

SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XXIII - Issue #8

January 29, 2021

North Korea Targeting Cybersecurity Researchers; Emotet Operations Disrupted; iOS Zero-days Actively Exploited; US CYBERCOM and NSA: Patch Sudo Now



*****************************************************************************

SANS NewsBites               January 29, 2021               Vol. 23, Num. 008

*****************************************************************************

TOP OF THE NEWS

 

  North Korean Threat Actors Targeting Cybersecurity Researchers

  International Effort Disrupts Emotet Operations

  Apple Releases Unscheduled iOS Update to Fix Zero-days

  US CYBERCOM and NSA Urge Users to Patch Sudo Vulnerability



THE REST OF THE WEEK'S NEWS


  NetWalker Ransomware Operations Disrupted

  Mimecast Says Certificate Compromise Perpetrated by SolarWinds Threat Actors

  Stack Overflow Discloses Additional Information About 2019 Breach

  WestRock Discloses Ransomware Attack

  ADT Fixes Vulnerabilities in Home Security Camera

  NIST Risk-Based Guide on Information Exchange Security

  Healthcare-Related Breach Roundup

  Harris County, TX Will Replace Paperless Voting Machines With Machines that Produce a Paper Trail

  USCellular Discloses Data Breach


INTERNET STORM CENTER TECH CORNER

********************  Sponsored By AWS Marketplace  *****************************


Webcast | Tune in for our upcoming prerecorded webcast featuring SANS senior instructor, Dave Shackleford and Nam Le from AWS Marketplace, built to teach attendees how to understand cloud-specific data sources for threat intelligence such as static indicators and TTPs, and more! | February 9th @ 1:00 PM EST

| http://www.sans.org/info/218790


*****************************************************************************

CYBERSECURITY TRAINING UPDATE


New & Updated Courses


SEC401: Security Essentials Bootcamp Style

- https://www.sans.org/cyber-security-courses/security-essentials-bootcamp-style/


SEC504: Hacker Tools, Techniques, Exploits, and Incident Handling

- https://www.sans.org/cyber-security-courses/hacker-techniques-exploits-incident-handling/


FOR508: Advanced Incident Response, Threat Hunting, and Digital Forensics

- https://www.sans.org/cyber-security-courses/advanced-incident-response-threat-hunting-training/


Upcoming Live Online Events

Register early to save up to $300 on Live Online courses.

See event pages for specific offers.


ICS Security Summit & Training

FREE Summit: Mar 4-5 | Courses: Mar 8-13 EST

- https://www.sans.org/event/ics-security-summit-2021/


SANS Stay Sharp - Mar 8-9 EST

2-Day Pen Test & Offensive Ops Courses

- https://www.sans.org/event/stay-sharp-pen-test-march-2021/

 

SANS 2021 - Mar 22-27 EDT

30+ Courses | Core, Cyber Defense, and DFIR NetWars

- https://www.sans.org/event/sans-2021-live-online/


OnDemand Training Special Offer


Get an iPad mini,  Galaxy Tab S5e, or Take $300 Off with OnDemand training through February 10.

- https://www.sans.org/specials/north-america/


Offensive Operations Resources


New Cheat Sheets, Slingshot Linux Distro, Posters, and more. View & Download

- https://www.sans.org/offensive-operations/


*****************************************************************************

TOP OF THE NEWS

 

--North Korean Threat Actors Targeting Cybersecurity Researchers

(January 26, 2021)

Google's Threat Analysis Group has detected an ongoing campaign launched by North Korean cyber threat actors against cybersecurity researchers. The threat actors created a blog and Twitter profiles to establish their credibility with the targeted researchers. After gaining their trust, the threat actors ask the researchers if they would like to work together on research projects. If they agree, the hackers send collaboration tools that include malware. Some researchers' computers were compromised after they visited the hackers' blog.


[Editor Comments]


[Pescatore] In the last SANS Top New Attacks and Threat Report (https://www.sans.org/reading-room/whitepapers/threats/paper/39520) we highlighted two active and sophisticated threat vectors: what I called Highly Targeted Phishing attacks, like this campaign against cybersecurity researchers; and a more dangerous variant that Ed Skoudis called "Very Deep Persistence" attacks, where malicious capabilities are buried within hardware, accessories, or components such as charging stations in public places, charging cables, or modified USB drives. While this news item focuses on cybersecurity researchers, these techniques have been used against CEOs, CFOs, and Boards of Directors - as well as researchers from many industries. Good topic for a mid-quarter special topic briefing or tabletop exercise with CXOs/boards.


[Neely] While I most often worry about social engineering scams that my family members would fall for, this one targets us as cybersecurity professionals, with pretty decent supporting research and credentials. This should be used as a teaching moment for colleagues newer to InfoSec. The actor's accounts are reportedly deactivated; even so, reference the Google blog list of social media accounts and make sure they're no longer connected with you. That blog also contains C2 sites and hashes to incorporate in your detection tools.


[Murray] If cybersecurity "researchers" can be taken in by these "grooming" attacks, imagine the vulnerability of young people. Parents cannot monitor all the activity of children online but they should try to ensure that they do not correspond with "friends" that they meet online.


Read more in:

Google: New campaign targeting security researchers

https://blog.google/threat-analysis-group/new-campaign-targeting-security-researchers/amp/

Wired: North Korea Targets--and Dupes--a Slew of Cybersecurity Pros

https://www.wired.com/story/north-korea-hackers-target-cybersecurity-researchers/

Ars Technica: North Korea hackers use social media to target security researchers

https://arstechnica.com/information-technology/2021/01/north-korea-hackers-use-social-media-to-target-security-researchers/

Dark Reading: North Korean Attackers Target Security Researchers via Social Media: Google

https://www.darkreading.com/endpoint/north-korean-attackers-target-security-researchers-via-social-media-google/d/d-id/1339988

Vice: North Korean Hackers Hacked Famous Hackers With Fake Hacking Website, Google Says

https://www.vice.com/en/article/akdawb/north-korean-hackers-hacked-famous-hackers-with-fake-hacking-website-google-says

The Register: I was targeted by North Korean 0-day hackers using a Visual Studio project, vuln hunter tells El Reg

https://www.theregister.com/2021/01/26/north_korea_targeted_me_0_day/


 

--International Effort Disrupts Emotet Operations

(January 27, 2021)

Law enforcement agencies and judicial authorities from the Netherlands, Germany, the United States, the United Kingdom, France, Lithuania, Canada and Ukraine have worked together to disrupt the functionality of the Emotet malware. The operation took control of Emotet's command-and-control infrastructure, which comprised hundreds of servers around the world. At least two people have been arrested in Ukraine in connection with the operation. Law enforcement officials in the Netherlands are delivering an Emotet update that will remove it from infected devices on April 25, 2021.


[Editor Comments]


[Neely] Emotet has been around since 2014, and was offered/sold to other threat actors as a polymorphic loader for their exploits. The Dutch National Police have released a tool (http://www.politie.nl/emocheck), based on the database of email, usernames and passwords they obtained, to check and see if your email address was among those exfiltrated using Emotet.


[Honan] These two operations are a great success of global law enforcement and send a clear message to criminals that they are not immune. To see how lucrative these schemes are for criminals have a look at the video published by the Ukrainian police of their raid (https://youtu.be/_BLOmClsSpc). In it you can see the gold bars and stacks of money the criminals have gathered.


Read more in:

Europol: World's Most Dangerous Malware Emotet Disrupted Through Global Action

https://www.europol.europa.eu/newsroom/news/world%E2%80%99s-most-dangerous-malware-emotet-disrupted-through-global-action

Washington Post: The Cybersecurity 202: International law enforcement took down a leading cybercrime gang

https://www.washingtonpost.com/politics/2021/01/28/cybersecurity-202-international-law-enforcement-took-down-leading-cybercrime-gang/

Wired: Cops Disrupt Emotet, the Internet's 'Most Dangerous Malware'

https://www.wired.com/story/emotet-botnet-takedown/

ZDNet: Authorities plan to mass-uninstall Emotet from infected hosts on April 25, 2021

https://www.zdnet.com/article/authorities-plan-to-mass-uninstall-emotet-from-infected-hosts-on-april-25-2021/

KrebsOnSecurity: International Action Targets Emotet Crimeware

https://krebsonsecurity.com/2021/01/international-action-targets-emotet-crimeware/

Dark Reading: Intl. Law Enforcement Operation Disrupts Emotet Botnet

https://www.darkreading.com/endpoint/intl-law-enforcement-operation-disrupts-emotet-botnet/d/d-id/1340000

Duo: Authorities Take Down Emotet Botnet

https://duo.com/decipher/authorities-take-down-emotet-botnet


 

--Apple Releases Unscheduled iOS Update to Fix Zero-days

(January 26 & 27, 2021)

Apple has released an emergency update for iOS to fix critical flaws that are being actively exploited in the wild. One of the vulnerabilities affects the iOS kernel; the other two affect WebKit. A race-condition vulnerability affecting the kernel could be exploited to gain elevated privileges. The flaws affecting WebKit could be exploited to allow arbitrary code execution. The newest versions of the affected operating systems are iOS 14.4 and iPadOS 14.4.


[Editor Comments]


[Neely] These flaws are being actively exploited, which means install the update post-haste. Make sure you're pushing the update to your Automated Device Enrollment (ADE, formerly DEP) devices along with a message requesting users to make sure it's installed. Even with automated updates enabled, there are cases where updates don't install, so you will need to monitor to ensure the update is installed.


Read more in:

Apple: About the security content of iOS 14.4 and iPadOS 14.4

https://support.apple.com/en-us/HT212146

The Register: Apple emits emergency iOS security updates while warning holes may have been exploited in wild by hackers

https://www.theregister.com/2021/01/26/apple_ios_zero_days/

SC Magazine: Apple Patches Three New iOS Zero-Days

https://www.scmagazine.com/home/security-news/mobile-security/apple-patches-three-new-ios-zero-days/

Threatpost: Apple Patches Three Actively Exploited Zero-Days, Part of iOS Emergency Update

https://threatpost.com/apple-patches-zero-days-ios-emergency-update/163374/

 
 

--US CYBERCOM and NSA Urge Users to Patch Sudo Vulnerability

(January 26 & 27, 2021)

The NSA and the US Defense Department's Cyber Command are both warning of a serious heap buffer overflow in the sudo utility that could be exploited to gain root privileges on vulnerable hosts. The vulnerability was detected by researchers at Qualys; it has been present in sudo since 2011. The issue "affects all legacy versions from 1.8.2 to 1.8.31p2 and all stable versions from 1.9.0 to 1.9.5p1 in their default configuration." The issue is addressed in sudo 1.9.5p2.
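To make the version ranges in this item usable as a fleet check, here is an added example (not code from SANS, Qualys or the sudo project) that parses sudo's version strings, including the "p" patch-level suffix, and reports whether a host's upstream sudo version falls inside the affected ranges quoted above. Because distributions ship backported fixes under version numbers that still look affected (the caveat Lee Neely raises in the editor comments), a range hit is reported as "verify against the vendor bulletin" rather than "vulnerable". The `sudo --version` output format, the function names and the sample output are assumptions of this example.

```python
"""Classify a sudo version against the CVE-2021-3156 affected ranges.

Added example for this NewsBites item; it is not code from SANS, Qualys or
the sudo project. The ranges are the ones quoted from the advisory:
legacy 1.8.2 - 1.8.31p2 and stable 1.9.0 - 1.9.5p1, fixed in 1.9.5p2.
"""
import re
import subprocess

# Inclusive (low, high) ranges, taken from the advisory text quoted in the item.
AFFECTED_RANGES = (
    ("1.8.2", "1.8.31p2"),
    ("1.9.0", "1.9.5p1"),
)
FIXED_VERSION = "1.9.5p2"

# sudo versions look like MAJOR.MINOR.MICRO with an optional pNN patch level.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:p(\d+))?$")


def parse_version(text):
    """'1.8.31p2' -> (1, 8, 31, 2). A version without a 'p' suffix gets patch
    level 0, so plain 1.9.5 sorts before 1.9.5p1 as sudo's numbering intends."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised sudo version: {text!r}")
    major, minor, micro, patch = m.groups()
    return (int(major), int(minor), int(micro), int(patch or 0))


def version_from_output(output):
    """Pull the upstream version out of `sudo --version` output. The first line
    is assumed to read 'Sudo version 1.9.5p2' (format assumption, see lead-in)."""
    m = re.search(r"Sudo version (\S+)", output)
    if not m:
        raise ValueError("no 'Sudo version' line in output")
    return m.group(1)


def in_affected_range(version):
    """True when the upstream version number lies inside an affected range."""
    v = parse_version(version)
    return any(parse_version(lo) <= v <= parse_version(hi) for lo, hi in AFFECTED_RANGES)


def assess(version):
    """Return a verdict string. A range hit is deliberately not 'vulnerable':
    distributions backport the fix while keeping a version number inside the
    range, so the only safe conclusion from the number alone is 'verify'."""
    if in_affected_range(version):
        return "in-affected-range: verify against your distribution's bulletin"
    if parse_version(version) >= parse_version(FIXED_VERSION):
        return "fixed-or-later"
    return "outside-affected-range"


def assess_host():
    """Run `sudo --version` on this host and classify it; returns (version, verdict)."""
    proc = subprocess.run(["sudo", "--version"], capture_output=True, text=True, check=False)
    version = version_from_output(proc.stdout)
    return version, assess(version)


if __name__ == "__main__":
    # Constructed sample output so the script demonstrates itself offline.
    sample = "Sudo version 1.8.31p2\nSudoers policy plugin version 1.8.31p2\n"
    v = version_from_output(sample)
    print(f"sample: {v} -> {assess(v)}")
    try:
        print("this host: %s -> %s" % assess_host())
    except (FileNotFoundError, ValueError) as exc:
        print(f"could not query local sudo: {exc}")
```

Run it on each host you manage (or ship `assess()` into your inventory tooling); anything reported as in range should be cross-checked against the vendor bulletin linked from the Qualys post, and, as the editor comment notes, long-running sudo processes should be restarted once the package is updated.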


[Editor Comments]


[Neely] Don't forget to check for and apply updates on older or non-mainstream Linux distributions which are not on your regular patch cycle. The Qualys site includes links to the vendor bulletins for each OS variant. Note that vendor-fixed sudo updates are available which may have version numbers which appear to fall within the ranges identified above. Updating the packages is simple, but make sure any running copies of sudo are terminated after the update.


[Murray] Sudo is an essential utility for multi-user Unix systems.


Read more in:

Qualys: CVE-2021-3156: Heap-Based Buffer Overflow in Sudo (Baron Samedit)

https://blog.qualys.com/vulnerabilities-research/2021/01/26/cve-2021-3156-heap-based-buffer-overflow-in-sudo-baron-samedit

Threatpost: Sudo Bug Gives Root Access to Mass Numbers of Linux Systems

https://threatpost.com/sudo-bug-root-access-linux-2/163395/

Dark Reading: Critical Vulnerability Patched in 'sudo' Utility for Unix-Like OSes

https://www.darkreading.com/application-security/critical-vulnerability-patched-in-sudo-utility-for-unix-like-oses/d/d-id/1339996

Cyberscoop: Cyber Command, NSA warn to patch decade-old sudo vulnerability

https://www.cyberscoop.com/sudo-flaw-cyber-command-nsa-buffer-overflow/

Bleeping Computer: New Linux SUDO flaw lets local users gain root privileges

https://www.bleepingcomputer.com/news/security/new-linux-sudo-flaw-lets-local-users-gain-root-privileges/

Twitter: USCYBERCOM Security Alert

https://twitter.com/CNMF_CyberAlert/status/1354462820495208451

Sudo: Buffer overflow in command line unescaping

https://www.sudo.ws/alerts/unescape_overflow.html


*******************************  SPONSORED LINKS  ********************************


1) Webcast | Our upcoming webcast, "Using SOAR to Elevate Your Security Operations" is one that you don't want to miss! Join John Pescatore, Director of Emerging Security Trends at SANS, and Matthew Pahl, Security Researcher at DomainTools as they discuss the benefits of incorporating SOAR into your organization's security operations. | February 9th @ 3:30 PM EST

| http://www.sans.org/info/218795


2) Webcast | Join our upcoming webcast, "Best Practices for Securing Modern Cloud Native Application with ActiveCampaign CISO" where Chaim Mazal, ActiveCampaign CISO, shares his experience in the cloud native space and offers tips for others. | February 4th @ 10:30 AM EST

| http://www.sans.org/info/218800


3) Webcast | We invite you to join, "When Malware Source Code Leaks: Challenges & Solutions for Tracking New Variants." In this session, the VMRay Labs Team will present their research and findings after tracking Ursnif/ISFB variants. | February 11th @ 10:30 AM

| http://www.sans.org/info/218805


*****************************************************************************

THE REST OF THE WEEK'S NEWS

 

--NetWalker Ransomware Operations Disrupted

(January 27 & 28, 2021)

Authorities in the US and Bulgaria have seized a server used by NetWalker ransomware operators to communicate with victims and publish stolen data. They have also seized more than $450,000 in cryptocurrency. A Canadian individual allegedly connected to NetWalker ransomware attacks has been charged in US federal court.


Read more in:

ZDNet: US and Bulgarian authorities disrupt NetWalker ransomware operation

https://www.zdnet.com/article/us-and-bulgarian-authorities-dirsupt-netwalker-ransomware-operation/

KrebsOnSecurity: Arrest, Seizures Tied to Netwalker Ransomware

https://krebsonsecurity.com/2021/01/arrest-seizures-tied-to-netwalker-ransomware/

Cyberscoop: NetWalker ransomware investigation yields arrest, big cryptocurrency seizure

https://www.cyberscoop.com/netwalker-us-bulgaria-canada/

Justice: Department of Justice Launches Global Action Against NetWalker Ransomware

https://www.justice.gov/opa/pr/department-justice-launches-global-action-against-netwalker-ransomware

Gov Infosecurity: Another Takedown: NetWalker Ransomware Gang Disrupted

https://www.govinfosecurity.com/another-takedown-netwalker-ransomware-gang-disrupted-a-15875

 
 

--Mimecast Says Certificate Compromise Perpetrated by SolarWinds Threat Actors

(January 26 & 28, 2021)

Mimecast has confirmed that the certificate compromise reported earlier in January was carried out by the same threat actors responsible for the SolarWinds supply chain attack. In a blog post, Mimecast writes, "Our investigation also showed that the threat actor accessed, and potentially exfiltrated, certain encrypted service account credentials created by customers hosted in the United States and the United Kingdom. These credentials establish connections from Mimecast tenants to on-premise and cloud services, which include LDAP, Azure Active Directory, Exchange Web Services, POP3 journaling, and SMTP-authenticated delivery routes."


[Editor Comments]


[Pescatore] Two key points here: (1) The Russian attackers targeted and compromised at least two large security vendors, FireEye and Mimecast - all major security product and service procurements should be evaluating what security vendors in particular are doing to prevent this in the future, including evidence of external third-party active security assessments and acceptable scores from third party risk analysis services; (2) compromises of cloud service providers like Mimecast have been rare but they do happen. When they occur, they point out that when cloud services are in your supply chain, they have a lot of moving parts and interdependencies. The severe impact of the SolarWinds compromise has raised the visibility of the need for upgrades in supply chain security - good to add a special focus on the cloud services aspect.


[Neely] Mimecast is neither a small nor inexperienced security service provider. Both Mimecast and FireEye should be noted for their exemplary transparency, sharing lessons learned and proactive response to protect users and follow up. Do your service providers have a similar posture in the event of compromise? Also kudos to Microsoft's security team for reaching out to potential competitors when security problems were identified.


[Murray] Signing keys should not be stored online when not in use.


Read more in:

Mimecast: Important Security Update

https://www.mimecast.com/blog/important-security-update/

Cyberscoop: Mimecast confirms SolarWinds attackers breached security certificate, 'potentially exfiltrated' credentials

https://www.cyberscoop.com/mimecast-solarwinds-software-certificate-russia/

Gov Infosecurity: Mimecast Confirms SolarWinds Hackers Breached Company

https://www.govinfosecurity.com/mimecast-confirms-solarwinds-hackers-breached-company-a-15855

Threatpost: Mimecast Confirms SolarWinds Hack as List of Security Vendor Victims Snowball

https://threatpost.com/mimecast-solarwinds-hack-security-vendor-victims/163431/

 
 

--Stack Overflow Discloses Additional Information About 2019 Breach

(January 25, 27, & 28, 2021)

Stack Overflow is now providing more details about the 2019 breach that compromised the site's code and data. On May 12, 2019, Stack Overflow became aware that a new user account had elevated privileges for all sites in the Stack Exchange Network. Their "response was to revoke privileges and to suspend this account and then set in motion a process to identify and audit the actions that led to the event." They "found that the escalation of privilege was just the tip of the iceberg and the attack had actually resulted in the exfiltration of our source code and the inadvertent exposure of the PII (email, real name, IP addresses) of 184 users of the Stack Exchange Network (all of whom were notified)." The blog post includes a detailed timeline.


Read more in:

Stack Overflow: A deeper dive into our May 2019 security incident

https://stackoverflow.blog/2021/01/25/a-deeper-dive-into-our-may-2019-security-incident/

The Register: Stack Overflow 2019 hack was guided by advice from none other than... Stack Overflow

https://www.theregister.com/2021/01/27/stack_overflow_2019_hack_was/

ZDNet: Stack Overflow: Here's what happened when we were hacked back in 2019

https://www.zdnet.com/article/stack-overflow-heres-what-happened-when-we-were-hacked-back-in-2019/

 
 

--WestRock Discloses Ransomware Attack

(January 25 & 26, 2021)

Atlanta-based packaging company WestRock is dealing with a ransomware attack that affected some of its operational and information technology systems. The attack occurred on Saturday, January 23.


Read more in:

Dark Reading: Ransomware Disrupts Operations at Packaging Giant WestRock

https://www.darkreading.com/attacks-breaches/ransomware-disrupts-operations-at-packaging-giant-westrock/d/d-id/1339990

Seeking Alpha: WestRock Company (WRK) CEO Steve Voorhees on Q1 2021 Results - Earnings Call Transcript

https://seekingalpha.com/article/4401659-westrock-company-wrk-ceo-steve-voorhees-on-q1-2021-results-earnings-call-transcript

WestRock: WestRock Reports Ransomware Incident

https://ir.westrock.com/press-releases/press-release-details/2021/WestRock-Reports-Ransomware-Incident/default.aspx

WestRock: WestRock Provides Update on Ransomware Incident

https://ir.westrock.com/press-releases/press-release-details/2021/WestRock-Provides-Update-on-Ransomware-Incident/default.aspx

 
 

--ADT Fixes Vulnerabilities in Home Security Camera

(January 27, 2021)

Researchers at Bitdefender have disclosed vulnerabilities in ADT's LifeShield cameras that could be exploited to eavesdrop on conversations or access live video feeds. The issues affect a certain model of LifeShield DIY HD Video Doorbells, which allow users to answer the door remotely through the LifeShield app. Bitdefender notified ADT prior to disclosing the vulnerabilities; ADT released an automatic update in August 2020.


[Editor Comments]


[Neely] Doorbell camera vulnerabilities are a particular favorite for actors conducting swatting attacks. Make sure that you're using multi-factor access to your accounts and verify exactly who can access, view, or manipulate them.


Read more in:

Bitdefender: Cracking the LifeShield: Unauthorized Live-Streaming in your Home (PDF)

https://www.bitdefender.com/files/News/CaseStudies/study/375/Bitdefender-PR-Whitepaper-Lifeshield-creat4811-en-EN-GenericUse.pdf

Threatpost: ADT Security Camera Flaws Open Homes to Eavesdropping

https://threatpost.com/adt-security-camera-flaw-opened-homes-stores-to-eavesdropping/163378/

 
 

--NIST Risk-Based Guide on Information Exchange Security

(January 27, 2021)

The US National Institute of Standards and Technology (NIST) has released a publication titled Managing the Security of Information Exchanges. The draft document "provides guidance on identifying information exchanges; risk-based considerations for protecting exchanged information before, during, and after the exchange; and example agreements for managing the protection of the exchanged information." NIST is accepting comments on the document until March 12, 2021.


[Editor Comments]


[Neely] While we talk about flowing down security requirements, often that doesn't come with a ready methodology to follow. Cloud migration and outsourcing activities, particularly of late, have organizations exchanging information more than ever before and with the pressure to deliver, it's important to use a consistent approach to ensure the information is properly handled. NIST's draft guidance addresses the lifecycle of an information exchange, from planning to termination. Compare this with your current processes to identify gaps or omissions, and if you've discovered a cool trick that will help others, provide comments before March 12th.


Read more in:

Health IT Security: NIST Shares Risk-Based Guide to Information Exchange Security

https://healthitsecurity.com/news/nist-shares-risk-based-guide-to-information-exchange-security

CSRC: Managing the Security of Information Exchanges

https://csrc.nist.gov/publications/detail/sp/800-47/rev-1/draft

NVL Pubs: Managing the Security of Information Exchanges (PDF)

https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-47r1-draft.pdf

 
 

--Healthcare-Related Breach Roundup

(January 26, 2021)

Health IT Security's weekly breach round-up includes a cyberattack against the Okanogan County (Washington) government computer system that has affected the county's Public Health department, and the Einstein Healthcare Network (Philadelphia area) notifying patients of an August 2020 data breach.


Read more in:

Health IT Security: Cyberattack Drives Okanogan County Public Health IT System Offline

https://healthitsecurity.com/news/cyberattack-drives-okanogan-county-public-health-it-system-offline

 
 

--Harris County, TX Will Replace Paperless Voting Machines With Machines that Produce a Paper Trail

(January 27, 2021)

Harris County, Texas, has signed a contract to purchase voting machines that create a paper audit trail. Harris County has until now been using voting machines that provide no paper records of votes for people voting in-person. Harris County, with 4.7 million residents, is the third most populous county in the US.


Read more in:

State Scoop: Harris County, Texas, ditches paperless voting machines

https://statescoop.com/harris-county-texas-ditches-paperless-voting-machines/

 
 

--USCellular Discloses Data Breach

(January 28, 2021)

Mobile network company USCellular has disclosed a data breach that compromised customers' account information and wireless phone numbers. USCellular said the incident stemmed from store employees being tricked into downloading malware onto a store computer. The hackers gained access to the company's CRM system. USCellular believes the attack occurred on January 4, 2021; it was detected two days later.


Read more in:

Bleeping Computer: USCellular hit by a data breach after hackers access CRM software

https://www.bleepingcomputer.com/news/security/uscellular-hit-by-a-data-breach-after-hackers-access-crm-software/

 

*****************************************************************************

INTERNET STORM CENTER TECH CORNER

 

Critical sudo Vulnerability

https://blog.qualys.com/vulnerabilities-research/2021/01/26/cve-2021-3156-heap-based-buffer-overflow-in-sudo-baron-samedit


Qakbot (QBot) Update

https://isc.sans.edu/forums/diary/TA551+Shathak+Word+docs+push+Qakbot+Qbot/27030/


Emotet vs. Windows Attack Surface Reduction

https://isc.sans.edu/forums/diary/Emotet+vs+Windows+Attack+Surface+Reduction/27036/


Targeting Security Researchers

https://blog.google/threat-analysis-group/new-campaign-targeting-security-researchers/


Apple Updates iOS, iPad, tvOS, watchOS, Xcode and iCloud for Windows

https://support.apple.com/en-us/HT201222


Go Lang Vulnerability

https://blog.golang.org/path-security


Azure Docker Escape

https://www.intezer.com/blog/research/how-we-hacked-azure-functions-and-escaped-docker/


New Cryptojacking Malware

https://unit42.paloaltonetworks.com/pro-ocean-rocke-groups-new-cryptojacking-malware/


SlipStreaming

https://www.armis.com/resources/iot-security-blog/nat-slipstreaming-v2-0-new-attack-variant-can-expose-all-internal-network-devices-to-the-internet/


Shadowsocks

https://shadowsocks.org/en/index.html


*****************************************************************************

The Editorial Board of SANS NewsBites

 

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.


Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.


Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.


Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.


Mark Weatherford is Global Information Security Strategist for Booking Holdings and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.


Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.


Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.


William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.


Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.


Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).


Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.


Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.


David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.


Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.


Alan Paller is director of research at the SANS Institute.