Effective URL: https://mwise.mandiant.com/event/d4bc98ec-f502-4acc-afc7-d9e9b960bb18/websitePage:a325af6e-7b84-43b6-bd10-ddf565509e0f?utm_...
Skip to main content * Home * Agenda * Passes & Pricing * Speakers * Expo & Sponsors * Resources * About mWISE REGISTRATION IN-PERSON mWISE REGISTRATION DIGITAL mWISE CONFERENCE 2022 | OCTOBER 18-20, 2022 | WASHINGTON HILTON, WASHINGTON, D.C. Session Catalog mWISE™ Conference 2022 will feature over 70 sessions across two and a half days. There will be keynotes, sessions across seven tracks, including our sponsor track, and lunch & learn’s. Tailor your schedule to create your personal experience. Peruse our session catalog now. Note: Some sessions will be announced and published closer to the event dates. We will hold some speaking slots to bring you any late breaking topics. Search for sessions... Category October 16, 2022 Pre-Conference Training Breakfast 8:00 AM-9:00 AM ET Meals Concourse Foyer | BP-01 Essentials of Malware Analysis - Day 1 9:00 AM-5:00 PM ET Pre-Conference Training Lincoln West | PRE-05a Director, Malware Operations, FLARE Mandiant Research Engineer Mandiant This course provides a rapid introduction to the tools and methodologies used to perform malware analysis on executables found on Windows systems using a practical, hands-on approach. Students will learn how to find the functionality of a malicious program by analyzing decompilation and Windows API sequences. Attendees will learn how to extract host and network-based indicators from malware samples. Students will learn about Windows management technologies and Windows APIs most often used by malware authors for stealthy techniques such as "Fileless Malware". Each section features in-class demonstrations and hands-on labs with actual malware where the students practice what they have learned. 
Windows Enterprise Incident Response - Day 1 9:00 AM-5:00 PM ET Pre-Conference Training Lincoln East | PRE-06a Senior Technical Instructor Mandiant Principal Consultant - Incident Response Mandiant This intensive course is designed to teach the fundamental investigative techniques needed to respond to today’s cyber threats. The fast-paced course is built upon a series of hands-on labs that highlight the phases of a targeted attack, sources of evidence and principles of analysis. Examples of skills taught include how to conduct rapid triage on a system to determine whether it is compromised, uncover evidence of initial attack vectors, recognize persistence mechanisms, and investigate an incident throughout an enterprise. Although the course is focused on analyzing Windows-based systems and servers, the techniques and investigative processes are applicable to all systems and applications. The course includes detailed discussions of common forms of endpoint, network and file-based forensic evidence collection and their limitations as well as how attackers move around in a compromised Windows environment. The course also explores information management that enriches the investigative process and bolsters an enterprise security program. Discussion topics include the containment and remediation of a security incident, and the connection of short-term actions to longer-term strategies that improve organizational resiliency. Intelligence Research II—Open Source Intelligence (OSINT) - Day 1 9:00 AM-5:00 PM ET Pre-Conference Training Jefferson East | PRE-04a Analyst Mandiant Senior Intel Enablement Consultant Mandiant This foundational course teaches students to identify and develop pivot points or leads in investigations across multiple use cases. Students will review the basic functions of open source tools and learn when and why to use them in their research. 
They will apply their skills to several scenarios drawn from frontline experience, including executive-level RFIs, incident response investigations and information operation campaigns. As they work through these scenarios in a lab environment, students will apply their knowledge of tools such as VirusTotal, Alienvault, PassiveTotal and Facebook, and use advanced search engine techniques. Ultimate Hide and Seek in ThreatSpace - Day 1 9:00 AM-5:00 PM ET Pre-Conference Training Jefferson West | PRE-03a Senior Manager, Consulting - Education Mandiant Sr. Threatspace Technical Instructor Mandiant A ThreatSpace Cyber Range training experience makes it possible for you to see if you have what it takes to respond to real-world threats. Assess your ability to respond to an attack in a consequence-free environment. Using a virtualized environment that simulates typical IT infrastructure such as network segments, workstations, servers, and applications, you will use ThreatSpace to assess your technical capabilities, processes and procedures as you investigate simulated attack scenarios with fellow learners. To heighten the sense of realism, ThreatSpace engagements involve all aspects of an incident response team, not just the incident responders themselves. Executives, threat intelligence analysts, legal counsel, and all other stakeholders are represented virtually in the engagement. The scenarios, based on extensive Mandiant incident response experience responding to thousands of breaches, include the latest adversary tactics, techniques and procedures (TTPs) and test a security team’s ability to detect, scope, and remediate a targeted attack. Throughout the process, Mandiant incident response experts provide real-time feedback and coaching to help improve the security team’s ability to respond to cyber attacks. Are you up for the challenge? 
Incident Response for Everyone - Day 1 9:00 AM-5:00 PM ET Pre-Conference Training Georgetown West | PRE-01a Incident Response / Threat Intel Mandiant Senior Cyber Security Instructor Mandiant Principal Consultant - Global Government Security Programs Mandiant Senior Technical Instructor Mandiant This two-day course is designed to teach non-technical support staff how to respond to an incident and how to work with investigators during an incident response event. This course includes a series of hands-on exercises that highlight all phases of the investigation lifecycle. Participants will learn how to respond to a detected incident, describe the incident to stakeholders, differentiate among different evidence acquisition methods, understand how investigators conduct an investigation, evaluate different remediation methods, and review an investigative report. By the end of this course, participants will be able to actively provide non-technical support to an investigation by understanding the full scope of incident response processes and procedures. Fundamentals of Industrial Control Systems (ICS) Security - Day 1 9:00 AM-5:00 PM ET Pre-Conference Training Georgetown East | PRE-02a Principal Consultant - Industrial Control Systems Security Mandiant Director, ICS/OT Security Consulting Mandiant This two-day course provides IT security professionals and ICS/ OT engineers interested in ICS/OT security with the fundamental knowledge and skills required to build and expand an ICS/OT security team. Learners will become familiar with ICS/OT security concepts, secure architecture, threat models and ICS/OT security standards and best practices. The course will also discuss today’s security trends and the current threat landscape. Throughout the course, exercises and demonstrations inspired by actual cases and incidents in the ICS world will enable learners to advance their knowledge in their day jobs. 
Pre-Conference Training Lunch 12:30 PM-1:30 PM ET Meals Concourse Foyer | LP-01 Pre-Conference Training Reception 5:00 PM-6:00 PM ET Meals Heights Courtyard, Lobby Level | HAP-01 Happy hour for our Pre-Conference Training Attendees. Join us for food and drinks and valuable connections with other security professionals and colleagues. October 17, 2022 Pre-Conference Training Breakfast 8:00 AM-9:00 AM ET Meals Concourse Foyer | BP-02 Fundamentals of Industrial Control Systems (ICS) Security - Day 2 9:00 AM-5:00 PM ET Pre-Conference Training Georgetown East | PRE-02b Principal Consultant - Industrial Control Systems Security Mandiant Director, ICS/OT Security Consulting Mandiant This two-day course provides IT security professionals and ICS/ OT engineers interested in ICS/OT security with the fundamental knowledge and skills required to build and expand an ICS/OT security team. Learners will become familiar with ICS/OT security concepts, secure architecture, threat models and ICS/OT security standards and best practices. The course will also discuss today’s security trends and the current threat landscape. Throughout the course, exercises and demonstrations inspired by actual cases and incidents in the ICS world will enable learners to advance their knowledge in their day jobs. Intelligence Research II—Open Source Intelligence (OSINT) - Day 2 9:00 AM-5:00 PM ET Pre-Conference Training Jefferson East | PRE-04b Analyst Mandiant Senior Intel Enablement Consultant Mandiant This foundational course teaches students to identify and develop pivot points or leads in investigations across multiple use cases. Students will review the basic functions of open source tools and learn when and why to use them in their research. They will apply their skills to several scenarios drawn from frontline experience, including executive-level RFIs, incident response investigations and information operation campaigns. 
As they work through these scenarios in a lab environment, students will apply their knowledge of tools such as VirusTotal, Alienvault, PassiveTotal and Facebook, and use advanced search engine techniques. Ultimate Hide and Seek in ThreatSpace - Day 2 9:00 AM-5:00 PM ET Pre-Conference Training Jefferson West | PRE-03b Senior Manager, Consulting - Education Mandiant Sr. Threatspace Technical Instructor Mandiant A ThreatSpace Cyber Range training experience makes it possible for you to see if you have what it takes to respond to real-world threats. Assess your ability to respond to an attack in a consequence-free environment. Using a virtualized environment that simulates typical IT infrastructure such as network segments, workstations, servers, and applications, you will use ThreatSpace to assess your technical capabilities, processes and procedures as you investigate simulated attack scenarios with fellow learners. To heighten the sense of realism, ThreatSpace engagements involve all aspects of an incident response team, not just the incident responders themselves. Executives, threat intelligence analysts, legal counsel, and all other stakeholders are represented virtually in the engagement. The scenarios, based on extensive Mandiant incident response experience responding to thousands of breaches, include the latest adversary tactics, techniques and procedures (TTPs) and test a security team’s ability to detect, scope, and remediate a targeted attack. Throughout the process, Mandiant incident response experts provide real-time feedback and coaching to help improve the security team’s ability to respond to cyber attacks. Are you up for the challenge? 
Essentials of Malware Analysis - Day 2 9:00 AM-5:00 PM ET Pre-Conference Training Lincoln West | PRE-05b Director, Malware Operations, FLARE Mandiant Research Engineer Mandiant This course provides a rapid introduction to the tools and methodologies used to perform malware analysis on executables found on Windows systems using a practical, hands-on approach. Students will learn how to find the functionality of a malicious program by analyzing decompilation and Windows API sequences. Attendees will learn how to extract host and network-based indicators from malware samples. Students will learn about Windows management technologies and Windows APIs most often used by malware authors for stealthy techniques such as "Fileless Malware". Each section features in-class demonstrations and hands-on labs with actual malware where the students practice what they have learned. Windows Enterprise Incident Response - Day 2 9:00 AM-5:00 PM ET Pre-Conference Training Lincoln East | PRE-06b Senior Technical Instructor Mandiant Principal Consultant - Incident Response Mandiant This intensive course is designed to teach the fundamental investigative techniques needed to respond to today’s cyber threats. The fast-paced course is built upon a series of hands-on labs that highlight the phases of a targeted attack, sources of evidence and principles of analysis. Examples of skills taught include how to conduct rapid triage on a system to determine whether it is compromised, uncover evidence of initial attack vectors, recognize persistence mechanisms, and investigate an incident throughout an enterprise. Although the course is focused on analyzing Windows-based systems and servers, the techniques and investigative processes are applicable to all systems and applications. The course includes detailed discussions of common forms of endpoint, network and file-based forensic evidence collection and their limitations as well as how attackers move around in a compromised Windows environment. 
The course also explores information management that enriches the investigative process and bolsters an enterprise security program. Discussion topics include the containment and remediation of a security incident, and the connection of short-term actions to longer-term strategies that improve organizational resiliency. Incident Response for Everyone - Day 2 9:00 AM-5:00 PM ET Pre-Conference Training Georgetown West | PRE-01b Incident Response / Threat Intel Mandiant Senior Cyber Security Instructor Mandiant Principal Consultant - Global Government Security Programs Mandiant Senior Technical Instructor Mandiant This two-day course is designed to teach non-technical support staff how to respond to an incident and how to work with investigators during an incident response event. This course includes a series of hands-on exercises that highlight all phases of the investigation lifecycle. Participants will learn how to respond to a detected incident, describe the incident to stakeholders, differentiate among different evidence acquisition methods, understand how investigators conduct an investigation, evaluate different remediation methods, and review an investigative report. By the end of this course, participants will be able to actively provide non-technical support to an investigation by understanding the full scope of incident response processes and procedures. 
Pre-Conference Training Lunch 12:30 PM-1:30 PM ET Meals Concourse Foyer | LP-02 Registration 1:00 PM-6:00 PM ET General Terrace Foyer | REG-01 October 18, 2022 Registration 7:00 AM-12:00 PM ET General Terrace Foyer | REG-02 Expo Hours 8:00 AM-6:30 PM ET General Columbia | EX-01 Breakfast & Expo 8:00 AM-8:45 AM ET Meals Columbia | BE-18 Opening Keynotes 9:00 AM-11:00 AM ET Keynotes International Ballroom | KN-01 VP of Security SolarWinds SVP & CTO Mandiant CSO Kaseya CEO Mandiant Partner Hunton Andrews Kurth Chief Information Security Officer Colonial Pipeline Chief Information Security Officer Google Cloud Opening Remarks * Kevin Mandia, Chief Executive Officer, Mandiant Fireside Chat: Future of Cybersecurity Industry * Kevin Mandia, Chief Executive Officer, Mandiant * Phil Venables, Chief Information Security Officer, Google Cloud Panel: Regaining Trust after High-profile Security Incidents A panel of security leaders will discuss the steps they took to strengthen their security programs and regain public trust following high-profile security incidents. They will discuss their security initiatives, ways they were able to further integrate security into the corporate culture, expectations of their boards and government regulators, and the challenges they faced along the way. You’ll learn from the leaders defending against some of the world’s most aggressive adversaries. 
Participants * Moderator Charles Carmakal, Senior Vice President and Chief Technology Officer at Mandiant * Tim Brown, Chief Information Security Officer at SolarWinds * Jason Manar, Chief Information Security Officer at Kaseya * Lisa Sotto, Partner at Hunton Andrews Kurth LLP, * Adam Tice, Chief Information Security Officer at Colonial Pipeline Cracking the Beacon: Automating the extraction of implant configurations 11:30 AM-12:15 PM ET Breakout Track - Intelligence Columbia 1 & 2 | ICA-01 Senior Data Engineer Elastic Principal Security Research Engineer Elastic Cobalt Strike is a premium offensive security tool leveraged by penetration testers and red team members as a way to emulate adversary behavior. The goal is to validate security detection capabilities and processes by replicating a real-world intrusion. While Cobalt Strike is a legitimate tool, it is often abused by threat actors as a way to gain and maintain persistence in targeted networks. To manage command and control, Cobalt Strike leverages an implant that uses a beacon configuration known as a Malleable Command and Control (Malleable C2) profile. A Malleable C2 profile contains a tremendous amount of valuable information for a defender as a way to dismantle intrusion campaigns and proactively defend networks. This talk will focus on collecting Cobalt Strike beacon payloads from the memory of targeted Windows endpoints, extracting and parsing the beacon configurations, writing the configuration data back into an open-source data analytic platform, and use cases on how defenders can use this data to impose cost on adversary activities and campaigns. The collection, extraction, parsing, and analysis will be accomplished by using an open-source tool we have released. 
Debunking Common Myths About XDR 11:30 AM-12:15 PM ET Breakout Track - Security Engineering Lincoln | SE-01 Technology Strategist SentinelOne There has been a tremendous buzz across the cybersecurity community about the emerging technology known as XDR (eXtended Detection & Response). Unfortunately for the practitioner, there has yet to be a single definition widely accepted by both analysts and vendors purporting to be knowledgeable on the subject. What is XDR and why should I consider the technology in my enterprise security stack? What should I expect from vendors who claim to have built the perfect mousetrap? What is reality, and what is just hype? This session is intended to walk the audience through some generally accepted value statements associated with XDR while attempting to debunk a few common myths that continue to muddy the the water for security teams. Autonomic Approach to SOC: Applying SRE Lessons to Security Operations 11:30 AM-12:15 PM ET Breakout Track - Security Operations Columbia 11 & 12 | SOP-01 Senior Staff Consultant at Office of the CISO Google Global Head of Autonomic Security Operations Google Adapting to the exponential signal volume and complex nature of the evolving technology landscape will require a fundamental shift in how we build scalable security operations programs. In this session, we'll discuss why the battle against adversaries will be centered around people adopting the principles, practices, and tools of autonomic security operations. We will also cover how we apply the principles that Site Reliability Engineering (SRE) and DevOps teams already learned in IT transformation to evolve security operations. Anatomy of a Ransomware Attack 11:30 AM-12:15 PM ET Breakout Track - Security Threats And Exploits International Ballroom | STE-01 Managing Director Mandiant This talk intends to give a Ransomware Attack 101 lesson to the folks who don't understand the intricate details of what goes on in a real ransomware attack. 
Since we see all phases of the kill chain/attack life cycle, the goal of this talk is to demo the technical parts of the attack and also share anecdotes on common human reactions on major events from the discovery of ransom note and systems outage due to ransomware attack. The demos will be on infiltration, internal reconnaissance, privilege escalation, lateral movement, tunneling tools for persistent access, data reconnaissance and data exfiltration. The human stories would be around the reactions on major events from discovery of ransom note to hiring outside counsel, forensics firm and ransom negotiators, to major decision making based on forensic findings and comms with the threat actor. After listening to this session, the audience would have a greater understanding of the attack lifecycle of a ransomware attack and what they might want to prepare for in light of a potential ransomware attack. Engineers, not Jedis 11:30 AM-12:15 PM ET Breakout Track - Software Development Security Georgetown | SDS-01 President Shostack + Associates This provocative talk will make a case for a better way of thinking about threat actions, and that we must ask every engineer to take responsibility for the security of their code. As software organizations try to bring security earlier in the development processes, what can or should software or operations engineers know about security? Taking as given that we want them to build secure systems, that demands shared understanding of the security issues that might come up, and agreement on what that body of knowledge might entail. Without this knowledge, they’ll keep building insecure systems. With them, we can have fewer recurring problems that are trivially attackable. This session will cover: 1. A tiered model of expertise. 2. What are the criteria for an engineer’s knowledge? 3. Types of knowledge we might want 4. The core must be threat actions: what can go wrong? 5. STRIDE, predictability, parsing, kill chains 6. 
limits of the model & when we need more jedi Navigating the New Normal In Cyber Insurance: From Application to Ensuring Robust Coverage 11:30 AM-12:15 PM ET Breakout Track - Third Party and Cyber Risk Management Columbia 3 & 4 | TPCR-01 Chair, Cybersecurity & Data Privacy Practice Woods Rogers From war exclusions to applications asking for the nuances of network protections down to the names of software providers, the cyber insurance market in 2022 has emerged as particularly daunting. Walk through lessons learned with a cybersecurity attorney who has sat through the 2022 underwriter calls in $100M scenarios, seeing the ins and outs of coverage from the vantage point of an objective witness (i.e., not an insurance sales person). Learn what to look for and why every CISO needs to be in the room for coverage discussions. Take away talking points to bring to your leadership teams to advocate for security involvement in the underwriting process beyond just filling out the insurance application. Learn how to add your own robust incident response teams at the time of binding coverage - even if they are not on the insurance carrier's panel - and how to get the best bang for your insurance buck. Running a captive insurance program? Talk real risk and how to leverage policies as additional layers of protection. This session will be fast-paced with true takeaways to improve your cyber insurance posture. Lessons from how BlackRock built a Threat Actor Detection Lifecycle 11:30 AM-12:15 PM ET Breakout Track - Sponsor Jefferson | SP-01 VP Managed Solutions Mandiant VP Security Engineering BlackRock Understanding threat intelligence and knowing how well your organization is protected is a constant battle in cyber defense operations. You need to know who or what may be targeting your organization. How well is your current toolset blocking or detecting adversaries in your environment? Do you know how to prioritize resources for the most effective cyber protection? 
Explore how investment management firm BlackRock successfully operationalized threat intelligence and security controls testing with custom detections to confidently answer the question, “Are we prepared?” Hear how BlackRock VP Rebecca Quinn worked with Mandiant to enable her SecOps team to be consistently and immediately effective, whether the Board asks for information or if the next zero-day attack happens. Lunch & Learn: Another Year – Another Ransomware 12:15 PM-1:30 PM ET Meals Monroe | LL-02 Senior Principal Reverse Engineer Mandiant The ransomware has been wide spread in the past years with new variants emerging every year. Some of those are highly advanced software capable of spreading laterally throughout the affected network endpoints. In this talk we’ll go over a comprehensive and recent ransomware sample focusing on its encryption and spreading capabilities. Lunch & Learn: Your Routers: Operational Relay Boxes and Anonymization Networks 12:15 PM-1:30 PM ET Meals Cabinet | LL-01 Senior Reverse Engineer Mandiant This talk presents a sophisticated router implant involved in a campaign that utilized compromised small office / home office routers as operational relays. We discuss some of the challenges and tips associated with reverse engineering a MIPS-based sample involving several statically linked libraries. We then dissect the protocol used to construct and maintain the anonymization network as well as the implant's functionalities, paying close attention to the OPSEC discipline imposed on the malware. Lunch & Expo 12:15 PM-1:30 PM ET Meals LE-18 Everything you Thought you Knew about Stealing IP is Wrong 1:45 PM-2:30 PM ET Breakout Track - Intelligence Columbia 1 & 2 | ICA-02 Director, Security and Business Intelligence DTEX Systems DTEX Global i3 Team Lead DTEX Systems This session defines the difference between insider ‘risks’ versus ‘threats,’ and highlights a new threat persona–the Super Malicious Insider. 
The session outlines how organizations can identify and track common Indicators of Intent that lead to malicious or unintentional insider threats, with a specific focus on Super Malicious Insiders. Specific examples of actions taken by Super Malicious Insiders that signal malicious intent and are likely to lead to data loss/IP theft – providing real life insight into what analysts need to know to tackle this expanding issue in security. New research that details the most common red flag behaviors that signal malicious/unintentional insiders and how specific combinations of actions increase the likelihood that an organization has a serious insider threat issue in their environment will be included. The research is driven by real data observed through recent investigations at real customers with whom the DTEX i3 team detected and responded to potential insider risk incidents before a breach occurred. Scaling SaaS Security with Cloud Native Security Tools 1:45 PM-2:30 PM ET Breakout Track - Security Engineering Lincoln | SE-02 Head of DevSecOps and Governance Metallic.io Sr. Director and Head of Security Strategy Metallic.io Most enterprises are using a hybrid cloud model for their technology services today including SaaS based service models. At Metallic, we protect our customer’s Crown Jewels – their data, which is why Metallic’s Security Posture must be impenetrable. In this session, we will share our security strategies and outline deep technical security best practices to secure cloud environments using Secure-by-design Security Engineering approaches. You will learn how to secure critical cloud services according to latest security guidelines, standards and methodologies including NIST 800-53, ISO27001:2013 and others. 
Topics covered: * Security Architecture * Identity and Governance * Security Monitoring - logging of all user activity & threats * Continuous patching to ensure the most secure version of the service is deployed * Continuous vulnerability monitoring, intrusion detection, and Malware protection * Backup and Recovery – not an afterthought but a bedrock of Security-in-Depth * Edge protection – DDoS, WAF * Adopt deception tech 11 Strategies of a World-Class Cybersecurity Operations Center 1:45 PM-2:30 PM ET Breakout Track - Security Operations Columbia 11 & 12 | SOP-02 Department Manager MITRE Investigations Team Lead Microsoft You’ve just found out the smart-lights in the cafeteria are connected to your corporate network and can be dimmed from anywhere in the world, the sales team has been spinning up unmanaged AWS accounts to do customer demos, and CISA says you need to put your Shields Up. You know you need to accelerate building your detection and response capabilities - and you can’t risk making mistakes while you sort out your priorities. Today’s cybersecurity operations centers (SOCs) are under more pressure than ever to adjust defense and detection techniques on-the-fly to address adversaries hiding in the corners of your IT. To help you accelerate, we’ve cultivated an actionable strategic roadmap for any size organization to up their security ops game. This is based on in-depth interviews with dozens of SOC teams in a broad range of environments, and decades of working in SOCs ourselves. Attendees will leave this presentation with practical, pragmatic action items to help their SOC to excel at these challenges. At the end, a link will be provided to a completely free, newly released book that discusses all of this in greater detail. 
Old Services, New Tricks: Cloud Metadata Abuse by Threat Actors 1:45 PM-2:30 PM ET Breakout Track - Security Threats And Exploits International Ballroom | STE-02 Principal Consultant - Incident Response Mandiant Senior Manager - Incident Response & Remediation Mandiant Since July 2021, Mandiant identified exploitation of public-facing web applications by threat actors (UNC2903) to harvest and abuse credentials using Amazon’s Instance Metadata Service (IMDS). Although the threat actor specifically targeted Amazon Web Services (AWS) environments, many other cloud platforms offer similar metadata services that could be at risk of similar attacks. Related threat actor motives and operations are gaining prominence as enterprises continue their migration to cloud hosting services. Mandiant has tracked access attempts by the threat actors to access S3 buckets and additional cloud resources using the stolen credentials. This presentation covers how threat actors performed the exploitation and IMDS abuse, as well as related security hardening guidance on how to detect, remediate, and prevent this type of instance metadata abuse in an organization’s environment. As part of this presentation, we will walk through a demo of the web application that was abused and show how easy it is to obtain credentials if the organization is using the legacy version of IMDS. Then, we will show how by performing the remediation techniques mentioned in the presentation. A Four-Step Process for SDLC Security 1:45 PM-2:30 PM ET Breakout Track - Software Development Security Georgetown | SDS-02 Director, Technical Product Management GrammaTech Software must be protected from the inside out beginning in the earliest stages of the software development life cycle (SDLC). This session will present the following four-step process for SDLC security. 
Program planning that covers how the application will be used, what sensitive data will be processed, mapping application interdependencies, code components and libraries. Use SAST (static application security testing) to build security into the SDLC at the code layer. Software composition analysis (SCA) to analyze the makeup of source code, including third-party and open source, and determine if components are introducing risk by checking for N-day or Zero-day vulnerabilities, and improper versioning and licensing. Create a Software Bill of Materials (SBOM) that identifies the use of open source components. This should be done in both the custom code as well any third-party code in the software. Run a final vulnerability analysis to check for any vulnerabilities that may be hiding in open source components or the application functions, and remediate them, to ensure that software being released into production does not contain hidden exploitable vulnerabilities. Supply Chain Risk: Do You Go Deep Enough? 1:45 PM-2:30 PM ET Breakout Track - Third Party and Cyber Risk Management Columbia 3 & 4 | TPCR-02 Vice President Architecture & Engineering Capital One Software Supply Chain Security has always been about the physical elements. Outsourcing first tier, second tier is where most companies focused on their resiliency and continuity plans. Now with the recent introductions of Solarwinds, Log4J, and Spring, it is an area of Software Supply Chain Security that needs to change how deep you go as you build out your 3rd party risk and vendor management capabilities. 
What Cyber Leaders Need to Know to Execute a Successful Transformation
1:45 PM-2:30 PM ET | Breakout Track - Sponsor | Jefferson | SP-02
McKinsey & Company; Associate Partner, Cyber Expert, McKinsey & Company
Organizations are facing several major cybersecurity shifts (e.g., cyber as a competitive advantage, increased scrutiny from stakeholders, growth of cloud technologies, regulatory constraints, an evolving threat landscape). Chief Information Security Officers and other cyber executives can successfully navigate this new reality and deliver with impact using a well-articulated strategy and intentional execution, while demonstrating results in a way that resonates with business leaders. This session will cover the steps needed to execute a strategic transformation, while defining the critical dimensions of focus that drive success.

Inside ContiLeaks: Mapping Human Intelligence to Technical Data
2:45 PM-3:30 PM ET | Breakout Track - Intelligence | Columbia 1 & 2 | ICA-03
Director, Mandiant Intelligence, Mandiant
Nothing illustrated the complexities of the cybercrime ecosystem more than the hundreds of thousands of threat actor communications that were leaked in March 2022. While they were widely hailed as the “ContiLeaks,” the chats contained information pertaining to a much broader set of malware activity and provided direct insight into the actors' divisions of labor, including tasks such as spam distribution, crypting, development, infrastructure set-up, hacking, recruitment, and management. This type of human intelligence is rarely available; instead, we commonly rely on technical observations alone to make assessments about threat activity. The leaks of these private chat messages, however, give us a mechanism to retroactively ask questions like who, how, and why.
In this talk, we will look at the chats through this unique lens and focus on mapping technical data collected from some previously observed campaigns and intrusions to specific conversations that occurred between the actors involved.

Why all Speed and No Security Make IaC a Risky Business
2:45 PM-3:30 PM ET | Breakout Track - Security Engineering | Lincoln | SE-03
Chief Technology Officer, oak9
Over the last five years, software delivery has transformed. Today, infrastructure is designed and delivered as code. That code represents the entire application architecture and enables development teams to deliver infrastructure capabilities in an agile manner, where foundational architectural changes are made from release to release at an incredible velocity. In many cases, resource-constrained security teams are not positioned to support this new speed of modern development. Join us to hear practical steps for how security teams can adapt when their dev organizations adopt infrastructure as code. We will outline typical challenges security teams face before diving into specific automation approaches that ensure security designs evolve as application architectures change, and how to build architectures that are secure and compliant by design. You will walk away with an understanding of:
1. Key approaches for security design and engineering teams to better support the adoption of infrastructure as code
2. Best practices for cloud-native infrastructure security
3. How to assess your cloud-native architecture against your design patterns through automation

Is Network Evidence Really Needed for Security Operations?
2:45 PM-3:30 PM ET | Breakout Track - Security Operations | Columbia 11 & 12 | SOP-03
Federal CTO, Corelight
Regardless of form factor (copper, fiber, RF, etc.), networks are the transport fabric for all IT. This is true in the modern world of cloud apps and distributed teams, even if networks have become harder to access and monitor.
Attackers inevitably leave traces on the network, and for this reason defenders understand the value of high-quality network evidence. But given the rise of encryption, digital transformation, Zero Trust architectures, and SASE… is it even feasible to collect network evidence anymore? Maybe we should throw in the towel and do without it? In this talk, I’ll make the argument that network evidence has never been more relevant to security operations teams, but our techniques for gathering and analyzing it need to evolve as application architectures and access patterns continue to change. Network evidence needs to be readily available within cloud-native architectures such as Kubernetes, and it should offer insight even when the traffic being analyzed must remain encrypted. We need a revolution in thinking about the ways and means by which network evidence can be collected. In some sense, the boundaries between host and network may dissolve.

Certified Fresh: NOBELIUM’s Methodology to Maintain Organizational Access
2:45 PM-3:30 PM ET | Breakout Track - Security Threats And Exploits | International Ballroom | STE-03
Cybersecurity Consultant, Microsoft; Senior Cybersecurity Consultant, Microsoft; Principal Cybersecurity Consultant, Microsoft
DART has recently observed tradecraft that illustrates the NOBELIUM threat actor’s resourcefulness and knack for leveraging shared secrets (credentials and certificates) to gain and establish access to customer networks. Join us as we share case studies that illustrate how this actor harvested and subsequently leveraged organizational data (such as email and internal documentation) to cyclically maintain access -- despite ongoing eviction efforts -- specifically targeting assumed security boundaries (such as VPNs) to keep their foothold. We will also discuss the TTPs used across the attack chain and review common issues and mitigations regarding secrets hygiene.
Adversarial Mindset
2:45 PM-3:30 PM ET | Breakout Track - Software Development Security | Georgetown | SOP-04
SVP & Chief Security Officer, Mandiant; Chief Information Security Officer, Wiz
A shift needs to occur in how we think about cyber security. With data as the new currency, highly motivated adversaries are hunting for access – directly or through your supply chain. Success is very lucrative for them, and causes nightmares for your team. In this panel, three top CISOs at the forefront of cyber defense will provide insights into what needs to change to get in front of these attackers. Hear how to activate threat intelligence in organizations to successfully stop these cyber criminals. Attendees will also learn how to assess the level of adversarial activity and the potential impact to an organization, along with how to develop strategies to protect their customers, employees, and assets.

Helping Critical Infrastructure Understand and Protect Against Cyber Attacks
2:45 PM-3:30 PM ET | Breakout Track - Third Party and Cyber Risk Management | Columbia 3 & 4 | TPCR-03
Director of Cybersecurity & Enterprise Architecture, Centerpoint Energy; Vice President Consulting, Mandiant
Cybersecurity challenges in the critical infrastructure sector are increasingly significant. Power outages, service disruptions, and theft of sensitive operational and business information from ransomware, cyber extortion, denial of service attacks, and destructive malware are cause for alarm for critical infrastructure companies. The shutdown of pipelines and other essential services due to ransomware is a wake-up call for organizations that are increasingly concerned about managing the risks associated with cyber attacks.
In this session, our panel of speakers will discuss the threat and legal landscape affecting critical infrastructure, walk participants through a critical infrastructure cyber attack (including lessons learned from forensic investigations and negotiation tactics), and discuss how to effectively communicate with affected stakeholders. We will also discuss proactive measures critical infrastructure companies can take to protect against cyber attacks. The session includes speakers from all perspectives — legal, forensic, communications, and law enforcement.

Living Security With Trellix XDR
2:45 PM-3:30 PM ET | Breakout Track - Sponsor | Jefferson | SP-03
VP, Strategy, Trellix
XDR is one of the hottest buzzwords in cybersecurity. But what really is XDR, and how will it help organizations better protect their users, assets, and data? In this talk, we will discuss the current customer landscape, the challenges customers face and the outcomes they desire, and how XDR optimizes the SOC experience. Learn about Trellix’s native and open XDR platform and see the future of the SOC.

On Your Left: How Target Collects and Processes Cyber Threat Intelligence
4:00 PM-4:45 PM ET | Breakout Track - Intelligence | Columbia 1 & 2 | ICA-04
Director, Cyber Threat Intelligence, Target; Principal Engineer, Target Corp.
One of the biggest challenges that cyber threat intelligence (CTI) teams face each day is how to unpack and act on the massive amount of information available to them. Being left of the kill chain means identifying what information your security team is collecting and processing before an attack occurs. Prioritizing what information is collected and processed is critical to avoid being overwhelmed by the vast amount of data available to analysts today. Target has developed automation to address the collection and processing of raw information, which typically consumes most of the work in the intelligence cycle.
This presentation will provide insight into the diverse technology stack Target uses to automate intelligence collection for its CTI team. Specific examples will be provided of how Target’s CTI team uses this tech stack to produce analysis and detection for high-priority threat actors (e.g. FIN7).

Signed, Sealed, Delivered: Abusing Trust in Software Supply Chain Attacks
4:00 PM-4:45 PM ET | Breakout Track - Security Engineering | Lincoln | TPCR-04
Threat Intel Specialist, TD Bank
“Software is eating the world,” Marc Andreessen wrote in 2011. Today we're building code, deploying containers, and running cloud services for innovation. Given our increasing reliance on third-party code, open source libraries, and shared repositories, we’re looking at a rising tide of software supply chain compromises that we’ll fail to detect because we trust but don’t verify those sources. Recent attacks show how easy it is to create confusion and send malicious code undetected through automated channels to trusting recipients. Software supply chain attacks aren't new. They take time, resources, and skill to plan - the purview of state-sponsored threat actors, especially from Russia and China. Historically, Chinese threat actors have been behind some of the biggest attacks, leveraging certificate abuse and code signing. As was shown by SolarWinds, attacks on tech companies can lead to third-party compromise of enterprise customers via automated software supply chain updates. Attackers take the time to seek out our mistakes, weaknesses, and inherent trust to exploit. Where is the weakest link in your software supply chains of trust?

What Works For SIEM — An Evidence-Based Study
4:00 PM-4:45 PM ET | Breakout Track - Security Operations | Columbia 11 & 12 | SOP-05
VP, Cyber Security Evangelist, Securonix
Like it or not, the SIEM is a common tool in the security arsenal, and many organizations use it as the foundation of their SOC.
It has been around for more than 20 years, going through a continuous evolution from relational databases to cloud-based big data technologies. But do we really know how to use it appropriately? The good thing about running a cloud SIEM is that you can get a lot of insights from data aggregated across all tenants. We looked at this data set and asked ourselves, "what can we get from this data to help organizations drive their SIEM deployment, regardless of which product is being used, so they will actually get value from it?" This session will present the results of this study, based on hundreds of SIEM deployments, showing REAL SIEM use best practices. What are the data sources that provide the best threat detection results? Does it make sense to use threat intelligence matching as a detection method? What about custom use cases: are they worth the effort to develop? Do the machine learning-based use cases really deliver what is promised by the vendors?

Intelligence Driven Incident Response
4:00 PM-4:45 PM ET | Breakout Track - Security Threats And Exploits | International Ballroom | STE-04
Incident Responder, Mandiant
This presentation will focus on incident response and intelligence and will explain how the use of effective threat intelligence enables organizations to efficiently identify and eradicate Advanced Persistent Threats. The first section will discuss the response processes that should be implemented to investigate, respond to, and eradicate cyber threats. The second section will focus on threat intelligence and how effective intelligence helps organizations gain strategic, operational, and tactical advantage over adversaries. It will also include best practices on how intelligence should be handled and processed so that it can be integrated into the cyber defense functions.
The last section of this presentation will discuss a real-life engagement illustrating how accurate, timely, actionable intelligence made it possible to identify APT39 cyber espionage activities while investigating an unrelated ransomware attack.

How to Design and Secure The Multi-Cloud Enterprise
4:00 PM-4:45 PM ET | Breakout Track - Software Development Security | Georgetown | SDS-03
Head of Security Solutions Management, Google; Head of Operations, Autonomic Security Operations, Google
When it comes to cybersecurity, one size doesn't fit all. Organizations moving to the cloud need to adopt controls and capabilities to meet their security and compliance objectives. As they move to a multi-cloud environment, they need the knowledge and operating expertise to achieve and maintain their desired security and risk posture. They also know that taking advantage of cloud-native security controls can help transform and modernize their security program. In this session, learn how to:
* Build on a secure-by-design cloud foundation
* Take advantage of a constantly expanding array of security controls and capabilities to help meet policy, regulatory, and business objectives
* Leverage prescriptive guidance - from a cloud and security ecosystem - in designing and securing the multi-cloud enterprise

Security and Privacy Team Engagement; Overrated Collaboration or Underleveraged Alliance?
4:00 PM-4:45 PM ET | Breakout Track - Third Party and Cyber Risk Management | Columbia 3 & 4 | TPCR-05
Vice President, Chief Information Security Officer, Intermountain Healthcare; Chief Privacy Officer, The University of Chicago Medicine & Biological Sciences
Differences in operational approaches between security and privacy can, at times, make collaboration challenging. It can be comfortable for the two teams to work independently of each other despite often sharing similar critical initiatives. The lack of understanding has an impact on business goals and efforts.
Ultimately, though, the two teams share a common motivation at the organizational level. This session will define the differences and similarities between security and privacy. It will provide an innovative, strategic approach to leveraging the strengths of each team in combination with the other, specifically in the areas of training and education, data governance, third-party risk, and incident response. The talk will offer a framework of best practices for engaging with each other to offer joint strategies for enterprise risk management, enhanced practices that lead to operational efficiencies, and mitigation practices. The presenters will combine direct knowledge sharing with audience engagement. Real-life scenarios will be presented and discussed. The session is suited for those looking to influence risk strategy and practice from a leadership level.

How to Ensure Recovery Objectives By Managing a Forensic Image Time Series
4:00 PM-4:45 PM ET | Breakout Track - Sponsor | Jefferson | SP-04
GTM Tech Lead - Security, Rubrik
Cyber attacks are a matter of when, not if – this is the crux of the “assume breach” mentality. Many organizations have strong capabilities around prevention and detection but are still maturing their preparedness in responding to data breaches. Improving your cyber resilience begins with an effective data protection strategy aligned with your recovery point and recovery time objectives. In addition, security blind spots can be addressed by detecting malicious changes to data over time. Join this session to learn how to minimize incident response time and data loss by being prepared to recover safely, quickly, and precisely.

Welcome Reception
5:00 PM-6:30 PM ET | Evening Events | Columbia | EVNG-01
Join us on the expo floor to mix with fellow attendees and our sponsoring partners.
October 19, 2022

Registration
7:00 AM-6:00 PM ET | General | Terrace Foyer | REG-03

Expo Hours
8:00 AM-5:45 PM ET | General | Columbia | EX-02

Breakfast & Expo
8:00 AM-8:45 AM ET | Meals | Columbia | BE-19

Keynotes
9:00 AM-11:15 AM ET | Keynotes | International Ballroom | KN-02
Investigative Reporter, Reuters News; Vice President, Intelligence Analysis, Mandiant; SVP, Intelligence, CrowdStrike; Director of Intelligence, Red Canary; Strategist, Professor, Founder & Partner, New America, Arizona State University, Useful Fiction LLC
Panel: Cyber Intelligence in a Rapidly Changing World
The work of cyber intelligence teams is becoming more pertinent, yet increasingly difficult, as major geopolitical events and new technical demands transform the landscape. During this session, cyber intelligence leaders will discuss these challenges and the anticipated opportunities.
Participants
* Moderator Chris Bing, Reporter at Thomson Reuters
* John Hultquist, Vice President of Intelligence Analysis at Mandiant
* Adam Meyers, Senior Vice President of Intelligence at CrowdStrike
* Katie Nickels, Director of Intelligence at Red Canary
P. W. Singer, New York Times bestselling author and expert on the future of tech and conflict, will speak to the rise of social media manipulation and emergent threats.

Patterns of Malicious Infrastructure (Re)Use in Ukraine-Themed Domains
11:45 AM-12:30 PM ET | Breakout Track - Intelligence | Columbia 1 & 2 | ICA-05
Senior Data Engineer, DomainTools; Security Evangelist, DomainTools
At the 2021 Mandiant Summit, we presented the concept of "Domain Blooms," patterns of large numbers of domains related to a specific theme, which rise rapidly, peak, then settle down to a background level. Some of these blooms show higher-than-average domain risk. This presentation examines a bloom whose beginning coincided with the Russian invasion of Ukraine; the domain names in the bloom all contain the word "Ukraine" or variants of it.
The analysis shows an elevated risk level compared to the Internet as a whole, but perhaps more importantly, we found "hotspots" of even more concentrated phishing, malware, and spam activity tied to certain features (IP address, name server, ASN, etc.). Moreover, by analyzing connections found in some of these values, we identified other clusters of malicious infrastructure that extended beyond the Ukraine theme, pointing toward other campaigns centered on patterns such as cryptocurrency and spoofing of legitimate enterprises (technology companies, banks, gaming, etc.). The work underscores the continuing value of infrastructure analysis as an approachable method for identifying and isolating harmful assets threatening protected environments.

The Security Mindset...To Survive In An Ever Changing Threat Landscape
11:45 AM-12:30 PM ET | Breakout Track - Security Engineering | Lincoln | SE-04
Systems Security Engineering Manager, ASELSAN Inc.
Whenever the "human factor" is a subject in cyber security, it always addresses the end user. This session instead puts security professionals themselves under the spotlight and addresses them as the weakest link. Technical controls are not always the answer to complex security problems, yet they have always been the number one solution. This session focuses on how cyber security professionals fail with this approach, proposes another perspective, and explores the mindset a cyber security professional must possess to survive in today's cyber world.

Python for Incident Response
11:45 AM-12:30 PM ET | Breakout Track - Security Operations | Columbia 11 & 12 | SOP-06
Principal Consultant, Mandiant
Find out how to use Python alongside Jupyter Labs and Pandas to enhance the incident response process, from predefined "Playbooks" that can integrate multiple products to managing structured data in a quick, meaningful manner.
The talk will cover:
* Intro to Jupyter Labs and how to utilize Jupyter Labs for a SOC
* Intro into Python Pandas for the incident response role
* Learn how to use Jupyter Labs to enhance the incident response process
* Learn about real world cases where Python enhanced the IR process

Cookie Monsters: A Year of Investigating Session Cookie Replay
11:45 AM-12:30 PM ET | Breakout Track - Security Threats And Exploits | International Ballroom | STE-05
Senior Principal Consultant, Microsoft; Principal Cybersecurity Delivery Manager, Microsoft
In the past year, DART has observed three threat actor groups leveraging session cookie theft and replay techniques to pivot from on-premises to cloud (specifically, Azure) resources. These groups have ranged in their level of sophistication – from nation states like NOBELIUM and HAFNIUM to criminal and ransomware groups. In this talk, you’ll hear about DART’s incident response analysis in the form of case studies of each of these groups and the specifics of their methodologies and motivations. We’ll also discuss the significance of commodity malware in the threat actor ecosystem as a pathway used to gain initial access, especially as organizations adopt hybrid work arrangements and BYOD. Finally, we’ll discuss key strategies on the authentication and authorization layers, as well as the changes made to Microsoft products intended to detect and mitigate the use of this technique.

Anatomy of Software Exposure
11:45 AM-12:30 PM ET | Breakout Track - Software Development Security | Georgetown | SDS-04
Director of Product Security Attack Surface Management, InferSight
Having worked with several software development organizations using a broad range of development security operations solutions, we find a common disconnect between these processes and cyber security teams. Rarely do we find a SOC with strong ties to development systems.
The advent of cloud environments and dynamic infrastructure further separates these exposure risks from integrated detection and response capabilities.

The Growing Impact of Supply Chain Risk on Organizations Globally
11:45 AM-12:30 PM ET | Breakout Track - Third Party and Cyber Risk Management | Columbia 3 & 4 | TPCR-06
Founder & CEO, Interos; CEO, Mandiant
Over the past 24 months the world has seen the sustained impacts that unforeseen shocks can have on our global supply chains, including spiking commodity prices, lack of access to essential goods, cyber supply chain turmoil, and other essential areas. Organizations on average reported that they were impacted by three significant supply chain events within the last 12 months. For instance, more than 450 firms in the U.S. and Europe were shown to have direct supplier relationships in Ukraine that were threatened with disruption during the Russian invasion. In this presentation, Interos CEO Jennifer Bisceglie and Mandiant CEO Kevin Mandia will review original research that shows the direct impacts that events like Ukraine, resurgent pandemic lockdowns, geopolitical conflicts, and escalating trade friction with China have had on global supply chain networks. As global volatility around supply chains continues and black swan events become the norm, they will also discuss tactics for leaders to build resilience into their operations around security, ESG, and access to materials.

Lunch & Learn: Wipe It Like You Mean It
12:30 PM-2:00 PM ET | Meals | Monroe | LL-03
Senior Principal Reverse Engineer, Mandiant
The beginning of 2022 was marked by extensive cyber warfare targeting entities in Ukraine. In one such event, the attackers used a tool capable of destroying the compromised system by wiping the hard disks at a low level. In this talk we will go over the malware’s capabilities while focusing on the parts that set this tool apart from the others.
Lunch & Learn: Bait-and-Crawl: The Anatomy of a USB Worm
12:30 PM-2:00 PM ET | Meals | Cabinet | LL-04
Senior Reverse Engineer, Mandiant
This talk presents a slick USB worm that hooks unsuspecting users with well-crafted bait to spread itself. We analyze its infection chain by going through the cycle from USB infection to host infection and discuss the clever strategies implemented by the malware to perform update propagation and data exfiltration in an air-gapped environment.

Elevate: How Leaders Prioritize Purpose and People for Growth Impact
12:30 PM-2:00 PM ET | Meals | Jefferson | ELVT
SVP, Strategy and Alliances, Mandiant; CEO and Cofounder, Delivering Happiness and Bestselling Author, Beyond Happiness
This is a Mandiant-sponsored event that requires separate registration. Please register here: https://www.mandiant.com/elevate/luncheon In-person space is limited. Lunch will be served during this session.

Lunch & Expo
12:30 PM-2:00 PM ET | Meals | LE-19

Taking Over Domains - Dangling DNS
2:15 PM-3:00 PM ET | Breakout Track - Intelligence | Columbia 1 & 2 | ICA-06
CEO, Silent Push Inc.; CTO, Silent Push Inc.
With the proliferation of new malware-less criminal activity taking advantage of session cookies and social engineering, there are avenues that we should shut down for threat actors. Recent events (Lapsus$ as an example) showed that there is a proliferation of session cookies for sale. One easy way to harvest cookies is through subdomain takeovers. We'll go through how we uncover subdomains ready for takeover, how we choose soft targets in our search, and then how attackers can abuse these soft targets, with a full proof of concept. How can people clean up all this dangling infrastructure?
Simplify Your Security Stack, Reduce Risk & TCO
2:15 PM-3:00 PM ET | Breakout Track - Security Engineering | Lincoln | SE-05
Group Manager, Avanade; Senior Director, Avanade
As with most technology, segregated, independent best-of-breed platforms are ultimately supplanted by integrated tech with a cohesive architecture and a single platform. Look no further than the smartphone to see what used to be a separate camera, pager, phone, calculator, PDA, scanner, and payment card. In security, the age of best of breed is over, and it's time to move to cloud-hosted security models where shared policies, data, attributes, and architecture enable dramatic improvements over monolithic, siloed security solutions. While the presenters believe there is a strong business case for most organizations to look to Azure to leverage existing O365 investments and collaboration, this isn't a "Move to Microsoft" story; it's a cloud-agnostic journey. The speaker will discuss a process for analyzing and optimizing a security portfolio, with case studies where organizations were able to achieve dramatic TCO savings while improving security by moving from a security menagerie to an integrated model. Finally, the speaker will discuss takeaway lessons to enable participants' own security portfolio optimization journey, with 30/90/180-day deliverables.

Human + Machine: Combining Human Expertise and Machine Learning to Triage Security Data
2:15 PM-3:00 PM ET | Breakout Track - Security Operations | Columbia 11 & 12 | SOP-07
Director, Data Science Research, Mandiant; Security Research Architect, Automated Defense, Mandiant; Technical Director, Mandiant
Security analysts are faced with a constant stream of telemetry, threat intelligence, and alert data.
To identify the most relevant and actionable information, analysts require advanced decision support tools that allow them to filter low-quality information, assess the severity of security signals, and prioritize to match their organization’s unique risks and business needs. In this presentation, we describe a threat scoring framework that combines human expertise and data-driven machine learning models to help analysts filter and triage their security data along three dimensions: confidence, severity, and customization. For each of these dimensions, we show how machine learning models can be used to intelligently augment and scale human expertise to provide a better solution than either approach could achieve on its own. Furthermore, we explore how these three components can be developed and maintained independently, and later combined with one another in a reusable design pattern for creating scoring systems that are tailored to each organization’s risk profile. We concretely demonstrate these principles via a case study leveraging the framework to triage security alerts.

Why Browser Monoculture and Plugins are Putting us all at Risk
2:15 PM-3:00 PM ET | Breakout Track - Security Threats And Exploits | International Ballroom | STE-06
CTO, Novacoast, Inc.
With a stronger reliance on the web and less reliance on individual applications, the threats brought directly from browsers have increased dramatically. That complexity brings with it a desire to allow expanded functionality within the browser. The issue with plugins is that various browser manufacturers have allowed them to be developed with a very loose set of rules, requirements, and security standards. Today malware is rampant inside browser plugins, and the security of a plugin is difficult to determine. Vulnerabilities are present but go unnoticed, and malicious browser plugins are loaded both from browser storefronts (Mozilla, Google, Microsoft, others) and side-loaded from unknown sources.
This talk will discuss methods for detection of plugins, how scanning should happen, why the industry is failing, and what practitioners should do about it in their own environments.

Maturity Model Assessments: Building Security into Developer Culture
2:15 PM-3:00 PM ET | Breakout Track - Software Development Security | Georgetown | SDS-05
Application Security Evangelist, Ford Motor Co
The need for secure software in the digital age is growing, while the actual security of code written globally is not improving, as seen by application security professionals. The shift to Agile and DevOps software development methodologies exacerbates this, as more code is released more rapidly than ever. Without a robust application security culture baked into development, this increased speed of delivery increases vulnerabilities inside software products. Developers are left with less time to deliver more features, and are equipped with few security skills to improve quality. The gap in understanding, priorities, and culture between security professionals and developers has not improved. We see this truth in older security models with multiple gate tests late in the Software Development Life Cycle (SDLC) that chafe against Agile developers. The complex problem of culture change requires measurement to track improvement. This is best done with a neutral, non-biased maturity model that covers the entire SDLC. The Software Assurance Maturity Model (SAMM) published by OWASP, used collaboratively in assessments with development teams, can empower them to improve their own culture.

Don't Let Metrics Mislead You
2:15 PM-3:00 PM ET | Breakout Track - Third Party and Cyber Risk Management | Columbia 3 & 4 | TPCR-07
Sr. Technical Director, Mandiant; Sr. Director, Services and Solutions, Mandiant
Organizations are flooded with poor and often misleading cyber security metrics. To identify meaningful metrics, you must start with what goal you are trying to achieve.
Are you striving for cyber defense effectiveness, compliance, or reducing costs? If so, then make sure the metrics you gather are aligned to those objectives. Don’t get caught up with maturity scores and red, yellow, green charts. Focus on the measurements needed to drive the change you desire. In this session, we will walk through examples of meaningful metrics used to drive action toward achieving different business goals. We will uncover misleading metrics that should be avoided and explain how they can actually cause harm and motivate the wrong behaviors. Finally, we will propose an easy process for defining and evaluating metrics, including business goals, audience, and the cost of gathering metrics.

Cloud Native Security Operations
2:15 PM-3:00 PM ET | Breakout Track - Sponsor | Jefferson | SP-05
Director, Product Management, Threat Detection & Response (Google Cloud), Google
Security is inherently a big data problem today. As SOC analysts investigate attacks, the ability to correlate data across a variety of sources is critical, and doing that well requires a scalable platform that can provide the vehicle for investigation and analytics. In addition, security operations tools need to go beyond just providing a generic data lake and also provide the right capability around threat intelligence, detection analytics, and access to quality IR personnel. This session will review how next generation SOC platforms running natively in the cloud are uniquely positioned to solve customer challenges vs. traditional SIEM platforms.
Intelligently Building Your Cyber Threat Analyst Workforce
3:15 PM-4:00 PM ET | Breakout Track - Intelligence | Columbia 1 & 2 | ICA-07
Speaker: Principal Intelligence Enablement Consultant, Mandiant
The cyber threat intelligence (CTI) analyst role is arguably the most recent entrant to emerge among the cyber security career tracks, with the job role, responsibilities, and skill requirements wide ranging and not well understood by organization leadership or cyber security peers. During this talk, we use the newly developed, open sourced Mandiant Cyber Threat Intelligence (CTI) Analyst Core Competencies Framework to showcase the predicate knowledge, skills, and abilities (KSAs) required for analysts to aptly support organizational risk exposure reduction and cyber defense initiatives. We examine key tasks and support CTI teams are often asked to provide to strategic, operational, and tactical audiences and align them against the Framework's 4 underpinning pillars: Problem Solving, Professional Effectiveness, Technical Literacy, and Cyber Threat Proficiency. We map these KSAs to job titles and subsequently map those to specific cyber defense support functions. We conclude by walking through development pathways to guide growth in an organization's existing analytic cadre to support employee retention, intelligently inform future training requests, and aid in hiring decisions.

The Time to Build your Passwordless Future is Now
3:15 PM-4:00 PM ET | Breakout Track - Security Engineering | Lincoln | SE-06
Speakers: Principal Program Manager, Microsoft; Associate Director, Accenture; Senior Product Marketing Manager, Microsoft
The era of passwords is over. Every organization today faces password-related challenges: phishing campaigns, productivity loss, and password management costs, to name just a few. In fact, as of May 2022, there are 921 password attacks every second, nearly doubling in frequency over the past 12 months. As we learned from the many deployments that we supported, the best way to protect your organization from password-related attacks is to stop using passwords altogether. In this session we will share insights from the passwordless deployments we supported, explore effective strategies to roll out passwordless authentication, and discuss what’s next for the industry with new interoperable standards like passkeys.

Leveling up your Detection Engineering
3:15 PM-4:00 PM ET | Breakout Track - Security Operations | Columbia 11 & 12 | SOP-08
Speakers: CTO, SnapAttack; Detection Lead, Mandiant Managed Defense, Mandiant
Detection engineering is equal parts art and science. Being able to create high confidence, low false positive signatures has historically required someone with rare and diverse skills in offensive tradecraft, forensic analysis, and threat intelligence, as well as the under-appreciated IT skills to configure lab infrastructure resources. With the increasing demand for these skills and widely publicized infosec labor shortages, companies have shifted towards splitting these tasks across deeply specialized teams as well as looking for technology to gain efficiency. This construct not only scales, but also ushers in unexpected benefits like higher overall quality, process repeatability, resiliency, robust coverage, and the ability to show effectiveness and ROI reporting. In this talk, we'll discuss the 3 KPIs for measuring quality detections, share our detection engineering lifecycle, review the most common pitfalls for ‘shallow’ detections and how to avoid them, and provide a technical demo of our best-kept secret: leveraging attack emulation frameworks to jumpstart detection engineering and identify gaps in your security posture.
Ransomware Targeting Virtualization Infrastructure
3:15 PM-4:00 PM ET | Breakout Track - Security Threats And Exploits | International Ballroom | STE-07
Speaker: Principal Consultant, Mandiant
As documented in Mandiant M-Trends 2022, in 2021 Mandiant observed ransomware attackers using new tactics, techniques and procedures (TTPs) to deploy ransomware rapidly and efficiently throughout business environments. The pervasive use of virtualization infrastructure in corporate environments creates a prime target for ransomware attackers. By accessing virtualization platforms, ransomware attackers can rapidly encrypt many virtual machines without needing to directly log in to or deploy encryptors within each machine. Throughout 2021, Mandiant observed VMware vSphere and ESXi platforms being targeted by multiple threat actors, including those associated with Hive, Conti, Blackcat, and DarkSide. This session will provide details and demonstrate these attacker TTPs. In addition, this session will provide recommended monitoring strategies and possible risk mitigations that can be utilized by businesses to harden their environments.

Black Hole Programming
3:15 PM-4:00 PM ET | Breakout Track - Software Development Security | Georgetown | SDS-06
Speaker: CEO, Software Engineering Services, Inc
The concept of secure coding is not new, but adding the layer of complexity of doing so in a network where the internet is not accessible can prove to be a challenging, and at times nearly impossible, task in today's connected world. There are few developers in the world who can craft perfect solutions to problems encountered in the real world, and even fewer who are affordable for everyday development in a secure environment. The current state of software development employs libraries and packages that have been developed and shared by others. In a wide open development network environment this is a simple task of just downloading with your favorite tool like git or pip or whatever… In a secured “black hole” network, this is not possible without some careful planning and environmental considerations. This presentation describes a method developed for this purpose that allows for connectivity to a protected cloud environment for public access to needed libraries and packages, and a private assembly and build area for the development and deployment of applications, using DevSecOps at the core of the methodology.

The Evolving Regulatory Landscape
3:15 PM-4:00 PM ET | Breakout Track - Third Party and Cyber Risk Management | Columbia 3 & 4 | TPCR-08
Speakers: Attorney, Buckley LLP; Counsel, Buckley LLP; Partner, Buckley LLP
Regulated entities are facing ever-increasing and expanding technical requirements imposed by regulators with respect to cybersecurity programs. To compound the issue, new guidance has been issued by the U.S. Department of the Treasury and state agencies on compliance with U.S. sanctions and anti-money laundering laws when facilitating or making ransomware payments. With the increasing range of sanctions in light of the Russia-Ukraine conflict and the immediacy of their implementation, adjustments to security and compliance programs are necessary to address the regulatory risk associated with such payments and new regulations. Regulated entities that monitor transactions as required under FinCEN may be involved in multi-structured payments that flow between the United States banking system, cryptocurrency exchanges, and ransomware actors, and the failure to deploy strategies to report, block, and investigate such payments may also trigger a range of regulatory penalties, as previously demonstrated in enforcement actions. We discuss helpful strategies and best practices from a program perspective to avoid sanctions violations and regulatory scrutiny of cyber programs.
Low Hanging Fruit -- How Better AD Visibility Improves Your Defense against All Types of Attackers
3:15 PM-4:00 PM ET | Breakout Track - Sponsor | Jefferson | SP-06
Speaker: VP, Field Technical Ops, SentinelOne
We read about successful cyber and ransomware attacks every day. Most organizations do not realize that these attacks all have ONE thing in common and that there are simple, rapid, and inexpensive/free actions they can take which will dramatically improve their defense. This presentation will discuss key challenges with improving AD security and offer real solutions.

The Elusive Rosetta Stone: The Challenges of Standardizing Threat Group Names
4:30 PM-5:15 PM ET | Breakout Track - Intelligence | Columbia 1 & 2 | ICA-08
Speakers: Analyst, Mandiant; Cyber Crime Analysis Manager, Mandiant
Cyber threat intelligence producers and consumers often maintain a "rosetta stone" that maps multiple aliases for a given threat actor using information gleaned from open-source reporting and information sharing. Tracking these overlaps may help organizations overcome intelligence gaps, yet these mappings have limitations. Even two organizations using the same name for a threat group often do not base this label on the same underlying dataset or assessments, leading to differences in how the organizations define the threat group. These differences arise from four main factors. First, organizations may have different thresholds for attributing malicious activity to a particular threat actor. Second, no two organizations or researchers have the same visibility. Third, the granularity of attribution and threat group boundaries are based on the attributing organization’s level of insight and use case. Finally, threat actors themselves evolve over time through changes in their mandate, personnel, and resources. We’ll explore these factors through examples and case studies spanning the cyber espionage and financial crime threat landscape.
Why you need Cyber Range as a Service
4:30 PM-5:15 PM ET | Breakout Track - Security Engineering | Lincoln | SE-07
Speaker: Founder and CTO, Technical Systems Integrators
The key to the successful deployment of a cyber range infrastructure is to implement a methodology that manages the infrastructure using an agile life cycle approach, offering standardization and centralization of management and consumer activities, while giving developers, administrators, and users appropriate control and automation of their worlds, with the ability to share cyber range infrastructure resources, networks, and automation IP across many use cases. An agile-based, highly automated, and lifecycle-managed cyber range delivers maximum utilization of the services to allow for the greatest return on the investment.

Trust and Transparency in Incident Response, A Bittersweet Symphony
4:30 PM-5:15 PM ET | Breakout Track - Security Operations | Columbia 11 & 12 | SOP-09
Speakers: SVP, Detection and Response, Salesforce; Salesforce
No security incident will be handled 100% perfectly, but what matters is learning how to respond better in the future. Salesforce responded to a large complex incident in a time when companies are being closely observed by their customers and the public on how they respond. The world expects transparency, but there is a fine line to walk when responding to an active security incident. This presentation will share what works and what doesn't when responding to large, complex incidents and what we learned about trying to keep customers informed while actively investigating the incident.
Reputational Risks in Incident Response - How a Cyber Crisis Can Make or Break a Company's License
4:30 PM-5:15 PM ET | Breakout Track - Security Threats And Exploits | International Ballroom | STE-08
Speakers: Global Co-Head of Information Governance, Privacy and Cybersecurity, Norton Rose Fulbright LLP; Co-head of Cybersecurity & Data Privacy Communications, FTI Consulting; Managing Director of Incident Response, Mandiant; Chief Information Security Officer, Colonial Pipeline
Panelists, who have worked together in various capacities on some of the most headline grabbing cybersecurity attacks around the world, will share war stories from the front lines on how to collaborate across functions to effectively manage stakeholder communications after an incident. Attendees will learn how an incident response team should be structured - comprising legal, forensics, crisis communications and in-house security roles - and how they can work together so that information flows between workstreams in an efficient but privileged manner. Panelists, who each represent one critical component of an incident response team, have successfully navigated some of the stickiest communications situations resulting from a cyberattack, including Congressional investigations, disclosing root cause and ransom payments to the press, customers putting the victimized company in the penalty box, having to stay ahead of evolving threat actor pressure tactics, investor relations issues and more. Speakers will share what they have seen go well and where they tend to see companies fall short in terms of protecting their reputations and valued relationships with key stakeholders.
Implausible Deniability: Finding NDAA and OFAC listed Companies through OSINT
4:30 PM-5:15 PM ET | Breakout Track - Software Development Security | Georgetown | ICA-09
Speakers: Threat Intelligence Analyst, Chevron; Cyber Threat Intel Analyst, Chevron; Cyber Threat Intel Analyst, Capgemini
This presentation will cover how to identify and protect your organization from sanctioned companies identified by the US government as national threats. We will cover how a company becomes part of a US government published “blacklist,” the relationship between nation-states and sanctioned companies, examples and consequences, and how to search internally to secure your business.

Good Things Come in Small Packages: Mini-Tabletop Exercises to Validate Your DFIR Program
4:30 PM-5:15 PM ET | Breakout Track - Third Party and Cyber Risk Management | Columbia 3 & 4 | TPCR-09
Speakers: Consultant - Strategic Services, Mandiant; Senior Manager - Incident Response & Remediation, Mandiant
You can't predict the future, but you can prepare for it. It is vital that organizations focus on being proactive rather than reactive when it comes to the ever-evolving threat landscape. Typically, an organization will conduct a tabletop exercise annually on a relevant scenario. While tabletop exercises are valuable, due to the increased diversity of attacks Mandiant sees from the frontlines, the number of topics addressed did not sufficiently keep pace with the rapidly changing TTPs of threat actors. This requirement became the catalyst for the formation of mini tabletop exercises (mTTXs). mTTXs allow for a larger range of incidents to be covered, thus evaluating your organization’s cyber crisis processes, tools, and proficiencies in responding to additional cyber-attacks. mTTXs give organizations the opportunity to observe a multitude of gameplay iterations due to the shortened duration, which will, in turn, encourage attentive listening and increased participation. mTTXs can be catered to both a technical and an executive-level audience, and this presentation will highlight the strategic, technical, and logistical benefits of having mTTXs.

Digital Transformation: Inspiring Brilliance on the Basics
4:30 PM-5:15 PM ET | Breakout Track - Sponsor | Jefferson | SP-07
Speakers: Security Operations Practice Lead, Accenture Federal Services; Senior Principal Architect, Ardalyst; Chief Technology Officer, Ardalyst; President, Ardalyst; Investigations Team Lead, Microsoft
Imagine that you are the CISO of a new enterprise organization. You are now responsible for designing and implementing the organization's cyber security program from scratch. What would be the core design principles that would inspire your design, unencumbered by the past? In this panel discussion, Ardalyst takes the audience on a thought experiment: exploring concepts, approaches, and technologies that in combination offer resilient defense against today's threats. We will explore the importance of zero trust and cloud native solutions, the efficiency of well-instrumented threat-informed defense, the objectivity of out-of-band monitoring, and the insights of API security. Because there’s no silver-bullet security solution, we will discuss the importance of architectural patterns that combine capabilities of leading industry solutions into decision aids that enable clarity, focus, and speed of maneuver when the stakes are high. We aim to demonstrate that the concepts you might draw upon when designing a system from scratch are the very things within reach for digital transformation journeys of varying shapes and sizes. In this sense, these design patterns offer a new set of fundamentals for cybersecurity practitioners needing to defend their organizations as they implement digital transformations.

Evening at the Museum - Shuttles Looping
6:00 PM-10:00 PM ET | Evening Events | Terrace Foyer | EVNG-02a
Join us at the mWISE Evening at the Museum at the Smithsonian National Museum of Natural History. Shuttles to and from the Washington Hilton and museum will be provided. Starting at 6:00 pm, shuttle bus pick up will be in the Terrace Entrance by the event registration and hospitality desk.

Evening at the Museum
7:00 PM-10:00 PM ET | Evening Events | Smithsonian National Museum of Natural History | EVNG-02
Kick off our first mWISE Conference on Tuesday night on the expo floor. Learn about our sponsors’ powerful solutions, listen to the DJ, enjoy food and drink, and connect with colleagues! On Wednesday evening, join us for a private Evening at the Museum at the Smithsonian National Museum of Natural History. Explore and discover the exhibits and enjoy music and refreshments at this private event. Shuttles to the museum will be provided and will depart directly from the Washington Hilton. You won't want to miss this fun evening at this iconic venue.

October 20, 2022

Registration
7:00 AM-12:00 PM ET | General | Terrace Foyer | REG-04

Expo Hours
8:00 AM-12:00 PM ET | General | Columbia | EX-03

Breakfast & Expo
8:00 AM-8:45 AM ET | Meals | Columbia | BE-20

Closing Keynote
9:00 AM-10:00 AM ET | Keynotes | International Ballroom | KN-03
Speaker: Host and Creator, NPR’s Hidden Brain
Jen Easterly, Director of the Cybersecurity and Infrastructure Security Agency (CISA), will discuss the importance of operational collaboration between government and industry in cyberspace. Shankar Vedantam, the host and creator of NPR’s Hidden Brain, will be our mWISE Conference closing keynote speaker.

Cyber Threat Intelligence for Policymakers: The Forgotten Use Case
10:15 AM-11:00 AM ET | Breakout Track - Intelligence | Columbia 1 & 2 | ICA-10
Speakers: Senior Threat Intelligence Advisor, Mandiant; CSIS; Senior Director of Government Affairs, Mandiant
Commercial cyber threat intelligence (CTI) is primarily consumed by network defenders, yet its application to the cyber policy community remains underestimated and untapped. The cyber policy formulation process is undoubtedly enhanced through engagement with those that have direct experience of cyber threats. CTI therefore has an exciting role to play in providing the ground truth and operational context to inform smarter cyber policy solutions to today’s most pressing security challenges. We will draw on real world examples where commercial CTI has played an active role in informing cyber policy, for example where CTI has helped to inform legislation developed in the aftermath of SolarWinds. We will also explore how private sector contributions have provided greater situational awareness to governments during the Russia-Ukraine crisis. The opportunities and benefits of further collaboration between CTI and policymaking communities are enormous. This talk will provide practical advice on how to make this a reality.

Cloud Agnostic Micro-Segmentation Approach using Open-Source Tools for a Zero Trust Foundation
10:15 AM-11:00 AM ET | Breakout Track - Security Engineering | Lincoln | SE-08
Speakers: Lead Cloud Security Architect, Humana Inc.; Associate VP, Head of Cloud Security, Innovation, R&D, Humana Inc.
Unsegmented, flat networks with a large blast radius in the enterprise carry a significant security risk and availability issues for critical information assets. The complex needs of applications and post-pandemic changes in workforce dynamics promoting the adoption of many 'as-a-service' solutions require embracing solid security foundations using the concepts of zero trust and segmentation. It has become imperative to segment the network and compute in a practical, effective, sustainable, and manageable way to improve security posture and reduce data exposure risk. The problem statement is simple, but the solution is complicated because of the increased adoption of containerized applications using state-of-the-art microservices and service mesh solutions. Industry offerings are not mature across all the compute options like physical, virtual, containers (managed Kubernetes), and the serverless space. This presentation will focus on the real-life challenges of the enterprise and vendor roadmap issues, and present a cloud-agnostic micro-segmentation approach using open-source tools and minimal automation.

The DevSecOps Approach Cloud Native Threat Detection and Response
10:15 AM-11:00 AM ET | Breakout Track - Security Operations | Columbia 11 & 12 | SOP-10
Speaker: SVP Cloud Security, FireMon
Every SOC on the planet is grappling with the challenges of integrating detection techniques and response processes for public cloud computing. This session will delve into the details with a framework for modernizing response operations, combined with technical details and examples.
* Understanding the key cloud security feeds of the big 3 providers and how to collect them without falling behind attackers.
* How, and why, to treat cloud misconfigurations as threats.
* Building cloud IoCs, including top examples and why they matter.
* The role of key security feeds and response tools from AWS, Azure, and GCP.
* Balancing log volume and storage locations.
* Top tips for integrating cloud events into an existing SOC.
* Leveraging DevOps techniques for a distributed response process, and how engaging cloud teams will reduce SOC pressure while improving response.
This session will include technical demonstrations (using AWS native capabilities) to illustrate key concepts. Attendees should have existing response experience and be familiar with major cloud computing features on at least one of the major providers (e.g. CloudTrail or Defender for Cloud).
Taking the “ware” out of Ransomware
10:15 AM-11:00 AM ET | Breakout Track - Security Threats And Exploits | International Ballroom | STE-09
Speakers: Senior Consultant | Lead Investigator, Microsoft; Senior Consultant, Microsoft
Over the past year, DART has conducted numerous investigations into a new variety of extortion and “malwareless” ransomware actors. They are not sophisticated in their techniques, and have adopted a “back to the basics” methodology to gain initial access and cause organizational damage nonetheless. In this talk, we will discuss how hybrid work arrangements (including BYOD) established during the pandemic have contributed to the rise of this new class of criminal activity. In addition, we will discuss novel (but still not sophisticated!) techniques related to data exfiltration and persistence in the cloud, as well as how improper data governance and controls have bred new risks and openings for Threat Actors to take advantage of. Finally, we will review detection opportunities and strategies to reduce risk in your cloud environments.

Managing Risk of Open Source Libraries using Mandiant Vulnerability Intelligence
10:15 AM-11:00 AM ET | Breakout Track - Software Development Security | Georgetown | SDS-07
Speaker: CEO, Nucleus Security, Inc
Today nearly every organization has a growing internal software development team to ensure the business remains competitive. With a global shortage of software engineering talent that is showing no signs of improving, and increasing demands for software teams to ship code faster, the use of open source libraries has grown tremendously over the last decade. Open source libraries enable development teams to quickly deploy new functionality with minimal effort; however, they also introduce new application security risks that must be managed. Many vulnerability scanning tools will identify and monitor open source libraries for vulnerabilities; however, the volume of findings, combined with the lack of context about the vulnerabilities, makes it increasingly difficult to determine which vulnerabilities should be fixed, and what their priorities are. In this talk we discuss the value of vulnerability intelligence correlated to open source library vulnerabilities, and how our customers have been able to minimize the time their development teams spend researching vulnerabilities and enable them to focus on updating the libraries that matter most.

© 2022 Mandiant, Inc. All rights reserved.