OpenDNS was recently represented both on and off the stage (by Andrew Hay and Kevin Bottomley) at the 2015 Digital Forensics and Incident Response (DFIR) SANS Summit forensics-logo-cowboyin Austin, Texas. Held at the Hilton Hotel, a block away from the energetic 6th street corridor, the conference is a two day event that focuses on recent issues involving computer security and digital forensics. The conference brings together some of the most well known names in DFIR to discuss new and innovative techniques, situations, and tactics used in the field.

Following the two days of talks, the Summit also hosts training sessions including Windows, Memory, and Network Forensics, as well as the Reverse Engineering Malware courses. These classes offer valuable training to anyone involved with DFIR.

Throughout the course of the event, there were about 25 talks spread amongst two tracks. The Summit was kicked off Tuesday morning by Keynote speaker James Dunn, the Director of the Global Investigate and Forensic Services arm for Sony Pictures Entertainment discussing the work done outside of the kill chain scope, and how to handle the aftermath of a security breach. Dunn also covered how to make sure organizations learn and adapt their policies from the information uncovered during an investigation, and how to prepare for the worst.

While it would have been nice to attend every talk during the conference, sometimes you have to pick and choose since the talks were usually running parallel to each other time wise. A few of the talks we attended included:

  • Dmitry Bestuzhev’s talk on researching advanced attacks and the techniques used to find indicators and assign attribution and then use the discovered information to present clear, tangible reports that can help escalate protection to customers.

  • Sara Newcomer covered performing OS X digital forensics, and how Incident Responders can navigate through the system using Finder looking for key indicators and files much in the same way one would in a Windows OS, and how the same theory of investigative approaches can be applied to discover which files had been accessed, even if the user account has been removed.
  • Alan Ho and Kelvin Wong discussed building a framework which aids in building up information about attacker profiles ingested from relevant data being investigated, and then passing that through information gleaned from such places as PassiveTotal, PhishTank, and VirusTotal to build up a ‘confidence level’ to identify the attackers.
  • Scott Roberts went over the importance of good communication through out the course of an investigation, including examples of both how it should, and should not be done, and how to make a comprehensive communications plan.

ahaydfirAlso speaking at the event was OpenDNS’s very own Andrew Hay, Director of Security Research. Speaking Tuesday morning, Andrew discussed different techniques used by the OpenDNS Security Labs team to identify and track malicious activity in addition to findings from recently published research – such as Jeremiah O’Connor’s work on NLPRankour recent 2015 Internet of Things in the Enterprise Report, and hints at things that Labs team is working on.

The talk was very well received as we observed a number of tweets from attendees and fielded several questions after the session. Some of the more interesting tweets saw after the session are shown below.

Matt Bromiley’s talk looks really interesting but @andrewsmhay is “Walk Softly and Carry 26 Trillion Sticks”…HUGE data? #DFIRSummit

— Barry Anderson (@z3ndrag0n) July 8, 2015

. @andrewsmhay with @OpenDNSLabs talking about key findings from 2014 #dfirsummit pic.twitter.com/Y8dxhkZqAO

— DFIRSummit (@DFIRSummit) July 8, 2015

        #DFIRSummit @andrewsmhay Pretty graphics pic.twitter.com/0dYjmykUBF

        — Vern (@malanalysis) July 8, 2015

        Fairly convinced @andrewsmhay should drop the mic (sorry AV team!) this talk was AWESOME! #DFIRSummit

        — Barry Anderson (@z3ndrag0n) July 8, 2015

The conference, as it was last year, was excellent. We hope that SANS will invite us back next year to speak on some of our research and discoveries since the 2015 event.

This post is categorized in: