Dell SecureWorks Threat Intelligence Summit - 2014
 

Below is the agenda with topic descriptions for some of the sessions you will hear by attending the Threat Intelligence Summit. Please note that these topics are subject to change, and additional topics will likely be added.

Monday, November 10

Time

Session

Speaker

Room

1:00 p.m.-1:15 p.m.

Welcome

Barry Hensley

Athens

1:15 p.m. – 2:15 p.m.

Adversary Reactions to Technical Events

Four case studies will demonstrate how threat groups responded to stimuli introduced into the victim organization's environment. See each threat group's reaction to stimuli such as the removal of Excel files, the removal of their malware, the removal of their access points, eviction from the network, and more.

Aaron Shelmire & Phil Burdette

Athens

2:15 p.m. – 3:00 p.m.

Anatomy of an APT

By taking a deep dive into the elements that make up an advanced threat, this session will expose the driving factors behind today's cybercrime and demonstrate exactly how malware infiltrates networks. The discussion will examine the characteristics of commodity threats (SQLi, XSS, exploit kits, etc.) as well as the kill chain of an advanced persistent threat.

Dennis Dwyer

Athens

3:00 p.m. – 3:15 p.m.

BREAK

 

3:15 p.m. - 4:00 p.m.

Malware Targeting ATMs

Recently, threat actors have been showing interest in developing and deploying logical attacks on Automated Teller Machines (ATMs). Logical (or digital) attacks are those carried out by criminals using malicious software designed to attack the ATM processing network or the software (operating system or application software) and firmware of the ATM unit itself. This presentation will cover technical details of malware specifically designed to target ATMs, along with the TTPs threat actors have used to deploy and execute such attacks.

Eric Kumar

Athens

4:00 p.m. – 5:00 p.m.

Lateral Movement

After credentials have been obtained and a foothold established, an attacker has multiple methods available to expand control of the environment. This session will cover the TTPs attackers use from the command line or shell and the challenges these create for detecting that expanded control. Novel techniques from actual cases will be shown, along with methods of defense.

Harlan Carvey

Athens

6:00 p.m. - 10:00 p.m.

Cocktails and Dinner

Clyde’s of Gallery Place
707 7th Street NW, Washington, D.C. 20001  


*Meet in the lobby at 5:45 to walk over as a group

 

 

Tuesday, November 11

Time

Session

Speaker

Room

7:00 a.m. - 8:00 a.m.

 

BREAKFAST

 

Paris

8:00 a.m. – 9:00 a.m.

Operation Tovar and Public/Private Partnership in Botnet Takedowns

Tom Grasso, FBI

Jeff Williams, Dell SecureWorks

Athens

 

9:00 a.m. – 10:00 a.m.

Who Watches the Watchers

Memory capture and analysis during an IR engagement proves to be an invaluable data source that many organizations overlook. CTU researchers will demonstrate its value and show how tools such as Volatility can be used to uncover threat actors' actions on objectives. The presentation is backed by a real-world IR engagement in which memory analysis was used to determine that threat actors were remotely accessing hosts using Altiris.

Phil Burdette

Athens

10:00 a.m. – 10:15 a.m.

BREAK

 

 

10:15 a.m. – 11:15 a.m.

 

POS Malware Attacks

During the past few years, the retail market has seen steadily growing attacks from threat actors developing malware that targets Point-of-Sale (POS) systems in order to steal customer information and credit card data. This presentation will take a deep dive into past and current POS malware attack trends and TTPs, including entry vector, lateral movement, host- and network-level evasion techniques, and data exfiltration. Recommended security controls and mitigation strategies will also be presented to minimize the attack surface and thwart such attacks.

Eric Kumar

Athens

11:15 a.m. – 12:15 p.m.

 

TTPs of a CTU Malware Analyst

This demo-rich presentation will cover the various tools and techniques used by CTU to extract the threat indicators used to create countermeasures that protect our clients. The content will include the collection of samples, their analysis, gathering of indicators and assessment of threat intelligence, as well as how we leverage this process to iterate and find additional threat detail. Coverage will include detection (YARA, Snort, AttackerDB), static and dynamic analysis with a variety of tools (OllyDbg, IDA Pro, Cerebro, and others), and our Threat Intelligence Management System (TIMS).

Param Singh

Athens

12:15 p.m. – 1:30 p.m.

LUNCH

 

Paris

1:30 p.m. - 3:30 p.m.

Panel of CTU Researchers with Q&A

TBD

Athens

3:30 p.m. – 3:45 p.m.

Conclusion

 

Athens


© 2014 Dell, Inc. All rights reserved.