the way we work, but it’s also expanded the current threat landscape exponentially. Today’s enterprise attack surface is dynamic, transitory, and has far more available for attackers to target than ever before, making it even harder to defend against threats.  How can you leverage your threat intel and make it a competitive advantage?

Join Erin Joe, Office of the CISO at Google Cloud and former SVP at Mandiant as she discusses today’s threat landscape and the role threat intelligence plays in securing vulnerabilities in your attack surface with partners, Robert Boyce, Global Managing Director, Cyber Resilience at Accenture;  and Michael Leland, Chief Cybersecurity Evangelist at SentinelOne.

Erin Joe
Erin Joe, Senior Executive, OCISO, Google Cloud
Intelligence
1:30 PM - 2:15 PM
Unlocking eBPF: The Future of App and Data Security

In an increasingly sophisticated era of cyber threats, having complete visibility into applications, API, and data is paramount. However, enterprises have their applications running across hundreds of hosts in multiple subdomains and building an inventory of such apps and data flows is very difficult, if not impossible. Enter eBPF (Extended Berkeley Packet Filter), a revolutionary technology that extends the capabilities of the Linux kernel, enabling real-time visibility into running apps regardless of their language and framework. This talk explores the transformative power of eBPF in modern security engineering. Attendees will learn how eBPF's dynamic tracing and filtering capabilities provide unparalleled visibility into application, data flow, and API behaviour, allowing for proactive vulnerability detection and risk assessment. Discover how integrating eBPF into your security strategy can safeguard your applications and data against evolving cyber threats, ensuring robust and resilient protection for your digital assets. Join us to unlock the full potential of eBPF and step into the future of app and data security.

Kiran Sama
Kiran Sama, Staff Security Engineer, Coupang
Buchi Reddy Busi Reddy
Buchi Reddy Busi Reddy, Founder, Levo.ai
Security Engineering
1:30 PM - 2:15 PM
The Cloud Security Paradox: Secure Cloud, Insecure Use?

The cloud is secure, right? Well, yes and no. Cloud providers invest heavily in security, largely exceeding what most organizations can achieve on their own. Yet, headlines scream of cloud breaches and leaks. What gives? The truth is, cloud security isn't merely a shared responsibility; it's a shared opportunity. The "customer's fault" narrative is too simplistic. It's not just about misconfigurations (though those are a major problem). It's about a fundamental disconnect between the cloud's potential for security and the realities of how organizations use it. In this talk, we'll dive into this paradox. We'll explore:

  • The Myth of "Set It and Forget It": Why cloud security requires ongoing vigilance and adaptation, not just ticking boxes.
  • The Shared Responsibility Model and Shared Fate: What you're truly responsible for, where the cloud provider steps in, and where you have to work together.
  • Secure by Design, Insecure by Default?: How to leverage cloud-native security features and avoid common misconfigurations.
Anton Chuvakin
Anton Chuvakin, Senior Staff Consultant, Google Cloud
Cloud Security
1:30 PM - 2:15 PM
RaaS is Dead, Long Live RaaS: Evolution and Resilience in the Ransomware Landscape

Ransomware is evolving, challenging old paradigms and reshaping power dynamics. Our talk, "RaaS is Dead, Long Live RaaS," explores the shift from a hierarchical Ransomware as a Service (RaaS) to a decentralized model where affiliates gain autonomy. RaaS platforms, adapting to this change, now offer better incentives and support to attract skilled affiliates. We'll discuss how law enforcement crackdowns and the rapid advancement of hacking techniques have catalyzed these changes. The presentation will also examine the ransomware industry's resilience and innovation, considering the implications for cybersecurity defenses. We aim to provide insights into the adaptability of digital extortion and its impact on future security strategies. Join us for a detailed look at the ransomware market's transformation and what it signifies for the fight against cybercrime.

John Fokker
John Fokker, Head of Threat Intelligence, Trellix
Security Threats and Exploits
1:30 PM - 2:15 PM
Generative AI Cyber Incident Response Tabletop Exercise

Join April Mardock, CISO for Seattle Public Schools, as she teaches how to run a cyber incident response tabletop session with the help of Generative AI. April will provide both a tabletop session that you can participate in dynamically, as well as teach you how to lead your own tabletop, and tune the exercise for your organization's strengths and weaknesses.

April Mardock
April Mardock, CISO, Seattle Public Schools
Next Gen CISO
2:30 PM - 3:15 PM
Lessons Learned from the Summer of Supply Chain Attacks

This panel will discuss the record-breaking number of supply chain attacks in the summer of 2023, highlighting key incidents such as 3CX, MOVEit, and Barracuda. The panel will discuss lessons learned, emerging trends, increased global cooperation and the shift in government expectations. The panel will address cyber preparedness and risk tolerance. The panel will offer thoughts on minimizing legal exposure, cyber reporting obligations, and handling threat actor communications, especially if company officials or family member are approached or threatened. Finally, the panel will discuss how cyber investigators can approach multi-cloud environments despite the many challenges these types of investigations present and how they can enhance incident response in complex environments. The panel will discuss the need for enhanced data protection and methods for enhancing security posture and incident preparedness. The panel will also address how the increase in supply chain attacks affected the way a company and counsel think about risks as well as the need to understand legal, regulatory, and contractual requirements in a complex environment.

Erin Joe
Erin Joe, Senior Executive, OCISO, Google Cloud
Lyn Brown
Lyn Brown, Of Counsel, Wiley Rein
Jennifer Burnside
Jennifer Burnside, Practice Leader, Crisis Communications, Google Cloud Security
Third Party and Cyber Risk Management
2:30 PM - 3:15 PM
Understanding the ORBs: PRC Actors, Obfuscation Networks, and the Coming IOC Extinction

Since 2020 Chinese Espionage operations have fundamentally changed. Gone are the days of actor registered infrastructure and command and control reuse. A new practice of "Operational Relay Box" (ORB) networks has risen to obfuscate CNE network traffic via a TOR like network of registered VPS space and compromised end of life home routers.

This presentation will:

  • Demonstrate the ways ORBs have made blocking network IOCs Extinct
  • Provide a 4 quadrant signature and detection approach that will allow defenders and threat hunters to pivot through these complex networks. (Censys, YARA, Netflow, Active Scanning)
  • Define a scalable universal anatomy for talking about ORB networks and map signature types to these components.
  • Utilize an active PLA and MSS leveraged ORB network to provide real world examples of what manifestations of these ORB networks look like.
  • And Finally Shift the world view of network defenders from IOC blocking to detecting ephemeral infrastructure networks leveraged by multiple malicious APT actors.
Michael Raggi
Michael Raggi, PRINCIPAL Threat Analyst, Mandiant, Google Cloud
Intelligence
2:30 PM - 3:15 PM
Versus Killnet

The infamous Russian hacktivist group, Killnet, operated as a rabid cyber army, orchestrated by a select few to create chaos and inflict harm. Despite its notoriety, investigating the true operators behind Killnet proved to be a significant challenge, given its checkered history and inconsistent behavior. However, through an in-depth investigation and direct confrontation with the gang, we shed the veil of secrecy shrouding the group and will share a compelling personal account detailing how we disrupted Killnet, plunging it into a death spiral. Our strategy to dismantle this cyber army hinged on identifying a critical vulnerability – its connection to the Russian illegal drug marketplace - Solaris. By exposing this nefarious link and diverting proceeds from the Russian drug operation to support a Ukrainian charity, we triggered widespread questioning of Killnet's leadership and actions. This created an instability and within the group and beyond, ultimately leading to loss of support of the Russian government and breaking of financial ties. As of the beginning of this year, Killnet changed drastically, leaving behind remnants of a group once synonymous with disruptive hacktivism.

Alex Holden
Alex Holden, Chief Information Security Officer, Hold Security, LLC
Security Threats and Exploits
2:30 PM - 3:15 PM
How GenAI is Shifting the Defender Landscape

Generative AI is shifting the defender landscape–from how practitioners do their job, to the user experience of the tooling, to how we think about securing AI workloads in the cloud. In this session, Google Cloud Security leaders will surface insights from conversations with CISOs, the latest Mandiant research, and Google DeepMind innovations to elucidate macro trends seen at the intersection of security and AI and what they mean for your organization. At a time when 88% of organizations have a difficult time investigating and responding to threats in a timely manner, you will also gain an understanding of real-world use cases for how AI is evolving the security lifecycle to be semi-autonomous, so defenders gain and maintain the upper-hand as threats continue to evolve.

Steph Hay
Steph Hay, Sr Director UX, Google Cloud
Umesh Shankar
Umesh Shankar, Chief Technologist, Google Cloud Security
Intersection of AI and Cybersecurity
2:30 PM - 3:15 PM
Looking Around Corners and Defending Against 'the security hotness'

Cybersecurity defenders face a constant challenge: balancing the need to adopt innovative technologies with the imperative to protect their organizations. Recent examples like Supply Chain Security, Large Language Models, and Generative AI highlight the tension between business demands and security concerns. This talk presents a practical framework for evaluating and integrating new technologies into existing security programs and risk registers. We will address key decision points for ensuring safe and productive implementation within an organization. Attendees will learn how to: Cut through the hype cycle and assess new technologies objectively. Identify potential risks and develop mitigation strategies. Communicate effectively with stakeholders, including CIOs, about the benefits and challenges of new technology adoption. Make informed decisions that enable innovation while maintaining security. By the end of this talk, attendees will be equipped to confidently navigate the introduction of new technologies without compromising their organization's security posture.

Taylor Lehmann
Taylor Lehmann, Director, Security Engineering, Office of the CISO, Google
Tim Crothers
Tim Crothers, Director, Office of the CISO, Google Cloud, Google
Next Gen CISO
2:30 PM - 3:15 PM
Supercharge Your Frontlines: Purpose-Built CTI for IR & SOC Success

This presentation examines a Cyber Threat Intel (CTI) team designed to integrate seamlessly with Incident Response (IR) and Security Operation Center (SOC) teams based on real world experiences from Mandiant’s Advanced Practices team. CTI provides organizations with context needed to understand adversaries, their tactics, and the industry or assets they target. Attendees will gain insight to help develop a CTI function of value to frontline defenders.

Key insights:

  • Action: Identify intel directly enhancing IR and SOC operations
  • Structure: Outline CTI team roles & skills needed to support frontline operations
  • Insights: Translate data into actionable intel 
  • Integration: Embed workflows & outputs into IR playbooks and SOC alert triage
  • Peril: Lessons from 15+ years of frontline CTI support

Attendee takeaways:

  • A CTI team blueprint, purpose-built for frontline operations
  • Methods to ensure output is timely, relevant, and actionable
  • Seamless frontline services integration strategies
  • Benefit from years of frontline CTI support experience

Ideal Audience: Security leads, CTI managers, SOC analysts & incident responders interested in maximizing CTI value

Nick Richard
Nick Richard, Senior Manager, Mandiant, now part of Google Cloud
Security Operations
3:45 PM - 4:30 PM
Analyzing VirusTotal's Malware Executables Collection with LLMs
VirusTotal has been using Large Language Models (LLMs) to analyze malware for over a year, starting with macros and scripts. This experience gave us a good grasp of what LLMs can and can't do. But the real challenge was always executables. So, we took on a huge task: disassembling all the binaries and memory dumps in VirusTotal and using LLMs to figure out how they work. In this talk, we'll share what we've learned from this massive project. We'll be upfront about the challenges of using LLMs on complex malware and the wins we've had, including how LLMs provide an approach for pivoting that shows very promising early results. Come hear our story and get a glimpse of the future of malware analysis with AI. We'll have a real talk about how (besides the hype) there are areas where LLMs are making a real difference and what's next in this exciting field.
Vicente Diaz
Vicente Diaz, Threat Intel Strategist, VirusTotal
Intelligence
3:45 PM - 4:30 PM
At the breaking point: is your email safe against ransomware and state-sponsored attacks?

As cyber threats become increasingly sophisticated, driven by generative AI, organizations need robust, proactive defenses. This session reveals how AI-powered collaboration tools using the principles of Zero Trust provide a critical first line of defense against email-based attacks, empowering secure work from anywhere.

Rancho Iyer
Rancho Iyer, Specialists Customer Engineering Manager, Google
Adam Ehret
Adam Ehret, SVP IT, Equifax
Security Engineering
3:45 PM - 4:30 PM
Secure-by-Default: Tackling Shared Libraries

Shared libraries are common in code development to increase efficiency, and provide a well-developed set of subroutines and functions. When a vulnerability is discovered in a shared library, it poses a serious risk to any organization that used that library – think Log4j. But, in the scenario that the vulnerability is not disclosed or fixed by the open source project and developers are unaware that they need to reconfigure it, this exposes organizations to even greater risk. In this session Mandiant and Ivanti will detail the discovery, remediation and disclosure of a vulnerability in the Apache XML Security for C++ library, which is part of the Apache Santuario project. By default, the library resolves references to external URIs passed in Extensible Markup Language (XML) signatures, allowing for server-side request forgery (SSRF). There is no way to disable this feature through configuration alone, and there is no patch available. Mandiant reported the non-secure default configuration in xml-security-c to the Apache Software Foundation (ASF). The ASF did not issue a CVE or a new release of xml-security-c.

Jacob Thompson
Jacob Thompson, Staff Vulnerability Engineer, Mandiant
Security Threats and Exploits
3:45 PM - 4:30 PM
The Dark Side of Innovation: Generative AI in Cybercrime
The landscape of cyber threats is undergoing a transformative shift with the integration of Generative AI (GenAI) technologies by cybercriminals. This presentation delves into how GenAI tools are increasingly being adopted in the cybercrime arena, highlighting specific cases where these technologies have been utilized for malicious purposes. We will explore a range of examples including phishing attacks crafted with AI-generated content, the use of deepfakes for identity fraud, and AI-driven network intrusion techniques. The presentation will then pivot to discuss future predictions, suggesting potential new vectors of cyber attacks powered by further advancements in AI technologies.It will also critically analyze the escalating arms race between cybersecurity measures and AI-enhanced cybercrime methodologies. Finally we will challenge the audience to consider whether the rise of AI in cybercrime is a trend of necessity or opportunity, and what this means for the future of both cybersecurity strategies and criminal tactics. We will delve into the implications of AI's dual-use nature, reflecting on how its potential for misuse shapes the evolving landscape of cybersecurity.
John Fokker
John Fokker, Head of Threat Intelligence, Trellix
Intersection of AI and Cybersecurity
3:45 PM - 4:30 PM
Improving Healthcare Incident Response in the Wake of Recent Healthcare Breaches

Recent prominent breaches at healthcare organizations have proven that the healthcare sector is a primary target for financially motivated threat actors. The extended recovery times associated with these incidents have demonstrated that there exists opportunities for improvement in the incident response and management programs. Using the NIST incident response framework as a template, we will highlight improvements in preparation, detection, containment, and recovery phases as applicable to the healthcare sector. Healthcare is a critical industry quite literally impacting people’s lives. Ensuring that this important service is available to the public at all times is a necessity. Through the changes suggested in this talk, an incident response program will be able to meet goals of confidentiality, integrity, and availability. To highlight an example of the talk, we will discuss building automations through a Security Orchestration and Response tool to automate containment of suspected infected hosts.

Christopher Tanzer
Christopher Tanzer, Director, Cyber Investigations & Response, McKesson
Lawrence Taub
Lawrence Taub, Consulting Leader, Mandiant
Security Operations
3:45 PM - 4:30 PM
Serverless Security: A Holistic Approach to Managing Risk in the Cloud

Serverless computing revolutionizes app development, but introduces unique security challenges due to its dynamic nature and reliance on third-party services. Drawing on insights from Google Cloud's security practices and real-world incidents, this talk explores the root causes of significant vulnerabilities exploited over the past decade. We'll delve into critical issues such as insecure coding practices, supply chain attacks, and misconfigurations, illustrating their potential consequences. Through data-driven insights attendees will gain actionable recommendations for hardening serverless security. Serverless security is not solely about safeguarding individual applications; it has far-reaching implications for the entire cloud ecosystem. The interconnected nature of serverless architectures means that a vulnerability in one component can cascade, potentially compromising multiple services and users. Therefore, a holistic approach to serverless security is essential, encompassing not only secure coding practices within applications but also robust protection for the underlying infrastructure, data storage, and network communications.

Charles DeBeck
Charles DeBeck, Cyber Threat Intelligence Expert, Google LLC
Cloud Security
4:45 PM - 5:30 PM
Threat Hunting in the Age of AI: Proactive Defense Against Emerging Risks

We'll delve into the critical intersection of artificial intelligence and cybersecurity. AI is revolutionizing industries, but it also introduces new attack surfaces and vulnerabilities that traditional security measures may not fully address. We'll explore how proactive threat hunting can be a powerful tool in identifying and mitigating AI-related risks. This session will cover: The Evolving Threat Landscape: An overview of the latest AI-driven threats, including prompt injection, adversarial attacks, data poisoning, and the unique challenges they pose to security teams. Threat Hunting Fundamentals: A refresher on the core principles of threat hunting, its methodologies, and how it differs from traditional reactive security approaches. AI-Specific Threat Hunting Techniques: Identifying anomalies and suspicious patterns in AI model behavior. Detecting unauthorized access or manipulation of AI training data. Monitoring for signs of adversarial attacks, such as model evasion or poisoning. Practical Tools and Strategies: A look at the tools and technologies that can aid in AI threat hunting, including log analysis, machine learning algorithms, and threat intelligence platforms.

Jonathan Paykoc
Jonathan Paykoc, Senior Customer Engineer, Security, Google
Kanna Sekar
Kanna Sekar, Senior Customer Engineer, Security, Google
Security Operations
4:45 PM - 5:30 PM
Gaining Trust in Zero Trust

A key skill we use every day is collaboration – but how can you collaborate if you don't have trust? I address this topic in "Gaining Trust in Zero Trust." Working in the cybersecurity space, we embrace the motto "zero trust" – but this mindset can creep into our everyday interactions. A whirlwind tour of history reveals how this concept evolved (for example Mikhail Gorbachev and President Ronald Reagan discussed "trust, but verify!") I offer a few tips to help gain trust with any type of research findings: don't embarrass anyone, don't speculate, and be genuine – report the actual findings, even if it's a bitter pill.

Luis Rodriguez
Luis Rodriguez, Lead Research Practitioner, Trellix
Next Gen CISO
4:45 PM - 5:30 PM
It's a Small Cluster After All - Analyzing the Disneyland Team with Machine Learning

Drowning in data is a common problem in Threat Intelligence investigations. When faced with potentially hundreds or thousands of potentially relevant pieces of information, how does an analyst group them together or pull apart useful and relevant bits of that pile of data? This talk will offer a few tools to answer those questions, focusing on victim/target identification in a large set of DNS names. In particular, we will focus on a set of domain names registered by the "Disneyland team". It will walk through Machine Learning techniques for addressing multiple problems, such as finding homoglyph domains, clustering domains, clustering subdomains, TF-IDF of groups of domains, levenshtein distance between names, etc. The talk will use open source tools to do all of this work, and will include code to allow others to do this work themselves.

Aaron Gee-Clough
Aaron Gee-Clough, Senior Data Engineer, DomainTools
Intelligence
4:45 PM - 5:30 PM
Knock Knock... Who's There? Threat Actors! Real-World Case Studies in Cyber Defense

Cyberattacks are now an inevitability, with Threat Actors targeting organizations of all sizes and sophistication. This presentation confronts this reality, focusing on proactive defense strategies against these relentless threats. This presentation will go through real-world case studies, to dissect recent breaches and close calls, and what the defenders had to do in order to detect, respond and protect the organization. The presentation goes beyond threat identification; it showcases successful real-world defense strategies, offering practical approaches to mitigate risks, detect anomalies, and respond dynamically to attacks. Topics covered include threat intelligence sharing, incident response protocols, and fostering a security-conscious culture all the way to the board level. By showcasing organizations that have successfully defended against cyberattacks, the presentation inspires confidence and provides a roadmap for building resilient cybersecurity frameworks in todays rapidly changing environment

Ryan Malfara
Ryan Malfara, Principal Consultant, Google
Lyle Sudin
Lyle Sudin, Managing Director and Senior Client Advisor, Mandiant (part of Google Cloud)
Security Threats and Exploits
4:45 PM - 5:30 PM
Minimizing Permissions for Cloud Forensics: A Practical Guide for Tightening Access in the Cloud

This talk addresses a critical challenge for security operations centers (SOCs) and incident response (IR) teams in cloud environments: minimizing the permissions required for forensic investigations while maintaining efficient collaboration with cloud teams. Key topics include:

  • The Power of Dedicated Forensics Accounts: Learn why creating dedicated GCP/AWS/Azure forensics accounts can be a best practice, along with implementation steps
  • Extracting Data from Containers: Discover various methods to acquire data from containers, including sidecars, snapshots of the container filesystems, and the Kubernetes API
  • Temporary Credentials for Secure Access: We'll delve into assigning temporary credentials for cloud resources, using virtual machine snapshots as an example
  • Leveraging Tagging for Granular Permissions: Explore how tagging resources can minimize the permissions needed for specific investigations
  • RBAC Best Practices for IAM: Gain insights into best practices for Role-Based Access Control (RBAC) within IAM, specifically tailored for security operations and incident response teams
Christopher Doman
Christopher Doman, CTO, Cado Security Ltd
Cloud Security
4:45 PM - 5:30 PM
Unmasking the Hidden Danger: The Critical Role of Insider Threat Penetration Testing

Insider threats pose a significant and increasing risk to organizations across industries. The Insider Threat Pen Test is a novel approach to cyber security that proactively identifies and addresses vulnerabilities stemming from both accidental malicious insider and this presentation delves into the methodology behind this Pen Test, illustrating how it complements traditional external penetration testing by focusing on internal systems, processes, and human behavior. Through in-depth case studies from various sectors, we showcase the actionable insights gained from this approach. These insights empower organizations to strengthen their security culture, implement targeted mitigation strategies, and foster a proactive cyber security mindset. Attendees will learn how the Insider Threat Pen Test can be leveraged to reduce the risk of data breaches, intellectual property theft, operational disruptions, and other costly consequences of insider threats. Ultimately, this presentation demonstrates how the Insider Threat Pen Test serves as a business enabler, enhancing organizational resilience and safeguarding critical assets in an ever-evolving threat landscape.

Ian Trimble
Ian Trimble, Insider Risk Manager, Google
Shahzad Azad
Shahzad Azad, Technical Manager - Insider Risk Services, Mandiant
Third Party and Cyber Risk Management
11:00 AM - 11:45 AM
Outsmarting AI-Driven Cyber Risk: A Resilience Framework for Online Businesses

This interactive workshop reveals how AI agents create new cyber risks for online businesses, often overlooked amidst the focus on technical defenses. Attendees will analyze their own business model through the lens of adversarial AI, pinpointing areas where dependency, automation, or customer interactions offer new attack vectors. We'll discuss both defense strategies and how to leverage AI for your own cyber resilience. Gain a practical framework to evaluate emerging AI technologies and build a strategy that secures your organization's future regardless of disruptions.

Elizabeth Stephens
Elizabeth Stephens, CE/TO, DBS Cyber LLC
Intersection of AI and Cybersecurity
11:00 AM - 11:45 AM
Tales of Cloud Compromise: Lessons Learned from Mandiant Investigations in 2023

Mandiant's front-line experiences in incident response reveal common overlooked areas leading to cloud compromises. Drawing on numerous technical case studies, we cover patterns and offer strategies to fortify cloud environments: 1) Living off the Land (in the Cloud): We observe that intrusions often stem from traditional on-premise systems like Active Directory, VMware infrastructure, and MDM/EDR tools. Our discussion will delve into how these platforms can be safeguarded to prevent such incidents. 2) Extended Attack Surface: Cloud and hybrid environments naturally extend organizational attack surfaces. This section will explore the challenges posed by inadequate controls, the sprawl of credentials and the array of tools attackers utilize to exploit these vulnerabilities. 3) Third-Party Access: 2023 has seen a significant rise in incidents involving third parties and Managed Service Providers. We'll tackle the critical question: How can organizations continue to engage third parties without compromising their security posture? We will also cover proactive defense strategies and robust incident response capabilities to protect and react swiftly to threats within cloud environments.

Will Silverstone
Will Silverstone, Senior Consultant, Mandiant
Omar ElAhdan
Omar ElAhdan, Principal, Mandiant/Google Cloud
Cloud Security
11:00 AM - 11:45 AM
The Good, the Bad, and the “What the Hell Were you Thinking': Clarifying the Rules of Engagement when Working with Managed Service Providers

Managed Service Providers (MSPs) play a pivotal role in modern IT supply chains. However, law enforcement agencies, including the FBI and the Cybersecurity & Infrastructure Security Agency (CISA), have repeatedly warned about the increasing focus of cybercriminals on MSPs. Given their ubiquitous access to client networks and industry-specific vulnerabilities, MSPs have rapidly become a target of choice for threat actors.

In this session, we will delve into the cybersecurity risks associated with outsourcing to an MSP and what your organization can do to mitigate these risks. By highlighting real-world incidents, we’ll review how organizations have been victimized, the key lessons learned (for both the client and MSP), and the essential steps to address similar attacks. By the end of this session, participants will have gained valuable insights into establishing clear rules of engagement and aligning ongoing security expectations with their MSP. This session is essential for both MSPs and the organizations that use them, as it emphasizes the importance of collaboration to ensure a resilient and secure IT environment.

Brian Horton
Brian Horton, Founder, Managing Director, Breadcrumb Cybersecurity
Third Party and Cyber Risk Management
11:00 AM - 11:45 AM
Weaponized Convenience: Inside the Rise of Remote Tool Abuse

In an era of remote work and distributed IT environments, remote administration tools (RATs) and remote monitoring and management (RMM) tools have become indispensable for system admins and managed service providers (MSPs). However, the same features that make these tools efficient also make them attractive targets for malicious actors. Advanced threat actors are increasingly leveraging legitimate RATs and RMMs to gain unauthorized access to networks, bypassing traditional security controls and evading detection. This presentation will provide an overview of the growing trend of weaponized remote access. Attendees will be guided through compelling real-world examples, dissecting the tactics, techniques, and procedures (TTPs) employed by adversaries to leverage these tools for malicious purposes. Furthermore, actionable insights will be provided, empowering organizations to enhance their detection capabilities and fortify their defenses against such sophisticated attacks. By understanding the evolving threat landscape and implementing effective countermeasures, attendees will be better equipped to safeguard their systems and data from the perils of weaponized remote access.

Fernando Tomlinson
Fernando Tomlinson, Technical Manager, Incident Response, Mandiant/ Google Cloud
Nader Zaveri
Nader Zaveri, Senior Manager - Incident Response & Remediation, Mandiant/Google
Security Threats and Exploits
11:00 AM - 11:45 AM
Navigating the SEC Cyber Rule: Exercising to drive compliance

In the world of cybersecurity, staying compliant with the SEC Cyber rule is a top priority. But what does this mean for your company's cyber security efforts? In this session, we'll delve into the impact of the SEC Cyber rule on your organization's cyber security strategy, process, and governance. But that's not all. We'll also explore the vital role that conducting robust ransomware exercises plays in refining your incident and annual disclosures. Not only will we address the operational aspects of disclosure, but we'll also highlight how executive and board-level involvement is crucial in refining your cyber disclosures. Collaboration between roles that have different perspectives, such as CISO, CIO, GC, and CFO, is essential when it comes to addressing ransomware incidents, ensuring effective cyber disclosures, and when to discuss these critical issues with the board. Don't miss out on this opportunity to gain valuable insights, enhancing your understanding and impact of the SEC Cyber rule and enabling you to confidently address ransomware incidents and drive effective cyber disclosures.

Matt Gorham
Matt Gorham, Senior Managing Director, PwC
Security Operations
1:30 PM - 2:15 PM
Evolving Fraud Landscape: Trends, Tactics, and Tools for Staying Ahead

The fight against online fraud is a relentless arms race, constantly evolving with new threats and sophisticated tactics. This session will provide a deep dive into the latest trends in bot attacks, account takeovers, payment fraud, and SMS toll fraud. We'll uncover the evolving tactics used by fraudsters, from advanced automation and AI-powered attacks to social engineering and phishing schemes. You'll gain actionable insights into building a robust fraud defense strategy that adapts to the dynamic threat landscape. We'll cover best practices for detection, prevention, and mitigation, including leveraging machine learning, behavioral analytics, and real-time risk assessment. We'll also discuss the importance of layering security measures and staying ahead of the curve through continuous monitoring and adaptation. This session will equip you with the knowledge and strategies to proactively combat fraud, protect your customers, and safeguard your bottom line.

Josue (Sway) Fontanez
Josue (Sway) Fontanez, Product Manager, Google
Kwaku Sefa-Dedeh
Kwaku Sefa-Dedeh, Senior Product Manager, Google
Cloud Security
1:30 PM - 2:15 PM
Addressing Security Threats with Enhanced Caller Verification Methods

Explore the critical vulnerabilities of IT Help Desks and Call Centers. Learn how to address the alarming trend of security breaches stemming from insufficient authentication practices. Organizations apply Multi-Factor Authentication (MFA) to their online and mobile experiences, while leaving the IT Help Desk protected only by weak security questions. This is comparable to locking the front door while leaving the window open. Bad actors have noticed the open window of the IT Help Desk in a BIG way this year, using it as an entry point for breaches. Learn from real-world breaches, discuss existing security gaps, and discover how to effectively apply cybersecurity strategies specifically to IT Help Desks and Call Centers to reduce risks and operational costs. Key points: Introduction to IT Help Desk Vulnerabilities Identifying the Challenges with Traditional Verification Methods Real-World Consequences of Inadequate Security Exploring secure caller verification methods Q&A session

Tracey Nyholt
Tracey Nyholt, CEO and Founder, TechJutsu
Security Threats and Exploits
1:30 PM - 2:15 PM
Ghostmarket09 - The United States v. Jesse Kipf: A Case Study in Collaboration

In this joint presentation, Mandiant, the FBI, and the U.S. Attorney's Office will present a case study on their successful collaboration to bring cybercriminal Jesse Kipf, aka Ghostmarket09, to justice. Mandiant identified Kipf attempting to sell access to state death registration systems and delivered a victim notification to the impacted States and provided evidence to the FBI, which opened an investigation. The talk will discuss how Mandiant supported the FBI's investigation and assisted federal prosecutors. In October 2023, Kipf was indicted on charges of computer fraud, identity theft, and bank fraud. In April 2024, Kipf pled guilty to computer fraud and identity theft for breaching death registration systems in multiple states. Speakers will share insights from this collaboration, discussing how cybersecurity vendors, law enforcement, and prosecutors can work together to identify, investigate and prosecute threat actors. They will highlight challenges of building a case and critical evidence needed for conviction.

Andrew Satornino
Andrew Satornino, Special Agent, FBI
Austin Larsen
Austin Larsen, Senior Threat Analyst, Google
Intelligence
1:30 PM - 2:15 PM
Threat Modeling as a Fitness Function - Iteratively Improving the Security Posture of your Software

Threat modeling is a key technique that is used to analyze what could go wrong in a given software architecture. More often than not, the main output of a threat modeling exercise is a list of mitigations for how to ensure that “what could go wrong” actually “doesn’t go wrong”. While critical, this process can be so much more. By fostering collaboration between security and product teams, threat modeling can strengthen relationships, build trust, and ultimately enhance your software's security.

In this talk we outline how threat modeling can be used as a fitness function to iteratively improve the security posture of the software you are building. Instead of doing one shot threat models to enumerate and mitigate threats, we outline a new model where threat modeling takes input from a wide variety of other sources, ranging from threat intelligence to software development artifacts, and produces outputs in the form of mitigations, vulnerability research, and detections. We’ll then show how to tie these inputs and outputs into a feedback loop that improves the security posture of your organization over time while also building trust and better working relationships between teams.

Meador Inge
Meador Inge, Staff Security Engineer, Google
Security Engineering
1:30 PM - 2:15 PM
The Data Must Flow: An Analyst-First Perspective on the Next Age for SOCs

As data flowing into security operations centers has exponentially increased, analysts are increasingly tasked with scaling far beyond the level their tools and organizational design allow. With the era of "new" AI at our doorstep, we risk further burying our SOC analysts in more and more "data" to sift through. In an effort to combat this, we'll attempt to layout an analyst-first perspective for the new SOC that must rise to meet this challenge - one in which the human behind the analysis is the fulcrum for this new AI-assisted leverage, rather than an inconvenience to be replaced. To accomplish this, we focus our attention and technology on amplifying the core work products of analysts while using automation to drive the machine - ensuring that every piece of analysis flows back into the system, lightening the load for future analysts and establishing an institutional "SOC memory" which new analysts can seamlessly leverage in their daily efforts.

Austin Baker
Austin Baker, Senior Staff Security Engineer, LinkedIn
Intersection of AI and Cybersecurity
1:30 PM - 2:15 PM
Wholesome Hashes for a DNS Breakfast: How to Chew Through Adversary Automation

In this day and age, malicious threat actors and APTs are leaning ever harder on AI and automation to speed up and obfuscate their operations. By utilizing hashes created from content, headers, SOA records, Name servers, and more, threat hunters can uniquely identify both the characteristics of malicious infrastructure that is unlikely to change and that which is changing rapidly. Both of which can be of critical value for defenders. Automatically generated phishing pages with minor, target-specific changes can be found en-masse, rapidly rotating infrastructure can be picked out like the blinding eyesore it is, and seemingly innocuous infrastructure can be caught hiding amongst the sheep so that the wolves never get (or stay) in the fence line. This talk will cover (in depth) how our threat hunters have utilized hashes, fuzzy hashes, and similarity searches to protect our clients and mitigate attacks before they are launched. Case studies will include 1 or 2 of the following: Scattered Spider, Latrodectus, Prolific Puma, SocGholish, Duke Eugene’s Android Malware, Meduza Stealer, as well as the malicious fake trading apps that we’re tracking via this method.

Kasey Best
Kasey Best, Director of Threat Intelligence, Silent Push
Security Operations
2:30 PM - 3:15 PM
Red Teaming for AI

Will we reach a point where all text boxes are handled by a LLM? Even though most organizations are building on top of foundation models rather than trying to build their own. How can we build and maintain a security boundary with an “intelligent” system that can’t really think? How do concepts like prompt injection, multi-stage exploits, SQLi, etc. mean to a loan application chatbot? What can a non-deterministic system do in a deterministic world? Mandiant has exploited developer-assistance chatbots during its Red Team Assessments to gain privileges within a client environment. Its consultants have explored and bypassed protections built to restrict the scope of a financial services chatbot. How can these and other stories help improve the security of future applications built on top of GenAI and LLMs?

Brice Daniels
Brice Daniels, Senior Regional Leader, Mandiant, Google Cloud
Security Operations
2:30 PM - 3:15 PM
Breaking the Chain: Navigating VPN Vulnerabilities

On April 10, 2024, Palo Alto Networks disclosed a zero-day vulnerability (CVE-2024-3400) in its VPN product after observing active exploitation at multiple organizations. This vulnerability is just one of many to be disclosed in recent months (Cisco, Ivanti and likely others) resulting in organizations to take rapid action to reduce the likelihood of exploitation. Steven Taylor, who recently led Incident Management at Palo Alto Networks and now a Consulting Director at MorganFranklin Cyber, plans to share insights from the frontline (publicly available), ongoing persistence from threat actors and practical steps to reduce cyber risk when a critical vulnerability is disclosed by a software provider.

Steven Taylor
Steven Taylor, Director, Cyber Security, Morgan Franklin Consulting
Security Threats and Exploits
2:30 PM - 3:15 PM
Building Resilience: Healthcare Industry

Contrary to popular beliefs and despite their promises, healthcare has and will continue to be under attack by threat actors looking to profit from the vulnerabilities our health system continues to expose. There was a time where criminals and nation states teased that they'd "not attack healthcare", we knew this was a lie. The gloves have never been on. Healthcare needs a lift. During this talk, Taylor Lehmann (Google) and Luke McNamara (Mandiant Intelligence) with leaders from the Health ISAC, MedISAO, and Bio-ISAC will host a panel that gets deeply into the sector's challenges, identify threats, get into detail where the greatest vulnerabilities are and what we can do to establish collective defenses that work. We'll unpack the recent Health Sector cyber performance goals and incentive programs coming to US healthcare cyber-security and what they mean. This will be a panel discussion featuring the CISO and CSOs from the Health ISAC, MedISAO, Bio-ISAC.

Mike Kijewski
Mike Kijewski, CEO, Medcrypt
Bill Reid
Bill Reid, Advisor, Office of the CISO, Google
Intelligence
2:30 PM - 3:15 PM
I Wish I'd Known This Before We Got Sued

Topic: Strategies for Safeguarding Legal Privilege in In-House Counsel
Narrative: Retaining legal privilege during cross-border incident response efforts presents unique challenges. When local laws fail to recognize privilege for in-house counsel, preserving it becomes paramount. Moreover, when incidents span multiple countries with inconsistent privilege rules, maximizing protections requires finesse. This program delves into practical dos and don’ts during litigation, drawing from real-world war stories shared by seasoned panelists and will cover: 

  • Preserving Privilege Amid Legal Ambiguity
  • Navigating Cross-Border Privilege Challenges
  • Dos and Don’ts During Litigation
  • War Stories from the Trenches

In conclusion, safeguarding privilege requires vigilance, adaptability, and a keen understanding of legal nuances. By learning from real-world scenarios, in-house and external counsel can fortify their privilege protections and navigate the legal landscape effectively.

Chris Bloomfield
Chris Bloomfield, Associate, Eversheds Sutherland
Rachel Reid
Rachel Reid, Partner, Eversheds Sutherland
Third Party and Cyber Risk Management
2:30 PM - 3:15 PM
Metrics that Matter: How to Choose Cloud Security KPIs For Your Business

As cloud security operations mature within the organizations, implementing effective metrics is vital for measuring cloud security posture and operational readiness. Organizations often face challenges in tracking security metrics without incurring resource overheads. This talk discuss examples of both potentially effective and ineffective metrics based on real-life experiences, tailored to various business scenarios and risk appetite. We will explores how to prioritize metrics that inform leadership and drive continuous improvement in cloud security posture. The session also introduces concepts like the Exploit Prediction Scoring System (EPSS) for prioritizing vulnerability remediation and Protection Level Agreements (PLAs) for building effective KPIs. The goal is to not only measure but enhance cloud security operations, empowering teams to identify cloud security metrics truly matter to their business.

Emma Yuan Fang
Emma Yuan Fang, Senior Manager, Senior Cloud Security Architect, EPAM Systems
Cloud Security
2:30 PM - 3:15 PM
Securing the Future: A Secure by Design Approach to AI Systems

In the era of rapid AI adoption, new AI systems are increasingly becoming targets for threat actors, thereby creating fresh gaps in cybersecurity posture management. This talk underscores the importance of a multi-layer, 'secure by design' approach, offering comprehensive protection across all layers of AI systems. We'll delve into every facet of the AI system from the model and its supply chain, architected for MLOps, to data provenance, to the infrastructure and management planes. Discover how this cross-industry framework not only ensures compliance with industry standards but also provides a roadmap to navigate the rapidly shifting threat landscape, including how we've used it to augment Google's Vertex AI AI-as-a-Service platform. We invite you to join us and explore the inherent value of a 'secure by design' approach in fortifying enterprise-wide security and resilience against emerging threats.

David Caswell
David Caswell, Managing Director, Deloitte
Arnav Jain
Arnav Jain, Cyber Risk Manager, Deloitte & Touche LLP
Intersection of AI and Cybersecurity
3:45 PM - 4:30 PM
SAIF From Day One: Lessons from Securing AI
AI is advancing rapidly, and it is important that risk management strategies evolve along with it. To help achieve this evolution, Google introduced the Secure AI Framework (SAIF). Join us to learn the top risks and how SAIF evolves to offer a practical approach to addressing them. We will also cover how to implement it for popular scenarios.
Anton Chuvakin
Anton Chuvakin, Senior Staff Consultant, Google Cloud
Taylor Lehmann
Taylor Lehmann, Director, Security Engineering, Office of the CISO, Google
Security Threats and Exploits
3:45 PM - 4:30 PM
Turning Chaos into Privileges: Processing Attacker Data with AI

When conducting adversarial emulation engagements, making sense of all the data available to the attacker is THE biggest challenge. As a defender, if you don’t know the needle in the haystack the threat actor will find even exists, how can you protect against it? How can you make sense of the vast amounts of structured and unstructured data to give yourself the advantage? Data permeates the modern organization; structured data such as computer-readable output from tools and unstructured data; such as data from clients which is created by and for other employees. This data can be challenging to parse, process and understand from a security implication perspective but artificial Intelligence (AI) might just change all that. Our presentation will focus on a number of case studies where we obtained unstructured data during our complex adversarial emulation engagements with global clients and how we processed this into structured data that could be used to better defend organizations using AI. We will showcase the lessons learned and key take-aways for other organizations and highlight other problems that can be solved with this approach both for red and blue teams.

Jay Christiansen
Jay Christiansen, Senior Manager, EMEA Red Team Lead, Mandiant, part of Google Cloud
Matthijs Gielen
Matthijs Gielen, Senior Consultant, Google Cloud
Security Operations
3:45 PM - 4:30 PM
Offensive Cyber Counterintelligence: Approach Mapping the Strategic Targeting, Confrontation, and Neutralization of 21st Century Spies

Countering advanced persistent threats (APTs) and cyber threat actors (CTAs) has contextualized the ever-evolving landscape of counterintelligence (CI). Offensive cyber counterintelligence (OCCI) has clearly emerged as a critical component in the CI arsenal. A comprehensive understanding of OCCI’s effectiveness in addressing threats posed by APTs/CTAs remains elusive. This breakout aims to fill intelligence gaps in the digital threat landscape by examining the multifaceted variables and dynamics of OCCI. While OCCI is a crucial mechanism in the field of intelligence, there is a lack of research that systematically assesses the interplay between key variables influencing the efficacy of OCCI. What impact do attribution accuracy, operational timing, deterrence effectiveness, repercussions against the accused entity, and tactical adaptations have on the success of offensive cyber counterintelligence (OCCI) strategies against Advanced Persistent Threats (APTs) and Cyber Threat Actors (CTAs)? The breakout aims to provide nuanced insights that go beyond singular dimensions of CI. Further refining OCCI strategies will provide meaningful insight for policy decisions.

Benjamin Nixon
Benjamin Nixon, Intelligence Officer, Defense Intelligence Agency
Intelligence
3:45 PM - 4:30 PM
ASPM from A to…M! Your Application Security Posture Management Crash Course

According to Gartner, 40% of companies developing proprietary applications will adopt an Application Security Posture Management (ASPM) solution by 2026. Why? Because with increasing cloud security complexity involving a multitude of scanners, languages, and frameworks, organizations are finding it more and more difficult to prioritize fixes amongst a sea of alerts. This lack of clarity leads to protracted risk windows. A survey conducted by the Cloud Security Alliance found that 18% of organizations reported taking more than 4 days to address critical vulnerabilities—with 3% exceeding two weeks. That’s too long for the well-being of your infrastructure, and that’s where ASPM can help. During the course of this session, we’ll take you through ASPM basics— what it is, who’s using it, how it differs from similar solutions (death by acronyms!), its benefits, the best-of-breed tools that can integrate with an ASPM solution, considerations and steps for implementing, and—what everyone’s buzzing about—how AI factors in to modern ASPM solutions.

Eyal Golombek
Eyal Golombek, Field CTO, Dazz
Cloud Security
3:45 PM - 4:30 PM
Securing AI Systems: Detecting and Stopping GenAI-Enabled Threat Actors

Generative AI has given defenders an edge, but it's also opened new avenues for enabling cyber threat actors to conduct phishing, social engineering, vulnerability research, and other abusive activities. A cross-team collaboration spent months tracking, defending and learning from threat actors attempting to abuse Google’s AI systems; tactics that can ultimately work across different AI systems. In our talk, we will discuss the types of abusive behavior seen from threat actors, including novel-AI TTPs that haven't been publicly shared before, like jailbreak prompts and prompt injection attacks. We'll then share actionable best practices for how enterprises can be proactive in detecting and stopping abuse and exploitation of their AI systems, based on these learnings. Audience members will walk away with the knowledge of which implementations to prioritize within their environments to stay ahead of the curve and retain their edge.

Jonathan Looi
Jonathan Looi, Security Engineer, Google
Security Engineering
3:45 PM - 4:30 PM
From Manual Mayhem to AI-Powered SOC: How Generative AI is Revolutionizing Security Operations

Ditch the manual grind! Google Security Operations & Foresite unveil a revolutionary SOC powered by generative AI. This talk dives deep into empowering analysts & automating tedious tasks. Witness AI transform security: Automated Threat Detection & Response: Generative AI triages alerts, prioritizes threats, & automates initial response, freeing analysts for high-impact investigations. Enhanced Threat Hunting: Uncover hidden threats with AI-powered anomaly detection. Generative models can identify subtle patterns & entities invisible to traditional methods. Streamlined Incident Response: Generate investigative playbooks & automate repetitive tasks, expediting incident resolution & reducing analyst workload. Continuous Threat Intelligence: AI analyzes vast data sets to identify emerging threats & indicators of compromise (IOCs), keeping your defenses ahead of the curve. This talk is a real world showcase of applications in practice.

Jeremy Hehl
Jeremy Hehl, Vice President, Business Development, Foresite Cybersecurity, Inc.
Intersection of AI and Cybersecurity
4:45 PM - 5:30 PM
The SIEM Isn't Dead: Comparing SIEMs and Data Lakes in Modern Cybersecurity

In an era where cyber threats are increasingly sophisticated, the need for security data collection and monitoring remains vital, but the SecOps landscape is evolving. This session offers a real and honest discussion about these shifting paradigms. We’ll delve into the strengths and weaknesses of SIEMs and data lakes, foundational components upon which your workflows are built, then cut through the marketing noise to explore how AI/ML are transforming SecOps, enhancing threat detection, and response capabilities. We'll provide insights into where these technologies are headed and how to position your organization today to take full advantage of them in the future. The road to modernization is fraught with challenges. For those considering a SIEM or data lake migration, we’ll discuss common pitfalls and effective strategies to navigate this complex process. Attendees will walk away with a clear understanding of how to evaluate and choose the best solution for their organization's specific needs, whether it's a traditional SIEM, data lake, or hybrid approach. Step confidently into the next generation of cybersecurity with the tools and insights to outsmart evolving threats.

Tim Nary
Tim Nary, Co-Founder and Chief Product Officer, SnapAttack
Fred Frey
Fred Frey, CTO, SnapAttack
Security Operations
4:45 PM - 5:30 PM
Attacks on LLMs: How Google Cloud and SAP secure Generative AI

Large Language Models (LLMs) have been transformational, but their increasing complexity and integration into critical systems have opened up a new attack surface for malicious actors. This session delves into the evolving threat landscape of LLM attacks, focusing on how industry leaders like Google Cloud and SAP are proactively securing generative AI technologies.
Key Topics:
Understanding Vulnerabilities and Attacks unique to LLMs: Prompt injection attacks, data poisoning, model theft, and adversarial examples. 
Defense Strategies in Google Cloud: We examine a multi-layered approach to securing its LLMs. This includes robust input validation and sanitization techniques, adversarial training to make models more resilient, and differential privacy mechanisms to protect sensitive user data. Preventative and detective policies based on NIST and Model Armor on Google Cloud.

Amit Verma
Amit Verma, GenAI Solutions Architect, Google
Manish Kumar Yadav
Manish Kumar Yadav, Senior Security engineer, SAP
Security Engineering
4:45 PM - 5:30 PM
Fast Flux: Catching Universally Bad Behavior, Raspberry Robin

Threat actors like Raspberry Robin are known to conduct Fast Flux behaviors to hide their infrastructure. They quickly rotate a domain through numerous IPs across unique ASNs, which can make it harder for some defenders to find and block the infrastructure. By focusing on IP / ASN diversity features (the number of unique ASNs/IPs a domain has been seen on over a specific period) and creating a simple domain regex filter for the 2-letter domain format used by Raspberry Robin for their infrastructure while bearing in mind the unique Name Server that they are known to use, we can easily create a ruleset that makes it possible for defenders to get lists of their domains that are Indicators of Future Attacks (IOFAs). FastFlux behaviors create golden opportunities for defenders to hunt for IOFAs. In our research, we haven’t found any legitimate enterprises that deploy FastFlux behaviors on their domains. Only threat actors are doing this. Silent Push has one of the only open data sets available for researchers that easily allow searching the open internet by IP / ASN diversity so that more threat analysts can dig through hosts doing these suspicious FastFlux DNS rotations.

Zach Edwards
Zach Edwards, Senior Threat Analyst, Silent Push
Security Threats and Exploits
4:45 PM - 5:30 PM
Practical use cases for AI in Security Operations

Artificial intelligence (AI) is revolutionizing the way we approach security operations – allowing defenders to elevate their skills and boost productivity by accelerating threat detection, investigation, and response. AI isn’t a future concept: It’s here and available, with early user feedback showing that AI can reduce the time required for common analyst tasks such as triaging complex cases by 7x. In this session, we’ll dive into the real-world applications of AI in Security Operations with hands-on demonstrations and case studies.

Payal Chakravarty
Payal Chakravarty, Practical use cases for AI in Security Operations, Google
Spencer Lichtenstein
Spencer Lichtenstein, Senior Product Manager, Google
Intersection of AI and Cybersecurity
4:45 PM - 5:30 PM
Standardizing a Privileged Access Model for a Multi-Cloud environment

Most organisations use more than one public cloud to deploy infrastructure (AWS,Azure,GCP etc.).Having a large distributed deployment opens up avenues for attackers to exploit, misusing the lateral movement paths and inter-dependencies between the clouds. Mandiant has observed attackers compromise entire cloud environments by performing token theft-replay, AiTM attacks. Such compromises often involve abuse of user accounts exposed to multiple clouds, permissions leak, lateral movement paths, trust relationships and integrations between the cloud service providers. This session will walk through Mandiant’s frontline experience of such attacker paths across multi-cloud and delve into the proposed architecture to secure the cloud. This is meant to eliminate attacker paths of lateral movement and privileged escalation. It adopts tiering model practices for segregation of resources, endpoints, accounts, and applies it consistently across multiple cloud platforms. The session delves into security configurations, monitoring and detection mechanisms to secure and harden critical assets across multi-cloud.

Rupanjana Mukherjee
Rupanjana Mukherjee, Principal Security Architect, Google Asia Pacific Pte. Ltd.
Jon Sabberton
Jon Sabberton, Senior Manager, Mandiant
Cloud Security
4:45 PM - 5:30 PM
Unveiling Threat Actor Methods: Investigating Sandbox Artifacts and LNK-to-PDF Malware Delivery

In the landscape of cybersecurity, threat actors leverage deceptive techniques to orchestrate sophisticated attacks. This session explores the use of LNK, ISO and PEEXE files as a conduit to deliver hidden malware payloads while using PDF documents to trick the victim. By dissecting sandbox-generated artifacts for example in VirusTotal, we illuminate the strategies employed by adversaries, enabling practitioners to enhance threat detection and threat hunting methodologies to track this threats using artifacts generated during the execution of the initial payloads, helping with pivoting and hunting. We will see real examples of the PatchWork APT group and other crime groups.

Jose Luis Sanchez Martinez
Jose Luis Sanchez Martinez, Security Engineer, Google
Intelligence

Filter by

Reset

8:00 AM - 10:00 AM
Blurred (Identity) Lines: Encryption in Cloud and Impact on Security and Data

Cloud Encryption is seen as a valuable component of a robust data security strategy. But what does cloud encryption actually offer in terms of security? Cloud Encryption has multiple different types including Cloud Service Provider Managed and Customer Managed. Depending on the type - the security offered can range from another robust layer of access control to a false sense of security.

In this talk, we’ll cover the following:

  • Types of encryption (such as CSP Managed, Customer Managed)
  • Default encryption for services in cloud.
  • How cloud encryption impacts data perimeters.
  • How cloud encryption translates into and impacts cloud identity and access management.
  • Best practices and considerations for how to implement cloud encryption and data security in cloud.
Jason Kao
Jason Kao, Founder, Fog Security
Cloud Security
11:00 AM - 11:45 AM
Long Live: Effects of the Longtail of Dwell Times

The cybersecurity industry celebrates the reduction of dwell times. The latest M-Trends report states the global median dwell time is 10 days; however, more than 10% of incidents investigated had dwell times of more than 6 months—with some at over 5 years. In this session we will discuss the motivations and tactics behind attacks with various dwell times, and the impact these attacks can have on organizations. Guidance will be provided for how to hunt for these types of intrusions, as well as steps to take to temper these squatters.

Kirstie Failey
Kirstie Failey, Principal Threat Analyst, Mandiant (now part of Google Cloud)
Kerry Matre
Kerry Matre, Head of Mandiant PMM, Mandiant, Google Cloud Security
Security Threats and Exploits
11:00 AM - 11:45 AM
Developing Effective SOC Capabilities using a Knowledge-Based Approach to People, Processes, and Technology

Preventing, detecting, and responding to cybersecurity events increasingly depends on an organizations ability to match security operations needs with the correct people, process, and technology requirements. At the heart of this dependency is the robust, mature, and capable Security Operations Center (SOC). However, existing cybersecurity frameworks are limited and not designed for developing capable, effective SOCs. This is because there is no single approach to SOC development. Organizational needs are unique and therefore the roles, services, and tools needed for the SOC to support organizational mission and goals must also be unique. Developing or improving a SOC is a process which must be flexible. To assist organizations is this process, the SEI has developed OSCAR – the Ontology for SOC Creation Assistance and Replication. OSCAR is a structured knowledge base developed using description logics which organizes SOC knowledge in to 5 domains and more than 80 classes. Built based on interviews with SOC experts and years of institutional knowledge and experience, OSCAR provide new perspectives on SOC development and a new tool for teams to use when developing SOC capabilities.

Justin Novak
Justin Novak, Senior Security Operations Researcher, Software Engineering Institute, Carnegie Mellon University
Security Operations
11:00 AM - 11:45 AM
Geopolitical Catalyst - How the Russia-Ukraine War has changed the Hacktivist Landscape

Hacktivism has been present in the threat landscape for decades but since 2022 it has significantly changed to geopolitical motivated activity. This presentation provides understanding of the hacktivist landscape and provides some innovative methodologies to track and monitor the threat landscape. This talk will explore what the geopolitical catalyst was for the shift in Hacktivist activity. How hacktivism has changed. What type of attacks we see and the type of groups using them. What the overall intent and motivations of the Hacktivist groups are. It will explain that Hacktivist activity and information operations are largely entwined. It will explain a new methodology on how to track and monitor Hacktivist groups, by putting them into categories - with four key ones being presented. This talk will challenge traditional views on cyber threats, by shifting the focus from technical indicators and capability to looking at intent to drive analysis. Many organizations are struggling to understand how to view hacktivism in terms of the threat landscape, this talk aims to clarify misconceptions and provide clearer understandings of the Hacktivist threat landscape.

Davyn Baumann
Davyn Baumann, Senior Analyst, Mandiant, Part of Google Cloud
Intelligence
11:00 AM - 11:45 AM
Build a High Value Quantitative Risk Management Program on a Budget

Delve into the trenches with a pragmatic guide to implement quantitative risk management. Gain knowledge of methods for quantitative program design that comprise risk primitives, analysis approach, and workflow design. Risk primitives such as capacity, appetite, tolerance, and KRIs are described. Understand what modifications can be made to simplify operational use of FAIR for first timers and how to embrace Python and R for analysis with an open source approach. Be empowered to address workflow challenges using a simplified approach to the entire risk lifecycle from assessment intake and management to modeling and reporting output and finally risk decisions with trending and ROI analysis. Additionally, learn implementation and operation of the program design through people, process, and technology. Finally, close the gap for the last mile of transition to quant risk management and learn how to communicate and report risk from the boardroom to the team room.

Tim Anderson
Tim Anderson, VP of Compliance and Risk, ID.me
Matthew Harding
Matthew Harding, Dir, Risk Management, ID.me
Third Party and Cyber Risk Management
11:00 AM - 11:45 AM
Security Controls: Stupid but Important

Application teams often have to navigate a complex web of security teams and requirements in order to launch a secure and compliant solution. Once the solution has been launched, the teams have to survive audits and maintain the security of the application while keeping up with changing requirements and implementations, all while working hard to run and grow their business. While regulatory complexity is a large contributor to the challenge, it can be further exacerbated by the lack of a clear, well lit path provided by legal, compliance, and security teams. Application teams often receive conflicting requirements and priorities from various teams, or follow a path that leads to them launching a solution that is ‘secure’ but not compliant, or vise-versa? Security teams are often frustrated with the focus on compliance requirements, rather than leveraging them to meet shared goals. Russ Ayres (Equifax) and Derek Coulson (Mandiant) will review how Equifax simplified its control requirements framework to help internal customers navigate security requirements more easily and enable proper auditing scoping at response using the Equifax Security Controls Framework.

Derek Coulson
Derek Coulson, Technical Leader, Mandiant
Russ Ayres
Russ Ayres, SVP, Cyber Security and Deputy CISO, Equifax
Next Gen CISO
11:00 AM - 11:45 AM
Secure Remote Identity Verification in the Era of Generative AI

In the digital era, safeguarding remote identity verification is critical. Inherence-based security factors are the most trusted way of verifying users whether they’re customers or the workforce, but deepfakes and synthetic media pose significant challenges. To combat deepfake attacks, science-based biometrics as a service can enable remote identification for customers and workforce that is reliable, easy to administer, and almost effortless to use. This should start at onboarding and continue at risk-based inflection points throughout the identity lifecycle. This talk will explore challenges to enabling remote identity across the enterprise and share best practices from customers in the most security conscious organizations around the world By understanding the implications of generative AI on remote identity verification, organizations can develop effective strategies to ensure the security and integrity of their remote identity verification systems, protecting against deepfakes and other synthetic media-based attacks, and maintaining user trust and privacy.

Andrew Bud
Andrew Bud, CEO & Founder, iProov
Intersection of AI and Cybersecurity
1:30 PM - 2:15 PM
Leverage Your Threat Intel Providers and Gain a Competitive Advantage!

Digital transformation not only fundamentally changed the way we work, but it’s also expanded the current threat landscape exponentially. Today’s enterprise attack surface is dynamic, transitory, and has far more available for attackers to target than ever before, making it even harder to defend against threats.  How can you leverage your threat intel and make it a competitive advantage?

Join Erin Joe, Office of the CISO at Google Cloud and former SVP at Mandiant as she discusses today’s threat landscape and the role threat intelligence plays in securing vulnerabilities in your attack surface with partners, Robert Boyce, Global Managing Director, Cyber Resilience at Accenture;  and Michael Leland, Chief Cybersecurity Evangelist at SentinelOne.

Erin Joe
Erin Joe, Senior Executive, OCISO, Google Cloud
Intelligence
1:30 PM - 2:15 PM
I've Got 99 Problems but a Prompt Injection Ain't Peach

The ethical and secure disclosure of vulnerabilities in AI has emerged as a pivotal challenge, compounded by the need to address biases and misinformation that often cloud the true nature of these vulnerabilities. This talk delves into the intricate dynamics of vulnerability disclosure within AI, balancing transparency with security. We'll dissect the unique challenges AI presents, such as data bias exploitation and model manipulation, which can amplify the impact of vulnerabilities. Through a lens of real-world examples and recent disclosures, we'll navigate the complexities of responsible vulnerability management in AI. Our discussion will not only aim to shed light on these critical issues but also inspire a unified approach to refining disclosure processes. This concerted effort is vital for enhancing the integrity of AI systems and bolstering public trust in their use.

Chloe Messdaghi
Chloe Messdaghi, Head of Threat Intelligence, HiddenLayer
Kasimir Schulz
Kasimir Schulz, Principal Security Researcher, HiddenLayer
Intersection of AI and Cybersecurity
1:30 PM - 2:15 PM
RaaS is Dead, Long Live RaaS: Evolution and Resilience in the Ransomware Landscape

Ransomware is evolving, challenging old paradigms and reshaping power dynamics. Our talk, "RaaS is Dead, Long Live RaaS," explores the shift from a hierarchical Ransomware as a Service (RaaS) to a decentralized model where affiliates gain autonomy. RaaS platforms, adapting to this change, now offer better incentives and support to attract skilled affiliates. We'll discuss how law enforcement crackdowns and the rapid advancement of hacking techniques have catalyzed these changes. The presentation will also examine the ransomware industry's resilience and innovation, considering the implications for cybersecurity defenses. We aim to provide insights into the adaptability of digital extortion and its impact on future security strategies. Join us for a detailed look at the ransomware market's transformation and what it signifies for the fight against cybercrime.

John Fokker
John Fokker, Head of Threat Intelligence, Trellix
Security Threats and Exploits
1:30 PM - 2:15 PM
From Job Interview to Crypto Heist: How North Korea sponsored threat actor stole crypto currencies

This talk exposes a sophisticated cyber-espionage campaign orchestrated by a North Korean threat actor targeting a cryptocurrency company. Threat actor tactics, techniques, and procedures (TTPs), that inclued social engineering to gain initial access, in-depth source code reviews, and exploitation of a logical vulnerability that resulted in the exfiltration of millions of dollars worth of cryptocurrency. Through the lens of real-world investigations, the threat actor's motivations and the broader implications of their activities will be analysed. Furthermore, this talk will shed light on the lack of robust security monitoring in cloud environments, a critical factor that contributed to the success of this attack. The importance of implementing comprehensive security measures in cloud infrastructures to mitigate the risk of similar attacks in the future will also be discussed. Attendees will gain valuable insights into the evolving landscape of cyber threats, and the vulnerabilities often present in cloud environments. This knowledge will empower organizations to better understand and defend against sophisticated cyber attacks targeting their valuable digital assets.

Yi Han Ang
Yi Han Ang, Senior Consultant, Mandiant
Sun Pu
Sun Pu, Security Consultant, Google Cloud - Mandiant
Security Operations
1:30 PM - 2:15 PM
The Cloud Security Paradox: Secure Cloud, Insecure Use?

The cloud is secure, right? Well, yes and no. Cloud providers invest heavily in security, largely exceeding what most organizations can achieve on their own. Yet, headlines scream of cloud breaches and leaks. What gives? The truth is, cloud security isn't merely a shared responsibility; it's a shared opportunity. The "customer's fault" narrative is too simplistic. It's not just about misconfigurations (though those are a major problem). It's about a fundamental disconnect between the cloud's potential for security and the realities of how organizations use it. In this talk, we'll dive into this paradox. We'll explore:

  • The Myth of "Set It and Forget It": Why cloud security requires ongoing vigilance and adaptation, not just ticking boxes.
  • The Shared Responsibility Model and Shared Fate: What you're truly responsible for, where the cloud provider steps in, and where you have to work together.
  • Secure by Design, Insecure by Default?: How to leverage cloud-native security features and avoid common misconfigurations.
Anton Chuvakin
Anton Chuvakin, Senior Staff Consultant, Google Cloud
Cloud Security
1:30 PM - 2:15 PM
Unlocking eBPF: The Future of App and Data Security

In an increasingly sophisticated era of cyber threats, having complete visibility into applications, API, and data is paramount. However, enterprises have their applications running across hundreds of hosts in multiple subdomains and building an inventory of such apps and data flows is very difficult, if not impossible. Enter eBPF (Extended Berkeley Packet Filter), a revolutionary technology that extends the capabilities of the Linux kernel, enabling real-time visibility into running apps regardless of their language and framework. This talk explores the transformative power of eBPF in modern security engineering. Attendees will learn how eBPF's dynamic tracing and filtering capabilities provide unparalleled visibility into application, data flow, and API behaviour, allowing for proactive vulnerability detection and risk assessment. Discover how integrating eBPF into your security strategy can safeguard your applications and data against evolving cyber threats, ensuring robust and resilient protection for your digital assets. Join us to unlock the full potential of eBPF and step into the future of app and data security.

Kiran Sama
Kiran Sama, Staff Security Engineer, Coupang
Buchi Reddy Busi Reddy
Buchi Reddy Busi Reddy, Founder, Levo.ai
Security Engineering
1:30 PM - 2:15 PM
Generative AI Cyber Incident Response Tabletop Exercise

Join April Mardock, CISO for Seattle Public Schools, as she teaches how to run a cyber incident response tabletop session with the help of Generative AI. April will provide both a tabletop session that you can participate in dynamically, as well as teach you how to lead your own tabletop, and tune the exercise for your organization's strengths and weaknesses.

April Mardock
April Mardock, CISO, Seattle Public Schools
Next Gen CISO
2:30 PM - 3:15 PM
Supercharge Your Frontlines: Purpose-Built CTI for IR & SOC Success

This presentation examines a Cyber Threat Intel (CTI) team designed to integrate seamlessly with Incident Response (IR) and Security Operation Center (SOC) teams based on real world experiences from Mandiant’s Advanced Practices team. CTI provides organizations with context needed to understand adversaries, their tactics, and the industry or assets they target. Attendees will gain insight to help develop a CTI function of value to frontline defenders.

Key insights:

  • Action: Identify intel directly enhancing IR and SOC operations
  • Structure: Outline CTI team roles & skills needed to support frontline operations
  • Insights: Translate data into actionable intel 
  • Integration: Embed workflows & outputs into IR playbooks and SOC alert triage
  • Peril: Lessons from 15+ years of frontline CTI support

Attendee takeaways:

  • A CTI team blueprint, purpose-built for frontline operations
  • Methods to ensure output is timely, relevant, and actionable
  • Seamless frontline services integration strategies
  • Benefit from years of frontline CTI support experience

Ideal Audience: Security leads, CTI managers, SOC analysts & incident responders interested in maximizing CTI value

Nick Richard
Nick Richard, Senior Manager, Mandiant, now part of Google Cloud
Security Operations
2:30 PM - 3:15 PM
Lessons Learned from the Summer of Supply Chain Attacks

This panel will discuss the record-breaking number of supply chain attacks in the summer of 2023, highlighting key incidents such as 3CX, MOVEit, and Barracuda. The panel will discuss lessons learned, emerging trends, increased global cooperation and the shift in government expectations. The panel will address cyber preparedness and risk tolerance. The panel will offer thoughts on minimizing legal exposure, cyber reporting obligations, and handling threat actor communications, especially if company officials or family member are approached or threatened. Finally, the panel will discuss how cyber investigators can approach multi-cloud environments despite the many challenges these types of investigations present and how they can enhance incident response in complex environments. The panel will discuss the need for enhanced data protection and methods for enhancing security posture and incident preparedness. The panel will also address how the increase in supply chain attacks affected the way a company and counsel think about risks as well as the need to understand legal, regulatory, and contractual requirements in a complex environment.

Erin Joe
Erin Joe, Senior Executive, OCISO, Google Cloud
Lyn Brown
Lyn Brown, Of Counsel, Wiley Rein
Jennifer Burnside
Jennifer Burnside, Practice Leader, Crisis Communications, Google Cloud Security
Third Party and Cyber Risk Management
2:30 PM - 3:15 PM
Versus Killnet

The infamous Russian hacktivist group, Killnet, operated as a rabid cyber army, orchestrated by a select few to create chaos and inflict harm. Despite its notoriety, investigating the true operators behind Killnet proved to be a significant challenge, given its checkered history and inconsistent behavior. However, through an in-depth investigation and direct confrontation with the gang, we shed the veil of secrecy shrouding the group and will share a compelling personal account detailing how we disrupted Killnet, plunging it into a death spiral. Our strategy to dismantle this cyber army hinged on identifying a critical vulnerability – its connection to the Russian illegal drug marketplace - Solaris. By exposing this nefarious link and diverting proceeds from the Russian drug operation to support a Ukrainian charity, we triggered widespread questioning of Killnet's leadership and actions. This created an instability and within the group and beyond, ultimately leading to loss of support of the Russian government and breaking of financial ties. As of the beginning of this year, Killnet changed drastically, leaving behind remnants of a group once synonymous with disruptive hacktivism.

Alex Holden
Alex Holden, Chief Information Security Officer, Hold Security, LLC
Security Threats and Exploits
2:30 PM - 3:15 PM
How GenAI is Shifting the Defender Landscape

Generative AI is shifting the defender landscape–from how practitioners do their job, to the user experience of the tooling, to how we think about securing AI workloads in the cloud. In this session, Google Cloud Security leaders will surface insights from conversations with CISOs, the latest Mandiant research, and Google DeepMind innovations to elucidate macro trends seen at the intersection of security and AI and what they mean for your organization. At a time when 88% of organizations have a difficult time investigating and responding to threats in a timely manner, you will also gain an understanding of real-world use cases for how AI is evolving the security lifecycle to be semi-autonomous, so defenders gain and maintain the upper-hand as threats continue to evolve.

Steph Hay
Steph Hay, Sr Director UX, Google Cloud
Umesh Shankar
Umesh Shankar, Chief Technologist, Google Cloud Security
Intersection of AI and Cybersecurity
2:30 PM - 3:15 PM
Understanding the ORBs: PRC Actors, Obfuscation Networks, and the Coming IOC Extinction

Since 2020 Chinese Espionage operations have fundamentally changed. Gone are the days of actor registered infrastructure and command and control reuse. A new practice of "Operational Relay Box" (ORB) networks has risen to obfuscate CNE network traffic via a TOR like network of registered VPS space and compromised end of life home routers.

This presentation will:

  • Demonstrate the ways ORBs have made blocking network IOCs Extinct
  • Provide a 4 quadrant signature and detection approach that will allow defenders and threat hunters to pivot through these complex networks. (Censys, YARA, Netflow, Active Scanning)
  • Define a scalable universal anatomy for talking about ORB networks and map signature types to these components.
  • Utilize an active PLA and MSS leveraged ORB network to provide real world examples of what manifestations of these ORB networks look like.
  • And Finally Shift the world view of network defenders from IOC blocking to detecting ephemeral infrastructure networks leveraged by multiple malicious APT actors.
Michael Raggi
Michael Raggi, PRINCIPAL Threat Analyst, Mandiant, Google Cloud
Intelligence
2:30 PM - 3:15 PM
Looking Around Corners and Defending Against 'the security hotness'

Cybersecurity defenders face a constant challenge: balancing the need to adopt innovative technologies with the imperative to protect their organizations. Recent examples like Supply Chain Security, Large Language Models, and Generative AI highlight the tension between business demands and security concerns. This talk presents a practical framework for evaluating and integrating new technologies into existing security programs and risk registers. We will address key decision points for ensuring safe and productive implementation within an organization. Attendees will learn how to: Cut through the hype cycle and assess new technologies objectively. Identify potential risks and develop mitigation strategies. Communicate effectively with stakeholders, including CIOs, about the benefits and challenges of new technology adoption. Make informed decisions that enable innovation while maintaining security. By the end of this talk, attendees will be equipped to confidently navigate the introduction of new technologies without compromising their organization's security posture.

Taylor Lehmann
Taylor Lehmann, Director, Security Engineering, Office of the CISO, Google
Tim Crothers
Tim Crothers, Director, Office of the CISO, Google Cloud, Google
Next Gen CISO
3:45 PM - 4:30 PM
Serverless Security: A Holistic Approach to Managing Risk in the Cloud

Serverless computing revolutionizes app development, but introduces unique security challenges due to its dynamic nature and reliance on third-party services. Drawing on insights from Google Cloud's security practices and real-world incidents, this talk explores the root causes of significant vulnerabilities exploited over the past decade. We'll delve into critical issues such as insecure coding practices, supply chain attacks, and misconfigurations, illustrating their potential consequences. Through data-driven insights attendees will gain actionable recommendations for hardening serverless security. Serverless security is not solely about safeguarding individual applications; it has far-reaching implications for the entire cloud ecosystem. The interconnected nature of serverless architectures means that a vulnerability in one component can cascade, potentially compromising multiple services and users. Therefore, a holistic approach to serverless security is essential, encompassing not only secure coding practices within applications but also robust protection for the underlying infrastructure, data storage, and network communications.

Charles DeBeck
Charles DeBeck, Cyber Threat Intelligence Expert, Google LLC
Cloud Security
3:45 PM - 4:30 PM
The Dark Side of Innovation: Generative AI in Cybercrime

The landscape of cyber threats is undergoing a transformative shift with the integration of Generative AI (GenAI) technologies by cybercriminals. This presentation delves into how GenAI tools are increasingly being adopted in the cybercrime arena, highlighting specific cases where these technologies have been utilized for malicious purposes. We will explore a range of examples including phishing attacks crafted with AI-generated content, the use of deepfakes for identity fraud, and AI-driven network intrusion techniques. The presentation will then pivot to discuss future predictions, suggesting potential new vectors of cyber attacks powered by further advancements in AI technologies.It will also critically analyze the escalating arms race between cybersecurity measures and AI-enhanced cybercrime methodologies. Finally we will challenge the audience to consider whether the rise of AI in cybercrime is a trend of necessity or opportunity, and what this means for the future of both cybersecurity strategies and criminal tactics. We will delve into the implications of AI's dual-use nature, reflecting on how its potential for misuse shapes the evolving landscape of cybersecurity.

John Fokker
John Fokker, Head of Threat Intelligence, Trellix
Intersection of AI and Cybersecurity
3:45 PM - 4:30 PM
Analyzing VirusTotal's Malware Executables Collection with LLMs

VirusTotal has been using Large Language Models (LLMs) to analyze malware for over a year, starting with macros and scripts. This experience gave us a good grasp of what LLMs can and can't do. But the real challenge was always executables. So, we took on a huge task: disassembling all the binaries and memory dumps in VirusTotal and using LLMs to figure out how they work. In this talk, we'll share what we've learned from this massive project. We'll be upfront about the challenges of using LLMs on complex malware and the wins we've had, including how LLMs provide an approach for pivoting that shows very promising early results. Come hear our story and get a glimpse of the future of malware analysis with AI. We'll have a real talk about how (besides the hype) there are areas where LLMs are making a real difference and what's next in this exciting field.

Vicente Diaz
Vicente Diaz, Threat Intel Strategist, VirusTotal
Intelligence
3:45 PM - 4:30 PM
At the breaking point: is your email safe against ransomware and state-sponsored attacks?

As cyber threats become increasingly sophisticated, driven by generative AI, organizations need robust, proactive defenses. This session reveals how AI-powered collaboration tools using the principles of Zero Trust provide a critical first line of defense against email-based attacks, empowering secure work from anywhere.

Rancho Iyer
Rancho Iyer, Specialists Customer Engineering Manager, Google
Adam Ehret
Adam Ehret, SVP IT, Equifax
Security Engineering
3:45 PM - 4:30 PM
Improving Healthcare Incident Response in the Wake of Recent Healthcare Breaches

Recent prominent breaches at healthcare organizations have proven that the healthcare sector is a primary target for financially motivated threat actors. The extended recovery times associated with these incidents have demonstrated that there exists opportunities for improvement in the incident response and management programs. Using the NIST incident response framework as a template, we will highlight improvements in preparation, detection, containment, and recovery phases as applicable to the healthcare sector. Healthcare is a critical industry quite literally impacting people’s lives. Ensuring that this important service is available to the public at all times is a necessity. Through the changes suggested in this talk, an incident response program will be able to meet goals of confidentiality, integrity, and availability. To highlight an example of the talk, we will discuss building automations through a Security Orchestration and Response tool to automate containment of suspected infected hosts.

Christopher Tanzer
Christopher Tanzer, Director, Cyber Investigations & Response, McKesson
Lawrence Taub
Lawrence Taub, Consulting Leader, Mandiant
Security Operations
3:45 PM - 4:30 PM
Secure-by-Default: Tackling Shared Libraries

Shared libraries are common in code development to increase efficiency, and provide a well-developed set of subroutines and functions. When a vulnerability is discovered in a shared library, it poses a serious risk to any organization that used that library – think Log4j. But, in the scenario that the vulnerability is not disclosed or fixed by the open source project and developers are unaware that they need to reconfigure it, this exposes organizations to even greater risk. In this session Mandiant and Ivanti will detail the discovery, remediation and disclosure of a vulnerability in the Apache XML Security for C++ library, which is part of the Apache Santuario project. By default, the library resolves references to external URIs passed in Extensible Markup Language (XML) signatures, allowing for server-side request forgery (SSRF). There is no way to disable this feature through configuration alone, and there is no patch available. Mandiant reported the non-secure default configuration in xml-security-c to the Apache Software Foundation (ASF). The ASF did not issue a CVE or a new release of xml-security-c.

Jacob Thompson
Jacob Thompson, Staff Vulnerability Engineer, Mandiant
Security Threats and Exploits
4:45 PM - 5:30 PM
Knock Knock... Who's There? Threat Actors! Real-World Case Studies in Cyber Defense

Cyberattacks are now an inevitability, with Threat Actors targeting organizations of all sizes and sophistication. This presentation confronts this reality, focusing on proactive defense strategies against these relentless threats. This presentation will go through real-world case studies, to dissect recent breaches and close calls, and what the defenders had to do in order to detect, respond and protect the organization. The presentation goes beyond threat identification; it showcases successful real-world defense strategies, offering practical approaches to mitigate risks, detect anomalies, and respond dynamically to attacks. Topics covered include threat intelligence sharing, incident response protocols, and fostering a security-conscious culture all the way to the board level. By showcasing organizations that have successfully defended against cyberattacks, the presentation inspires confidence and provides a roadmap for building resilient cybersecurity frameworks in todays rapidly changing environment

Ryan Malfara
Ryan Malfara, Principal Consultant, Google
Lyle Sudin
Lyle Sudin, Managing Director and Senior Client Advisor, Mandiant (part of Google Cloud)
Security Threats and Exploits
4:45 PM - 5:30 PM
Threat Hunting in the Age of AI: Proactive Defense Against Emerging Risks

We'll delve into the critical intersection of artificial intelligence and cybersecurity. AI is revolutionizing industries, but it also introduces new attack surfaces and vulnerabilities that traditional security measures may not fully address. We'll explore how proactive threat hunting can be a powerful tool in identifying and mitigating AI-related risks. This session will cover: The Evolving Threat Landscape: An overview of the latest AI-driven threats, including prompt injection, adversarial attacks, data poisoning, and the unique challenges they pose to security teams. Threat Hunting Fundamentals: A refresher on the core principles of threat hunting, its methodologies, and how it differs from traditional reactive security approaches. AI-Specific Threat Hunting Techniques: Identifying anomalies and suspicious patterns in AI model behavior. Detecting unauthorized access or manipulation of AI training data. Monitoring for signs of adversarial attacks, such as model evasion or poisoning. Practical Tools and Strategies: A look at the tools and technologies that can aid in AI threat hunting, including log analysis, machine learning algorithms, and threat intelligence platforms.

Jonathan Paykoc
Jonathan Paykoc, Senior Customer Engineer, Security, Google
Kanna Sekar
Kanna Sekar, Senior Customer Engineer, Security, Google
Security Operations
4:45 PM - 5:30 PM
Minimizing Permissions for Cloud Forensics: A Practical Guide for Tightening Access in the Cloud

This talk addresses a critical challenge for security operations centers (SOCs) and incident response (IR) teams in cloud environments: minimizing the permissions required for forensic investigations while maintaining efficient collaboration with cloud teams. Key topics include:

  • The Power of Dedicated Forensics Accounts: Learn why creating dedicated GCP/AWS/Azure forensics accounts can be a best practice, along with implementation steps
  • Extracting Data from Containers: Discover various methods to acquire data from containers, including sidecars, snapshots of the container filesystems, and the Kubernetes API
  • Temporary Credentials for Secure Access: We'll delve into assigning temporary credentials for cloud resources, using virtual machine snapshots as an example
  • Leveraging Tagging for Granular Permissions: Explore how tagging resources can minimize the permissions needed for specific investigations
  • RBAC Best Practices for IAM: Gain insights into best practices for Role-Based Access Control (RBAC) within IAM, specifically tailored for security operations and incident response teams
Christopher Doman
Christopher Doman, CTO, Cado Security Ltd
Cloud Security
4:45 PM - 5:30 PM
It's a Small Cluster After All - Analyzing the Disneyland Team with Machine Learning

Drowning in data is a common problem in Threat Intelligence investigations. When faced with potentially hundreds or thousands of potentially relevant pieces of information, how does an analyst group them together or pull apart useful and relevant bits of that pile of data? This talk will offer a few tools to answer those questions, focusing on victim/target identification in a large set of DNS names. In particular, we will focus on a set of domain names registered by the "Disneyland team". It will walk through Machine Learning techniques for addressing multiple problems, such as finding homoglyph domains, clustering domains, clustering subdomains, TF-IDF of groups of domains, levenshtein distance between names, etc. The talk will use open source tools to do all of this work, and will include code to allow others to do this work themselves.

Aaron Gee-Clough
Aaron Gee-Clough, Senior Data Engineer, DomainTools
Intelligence
4:45 PM - 5:30 PM
Unmasking the Hidden Danger: The Critical Role of Insider Threat Penetration Testing

Insider threats pose a significant and increasing risk to organizations across industries. The Insider Threat Pen Test is a novel approach to cyber security that proactively identifies and addresses vulnerabilities stemming from both accidental malicious insider and this presentation delves into the methodology behind this Pen Test, illustrating how it complements traditional external penetration testing by focusing on internal systems, processes, and human behavior. Through in-depth case studies from various sectors, we showcase the actionable insights gained from this approach. These insights empower organizations to strengthen their security culture, implement targeted mitigation strategies, and foster a proactive cyber security mindset. Attendees will learn how the Insider Threat Pen Test can be leveraged to reduce the risk of data breaches, intellectual property theft, operational disruptions, and other costly consequences of insider threats. Ultimately, this presentation demonstrates how the Insider Threat Pen Test serves as a business enabler, enhancing organizational resilience and safeguarding critical assets in an ever-evolving threat landscape.

Ian Trimble
Ian Trimble, Insider Risk Manager, Google
Shahzad Azad
Shahzad Azad, Technical Manager - Insider Risk Services, Mandiant
Third Party and Cyber Risk Management
4:45 PM - 5:30 PM
Gaining Trust in Zero Trust

A key skill we use every day is collaboration – but how can you collaborate if you don't have trust? I address this topic in "Gaining Trust in Zero Trust." Working in the cybersecurity space, we embrace the motto "zero trust" – but this mindset can creep into our everyday interactions. A whirlwind tour of history reveals how this concept evolved (for example Mikhail Gorbachev and President Ronald Reagan discussed "trust, but verify!") I offer a few tips to help gain trust with any type of research findings: don't embarrass anyone, don't speculate, and be genuine – report the actual findings, even if it's a bitter pill.

Luis Rodriguez
Luis Rodriguez, Lead Research Practitioner, Trellix
Next Gen CISO
11:00 AM - 11:45 AM
Outsmarting AI-Driven Cyber Risk: A Resilience Framework for Online Businesses

This interactive workshop reveals how AI agents create new cyber risks for online businesses, often overlooked amidst the focus on technical defenses. Attendees will analyze their own business model through the lens of adversarial AI, pinpointing areas where dependency, automation, or customer interactions offer new attack vectors. We'll discuss both defense strategies and how to leverage AI for your own cyber resilience. Gain a practical framework to evaluate emerging AI technologies and build a strategy that secures your organization's future regardless of disruptions.

Elizabeth Stephens
Elizabeth Stephens, CE/TO, DBS Cyber LLC
Intersection of AI and Cybersecurity
11:00 AM - 11:45 AM
The Good, the Bad, and the “What the Hell Were you Thinking': Clarifying the Rules of Engagement when Working with Managed Service Providers

Managed Service Providers (MSPs) play a pivotal role in modern IT supply chains. However, law enforcement agencies, including the FBI and the Cybersecurity & Infrastructure Security Agency (CISA), have repeatedly warned about the increasing focus of cybercriminals on MSPs. Given their ubiquitous access to client networks and industry-specific vulnerabilities, MSPs have rapidly become a target of choice for threat actors.

In this session, we will delve into the cybersecurity risks associated with outsourcing to an MSP and what your organization can do to mitigate these risks. By highlighting real-world incidents, we’ll review how organizations have been victimized, the key lessons learned (for both the client and MSP), and the essential steps to address similar attacks. By the end of this session, participants will have gained valuable insights into establishing clear rules of engagement and aligning ongoing security expectations with their MSP. This session is essential for both MSPs and the organizations that use them, as it emphasizes the importance of collaboration to ensure a resilient and secure IT environment.

Brian Horton
Brian Horton, Founder, Managing Director, Breadcrumb Cybersecurity
Third Party and Cyber Risk Management
11:00 AM - 11:45 AM
Weaponized Convenience: Inside the Rise of Remote Tool Abuse

In an era of remote work and distributed IT environments, remote administration tools (RATs) and remote monitoring and management (RMM) tools have become indispensable for system admins and managed service providers (MSPs). However, the same features that make these tools efficient also make them attractive targets for malicious actors. Advanced threat actors are increasingly leveraging legitimate RATs and RMMs to gain unauthorized access to networks, bypassing traditional security controls and evading detection. This presentation will provide an overview of the growing trend of weaponized remote access. Attendees will be guided through compelling real-world examples, dissecting the tactics, techniques, and procedures (TTPs) employed by adversaries to leverage these tools for malicious purposes. Furthermore, actionable insights will be provided, empowering organizations to enhance their detection capabilities and fortify their defenses against such sophisticated attacks. By understanding the evolving threat landscape and implementing effective countermeasures, attendees will be better equipped to safeguard their systems and data from the perils of weaponized remote access.

Fernando Tomlinson
Fernando Tomlinson, Technical Manager, Incident Response, Mandiant/ Google Cloud
Nader Zaveri
Nader Zaveri, Senior Manager - Incident Response & Remediation, Mandiant/Google
Security Threats and Exploits
11:00 AM - 11:45 AM
Tales of Cloud Compromise: Lessons Learned from Mandiant Investigations in 2023

Mandiant's front-line experiences in incident response reveal common overlooked areas leading to cloud compromises. Drawing on numerous technical case studies, we cover patterns and offer strategies to fortify cloud environments: 1) Living off the Land (in the Cloud): We observe that intrusions often stem from traditional on-premise systems like Active Directory, VMware infrastructure, and MDM/EDR tools. Our discussion will delve into how these platforms can be safeguarded to prevent such incidents. 2) Extended Attack Surface: Cloud and hybrid environments naturally extend organizational attack surfaces. This section will explore the challenges posed by inadequate controls, the sprawl of credentials and the array of tools attackers utilize to exploit these vulnerabilities. 3) Third-Party Access: 2023 has seen a significant rise in incidents involving third parties and Managed Service Providers. We'll tackle the critical question: How can organizations continue to engage third parties without compromising their security posture? We will also cover proactive defense strategies and robust incident response capabilities to protect and react swiftly to threats within cloud environments.

Will Silverstone
Will Silverstone, Senior Consultant, Mandiant
Omar ElAhdan
Omar ElAhdan, Principal, Mandiant/Google Cloud
Cloud Security
11:00 AM - 11:45 AM
Navigating the SEC Cyber Rule: Exercising to drive compliance

In the world of cybersecurity, staying compliant with the SEC Cyber rule is a top priority. But what does this mean for your company's cyber security efforts? In this session, we'll delve into the impact of the SEC Cyber rule on your organization's cyber security strategy, process, and governance. But that's not all. We'll also explore the vital role that conducting robust ransomware exercises plays in refining your incident and annual disclosures. Not only will we address the operational aspects of disclosure, but we'll also highlight how executive and board-level involvement is crucial in refining your cyber disclosures. Collaboration between roles that have different perspectives, such as CISO, CIO, GC, and CFO, is essential when it comes to addressing ransomware incidents, ensuring effective cyber disclosures, and when to discuss these critical issues with the board. Don't miss out on this opportunity to gain valuable insights, enhancing your understanding and impact of the SEC Cyber rule and enabling you to confidently address ransomware incidents and drive effective cyber disclosures.

Matt Gorham
Matt Gorham, Senior Managing Director, PwC
Security Operations
1:30 PM - 2:15 PM
Addressing Security Threats with Enhanced Caller Verification Methods

Explore the critical vulnerabilities of IT Help Desks and Call Centers. Learn how to address the alarming trend of security breaches stemming from insufficient authentication practices. Organizations apply Multi-Factor Authentication (MFA) to their online and mobile experiences, while leaving the IT Help Desk protected only by weak security questions. This is comparable to locking the front door while leaving the window open. Bad actors have noticed the open window of the IT Help Desk in a BIG way this year, using it as an entry point for breaches. Learn from real-world breaches, discuss existing security gaps, and discover how to effectively apply cybersecurity strategies specifically to IT Help Desks and Call Centers to reduce risks and operational costs. Key points: Introduction to IT Help Desk Vulnerabilities Identifying the Challenges with Traditional Verification Methods Real-World Consequences of Inadequate Security Exploring secure caller verification methods Q&A session

Tracey Nyholt
Tracey Nyholt, CEO and Founder, TechJutsu
Security Threats and Exploits
1:30 PM - 2:15 PM
Ghostmarket09 - The United States v. Jesse Kipf: A Case Study in Collaboration

In this joint presentation, Mandiant, the FBI, and the U.S. Attorney's Office will present a case study on their successful collaboration to bring cybercriminal Jesse Kipf, aka Ghostmarket09, to justice. Mandiant identified Kipf attempting to sell access to state death registration systems and delivered a victim notification to the impacted States and provided evidence to the FBI, which opened an investigation. The talk will discuss how Mandiant supported the FBI's investigation and assisted federal prosecutors. In October 2023, Kipf was indicted on charges of computer fraud, identity theft, and bank fraud. In April 2024, Kipf pled guilty to computer fraud and identity theft for breaching death registration systems in multiple states. Speakers will share insights from this collaboration, discussing how cybersecurity vendors, law enforcement, and prosecutors can work together to identify, investigate and prosecute threat actors. They will highlight challenges of building a case and critical evidence needed for conviction.

Andrew Satornino
Andrew Satornino, Special Agent, FBI
Austin Larsen
Austin Larsen, Senior Threat Analyst, Google
Intelligence
1:30 PM - 2:15 PM
Wholesome Hashes for a DNS Breakfast: How to Chew Through Adversary Automation

In this day and age, malicious threat actors and APTs are leaning ever harder on AI and automation to speed up and obfuscate their operations. By utilizing hashes created from content, headers, SOA records, Name servers, and more, threat hunters can uniquely identify both the characteristics of malicious infrastructure that is unlikely to change and that which is changing rapidly. Both of which can be of critical value for defenders. Automatically generated phishing pages with minor, target-specific changes can be found en-masse, rapidly rotating infrastructure can be picked out like the blinding eyesore it is, and seemingly innocuous infrastructure can be caught hiding amongst the sheep so that the wolves never get (or stay) in the fence line. This talk will cover (in depth) how our threat hunters have utilized hashes, fuzzy hashes, and similarity searches to protect our clients and mitigate attacks before they are launched. Case studies will include 1 or 2 of the following: Scattered Spider, Latrodectus, Prolific Puma, SocGholish, Duke Eugene’s Android Malware, Meduza Stealer, as well as the malicious fake trading apps that we’re tracking via this method.

Kasey Best
Kasey Best, Director of Threat Intelligence, Silent Push
Security Operations
1:30 PM - 2:15 PM
The Data Must Flow: An Analyst-First Perspective on the Next Age for SOCs

As data flowing into security operations centers has exponentially increased, analysts are increasingly tasked with scaling far beyond the level their tools and organizational design allow. With the era of "new" AI at our doorstep, we risk further burying our SOC analysts in more and more "data" to sift through. In an effort to combat this, we'll attempt to layout an analyst-first perspective for the new SOC that must rise to meet this challenge - one in which the human behind the analysis is the fulcrum for this new AI-assisted leverage, rather than an inconvenience to be replaced. To accomplish this, we focus our attention and technology on amplifying the core work products of analysts while using automation to drive the machine - ensuring that every piece of analysis flows back into the system, lightening the load for future analysts and establishing an institutional "SOC memory" which new analysts can seamlessly leverage in their daily efforts.

Austin Baker
Austin Baker, Senior Staff Security Engineer, LinkedIn
Intersection of AI and Cybersecurity
1:30 PM - 2:15 PM
Evolving Fraud Landscape: Trends, Tactics, and Tools for Staying Ahead

The fight against online fraud is a relentless arms race, constantly evolving with new threats and sophisticated tactics. This session will provide a deep dive into the latest trends in bot attacks, account takeovers, payment fraud, and SMS toll fraud. We'll uncover the evolving tactics used by fraudsters, from advanced automation and AI-powered attacks to social engineering and phishing schemes. You'll gain actionable insights into building a robust fraud defense strategy that adapts to the dynamic threat landscape. We'll cover best practices for detection, prevention, and mitigation, including leveraging machine learning, behavioral analytics, and real-time risk assessment. We'll also discuss the importance of layering security measures and staying ahead of the curve through continuous monitoring and adaptation. This session will equip you with the knowledge and strategies to proactively combat fraud, protect your customers, and safeguard your bottom line.

Josue (Sway) Fontanez
Josue (Sway) Fontanez, Product Manager, Google
Kwaku Sefa-Dedeh
Kwaku Sefa-Dedeh, Senior Product Manager, Google
Cloud Security
1:30 PM - 2:15 PM
Threat Modeling as a Fitness Function - Iteratively Improving the Security Posture of your Software

Threat modeling is a key technique that is used to analyze what could go wrong in a given software architecture. More often than not, the main output of a threat modeling exercise is a list of mitigations for how to ensure that “what could go wrong” actually “doesn’t go wrong”. While critical, this process can be so much more. By fostering collaboration between security and product teams, threat modeling can strengthen relationships, build trust, and ultimately enhance your software's security.

In this talk we outline how threat modeling can be used as a fitness function to iteratively improve the security posture of the software you are building. Instead of doing one shot threat models to enumerate and mitigate threats, we outline a new model where threat modeling takes input from a wide variety of other sources, ranging from threat intelligence to software development artifacts, and produces outputs in the form of mitigations, vulnerability research, and detections. We’ll then show how to tie these inputs and outputs into a feedback loop that improves the security posture of your organization over time while also building trust and better working relationships between teams.

Meador Inge
Meador Inge, Staff Security Engineer, Google
Security Engineering
2:30 PM - 3:15 PM
Securing the Future: A Secure by Design Approach to AI Systems

In the era of rapid AI adoption, new AI systems are increasingly becoming targets for threat actors, thereby creating fresh gaps in cybersecurity posture management. This talk underscores the importance of a multi-layer, 'secure by design' approach, offering comprehensive protection across all layers of AI systems. We'll delve into every facet of the AI system from the model and its supply chain, architected for MLOps, to data provenance, to the infrastructure and management planes. Discover how this cross-industry framework not only ensures compliance with industry standards but also provides a roadmap to navigate the rapidly shifting threat landscape, including how we've used it to augment Google's Vertex AI AI-as-a-Service platform. We invite you to join us and explore the inherent value of a 'secure by design' approach in fortifying enterprise-wide security and resilience against emerging threats.

David Caswell
David Caswell, Managing Director, Deloitte
Arnav Jain
Arnav Jain, Cyber Risk Manager, Deloitte & Touche LLP
Intersection of AI and Cybersecurity
2:30 PM - 3:15 PM
Breaking the Chain: Navigating VPN Vulnerabilities

On April 10, 2024, Palo Alto Networks disclosed a zero-day vulnerability (CVE-2024-3400) in its VPN product after observing active exploitation at multiple organizations. This vulnerability is just one of many to be disclosed in recent months (Cisco, Ivanti and likely others) resulting in organizations to take rapid action to reduce the likelihood of exploitation. Steven Taylor, who recently led Incident Management at Palo Alto Networks and now a Consulting Director at MorganFranklin Cyber, plans to share insights from the frontline (publicly available), ongoing persistence from threat actors and practical steps to reduce cyber risk when a critical vulnerability is disclosed by a software provider.

Steven Taylor
Steven Taylor, Director, Cyber Security, Morgan Franklin Consulting
Security Threats and Exploits
2:30 PM - 3:15 PM
I Wish I'd Known This Before We Got Sued

Topic: Strategies for Safeguarding Legal Privilege in In-House Counsel
Narrative: Retaining legal privilege during cross-border incident response efforts presents unique challenges. When local laws fail to recognize privilege for in-house counsel, preserving it becomes paramount. Moreover, when incidents span multiple countries with inconsistent privilege rules, maximizing protections requires finesse. This program delves into practical dos and don’ts during litigation, drawing from real-world war stories shared by seasoned panelists and will cover: 

  • Preserving Privilege Amid Legal Ambiguity
  • Navigating Cross-Border Privilege Challenges
  • Dos and Don’ts During Litigation
  • War Stories from the Trenches

In conclusion, safeguarding privilege requires vigilance, adaptability, and a keen understanding of legal nuances. By learning from real-world scenarios, in-house and external counsel can fortify their privilege protections and navigate the legal landscape effectively.

Chris Bloomfield
Chris Bloomfield, Associate, Eversheds Sutherland
Rachel Reid
Rachel Reid, Partner, Eversheds Sutherland
Third Party and Cyber Risk Management
2:30 PM - 3:15 PM
Metrics that Matter: How to Choose Cloud Security KPIs For Your Business

As cloud security operations mature within the organizations, implementing effective metrics is vital for measuring cloud security posture and operational readiness. Organizations often face challenges in tracking security metrics without incurring resource overheads. This talk discuss examples of both potentially effective and ineffective metrics based on real-life experiences, tailored to various business scenarios and risk appetite. We will explores how to prioritize metrics that inform leadership and drive continuous improvement in cloud security posture. The session also introduces concepts like the Exploit Prediction Scoring System (EPSS) for prioritizing vulnerability remediation and Protection Level Agreements (PLAs) for building effective KPIs. The goal is to not only measure but enhance cloud security operations, empowering teams to identify cloud security metrics truly matter to their business.

Emma Yuan Fang
Emma Yuan Fang, Senior Manager, Senior Cloud Security Architect, EPAM Systems
Cloud Security
2:30 PM - 3:15 PM
Building Resilience: Healthcare Industry

Contrary to popular beliefs and despite their promises, healthcare has and will continue to be under attack by threat actors looking to profit from the vulnerabilities our health system continues to expose. There was a time where criminals and nation states teased that they'd "not attack healthcare", we knew this was a lie. The gloves have never been on. Healthcare needs a lift. During this talk, Taylor Lehmann (Google) and Luke McNamara (Mandiant Intelligence) with leaders from the Health ISAC, MedISAO, and Bio-ISAC will host a panel that gets deeply into the sector's challenges, identify threats, get into detail where the greatest vulnerabilities are and what we can do to establish collective defenses that work. We'll unpack the recent Health Sector cyber performance goals and incentive programs coming to US healthcare cyber-security and what they mean. This will be a panel discussion featuring the CISO and CSOs from the Health ISAC, MedISAO, Bio-ISAC.

Mike Kijewski
Mike Kijewski, CEO, Medcrypt
Bill Reid
Bill Reid, Advisor, Office of the CISO, Google
Intelligence
2:30 PM - 3:15 PM
Red Teaming for AI

Will we reach a point where all text boxes are handled by a LLM? Even though most organizations are building on top of foundation models rather than trying to build their own. How can we build and maintain a security boundary with an “intelligent” system that can’t really think? How do concepts like prompt injection, multi-stage exploits, SQLi, etc. mean to a loan application chatbot? What can a non-deterministic system do in a deterministic world? Mandiant has exploited developer-assistance chatbots during its Red Team Assessments to gain privileges within a client environment. Its consultants have explored and bypassed protections built to restrict the scope of a financial services chatbot. How can these and other stories help improve the security of future applications built on top of GenAI and LLMs?

Brice Daniels
Brice Daniels, Senior Regional Leader, Mandiant, Google Cloud
Security Operations
3:45 PM - 4:30 PM
Offensive Cyber Counterintelligence: Approach Mapping the Strategic Targeting, Confrontation, and Neutralization of 21st Century Spies

Countering advanced persistent threats (APTs) and cyber threat actors (CTAs) has contextualized the ever-evolving landscape of counterintelligence (CI). Offensive cyber counterintelligence (OCCI) has clearly emerged as a critical component in the CI arsenal. A comprehensive understanding of OCCI’s effectiveness in addressing threats posed by APTs/CTAs remains elusive. This breakout aims to fill intelligence gaps in the digital threat landscape by examining the multifaceted variables and dynamics of OCCI. While OCCI is a crucial mechanism in the field of intelligence, there is a lack of research that systematically assesses the interplay between key variables influencing the efficacy of OCCI. What impact do attribution accuracy, operational timing, deterrence effectiveness, repercussions against the accused entity, and tactical adaptations have on the success of offensive cyber counterintelligence (OCCI) strategies against Advanced Persistent Threats (APTs) and Cyber Threat Actors (CTAs)? The breakout aims to provide nuanced insights that go beyond singular dimensions of CI. Further refining OCCI strategies will provide meaningful insight for policy decisions.

Benjamin Nixon
Benjamin Nixon, Intelligence Officer, Defense Intelligence Agency
Intelligence
3:45 PM - 4:30 PM
Securing AI Systems: Detecting and Stopping GenAI-Enabled Threat Actors

Generative AI has given defenders an edge, but it's also opened new avenues for enabling cyber threat actors to conduct phishing, social engineering, vulnerability research, and other abusive activities. A cross-team collaboration spent months tracking, defending and learning from threat actors attempting to abuse Google’s AI systems; tactics that can ultimately work across different AI systems. In our talk, we will discuss the types of abusive behavior seen from threat actors, including novel-AI TTPs that haven't been publicly shared before, like jailbreak prompts and prompt injection attacks. We'll then share actionable best practices for how enterprises can be proactive in detecting and stopping abuse and exploitation of their AI systems, based on these learnings. Audience members will walk away with the knowledge of which implementations to prioritize within their environments to stay ahead of the curve and retain their edge.

Jonathan Looi
Jonathan Looi, Security Engineer, Google
Security Engineering
3:45 PM - 4:30 PM
From Manual Mayhem to AI-Powered SOC: How Generative AI is Revolutionizing Security Operations

Ditch the manual grind! Google Security Operations & Foresite unveil a revolutionary SOC powered by generative AI. This talk dives deep into empowering analysts & automating tedious tasks. Witness AI transform security: Automated Threat Detection & Response: Generative AI triages alerts, prioritizes threats, & automates initial response, freeing analysts for high-impact investigations. Enhanced Threat Hunting: Uncover hidden threats with AI-powered anomaly detection. Generative models can identify subtle patterns & entities invisible to traditional methods. Streamlined Incident Response: Generate investigative playbooks & automate repetitive tasks, expediting incident resolution & reducing analyst workload. Continuous Threat Intelligence: AI analyzes vast data sets to identify emerging threats & indicators of compromise (IOCs), keeping your defenses ahead of the curve. This talk is a real world showcase of applications in practice.

Jeremy Hehl
Jeremy Hehl, Vice President, Business Development, Foresite Cybersecurity, Inc.
Intersection of AI and Cybersecurity
3:45 PM - 4:30 PM
Turning Chaos into Privileges: Processing Attacker Data with AI

When conducting adversarial emulation engagements, making sense of all the data available to the attacker is THE biggest challenge. As a defender, if you don’t know the needle in the haystack the threat actor will find even exists, how can you protect against it? How can you make sense of the vast amounts of structured and unstructured data to give yourself the advantage? Data permeates the modern organization; structured data such as computer-readable output from tools and unstructured data; such as data from clients which is created by and for other employees. This data can be challenging to parse, process and understand from a security implication perspective but artificial Intelligence (AI) might just change all that. Our presentation will focus on a number of case studies where we obtained unstructured data during our complex adversarial emulation engagements with global clients and how we processed this into structured data that could be used to better defend organizations using AI. We will showcase the lessons learned and key take-aways for other organizations and highlight other problems that can be solved with this approach both for red and blue teams.

Jay Christiansen
Jay Christiansen, Senior Manager, EMEA Red Team Lead, Mandiant, part of Google Cloud
Matthijs Gielen
Matthijs Gielen, Senior Consultant, Google Cloud
Security Operations
3:45 PM - 4:30 PM
ASPM from A to…M! Your Application Security Posture Management Crash Course

According to Gartner, 40% of companies developing proprietary applications will adopt an Application Security Posture Management (ASPM) solution by 2026. Why? Because with increasing cloud security complexity involving a multitude of scanners, languages, and frameworks, organizations are finding it more and more difficult to prioritize fixes amongst a sea of alerts. This lack of clarity leads to protracted risk windows. A survey conducted by the Cloud Security Alliance found that 18% of organizations reported taking more than 4 days to address critical vulnerabilities—with 3% exceeding two weeks. That’s too long for the well-being of your infrastructure, and that’s where ASPM can help. During the course of this session, we’ll take you through ASPM basics— what it is, who’s using it, how it differs from similar solutions (death by acronyms!), its benefits, the best-of-breed tools that can integrate with an ASPM solution, considerations and steps for implementing, and—what everyone’s buzzing about—how AI factors in to modern ASPM solutions.

Eyal Golombek
Eyal Golombek, Field CTO, Dazz
Cloud Security
3:45 PM - 4:30 PM
SAIF From Day One: Lessons from Securing AI

AI is advancing rapidly, and it is important that risk management strategies evolve along with it. To help achieve this evolution, Google introduced the Secure AI Framework (SAIF). Join us to learn the top risks and how SAIF evolves to offer a practical approach to addressing them. We will also cover how to implement it for popular scenarios.

Anton Chuvakin
Anton Chuvakin, Senior Staff Consultant, Google Cloud
Taylor Lehmann
Taylor Lehmann, Director, Security Engineering, Office of the CISO, Google
Security Threats and Exploits
4:45 PM - 5:30 PM
Fast Flux: Catching Universally Bad Behavior, Raspberry Robin

Threat actors like Raspberry Robin are known to conduct Fast Flux behaviors to hide their infrastructure. They quickly rotate a domain through numerous IPs across unique ASNs, which can make it harder for some defenders to find and block the infrastructure. By focusing on IP / ASN diversity features (the number of unique ASNs/IPs a domain has been seen on over a specific period) and creating a simple domain regex filter for the 2-letter domain format used by Raspberry Robin for their infrastructure while bearing in mind the unique Name Server that they are known to use, we can easily create a ruleset that makes it possible for defenders to get lists of their domains that are Indicators of Future Attacks (IOFAs). FastFlux behaviors create golden opportunities for defenders to hunt for IOFAs. In our research, we haven’t found any legitimate enterprises that deploy FastFlux behaviors on their domains. Only threat actors are doing this. Silent Push has one of the only open data sets available for researchers that easily allow searching the open internet by IP / ASN diversity so that more threat analysts can dig through hosts doing these suspicious FastFlux DNS rotations.

Zach Edwards
Zach Edwards, Senior Threat Analyst, Silent Push
Security Threats and Exploits
4:45 PM - 5:30 PM
Practical use cases for AI in Security Operations

Artificial intelligence (AI) is revolutionizing the way we approach security operations – allowing defenders to elevate their skills and boost productivity by accelerating threat detection, investigation, and response. AI isn’t a future concept: It’s here and available, with early user feedback showing that AI can reduce the time required for common analyst tasks such as triaging complex cases by 7x. In this session, we’ll dive into the real-world applications of AI in Security Operations with hands-on demonstrations and case studies.

Payal Chakravarty
Payal Chakravarty, Practical use cases for AI in Security Operations, Google
Spencer Lichtenstein
Spencer Lichtenstein, Senior Product Manager, Google
Intersection of AI and Cybersecurity
4:45 PM - 5:30 PM
Standardizing a Privileged Access Model for a Multi-Cloud environment

Most organisations use more than one public cloud to deploy infrastructure (AWS,Azure,GCP etc.).Having a large distributed deployment opens up avenues for attackers to exploit, misusing the lateral movement paths and inter-dependencies between the clouds. Mandiant has observed attackers compromise entire cloud environments by performing token theft-replay, AiTM attacks. Such compromises often involve abuse of user accounts exposed to multiple clouds, permissions leak, lateral movement paths, trust relationships and integrations between the cloud service providers. This session will walk through Mandiant’s frontline experience of such attacker paths across multi-cloud and delve into the proposed architecture to secure the cloud. This is meant to eliminate attacker paths of lateral movement and privileged escalation. It adopts tiering model practices for segregation of resources, endpoints, accounts, and applies it consistently across multiple cloud platforms. The session delves into security configurations, monitoring and detection mechanisms to secure and harden critical assets across multi-cloud.

Rupanjana Mukherjee
Rupanjana Mukherjee, Principal Security Architect, Google Asia Pacific Pte. Ltd.
Jon Sabberton
Jon Sabberton, Senior Manager, Mandiant
Cloud Security
4:45 PM - 5:30 PM
The SIEM Isn't Dead: Comparing SIEMs and Data Lakes in Modern Cybersecurity

In an era where cyber threats are increasingly sophisticated, the need for security data collection and monitoring remains vital, but the SecOps landscape is evolving. This session offers a real and honest discussion about these shifting paradigms. We’ll delve into the strengths and weaknesses of SIEMs and data lakes, foundational components upon which your workflows are built, then cut through the marketing noise to explore how AI/ML are transforming SecOps, enhancing threat detection, and response capabilities. We'll provide insights into where these technologies are headed and how to position your organization today to take full advantage of them in the future. The road to modernization is fraught with challenges. For those considering a SIEM or data lake migration, we’ll discuss common pitfalls and effective strategies to navigate this complex process. Attendees will walk away with a clear understanding of how to evaluate and choose the best solution for their organization's specific needs, whether it's a traditional SIEM, data lake, or hybrid approach. Step confidently into the next generation of cybersecurity with the tools and insights to outsmart evolving threats.

Tim Nary
Tim Nary, Co-Founder and Chief Product Officer, SnapAttack
Fred Frey
Fred Frey, CTO, SnapAttack
Security Operations
4:45 PM - 5:30 PM
Attacks on LLMs: How Google Cloud and SAP secure Generative AI

Large Language Models (LLMs) have been transformational, but their increasing complexity and integration into critical systems have opened up a new attack surface for malicious actors. This session delves into the evolving threat landscape of LLM attacks, focusing on how industry leaders like Google Cloud and SAP are proactively securing generative AI technologies.
Key Topics:
Understanding Vulnerabilities and Attacks unique to LLMs: Prompt injection attacks, data poisoning, model theft, and adversarial examples. 
Defense Strategies in Google Cloud: We examine a multi-layered approach to securing its LLMs. This includes robust input validation and sanitization techniques, adversarial training to make models more resilient, and differential privacy mechanisms to protect sensitive user data. Preventative and detective policies based on NIST and Model Armor on Google Cloud.

Amit Verma
Amit Verma, GenAI Solutions Architect, Google
Manish Kumar Yadav
Manish Kumar Yadav, Senior Security engineer, SAP
Security Engineering
4:45 PM - 5:30 PM
Unveiling Threat Actor Methods: Investigating Sandbox Artifacts and LNK-to-PDF Malware Delivery

In the landscape of cybersecurity, threat actors leverage deceptive techniques to orchestrate sophisticated attacks. This session explores the use of LNK, ISO and PEEXE files as a conduit to deliver hidden malware payloads while using PDF documents to trick the victim. By dissecting sandbox-generated artifacts for example in VirusTotal, we illuminate the strategies employed by adversaries, enabling practitioners to enhance threat detection and threat hunting methodologies to track this threats using artifacts generated during the execution of the initial payloads, helping with pivoting and hunting. We will see real examples of the PatchWork APT group and other crime groups.

Jose Luis Sanchez Martinez
Jose Luis Sanchez Martinez, Security Engineer, Google
Intelligence