FireEye Cyber Defense Summit 2016: The Incident Response Track – Technical Details and Solutions that Work

2016 has been a year of significant change to the cyber security landscape. The rapid proliferation of ransomware and the emergence of Internet of Things mass compromise has changed the landscape for responders. Similarly, existing threats have become more brazen, with nation-state actors publishing the results of their campaigns publicly and financial threat actors leaving no piece of PII behind.

While the average global identification time for compromise by advanced attackers has continued to decrease from 206 days in 2014 to 146 days in 2015, it’s still unacceptably long to protect the data that matters for an organization. As an incident responder at Mandiant for the past four years, I have personally worked on cases in 2016 where attackers were able to break into an organization and complete their mission in record time.

Skilled and trained incident responders with access to the latest information on threats, adversaries and tools are one of the best lines of defense in keeping an environment secure and terminating a threat as it happens. With that in mind, for the FireEye Cyber Defense Summit 2016 Incident Response track, I sought to cultivate a group of practitioners who could share their experiences, research and successes with the greater incident response community.


Join us at the FireEye Cyber Defense Summit!

Join FireEye at the Washington Hilton in Washington, DC for the cyber security event of the year. Hear from the security experts at FBI, Visa and the US AAG


The Incident Response track starts with DomainTools’s Tim Helming presenting new research on phishing domain patterns harvested from their global database of DNS information. Next, FireEye Red-Teamer Evan Pena will walk us through sustained attack workflows and how organizational defenders were able to detect and adapt. Following him, Glen Jones from Visa will discuss how Visa has leveraged intelligence-led defense to fight against modern payment breaches. The first day concludes with a talk from Charles Carmakal of Mandiant on lessons learned from responding to real-world disruptive breaches.

On the next day, David Cowen from G-C Partners and SANS fame will kick things off with a talk on leveraging open-source solutions for automated forensic artifact collection. In the following session, Mandiant’s Christopher Glyer will dissect MBR rookits leveraged by advanced attackers. Next, Stephen Jou of Interset shows how behavior and analytics can identify attackers in real-world scenarios. After him, Red & Blue come together as Mandiant’s Matthew Dunwoody and Daniel Bohannon discuss PowerShell’s frequently evolving detections and evasions. Finally, Mandiant’s Devon Kerr and John Miller of FireEye iSIGHT Intelligence will expose the tactics of FIN7, a financially motivated hacker group that FireEye tracked throughout 2016.

Cutting-edge tactics, real world attacks and solutions that work will all be discussed in technical depth at the FireEye Cyber Defense Summit 2016 Incident Response track. You can get more details and register for the event here.