Ryan Kazanciyan

Biography

Ryan Kazanciyan is the Chief Security Architect for Tanium, and has thirteen years of experience in incident response, forensic analysis, and security assessments. Ryan leads Tanium’s Endpoint Detection and Response team and oversees the strategy and roadmap for Tanium’s security product suite. Prior to joining Tanium, Ryan led investigation and remediation efforts at Mandiant, where he spent six years working with dozens of Fortune 500 organizations impacted by targeted attacks. Ryan has trained hundreds of incident response practitioners as instructor for Black Hat and the FBI’s cyber squad. He is a frequent speaker at industry events around the world, and was a contributing author for Incident Response and Computer Forensics 3rd Edition (McGraw-Hill, 2014).

Presentation Title

Presentation: “Hunting in the Dark”

Presentation Overview

“Hunting” is a key phase of the incident response lifecycle that aims to identify, on a proactive basis, unknown threats lurking in an environment. In practice, many hunting teams focus on searching for public or purchased IOCs¬ often representing intelligence that has already been burned. Hunting without specific leads is difficult, and every environment (and incident) has its own unique characteristics. This presentation will provide analytic techniques that can identify generic evidence of post¬-compromise activity, with focus on the contemporary approaches that targeted attackers employ for credential harvesting, persistence, and lateral movement in Windows environments. It will illustrate sources of evidence that are ideal for large¬-scale anomaly analysis, and provide examples of how to effectively collect data, reduce noise, and minimize dependencies on external threat feeds.