SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XXIII - Issue #2
January 8, 2021
SolarWinds: Even More Victims; $2 Million in Scholarships for Talented Students Interested in Cyber
For students considering computer science or cybersecurity careers: a workshop on the new $2 million scholarship programs and key questions on cyber education, sponsored by the National Cyber Scholarship Foundation
Date and time: January 14, 2021 (3:30 PM Eastern)
Answers four questions commonly asked by high school students:
* What do I need to learn to get a good job in cybersecurity?
* Is there a way to find out if I have the aptitude to do well?
* Are there scholarships available?
* Where should I apply to college if I want to maximize my chances of getting a good job?
Registration: https://zoom.us/webinar/register/WN_K8uVRGDDQ8mh0o8em7zCrw
*****************************************************************************
SANS NewsBites January 8, 2021 Vol. 23, Num. 002
*****************************************************************************
SOLARWINDS AT THE TOP OF THE NEWS
SolarWinds: Federal Judiciary Electronic Records Possibly Breached
SolarWinds: DoJ eMail Accounts Breached
SolarWinds: FBI, NSA, ODNI, and CISA Point Finger at Russia
SolarWinds: CISA Guidance Update Requires Agencies to Conduct Forensic Analysis
THE REST OF THE WEEK'S NEWS
Hackney Data Stolen, Leaked in Ransomware Attack
Ransomware Hits Minnesota Lake Region Healthcare Network
House Passes FedRAMP Bill
Fired Healthcare Exec Sentenced to Prison for Sabotaging PPE Distribution
Nissan Source Code Possibly Exposed
NSA Guidance Urges Updating Outdated TLS Protocols
Legislators' Computers Left Unattended When They Were Evacuated
INTERNET STORM CENTER TECH CORNER
********************** Sponsored By Dragos, Inc. ********************************
Free Analyst Report: OT Cybersecurity Best Practices | Industrial digital transformation is exposing cybersecurity risks and new threats across many industries requiring new approaches to security efforts to ensure safety and reliability of critical OT environments. Read this complimentary report to learn about Gartner's recommendations for addressing the IT-OT cybersecurity gap.
| http://www.sans.org/info/218600
*****************************************************************************
CYBERSECURITY TRAINING UPDATE
New & Updated Courses
SEC401: Security Essentials Bootcamp Style
- https://www.sans.org/cyber-security-courses/security-essentials-bootcamp-style/
SEC504: Hacker Tools, Techniques, Exploits, and Incident Handling
- https://www.sans.org/cyber-security-courses/hacker-techniques-exploits-incident-handling/
FOR508: Advanced Incident Response, Threat Hunting, and Digital Forensics
- https://www.sans.org/cyber-security-courses/advanced-incident-response-threat-hunting-training/
Upcoming Live Online Events
SANS Stay Sharp - Feb 1-4 CST
1-3 Day Management & Cloud Courses
- https://www.sans.org/event/stay-sharp-management-and-cloud-feb-2021/
SANS Pen Test & Offensive Training - Feb 8-13 CST
14 Courses | Core NetWars Tournament
- https://www.sans.org/event/pen-test-and-offensive-training-2021/
Open-Source Intelligence (OSINT) Summit & Training
FREE Summit: Feb 11-12 | Courses: Feb 8-10 & 15-20 EST
- https://www.sans.org/event/osint-summit-2021/
OnDemand Training Special Offer
Get an iPad mini, an ASUS ZenScreen LED Monitor, or take $300 off OnDemand training through January 16.
- www.sans.org/specials/north-america/
Blue Team Operations Resources
Cheat Sheets, Papers, Podcasts, and more. View & Download
- https://www.sans.org/blue-team/
*****************************************************************************
TOP OF THE NEWS
--SolarWinds: Federal Judiciary Electronic Records Possibly Breached
(January 6 & 7, 2021)
The Administrative Office of the US Courts is "adding new security procedures to protect highly sensitive confidential documents filed with the courts" following a possible compromise of its Case Management/Electronic Case Files (CM/ECF) system. The Judiciary is auditing the system together with the Department of Homeland Security (DHS).
Read more in:
US Courts: Judiciary Addresses Cybersecurity Breach: Extra Safeguards to Protect Sensitive Court Records
https://www.uscourts.gov/news/2021/01/06/judiciary-addresses-cybersecurity-breach-extra-safeguards-protect-sensitive-court
KrebsOnSecurity: Sealed U.S. Court Records Exposed in SolarWinds Breach
https://krebsonsecurity.com/2021/01/sealed-u-s-court-records-exposed-in-solarwinds-breach/
Bleeping Computer: US Judiciary adds safeguards after potential breach in SolarWinds hack
https://www.bleepingcomputer.com/news/security/us-judiciary-adds-safeguards-after-potential-breach-in-solarwinds-hack/
Cyberscoop: Federal courts are latest apparent victim of SolarWinds hack
https://www.cyberscoop.com/solarwinds-hack-us-courts/
The Hill: Federal judiciary likely compromised as part of SolarWinds hack
https://thehill.com/policy/cybersecurity/533177-federal-judiciary-likely-compromised-as-part-of-solarwinds-hack
MeriTalk: U.S. Courts Records System Breached in SolarWinds Hack
https://www.meritalk.com/articles/u-s-courts-records-system-breached-in-solarwinds-hack/
--SolarWinds: DoJ eMail Accounts Breached
(January 6, 2021)
The US Department of Justice (DoJ) says that the hackers behind the SolarWinds supply chain attack breached the department's Office 365 environment and compromised more than 3,000 email accounts. The DoJ Office of the Chief Information Officer (OCIO) detected malicious activity in late December 2020.
Read more in:
Justice: Department of Justice Statement on Solarwinds Update
https://www.justice.gov/opa/pr/department-justice-statement-solarwinds-update
FCW: DOJ says it was hit by SolarWinds hackers
https://fcw.com/articles/2021/01/06/doj-solarwinds-hack.aspx
The Hill: Justice Department confirms breach as part of SolarWinds hack, says emails were accessed
https://thehill.com/policy/cybersecurity/533000-justice-department-confirms-breach-as-part-of-solarwinds-hack-says
Cyberscoop: Justice Department confirms SolarWinds hackers accessed Department emails
https://www.cyberscoop.com/justice-department-solarwinds-russia-hackers-office365/
Ars Technica: DoJ says SolarWinds hackers breached its Office 365 system and read email
https://arstechnica.com/information-technology/2021/01/doj-says-solarwinds-hackers-breached-its-office-365-system-and-read-email/
ZDNet: SolarWinds fallout: DOJ says hackers accessed its Microsoft O365 email server
https://www.zdnet.com/article/solarwinds-fallout-doj-says-hackers-accessed-its-microsoft-o365-email-server/
Bleeping Computer: SolarWinds hackers had access to over 3,000 US DOJ email accounts
https://www.bleepingcomputer.com/news/security/solarwinds-hackers-had-access-to-over-3-000-us-doj-email-accounts/
--SolarWinds: FBI, NSA, ODNI, and CISA Point Finger at Russia
(January 5 & 6, 2021)
In a joint statement, the US Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), the Office of the Director of National Intelligence (ODNI), and the National Security Agency (NSA) wrote that "an Advanced Persistent Threat (APT) actor, likely Russian in origin, is responsible for most or all of the recently discovered, ongoing cyber compromises of both government and non-governmental networks."
[Editor Comments]
[Murray and Paller] It is highly likely that at least one hostile nation state has gained persistent access to our infrastructure. While much of the access may never be exploited, its existence constitutes an existential threat to our national security. It is time to stop admiring the problem.
[Paller] Good cybersecurity tools can find the persistent presence of those nation states only when they are deeply and continuously adapted to local conditions by people with elite cyber talent like the folks who found the SolarWinds infection at Mandiant/FireEye. Tools don't find these problems without those hunters and tool adapters, and no nation will be able to withstand sustained cyber attacks without a cadre of world-class hunters. Hunters will be as important in future conflicts as fighter pilots were in World War II. The National Cyber Scholarship Foundation launched a $2 million scholarship program to identify and support the next generation of hunters; more than 25,000 high school students are participating this winter and spring. A parallel collegiate program will be announced in late January.
Read more in:
CISA: Joint Statement By The Federal Bureau of Investigation (FBI), The Cybersecurity And Infrastructure Security Agency (CISA), The Office Of The Director Of National Intelligence (ODNI), And The National Security Agency (NSA)
https://www.cisa.gov/news/2021/01/05/joint-statement-federal-bureau-investigation-fbi-cybersecurity-and-infrastructure
Ars Technica: Bucking Trump, NSA and FBI say Russia was "likely" behind SolarWinds hack
https://arstechnica.com/tech-policy/2021/01/feds-say-that-russia-was-likely-behind-months-long-hack-of-us-agencies/
ZDNet: US government formally blames Russia for SolarWinds hack
https://www.zdnet.com/article/us-government-formally-blames-russia-for-solarwinds-hack/
Threatpost: Feds Pinpoint Russia as 'Likely' Culprit Behind SolarWinds Attack
https://threatpost.com/feds-russia-culprit-solarwinds/162785/
--SolarWinds: CISA Guidance Update Requires Agencies to Conduct Forensic Analysis
(January 6 & 7, 2021)
The US Cybersecurity and Infrastructure Security Agency (CISA) has updated its SolarWinds guidance. The January 6, 2021, supplemental guidance v3 "requires (1) agencies that ran affected versions conduct forensic analysis, (2) agencies that accept the risk of running SolarWinds Orion comply with certain hardening requirements, and (3) reporting by agency from department-level Chief Information Officers (CIOs) by Tuesday, January 19, and Monday, January 25, 2021."
[Editor Comments]
[Neely] CISA has three categories of network/systems for response guidance as well as whether or not you were running an impacted version of SolarWinds. If you don't have the required forensic capabilities, CISA will help you locate a qualified provider. CISA also warns that there may be other vulnerabilities in SolarWinds Orion the threat actors have yet to exploit. The best plan for reintroduction of Orion into your environment is to build on freshly provisioned servers from the most current version. Before implementing CISA measures, make sure your organization is not taking a more conservative approach.
Read more in:
DHS: Supplemental Guidance v3
https://cyber.dhs.gov/ed/21-01/#supplemental-guidance-v3
Fedscoop: CISA updates guidance on SolarWinds compromise
https://www.fedscoop.com/solarwinds-guidance-update-cisa/
MeriTalk: CISA Issues Updated Remediation Guidance to Feds for SolarWinds Hack
https://www.meritalk.com/articles/cisa-issues-updated-remediation-guidance-to-feds-for-solarwinds-hack/
******************************* SPONSORED LINKS ********************************
1) Register Now | January 22nd @ 9:00 AM EST | We invite you to join us for the 2021 Cyber Threat Intelligence Summit Solutions Track! Chaired by Robert M. Lee, this virtual event will consist of presentations that focus on case-studies and thought leadership using specific examples relevant to the industry as we know it today. | 4 CPE Credits
| http://www.sans.org/info/218605
2) Webcast | Network Detection and Response Solutions record all network activity and flag any anomalous behavior to detect threats before they can have a major business impact. Tune in to our upcoming webcast "Beyond Network Detection and Response (NDR)" to dive deeper into NDR. | January 13 @ 3:30 PM EST
| http://www.sans.org/info/218620
3) Webcast | Whether you're an ATT&CK beginner or expert, join us for "MITRE ATT&CK: The Magic of Mitigations and ATT&CK v8", a surprisingly engaging discussion on ATT&CK v8. We'll cover all the basics, but we'll also provide deeper insight into ATT&CK, its use cases, and great ways to get started. | January 14th @ 1:00 PM EST
| http://www.sans.org/info/218625
*****************************************************************************
THE REST OF THE WEEK'S NEWS
--Hackney Data Stolen, Leaked in Ransomware Attack
(January 7, 2021)
The ransomware operators responsible for an attack against the network of the Hackney council in London, UK have leaked stolen data. The ransomware attack occurred in October 2020. The council's services are still "significantly disrupted." The stolen information has reportedly been posted on the dark web.
Read more in:
ZDNet: Months after this 'serious' cyber-attack, stolen data has been leaked online by hackers
https://www.zdnet.com/article/months-after-this-serious-cyber-attack-stolen-data-has-been-leaked-online-by-hackers/
--Ransomware Hits Minnesota Lake Region Healthcare Network
(December 30, 2020, & January 7, 2021)
Lake Region Healthcare (LRHC) in Minnesota was the victim of a ransomware attack in late December 2020. The attack prompted LRHC to initiate its electronic health record (EHR) downtime procedures. In a public statement, LRHC said they "are providing most of [their] services as usual by operating largely off alternative systems."
[Editor Comments]
[Murray] Given the number of successful attacks against healthcare institutions, it is fair to infer that far too many such institutions are accepting the risk of such attacks. While this may be justified, it simply cannot be acceptable to take that risk while also failing to have a plan for timely remediation.
Read more in:
Health IT Security: Minnesota's Lake Region Healthcare Recovering From Ransomware Attack
https://healthitsecurity.com/news/minnesotas-lake-region-healthcare-recovering-from-ransomware-attack
LRHC: Public Statement: Update from LRH CEO Kent Mattson about Ransomware Attack
https://www.lrhc.org/news/releases/public-statement-from-lrh-ceo-kent-mattson-about-ransomware-attack/
--House Passes FedRAMP Bill
(January 3, 5, & 6, 2021)
The US House of Representatives has passed a bill that codifies the Federal Risk and Authorization Management Program, or FedRAMP. The FedRAMP Authorization Act also establishes an advisory committee "to ensure effective and ongoing coordination of agency adoption, use, authorization, monitoring, acquisition, and security of cloud computing products and services to enable agency mission and administrative priorities."
[Editor Comments]
[Neely] FedRAMP provides a level playing field for assessing the security of cloud services to a known standard, including ongoing monitoring and visibility to issues and responses, known as POA&Ms. Assessing the security of a FedRAMP authorized service is much easier than trying to exercise your "right to audit" and mapping their practices to your security standards. FedRAMP also adds the requirements to support strong authentication, e.g. PIV/SmartCard. Even so, it's up to the agency to either implement the use of smart cards or obtain approval not to from their authorizing official; all FedRAMP customer responsibilities must be addressed in order to obtain an approval to operate (ATO).
[Pescatore] In many areas of information security the federal government lags behind private industry. But FedRAMP and DMARC and DNSSEC are areas where the federal government used its buying power to drive higher levels of security in the broader commercial markets and led the way in adopting more secure use of the Internet and Internet-based services. I'd like to see application security and strong authentication get added to that list for future government adoption to drive markets.
[Murray] One agrees with John Pescatore on strong authentication. It resists the fraudulent reuse of compromised credentials, a pervasive risk. It is, at least arguably, our most efficient security measure. One also agrees that application security, especially applications common across enterprises, is essential, though much more difficult to specify or legislate. However, particularly on the desktop, applications are a small part of the attack surface. Most desktops have ten to a hundred times the amount of system code than is actually required by the applications. The vulnerabilities in this code are common and exploited across enterprises. Consider reducing your attack surface by eliminating gratuitous functions.
Read more in:
Executive Gov: House OKs Bill to Codify FedRAMP, Create Federal Cloud Advisory Panel
https://www.executivegov.com/2021/01/house-oks-bill-to-codify-fedramp-create-federal-cloud-advisory-panel/
FCW: House passes FedRAMP bill
https://fcw.com/articles/2021/01/05/fedramp-bill-passes-house.aspx
Nextgov: House Passes Bill to Codify and Revamp FedRAMP
https://www.nextgov.com/it-modernization/2021/01/house-passes-bill-codify-and-revamp-fedramp/171187/
Connolly: FedRAMP Authorization Act (PDF)
https://connolly.house.gov/uploadedfiles/fedramp.pdf
--Fired Healthcare Exec Sentenced to Prison for Sabotaging PPE Distribution
(January 6 & 7, 2021)
A former employee of Georgia-based Stradis Healthcare has pleaded guilty to computer intrusion for tampering with the company's computer systems. Christopher Dobbins used a secret account he had created to gain access to the Stradis network where he altered and deleted data, hobbling the company's efforts to distribute personal protective equipment (PPE) in spring 2020. Dobbins has been sentenced to one year in prison.
[Editor Comments]
[Neely] Stradis terminated Dobbins's regular accounts after he was terminated but missed the secret account he created. Accounts should be validated regularly: not only after creation but on a regular basis, to ensure only legitimate and active accounts are enabled. Account creation, particularly when assigned privileges, should create an alert or trigger an action.
[Pescatore] Hard to do anything but cheer the sentencing. But, the question of how a "secret account" existed should be a spur to making sure privileged accounts are limited and routinely audited - if not regularly revoked to require regular re-justification for access.
[Murray] Transparency and accountability are the primary controls over privileged users. In enterprises with more than one or two such users, consideration should be given to Privileged Access Management software.
Read more in:
ZDNet: Disgruntled former VP hacks company, disrupts PPE supply, earns jail term
https://www.zdnet.com/article/disgruntled-former-vp-hacks-company-disrupts-ppe-supply-earns-jail-term/
Threatpost: Fired Healthcare Exec Stalls Critical PPE Shipment for Months
https://threatpost.com/healthcare-exec-stalls-critical-ppe-shipment/162855/
FBI: Medical Equipment Packaging Company Hacker Sentenced
https://www.fbi.gov/news/stories/hacker-who-disrupted-ppe-shipments-sentenced-010621
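The two gaps the editors describe, an enabled account that no active employee owns and an account that was created and then elevated without anyone noticing, are both checkable from data most shops already have: an HR roster, an export of enabled accounts, and the Security event log. The script below is an added example for this item, not code from the case, the FBI, or any product. The Windows event IDs it keys on are the standard ones (4720, user account created; 4732, member added to a security-enabled local group); the roster, account names and events are constructed for the example, and the assumed input format (a CSV roster and a flat list of event dicts) stands in for whatever your directory and SIEM actually export.

```python
"""Account hygiene checks for the gap in the Stradis case: an enabled account
nobody in HR owns, created by someone who has since left.

Added example for this NewsBites item, not code from the case or any product.
Windows Security event IDs 4720 (user account created) and 4732 (member added
to a security-enabled local group) are the real IDs; every roster entry,
account name and event below is constructed for the example.
"""
import csv
import io

# Constructed HR roster mapping accounts to their documented owner and status.
ROSTER_CSV = """account,owner,status
alice,Alice Example,active
bob,Bob Example,active
cdoe,Chris Doe,terminated
"""

# Constructed list of currently enabled accounts (what an AD or local export shows).
ENABLED_ACCOUNTS = ["alice", "bob", "cdoe", "svc-reports", "it-support2"]

# Constructed Security-log events reduced to the fields the checks need.
EVENTS = [
    {"id": 4720, "when": "2020-02-10T09:12:00", "subject": "cdoe", "target": "it-support2", "group": None},
    {"id": 4732, "when": "2020-02-10T09:13:00", "subject": "cdoe", "target": "it-support2", "group": "Administrators"},
    {"id": 4720, "when": "2020-02-11T14:00:00", "subject": "alice", "target": "svc-reports", "group": None},
    {"id": 4732, "when": "2020-02-11T14:05:00", "subject": "alice", "target": "svc-reports", "group": "Report Readers"},
]
PRIVILEGED_GROUPS = {"Administrators", "Domain Admins", "Enterprise Admins"}


def load_roster(text):
    """Parse the roster CSV into {account: {"owner": ..., "status": ...}}."""
    return {row["account"]: row for row in csv.DictReader(io.StringIO(text))}


def orphaned_accounts(enabled, roster):
    """Enabled accounts with no active owner: unknown to HR, or the owner has left.

    Returns (account, reason) pairs. Running this on a schedule is the periodic
    validation the editor comment asks for."""
    out = []
    for acct in enabled:
        row = roster.get(acct)
        if row is None:
            out.append((acct, "not in HR roster"))
        elif row["status"] != "active":
            out.append((acct, f"owner {row['owner']} is {row['status']}"))
    return out


def creation_alerts(events, privileged_groups):
    """Alert on every 4720; raise to high when the new account is then added to
    a privileged group (the 'create, then elevate' pattern)."""
    created_by = {}
    alerts = []
    for ev in sorted(events, key=lambda e: e["when"]):
        if ev["id"] == 4720:
            created_by[ev["target"]] = ev["subject"]
            alerts.append({"account": ev["target"], "by": ev["subject"],
                           "severity": "medium", "why": "new account"})
        elif ev["id"] == 4732 and ev["group"] in privileged_groups:
            sev = "high" if ev["target"] in created_by else "medium"
            alerts.append({"account": ev["target"], "by": ev["subject"],
                           "severity": sev, "why": f"added to {ev['group']}"})
    return alerts


def offboarding_review(leaver, events, enabled):
    """Accounts the leaver created that are still enabled: disable or re-own
    them together with the leaver's own account, not later."""
    made = {ev["target"] for ev in events
            if ev["id"] == 4720 and ev["subject"] == leaver}
    return sorted(made & set(enabled))


if __name__ == "__main__":
    roster = load_roster(ROSTER_CSV)
    print("orphaned:", orphaned_accounts(ENABLED_ACCOUNTS, roster))
    print("alerts:", creation_alerts(EVENTS, PRIVILEGED_GROUPS))
    print("review when cdoe leaves:", offboarding_review("cdoe", EVENTS, ENABLED_ACCOUNTS))
```

On the constructed data the reconciliation flags cdoe (owner terminated) and two accounts HR has never heard of, the alert logic rates it-support2 high because it was created and put in Administrators by the same person minutes apart, and the offboarding check shows that removing cdoe alone would have left it-support2 enabled. The offboarding query is the one worth wiring into the leaver process: it only needs 4720 events retained for as long as staff tenure, which is an argument for keeping account-lifecycle events far longer than the rest of the Security log.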
--Nissan Source Code Possibly Exposed
(January 6, 2021)
Source code for Nissan North America mobile apps and diagnostic tools may have been exposed due to an improperly configured Git server. Nissan says it has secured the server.
[Editor Comments]
[Neely] The server had default (admin/admin) credentials. As much has been done of late to make services available to remote workers, verifying the security, including the presence of default credentials, has to be part of service delivery. Security also should be re-verified after installing patches, upgrades, or significant changes.
Read more in:
ZDNet: Nissan source code leaked online after Git repo misconfiguration
https://www.zdnet.com/article/nissan-source-code-leaked-online-after-git-repo-misconfiguration/
Cyberscoop: Nissan investigated source code exposure, says it plugged leak
https://www.cyberscoop.com/nissan-source-code-leak-exposure-investigation/
--NSA Guidance Urges Updating Outdated TLS Protocols
(January 5 & 6, 2021)
The US National Security Agency (NSA) has issued guidance urging system administrators to replace obsolete Transport Layer Security (TLS) protocols with current versions. The guidance offers strategies for detecting obsolete TLS instances (TLS 1.0 and 1.1 as well as SSL 2.0 and 3.0) and for replacing them with newer versions that provide strong encryption and authentication (TLS 1.2 and 1.3).
[Editor Comments]
[Ullrich] NSA Cyber also set up a valuable GitHub repo with tools (https://github.com/nsacyber/Mitigating-Obsolete-TLS). A tool that should probably be added is Zeek which is ideally suited to detect the use of outdated TLS configurations. It can also be used to verify that certain outdated versions and ciphers are no longer in use, and that it is safe to disable them.
[Neely] When implementing strong encryption, be sure to disable weak algorithms as well. The weak algorithms in TLS 1.2 are NULL, RC2, RC4, DES, IDEA, and TDES/3DES. While TLS 1.3 removes these, if you're also supporting TLS 1.2, use an external scanner to verify they are disabled.
Read more in:
Defense: Eliminating Obsolete Transport Layer Security (TLS) Protocol Configurations (PDF)
https://media.defense.gov/2021/Jan/05/2002560140/-1/-1/0/ELIMINATING_OBSOLETE_TLS_UOO197443-20.PDF
Threatpost: NSA Urges SysAdmins to Replace Obsolete TLS Protocols
https://threatpost.com/nsa-urges-sysadmins-to-replace-obsolete-tls-protocols/162814/
Bleeping Computer: NSA shares guidance, tools to mitigate weak encryption protocols
https://www.bleepingcomputer.com/news/security/nsa-shares-guidance-tools-to-mitigate-weak-encryption-protocols/
MeriTalk: NSA Urges Federal Stakeholders to Update Obsolete TLS Configurations
https://www.meritalk.com/articles/nsa-urges-federal-stakeholders-to-update-obsolete-tls-configurations/
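Zeek's ssl.log records the protocol version and cipher suite each observed session actually negotiated, which is what both editor comments want: a list of servers still accepting obsolete versions, and evidence of whether a version or suite is still in use before it is disabled. The script below is an added example for this item, not code from the NSA guidance or its GitHub repository. It assumes Zeek's default ssl.log layout (tab-separated records, a "#fields" header naming the columns, "-" for unset values, versions written as TLSv10, TLSv12, SSLv3 and so on) and the IANA cipher suite naming Zeek uses; the log lines are constructed, not a real capture.

```python
"""Flag obsolete TLS versions and weak TLS 1.2 cipher suites in a Zeek ssl.log.

Added example for this NewsBites item; it is not code from the NSA guidance or
its GitHub repository. It assumes Zeek's default ssl.log layout: tab-separated
records, a '#fields' header naming the columns (version, cipher, id.resp_h, ...)
and '-' for unset values. The log below is constructed, not a real capture.
"""
from collections import Counter

# Protocol versions the NSA guidance says to eliminate, as Zeek names them.
OBSOLETE_VERSIONS = {"SSLv2", "SSLv3", "TLSv10", "TLSv11"}

# Algorithm tokens that make a TLS 1.2 suite weak: NULL, RC2, RC4, DES, IDEA
# and 3DES (the list in the editor comment) plus anonymous and export suites.
WEAK_TOKENS = {"NULL", "RC2", "RC4", "DES", "IDEA", "3DES", "anon", "EXPORT", "EXPORT1024"}

# Constructed sample log. A real ssl.log carries more header lines and columns;
# the parser only relies on '#fields' naming whatever columns are present.
SAMPLE_SSL_LOG = "\n".join("\t".join(row) for row in [
    ["#fields", "ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p",
     "version", "cipher", "server_name"],
    ["1609891200.000000", "CAb1", "10.0.0.5", "51000", "10.0.1.20", "443",
     "TLSv12", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "intranet.example"],
    ["1609891201.000000", "CAb2", "10.0.0.6", "51001", "10.0.1.21", "443",
     "TLSv10", "TLS_RSA_WITH_AES_256_CBC_SHA", "legacy.example"],
    ["1609891202.000000", "CAb3", "10.0.0.7", "51002", "10.0.1.22", "8443",
     "TLSv12", "TLS_RSA_WITH_3DES_EDE_CBC_SHA", "printer.example"],
    ["1609891203.000000", "CAb4", "10.0.0.8", "51003", "10.0.1.23", "443",
     "TLSv13", "TLS_AES_256_GCM_SHA384", "-"],
    ["1609891204.000000", "CAb5", "10.0.0.9", "51004", "10.0.1.24", "443",
     "SSLv3", "TLS_RSA_WITH_RC4_128_SHA", "old.example"],
])


def parse_zeek_log(text):
    """Yield one dict per data record, keyed by the names in the '#fields' line."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
            continue
        if not line or line.startswith("#"):
            continue  # other header lines (#separator, #types, #close)
        if fields is None:
            raise ValueError("data record before #fields header")
        yield dict(zip(fields, line.split("\t")))


def weak_cipher(cipher):
    """True if any algorithm token of the IANA suite name is on the weak list."""
    return any(tok in WEAK_TOKENS for tok in cipher.split("_"))


def find_obsolete_tls(text):
    """Return one finding per session that used an obsolete version or weak suite."""
    findings = []
    for rec in parse_zeek_log(text):
        version, cipher = rec.get("version", "-"), rec.get("cipher", "-")
        reasons = []
        if version in OBSOLETE_VERSIONS:
            reasons.append("obsolete protocol " + version)
        if weak_cipher(cipher):
            reasons.append("weak cipher " + cipher)
        if reasons:
            findings.append({"server": rec["id.resp_h"], "port": rec["id.resp_p"],
                             "sni": rec.get("server_name", "-"),
                             "version": version, "cipher": cipher, "reasons": reasons})
    return findings


def servers_by_finding_count(findings):
    """(server, port) pairs ordered by how many bad sessions they accepted."""
    return Counter((f["server"], f["port"]) for f in findings).most_common()


if __name__ == "__main__":
    hits = find_obsolete_tls(SAMPLE_SSL_LOG)
    for f in hits:
        print(f"{f['server']}:{f['port']} ({f['sni']}): " + "; ".join(f["reasons"]))
    print("servers to fix:", servers_by_finding_count(hits))
```

Run it over a real log with find_obsolete_tls(open("ssl.log").read()); on the sample it reports three sessions, one of them (the SSLv3 server) for two reasons. Two caveats: a server that is only ever seen negotiating TLS 1.2 may still accept TLS 1.0 from a client that asks for it, so passive logs answer "is it still used" but not "is it still offered", and the active scan the editor comment mentions is needed for the latter; and after the fix, the same query should come back empty, which is the verification step. On Apache, for example, the corrected setting is SSLProtocol -all +TLSv1.2 +TLSv1.3 in place of a default that still allows TLSv1 and TLSv1.1.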
--Legislators' Computers Left Unattended When They Were Evacuated
(January 7, 2021)
When people stormed the US Capitol building on Wednesday, legislators' computers were left unattended. One senator has reported that a laptop was stolen from his office. It has not been determined what information the computer contains.
[Editor Comments]
[Ullrich] In emergency situations, in particular, it is important to have automated tools to secure systems. During an evacuation, people should focus on leaving the area, not securing their screen. This has happened at hotels when thieves used fire alarms to evacuate buildings before stealing laptops.
[Pescatore] Can't fault people fleeing violent mobs or burning airplanes for leaving the laptops on behind them, but this is a good news item for reminding decision makers why screenlock and timeout timers are beneficial to the health of the business in any instance where a computing device may be left unattended even in normal circumstances.
[Neely] The first priority during a crisis is preservation of life and limb. Typically drill/test scenarios don't include facility breach, so unlocked or unattended systems are not at risk. Even so, implementing idle timers which lock the screen have to be SOP. NIST SP 800-53 controls require this on federal information systems. Similar requirements stem from NIST SP 800-171 which apply to non-federal systems processing sensitive USG information.
Read more in:
Reuters: U.S. senator says Capitol building rioters made off with laptop
https://www.reuters.com/article/us-usa-election-cyber/u-s-senator-says-capitol-building-rioters-made-off-with-laptop-idUSKBN29C2GA
Nextgov: Capitol Riot Opens Congress to Potential IT Compromise
https://www.nextgov.com/cybersecurity/2021/01/capitol-riot-opens-congress-potential-it-compromise/171258/
Vice: Rioters Had Physical Access to Lawmakers' Computers. How Bad Is That?
https://www.vice.com/en/article/qjpwam/rioters-had-physical-access-to-lawmakers-computers-how-bad-is-that
Wired: Post-Riot, the Capitol Hill IT Staff Faces a Security Mess
https://www.wired.com/story/capitol-riot-security-congress-trump-mob-clean-up/
*****************************************************************************
INTERNET STORM CENTER TECH CORNER
Netfox Detective: An Alternative Open-Source Packet Analysis Tool
https://isc.sans.edu/forums/diary/Netfox+Detective+An+Alternative+OpenSource+Packet+Analysis+Tool/26950/
Using the NIST Database and API to Keep Up with Vulnerabilities
https://isc.sans.edu/forums/diary/Using+the+NIST+Database+and+API+to+Keep+Up+with+Vulnerabilities+and+Patches+Part+1+of+3/26958/
Zyxel Exploitation Under Way
https://isc.sans.edu/forums/diary/Scans+for+Zyxel+Backdoors+are+Commencing/26954/
Brian Nishida: Ubuntu Artifacts Generated by Gnome Desktop Environment (PDF)
https://www.sans.org/reading-room/whitepapers/forensics/ubuntu-artifacts-generated-gnome-desktop-environment-40035
ElectroRAT Drains Cryptocurrency Accounts
https://www.intezer.com/blog/research/operation-ElectroRAT-attacker-creates-fake-companies-to-drain-your-crypto-wallets/
Chrome Will Prefer HTTPS over HTTP By Default
https://chromium-review.googlesource.com/c/chromium/src/+/2568448
Android January Patch Day
https://source.android.com/security/bulletin/2021-01-01
Telegram Publishes Users' Locations Online
https://blog.ahmed.nyc/2021/01/if-you-use-this-feature-on-telegram.html
Fortinet Patches
https://www.fortiguard.com/psirt?date=01-2021
Foxit PhantomPDF Patches
https://www.foxitsoftware.com/support/security-bulletins.html
Firefox Android Updates
https://www.mozilla.org/en-US/security/advisories/mfsa2021-01/
Titan Security Key (PDF)
https://ninjalab.io/wp-content/uploads/2021/01/a_side_journey_to_titan.pdf
The Great Suspender Google Chrome Extension
https://www.theregister.com/2021/01/07/great_suspender_malware/
*****************************************************************************
The Editorial Board of SANS NewsBites
John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.
Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.
Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.
Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.
Mark Weatherford is Global Information Security Strategist for Booking Holdings and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.
Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.
William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.
Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.
Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).
Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.
Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.
Alan Paller is director of research at the SANS Institute.