Crowdstrike presents on the current e-crime landscape and procedures used by APT actors

Monday January 6th, 2020 / 6 PM - 9 PM

WHO: Southwest CyberSec Forum

WHEN: 1st Monday of each month 6:00 PM - 9:00 PM

WHERE: UAT theater at 2625 W Baseline Rd, Tempe, AZ 85283

WHY: To stay current with new cyber threats, explore new security technologies, and network with your peers.

FREE: No membership fees, no RSVP’s, food and drinks provided by our sponsors.

Sponsor: CrowdStrike 

Our thanks to CrowdStrike for sponsoring this months meeting!

Contact: Grace Bergen
SLED Marketing Manager


[5:30-6:30 PM]

Pizza and Networking in the UAT common area

  • Open to the public and UAT students
  • Pizza and Drink provided.
  • No food or drink in the UAT Theater (Please)

[6:30-6:50 PM]

Announcements and Sponsor Segment

  • Review of Community CyberEvents (~5 min)
  • Short presentation by our sponsor, Luke Zeman of Crowdstrike (~15 min)

[6:50-7:00 PM]

Cyber Security Community updates

  • Cyber threat update with Erik Graham (~15 min)

[7-7:45 PM]

The Not So Itsy Bitsy Spider

by Matt Russell, Threat Intelligence Advisory Lead- The Americas, Crowdstrike


Matt Russell an internationally seasoned business and technology executive. He combines the exceptional leadership skills he learned leading and training intelligence teams in US Special Operations, with his commercial experience in consulting and industry to successfully operate across a variety of business domains, geographic boundaries, and cultural landscapes. Matt spent 5 years living and working in Asia and possesses advanced fluency in both Korean and Spanish.


Wizard Spider, made famous by their commodity banking malware “TrickBot” and “Ryuk”, is a notorious threat actor that conducts high impact attacks across a variety of industry verticals and sectors. We’ll start off with an overview of the current e-crime landscape and emerging trends, and the begin to breakdown the tactics, techniques, and procedures that Wizard Spider leverages as they conduct operations across the globe. Focus will be on the TrickBot, Ryuk, and AnchorDNS malware families, providing high-level overviews of their functionality and deployment. A victimology case study will provide a deep-dive into a real world scenario where both the failures and lessons learned will be on display. This talk will conclude with defensive strategies to help mitigate the threat, as well as, an interactive question and answer session.

[7:45-8:45 PM]

The Need for Advanced Incident Response Tools and Capabilities

Michael McAndrews Bio Pic

by Michael McAndrews, Vice President, Network Security Services, WGM Associates


Michael McAndrews has been involved in Information Technology and Security for more than 25 years. Michael worked in the financial services, manufacturing and pharmaceutical industries before joining the Federal Bureau of Investigation in 2006 as a Special Agent. During his time with the FBI, he investigated numerous violations, but focused primarily on computer crimes such as intrusions, Internet frauds and intellectual property violations. He was also a member of the FBI's Cyber Action Team, a group of selected agents who would deploy worldwide for the most critical of intrusions. With experience in both the National Security and Criminal arenas, Michael left the FBI in December 2013 to rejoin the private sector. He now works as an expert in the field using leading edge security devices and performing awareness training to groups worldwide.

Michael is a Certified Information Systems Security Professional (CISSP) and has been certified by GIAC as a GSEC professional, an Intrusion Analyst (GCIA), and Incident Handler (GCIH). Michael also holds the A+ and Network+ certifications from Comptia.


With the ongoing epidemic of cyber security breaches, the need to successfully execute an incident response plan is of the utmost importance to shorted the time between breech and recovery and lower the overall risk to the organization. Michael will discuss incident response and how full network packet capture and end-point detection/response technologies can be leveraged together as a powerful combination to improve the investigative and remediation process. Actual scenarios will be shared where WGM and CrowdStrike have worked together on an international Incident Response engagement.


[8:45-9:00 PM]



Detecting APT with NAC, Sandboxing & SIEM-Part I + Zeek/Bro Log Collection

Monday November 4th, 2019 / 6 PM – 9 PM

WHO: Southwest CyberSec Forum

WHEN: 1st Monday of each month 6:00 PM – 9:00 PM

WHERE: UAT theater at 2625 W Baseline Rd, Tempe, AZ 85283

WHY: To stay current with new cyber threats, explore new security technologies, and network with your peers.

FREE: No membership fees, no RSVP’s, food and drinks provided by our sponsors.


Sponsor: Fortinet 

Our thanks to Fortinet for sponsoring this months meeting!

Fortinet Logo


Debbie Lite Trauter
Channel Account Manager – Mountain Desert
M: 714.336.9695
Skype: Debbie Lite Trauter
NSE Certified : Level 3
899 Kifer Road | Sunnyvale, CA 94086

[7:15-8 PM]

Detecting APT with NAC, Sandboxing and SIEM – Part 1

Bio Placeholder Pic
Image Pending

by Cory  Sober, Systems Engineering Manager, Fortinet

Join Cory for the first in a two part series on Advanced Persistent Threats and how to detect them is something every large organization struggles with.  Yes, you have a wide variety of tools but how do you get them to all work together to get rapid answers to the time critical question of “Do I have a compromise and what is my exposure?”   Join Cory in this first of a two part series where he does a deep dive in how to use modern commercial tools including Network Access Control, Sandbox technology and full fledged Security Information and Event Management (SIEM) to detect Advanced Persistent Threats so you can quickly isolate and remediate compromises.

Cory is a Systems Engineering Manager at Fortinet with decades of hands on experience and holds several technical certifications relating to security, networking and systems.

In addition to being a security and networking expert, Cory is a graduate of the Reserve Officers Law Enforcement Academy and a member of Infragard

[8-8:45 PM]

Security Monitoring with Zeek and Bro IDS

Tim Garcia Profile Pic

by Tim Garcia, SANS instructor (Tool Time with Tim) VP-CISSP,GSEC,GCDA,GCCC,GMON,GCED

Can a 20 year old technology help give you strategic visibility into a modern enterprise netowork?  The answer is yes!.  Welcome to a powerful network monitoring/logging tool most people have never heard of.

Tim Garcia will review the capabilities and use of the the Zeek and Bro IDS (two seperte tools that are often used together) for security threat hunting.

(Originally the presentation was to be on the use of the Yara scripting tool to identify maleware signatures but the Zeek/Bro topic won out due to popular demand).

Tim is SANS Instructor primarily focused on blue team activities, ethical hacking, incident handling, security management and general information security principles.   Instructor in Information Systems Security, Systems Analysis and Project Management for several local universities in the Phoenix area.