Fal.Con 2018 is packed with 35+ educational sessions that will leave you informed, inspired and ready to take on your ever-advancing adversaries. Choose from a variety of tracks ranging from hands-on Falcon platform training to real-world case studies, or gain deep insights into today's adversaries. A justification letter is available to help you make the case to your boss for attending Fal.Con.



CrowdStrike Falcon in AWS: Protection, Visibility and Response for Cloud Workloads

Amazon Web Services (AWS) provides customers with a secure environment in which to run all types of workloads on a global scale. A key feature of AWS is that customers can employ any security tools they choose, including CrowdStrike. At Fal.Con 2017, we showed you how AWS and CrowdStrike are securing their own platforms and helping customers make sure their organizations' data is secure.

In this session, we will provide more in-depth information, showing you how AWS and CrowdStrike are working together to deliver a robust security experience for our joint customers, including some new integrations that will help you get the most out of your AWS and CrowdStrike deployments.

MACdoored: A First Look Into Real-World macOS Intrusions

In the last few years, macOS backdoors have become a hot topic in the industry. What used to be a rare occurrence in the wild is happening more and more frequently. Yet as the topic grows in popularity, the details of post-exploitation activity in Mac intrusions remain a mystery. This talk aims to fill that gap by walking attendees through a full Mac intrusion performed by a hostile adversary.

Process visualizations, command lines and other artifacts will be shared from real-world intrusions that are being discussed publicly for the first time. We will reveal how the attackers got in, what commands were used to move laterally, and how they manually set up their backdoors while trying to fly under the radar using anti-forensics techniques. Linux attacks will also be shared to illustrate how many tools, techniques and procedures (TTPs) are cross-platform.

Curing GDPR Headaches

The European Union's General Data Protection Regulation (GDPR) went into effect on May 25, 2018 and compliance obligations are ongoing. This session offers a deep dive into the cybersecurity-focused obligations of GDPR and shows you how best practices may enhance your compliance posture. You might have more resources at your fingertips than you realize.

What's the Scenario? How to Design Cybersecurity Exercises That Achieve Results

In the past year, one financial institution lost a billion dollars to cyber thieves, another organization's corporate executives were blackmailed over compromising emails, an airline saw its entire fleet grounded by a ransomware attack and a drilling company's rigs were crippled by destructive malware. In each case, the victim was glad it happened, because each of these attacks took place in a simulation designed to exercise and improve the organization's ability to respond to a cyber incident.

Exercises like these are becoming increasingly common and in some cases, they are required by regulators or the board. In fact, a good cybersecurity exercise is one of the most effective ways an organization can prepare to respond. But what makes for a good exercise and how can organizations make sure the benefits they reap from an exercise are worth the time and effort required? During this session, we will discuss the components that make an exercise worthwhile and discuss how to develop scenarios that meet the exercise goals. We will also present and critique samples from actual exercises we have conducted. In addition, we will show you how you can design and lead exercises in your own organizations that can reveal security gaps and help you improve security posture.

Adversary Tradecraft: Analyzing Threat Graph Data Through the Lens of the MITRE ATT&CK Framework

The security community is quickly adopting MITRE's Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK) matrix as a framework for understanding and analyzing targeted intrusions. However, one of its potential limitations is the lack of robust historical intrusion data for developing accurate and thorough ATT&CK-based threat models. Falcon OverWatch analyzes threat behavior on a regular basis, and has amassed a rich library of malicious activity data that can be applied to the ATT&CK model.

The amount of OverWatch's interactive intrusion data is significant, thanks to the telemetry delivered by Falcon's endpoint sensor. The OverWatch Strategic Counter-Adversary Research (SCAR) team has evaluated all OverWatch intrusion data from January 1, 2018 onward through the lens of the ATT&CK framework. In this presentation, we will present our findings and highlight cases of unusual adversary tactics, techniques and procedures (TTPs). The results of this analysis deliver threat models that compare TTP use among various adversary groups, backed by hard data. We will note key differences and also discuss the limitations of this type of research. More information about MITRE's ATT&CK matrix is available online at:
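The comparison the abstract describes (which techniques an actor uses in nearly every intrusion, which techniques are unique to one actor, and how much two actors' technique sets overlap) reduces to simple set arithmetic over per-intrusion technique lists. The following is an added example, not OverWatch or CrowdStrike code and not their data: the intrusion records and the actor names are constructed, while the technique IDs are real ATT&CK IDs (T1059 Command and Scripting Interpreter, T1003 OS Credential Dumping, T1021 Remote Services, T1053 Scheduled Task/Job, T1078 Valid Accounts, T1547 Boot or Logon Autostart Execution, T1105 Ingress Tool Transfer, T1566 Phishing, T1204 User Execution).

```python
"""Compare ATT&CK technique use across adversary groups.

Added example with constructed data; not OverWatch code or telemetry.
Each intrusion record lists the ATT&CK technique IDs observed in it.
"""
from collections import Counter, defaultdict
from itertools import combinations

# Constructed sample: actor names are placeholders, technique IDs are real.
INTRUSIONS = [
    {"actor": "ACTOR_A", "techniques": {"T1059", "T1003", "T1021", "T1053"}},
    {"actor": "ACTOR_A", "techniques": {"T1059", "T1003", "T1021", "T1078"}},
    {"actor": "ACTOR_A", "techniques": {"T1059", "T1003", "T1053"}},
    {"actor": "ACTOR_B", "techniques": {"T1059", "T1078", "T1547", "T1105"}},
    {"actor": "ACTOR_B", "techniques": {"T1078", "T1547", "T1105"}},
    {"actor": "ACTOR_C", "techniques": {"T1566", "T1204", "T1059", "T1105"}},
]


def sample_sizes(intrusions):
    """Number of intrusions per actor; small counts make the fractions below unreliable."""
    return Counter(rec["actor"] for rec in intrusions)


def technique_matrix(intrusions):
    """Return {actor: {technique: fraction of that actor's intrusions using it}}."""
    per_actor = defaultdict(Counter)
    totals = sample_sizes(intrusions)
    for rec in intrusions:
        per_actor[rec["actor"]].update(rec["techniques"])
    return {
        actor: {t: n / totals[actor] for t, n in counts.items()}
        for actor, counts in per_actor.items()
    }


def signature_techniques(matrix, threshold=0.9):
    """Techniques an actor used in at least `threshold` of its intrusions."""
    return {
        actor: sorted(t for t, frac in techs.items() if frac >= threshold)
        for actor, techs in matrix.items()
    }


def distinctive_techniques(matrix):
    """Techniques observed for exactly one actor in the data set."""
    users = defaultdict(set)
    for actor, techs in matrix.items():
        for t in techs:
            users[t].add(actor)
    return {t: next(iter(actors)) for t, actors in users.items() if len(actors) == 1}


def jaccard_overlap(matrix):
    """Pairwise Jaccard similarity of the actors' technique sets (0 = disjoint, 1 = identical)."""
    overlap = {}
    for a, b in combinations(sorted(matrix), 2):
        sa, sb = set(matrix[a]), set(matrix[b])
        overlap[(a, b)] = len(sa & sb) / len(sa | sb)
    return overlap


if __name__ == "__main__":
    m = technique_matrix(INTRUSIONS)
    print("sample sizes:", dict(sample_sizes(INTRUSIONS)))
    print("signature techniques:", signature_techniques(m))
    print("distinctive techniques:", distinctive_techniques(m))
    for pair, score in jaccard_overlap(m).items():
        print(f"overlap {pair[0]} vs {pair[1]}: {score:.2f}")
```

The sample sizes are printed alongside the results on purpose: with one or two intrusions per actor, a technique "used in 100 percent of intrusions" says little, and that is one of the limitations of this kind of analysis that the session mentions. Real data also carries a telemetry bias, since only techniques the sensor can observe will ever appear in the matrix.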

Malware Analysis For The Masses

Every day, hundreds of thousands of new malware samples are found in the wild. This means organizations are inundated and impacted by malware attacks that are unknown and have never been seen before. To correctly understand the adversary and the attack, an organization must understand what the new sample is capable of doing and its potential impact on the organization's own network.

These tasks sound simple, but can be difficult to accomplish without straining your organization's resources. Join us to learn how Falcon Sandbox can not only speed this process via automation, but can provide key adversary information with the integration of Falcon Intelligence.

Deep Dive: Falcon Spotlight Product Roadmap

In this session, the CrowdStrike product team offers an in-depth discussion of Falcon Spotlight, CrowdStrike's vulnerability management solution. Join this session to gain insight into the development history of Spotlight, the current status of this solution, and CrowdStrike's roadmap for future vulnerability management capabilities.

Google Cloud Security – Challenges and Best Practices For Multi-Cloud Security

More than 80 percent of enterprises run in a multi-cloud or hybrid cloud environment. These environments present a complex threat surface that requires a different approach to risk management and threat mitigation. During this session, security experts from Google and CrowdStrike will discuss the security challenges of these cloud environments and offer best practices on how to ensure better security and threat defense in multi-cloud environments.

The Future of Container Security

Cloud containers are today's fastest growing data center technology, and modern data centers are built using containers such as Docker. Unfortunately, traditional security tooling has failed to secure containers because of their isolated architecture, making security one of the top factors hindering the adoption of container technology.

However, with the right solution, security doesn't have to be an obstacle. Join us for this session where we will discuss what Docker is and why it's so popular, the security challenges Docker environments present, and best practices for securing Docker containers.

Securing Cloud Environments

Hear stories from the field about how CrowdStrike's commercial and government customers are using Falcon and Falcon on GovCloud to protect key assets in the public cloud. Learn how CrowdStrike leverages Falcon as part of our internal security program, to safeguard petabytes of data and thousands of critical production servers.

Don't be a SOAR (Security Orchestration, Automation and Response) Loser!

Did you know that by 2021 the expected cost of cybercrime will rise to $3 trillion? How about the fact that organizations are struggling to manage over 70 security tools while facing a very real shortage of cybersecurity specialists? With data volumes on the rise, it's easy to see why swivel-chair syndrome might make your head spin.

Join us for a dynamic session focused on arming you with best-of-breed SOC use cases. We'll focus on the industry's leading platform offerings from CrowdStrike, Splunk and Phantom. This session will cover how to augment notable events in Splunk with Falcon event and audit data, enrich CrowdStrike detections with additional context from Splunk, and mitigate incidents using Phantom playbooks that query Falcon sensor and Falcon Sandbox data.

Power Up Splunk with Falcon

This technical session will examine how the CrowdStrike Falcon platform and Splunk can be integrated to leverage the information and capabilities of both platforms. It will consist of three sections. Section One will provide an overview of the current methods for getting Falcon data into Splunk, where to get the tools and apps, and what their capabilities are. In Section Two, we'll examine the technical add-ons and the app from Splunkbase, including how and where to deploy them within different Splunk environments.

You'll also learn how to properly configure the technical add-ons and app, the typical installation pitfalls, and how to troubleshoot and ultimately avoid them. In Section Three we'll examine use cases for leveraging the Falcon data both within and through Splunk, for example creating custom dashboards, enriching firewall rules and feeding security orchestration, automation and response (SOAR) platforms.

The No-Nonsense Threats to Industrial Controls

Although much is written these days about threats to industrial controls, it is often hyperbole that does little to give organizations the practical guidance they need to create a sound defense strategy. This session takes a no-nonsense perspective by focusing on four actual intrusion and destructive/disruptive events against industrial control systems in a range of industries, including manufacturing, electrical grids, and petrochemical facilities.

These four events reflect what we actually know about the threats to industrial environments and contain important lessons learned for defenders – offering real-world guidance for security professionals hoping to detect these threats and keep them out, as well as executives trying to understand the risk to their environments. By sticking to facts and evidence to understand industrial control threats, you’ll receive practical information that you can take back to your organization and use.

DRE - I Need a Doctor: Detection and Response Everywhere

Past and current breaches have proven that a prevention-only strategy can't ensure 100 percent protection. When a breach is discovered, organizations spend weeks or months trying to remediate the incident because they lack the visibility required to see and understand exactly what happened, how it happened and how to fix it. Endpoint detection and response (EDR), pioneered by CrowdStrike, has changed the game by providing complete visibility and forensics across endpoints to find threats sooner, investigate the impact on the organization, and prevent the incident from happening again.

While these capabilities have been game-changing on the endpoint, detection and response capabilities need to be extended everywhere. Network detection and response (NDR) is a concept that allows organizations to benefit from full-packet forensics, threat detection and incident response workflows across the entire network, from traditional enterprises to cloud, industrial and manufacturing environments. By bringing together CrowdStrike Falcon Insight™ EDR and ProtectWise NDR, we can provide a complete solution that enables the next generation of security operations center (SOC) analysts to gain complete visibility, detection and response from endpoint to network. This integrated platform approach allows an analyst to see the entire picture, the "how, when and what" of an attack, and to make sure it doesn't happen again. This talk will cover the value of bringing EDR and NDR together and includes a real-world example of an investigation that leveraged both endpoint and network detection and response, demonstrating the value of having detection and response everywhere as the foundation of an integrated platform for next-generation SOCs.

Remove Blind Spots & Combat Threats Enterprise-wide

ForeScout provides agentless device visibility, rich contextual insight and powerful policy-driven controls to combat threats across connected devices regardless of device type or network tier, including unmanaged, IoT, BYOD and guest devices. Learn how you can capitalize on the ForeScout and CrowdStrike integration to expand your security coverage and reduce overall risk by extending visibility, increasing endpoint compliance, and actively hunting for and responding to threats across both managed and unmanaged devices.


The Cyber Threat Landscape

Chollimas, Spiders, and Bears: there are myriad threats to your data and operations, and knowing who your adversaries are, what they're after and how they operate is essential to defending your enterprise. In this session, VP of Intelligence Adam Meyers will provide an overview of today's cyber threat landscape and the threats his team has observed targeting critical industries such as finance, energy, technology, hospitality and more.

He will also provide an in-depth look at the adversaries and threats found in different geographic regions, with a focus on some of the prevalent threat actors active in 2018. In addition, Adam will brief participants on recent intelligence and global trends with an emphasis on operationalizing the information so you can effectively orchestrate your defense.

INDRIK SPIDER: Big Game Hunting - An Inside Look at the Proprietors of Dridex and BitPaymer

INDRIK SPIDER is a sophisticated eCrime actor that has been operating the infamous Dridex banking Trojan since mid-2014. However, a significant change in the group's modus operandi and Dridex operations was observed in early 2017, and subsequently this eCrime actor launched a new ransomware dubbed BitPaymer in July 2017. This presentation will examine the history of INDRIK SPIDER operations, the move to targeted eCrime attacks, and how the group is now running two sophisticated campaigns in parallel to maximize its criminal profits.

Fully Automated Investigation and Attribution with Falcon X

This talk will highlight the current struggles and labor-intensive efforts involved in the incident response (IR) and intelligence processes. Currently, many resources are focused on understanding the threats and attacks aimed at your organization and the steps that should take precedence. The goal of this presentation and demo is to walk you through how Falcon X can take these processes, which normally take days or weeks, and shorten them to hours or even minutes, in some cases.

Olympic Destroyer Attribution Games

Olympic Destroyer burst onto the world stage in February 2018 as malware designed to destroy data and disrupt the opening ceremony of the 2018 Winter Olympics. It also contained nested code artifacts that could be linked to tools used in operations by North Korean actors. Were these artifacts accidentally included, or were they part of the attribution games being played by the actors that were really responsible?

Perhaps the Olympic Athletes from Russia were not the only ones operating under a false flag. This session will examine how Olympic Destroyer works and the technical evidence uncovered by CrowdStrike, which points to an attribution theory for the activity and links to a wider complex of activity spanning several years.

North Korea's Cyber Threat: Breaking Down the CHOLLIMAs

This session will provide CrowdStrike Falcon Intelligence's comprehensive view of the CHOLLIMA adversary groups and how they operate in support of larger Democratic People's Republic of Korea (DPRK) goals, including espionage and financial gain. In this session, unique tooling, campaigns and behavior will be identified for each group to provide a better understanding of how CrowdStrike tracks each adversary. We will also discuss where these adversaries fit in the overall threats a customer faces in their specific industry sectors.

In addition, this session will present the Falcon Intelligence team's theory of DPRK "Code Legos." This observation is based on the identification of code reuse among different CHOLLIMA adversaries for different campaigns, suggesting a central code pool that is fairly unique to DPRK cyber operations. While such a system was likely formed due to the need to effectively allocate limited resources, it has also caused misattribution and confusion in the security community.

Attacking Trust and the Trojan Problem

The concept of a trojanized software program isn't new; for over 35 years computer scientists and security professionals have been discussing how seemingly legitimate applications run by users can harbor unanticipated malicious functionality, particularly when they have been obtained from untrusted sources. Although this technique fell out of favor in recent years, as security controls tighten and cybersecurity awareness levels increase, attackers have begun to re-explore trojan techniques to enable both highly targeted and large-scale campaigns.

Attacking user trust has been put back in the playbook of many sophisticated adversaries, who have compromised the infrastructure, distribution mechanisms, and supply chains of legitimate software to achieve their aims. This presentation discusses different classes of trust and how they can be exploited to deliver malicious code, and includes case studies derived from research conducted by the CrowdStrike Falcon Intelligence team. From one-on-one user interactions to the compromise of software update mechanisms and the associated wide-reaching consequences, we show you how user education and verified update mechanisms can augment your current network monitoring processes as part of an overall security strategy.

Actor-Agnostic TTP Analysis Informing the Broader Cyber Threat Landscape

Tracking events by compiling an all-inclusive timeline of incidents that occur during defined time periods (regardless of attribution) can provide a broader, more comprehensive look at the cyber threat landscape as a whole. Such a high-level view calls attention to the adoption rate of tactics, techniques and procedures (TTPs), most notably seen in the use of exploits, flowing from cyber espionage campaigns to eCrime operations and vice versa. This session will provide examples of how actor-agnostic TTP trending has informed CrowdStrike Falcon Intelligence periodic reporting products and highlighted rising trends that affect all sectors.

Customer Case Study

Retail Customer Case Study: Using Falcon to Mitigate Insider Threats

The CrowdStrike Falcon platform is most commonly used to stop external threats, but threat hunting can take many forms and the broad visibility provided by an endpoint detection and response (EDR) system can also be used to investigate internal threats. This case study will discuss how CrowdStrike has leveraged the Falcon platform to start an insider threat program and how it enables us to assist organizations' human resources and legal departments with insider threat investigations.

Global Engineering and Technology Customer Case Study: Falcon Global Deployment, Utilizing Compliance, Soft skills and Lessons Learned

In this session, a global engineering and technology customer will provide insight into the seemingly simple task of deploying CrowdStrike Falcon agents into a global environment. The session will discuss vendor and customer relationships, expectations and interactions, gathering birds of a feather, and stakeholder identification and partnerships. It will also touch on compliance highlights, picking the right pilot and grouping the deployment into manageable targets on the path to success.

Verizon Customer Case Study: Process to Operationalize The CrowdStrike Falcon Platform

Come hear Verizon discuss why and how they displaced Symantec Endpoint Protection with CrowdStrike Falcon. The discussion will cover the processes used to evaluate the product, run a proof of concept (POC), deploy it, manage updates and policies, and work with their Threat Management Center.

Hospitality Customer Case Study: Stopping a Breach

Hear from the CISO of a large hospitality customer about how he successfully mitigated a breach in their environment. He will discuss the lessons he learned along the way and how his team used CrowdStrike Falcon to keep their organization safe and stop the breach.

Retail Customer Case Study: Using Falcon to Mitigate Insider Threats

A large retail customer will present a case study discussing insider threats that they have encountered in their environment. They will show how they utilize the CrowdStrike Falcon platform to mitigate these threats and stop breaches by trusted insiders.

Global Mining Customer Case Study: Stopping an Attempted Breach of a CrowdStrike Customer by The WICKED PANDA Adversary

Hear from CrowdStrike and a global diversified mining customer as they discuss a breach attempt in the customer's environment perpetrated by the Chinese adversary WICKED PANDA. This session will provide an in-depth discussion of the incident from beginning to end, explaining how the company was alerted to the intrusion, the steps taken to respond to it, and the collaboration with CrowdStrike that empowered this customer to stop the adversary.


Don't Hate. Remediate. - Using Falcon Real Time Response (RTR) for Remote Remediation

The need to rebuild systems after malware infections should be a thing of the past, and security operations center (SOC) teams should be remediating infected systems with confidence. Unfortunately, users are still opening malicious email attachments and clicking links, and systems are still being compromised. During this session, we will discuss endpoint remediation using CrowdStrike Falcon Real Time Response (RTR) and show you how this solution reduces both user downtime and IT support staff overhead.

No Macros, No Problem. Attackers Use Outlook Forms for Lateral Movement and Persistence

This session will provide an in-depth look at a novel adversary attack method, including its background and a step-by-step walkthrough of how it is used for lateral movement and persistence in victim environments. The attack leverages customized forms in Microsoft Outlook, not macros, which allow Visual Basic code to execute on a system simply by opening or previewing an email message.

The walk-through will highlight how CrowdStrike Services identified the attack, including the tell-tale signs of the attack from both a system and network perspective. This session will also highlight forensic artifacts that can aid in the detection and prevention of the Outlook Forms attack, allowing organizations to better defend themselves against it.

Falcon Training

Phishing Emails and Web Exploits – Attack Scenario

In this session, you'll learn how to use the Falcon platform to detect, prevent and remediate email phishing attacks and web exploits. We will look at an actual attack and show you how Falcon can provide rich details on adversary activity, including the appropriate steps to take for remediation and future prevention. This session will also provide an update on the top threat actors and the tactics, techniques and procedures (TTPs) behind the most advanced attacks. You will also learn best practices for leveraging intelligence to protect your networks and endpoints.

Intel Ninja Skills – How to Become a Falcon Intel Master

Gaining a full understanding of the threat landscape involves much more than mastering the "button-ology" of the Falcon interface. Learn how to extract the right information at the right time and how to consume Falcon Intelligence products to gain a better understanding of the threats your organization faces. This session will also briefly cover the concept of creating an Intelligence Framework and how the Falcon Intelligence application can be the foundation of your cyber threat program.

Getting the Most Out of Real Time Response (RTR)

When a cyberattack is discovered, security operations center (SOC) teams have two urgent goals: first, to understand the threat quickly, and second, to take action to remediate it. Real Time Response (RTR) is a new feature in the Falcon platform that addresses the second goal. Listing and killing processes, editing the registry and managing files are just a few of the many capabilities RTR provides. In this session, we will look at those features and how to put them to work in your incident response plan.

Falcon and the MITRE ATT&CK Framework – Better Together; Feature Update

When the Falcon platform detects malicious activity, the detection is typically categorized as a specific "activity type." CrowdStrike has expanded this capability to provide richer, additional details with each detection. This session will cover the expanded datasets available for each detection and explain how they can be used in a typical analysis workflow.

How To Build A World-Class Threat Hunting Team

This session will focus on the fundamentals of building and operationalizing an adversary threat hunting program. During this session we will discuss the latest advanced adversary techniques and tradecraft. In addition, we will explain the processes, required skill sets and methodologies that CrowdStrike Services employs to hunt for adversaries in customer environments. Don't miss this opportunity to advance your threat hunting skills and methods and take your organization's ability to detect and hunt to the next level.

Falcon Training - Optional Add-On

From Falcon to OSINT – Conducting Open Source Intelligence Collection from Falcon-Derived Artifacts

The Falcon Intelligence application contains an enormous number of artifacts and indicators to properly attribute attacks. However, you can still supplement Falcon Intelligence reporting with your own open source information to provide your organization with holistic and customized intelligence reports. This four-hour session will offer hands-on training that will cover the basic concepts of secure online access and can help you protect your collection efforts. In addition, we will introduce numerous tools and techniques to enhance your reporting framework based on openly accessible information from the Internet.

Event Searching in Endpoint Activity Monitoring (EAM) with Splunk

Whether you are an analyst, responder or threat hunter, event searching in EAM data can provide a wealth of information and insight into the activity on your endpoints. Using simple techniques, we will perform statistical analysis to identify outliers, trends and other indicators of adversary activity. Attendees will leave this four-hour session with an understanding of the event search syntax, as well as how the data is stored and how events relate to one another. We will also build queries to perform analytics on this data and display the results in an understandable form.
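The "statistical analysis to identify outliers" this session describes is, in its simplest form, frequency analysis (often called stacking): count how often each parent/child process pair or command line occurs across the fleet and look at the ones seen on only a handful of hosts. The following is an added example, not CrowdStrike code and not EAM or Splunk query syntax: the process events are constructed, the host names are placeholders, and the encoded PowerShell command line is made up for illustration. It also shows the kind of rare parent/child pair (a mail client spawning a shell) that an investigation like the Outlook Forms session above would look for, though the page does not say which artifacts that session covers.

```python
"""Stacking (frequency analysis) over endpoint process-creation events.

Added example with constructed data; not CrowdStrike code and not the
EAM/Splunk search language. Counts parent->child pairs across hosts and
surfaces the pairs that appear on very few hosts.
"""
from collections import Counter, defaultdict

# Constructed sample events: (host, parent image, child image, command line).
EVENTS = [
    ("ws01", "explorer.exe", "chrome.exe", "chrome.exe"),
    ("ws02", "explorer.exe", "chrome.exe", "chrome.exe"),
    ("ws03", "explorer.exe", "chrome.exe", "chrome.exe"),
    ("ws01", "explorer.exe", "outlook.exe", "outlook.exe"),
    ("ws02", "explorer.exe", "outlook.exe", "outlook.exe"),
    ("ws03", "explorer.exe", "outlook.exe", "outlook.exe"),
    ("ws01", "services.exe", "svchost.exe", "svchost.exe -k netsvcs"),
    ("ws02", "services.exe", "svchost.exe", "svchost.exe -k netsvcs"),
    ("ws03", "services.exe", "svchost.exe", "svchost.exe -k netsvcs"),
    # Made-up suspicious events: a mail client launching an encoded
    # PowerShell command, and a shell mapping an admin share.
    ("ws02", "outlook.exe", "powershell.exe", "powershell.exe -nop -w hidden -enc SQBFAFgA"),
    ("ws03", "cmd.exe", "net.exe", "net use \\\\fs01\\c$"),
]


def parent_child(event):
    """Stacking key: normalized (parent image, child image)."""
    return (event[1].lower(), event[2].lower())


def stack(events, key):
    """Count events per key, plus how many distinct hosts exhibit that key."""
    counts = Counter(key(e) for e in events)
    hosts = defaultdict(set)
    for e in events:
        hosts[key(e)].add(e[0])
    return {k: {"events": counts[k], "hosts": len(hosts[k])} for k in counts}


def rare(stacked, max_hosts=1):
    """Keys seen on at most `max_hosts` hosts, rarest first, ties broken by key."""
    return sorted(
        (k for k, v in stacked.items() if v["hosts"] <= max_hosts),
        key=lambda k: (stacked[k]["hosts"], stacked[k]["events"], k),
    )


def rare_parent_child(events, max_hosts=1):
    """Parent/child pairs that almost no host in the sample exhibits."""
    return rare(stack(events, parent_child), max_hosts)


def encoded_powershell(events):
    """(host, command line) for PowerShell launched with an encoded command."""
    hits = []
    for host, _parent, child, cmdline in events:
        tokens = cmdline.lower().split()
        if child.lower() == "powershell.exe" and any(t in ("-enc", "-encodedcommand") for t in tokens):
            hits.append((host, cmdline))
    return hits


if __name__ == "__main__":
    for pair in rare_parent_child(EVENTS):
        print("rare parent/child pair:", pair)
    for host, cmdline in encoded_powershell(EVENTS):
        print(f"encoded PowerShell on {host}: {cmdline}")
```

Counting distinct hosts rather than raw events is the important choice: a noisy process that fires a thousand times on one machine is still a one-host outlier, while a pair that shows up once on every workstation is probably a legitimate scheduled job. Real telemetry would also need the key normalized further (stripping paths, lowercasing, collapsing version-specific directory names) before the counts become meaningful.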