Dan Gunter, Principal Threat Analyst

Dan Gunter is a Principal Threat Analyst at the industrial cyber security company Dragos, Inc., where he discovers, analyzes and neutralizes threats inside ICS/SCADA networks. In this capacity, he performs threat hunting, incident response, and malware analysis missions for the industrial community. Prior to his role at Dragos, Dan served in a variety of information security roles as a Cyber Warfare Officer in the United States Air Force, with duties ranging from incident response at the Air Force Computer Emergency Response Team to developing innovative capabilities for multiple Department of Defense partners. Dan has over 12 years’ experience and holds the CISSP, GIAC GSEC, EC-Council CEH and CompTIA Security+ certifications. He also holds a Bachelor of Science in Computer Science from Baylor University and a Master of Science in Computer Science from the University of Louisville. Dan has previously presented at Black Hat and ShmooCon.
Stateful ICS analysis
Over the last decade, two instances of malware targeting industrial control systems (ICS) have successfully impacted operations. Most recently, CRASHOVERRIDE targeted a Ukrainian transmission substation in December of 2016. In both cases, attackers developed malware that crafted industrial protocol packets to manipulate control systems, either by hijacking the legitimate master server or by hooking the network stack. Defending against properly crafted packets presents a unique challenge, because many existing approaches only check the integrity of a single packet in isolation. This talk will focus on what stateful analysis is and how you can add it to your detection or hunting strategy to perform deep protocol analysis. We will cover the steps necessary to begin stateful analysis and dive into thresholds you might set for detection.
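The abstract's point is that a well-formed control packet sent by a hijacked master passes any per-packet integrity check, so detection has to keep state across the conversation. The following is an added, protocol-neutral illustration of that idea and is not material from the talk or from Dragos: a stateless check that validates each message on its own, beside a stateful analyzer that remembers write history per (source, device) pair and per control point and alerts when behavioural thresholds are crossed. The message format, the host addresses, the control point name BRK1, and the thresholds (a 10-second window, at most 3 writes, at most 2 value flips) are all constructed assumptions; real thresholds would come from baselining the process.

```python
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class ControlMessage:
    """One decoded control-protocol message (constructed, protocol-neutral)."""
    ts: float    # capture time in seconds
    src: str     # source host
    dst: str     # destination device
    op: str      # "read" or "write"
    point: str   # hypothetical control point, e.g. a breaker
    value: int   # 0 = open, 1 = closed (constructed convention)


def stateless_check(msg):
    """Single-packet integrity check: known opcode, value in range.
    Returns a list of findings; empty when the packet looks fine on its own."""
    findings = []
    if msg.op not in ("read", "write"):
        findings.append("unknown_opcode")
    if msg.value not in (0, 1):
        findings.append("value_out_of_range")
    return findings


class StatefulAnalyzer:
    """Keeps conversation history so that a sequence of individually valid
    packets can be judged against behavioural thresholds."""

    def __init__(self, known_masters, window_s=10.0, max_writes=3, max_toggles=2):
        self.known_masters = set(known_masters)
        self.window_s = window_s
        self.max_writes = max_writes    # writes allowed per (src, dst) per window
        self.max_toggles = max_toggles  # value flips allowed per point per window
        self._writes = {}               # (src, dst) -> deque of write timestamps
        self._toggles = {}              # (dst, point) -> deque of flip timestamps
        self._last = {}                 # (dst, point) -> last written value

    @staticmethod
    def _trim(q, now, window):
        # Drop timestamps that have aged out of the sliding window.
        while q and now - q[0] > window:
            q.popleft()

    def process(self, msg):
        """Update state with one message and return any alerts it triggers."""
        alerts = []
        if msg.op != "write":
            return alerts                       # reads do not change process state
        if msg.src not in self.known_masters:
            alerts.append(("unexpected_writer", msg.src))
        wq = self._writes.setdefault((msg.src, msg.dst), deque())
        wq.append(msg.ts)
        self._trim(wq, msg.ts, self.window_s)
        if len(wq) > self.max_writes:
            alerts.append(("write_burst", msg.src, len(wq)))
        key = (msg.dst, msg.point)
        prev = self._last.get(key)
        self._last[key] = msg.value
        if prev is not None and prev != msg.value:
            tq = self._toggles.setdefault(key, deque())
            tq.append(msg.ts)
            self._trim(tq, msg.ts, self.window_s)
            if len(tq) > self.max_toggles:
                alerts.append(("rapid_toggle", msg.point, len(tq)))
        return alerts


def analyze(messages, known_masters=("10.0.0.5",)):
    """Run both checks over a time-ordered message list; return (stateless, stateful)."""
    analyzer = StatefulAnalyzer(known_masters)
    ordered = sorted(messages, key=lambda m: m.ts)
    stateless = [(m.ts, f) for m in ordered for f in stateless_check(m)]
    stateful = [(m.ts, a) for m in ordered for a in analyzer.process(m)]
    return stateless, stateful


# Constructed traffic: the legitimate master polls the device for a minute and
# issues one operator write, then the same master address sends a burst of
# well-formed writes that flip BRK1 five times within two seconds.
SAMPLE = (
    [ControlMessage(t, "10.0.0.5", "10.0.1.20", "read", "BRK1", 0) for t in range(0, 60, 5)]
    + [ControlMessage(30.5, "10.0.0.5", "10.0.1.20", "write", "BRK1", 1)]
    + [ControlMessage(100.0 + 0.5 * i, "10.0.0.5", "10.0.1.20", "write", "BRK1", i % 2)
       for i in range(5)]
)

if __name__ == "__main__":
    stateless, stateful = analyze(SAMPLE)
    print("stateless findings:", stateless)      # every packet is well formed
    for ts, alert in stateful:
        print(f"t={ts:6.1f}  {alert}")
```

Every packet in the constructed burst passes the stateless check, so that path reports nothing. The stateful analyzer stays quiet through the polling and the single operator write, then raises rapid_toggle from the third flip onward and write_burst once the fourth write lands inside the window. Lowering the window or the thresholds trades earlier alerts for more false positives during legitimate maintenance activity, which is exactly the tuning question the talk describes.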