This page contains a list of selected presentations Phil has made or is scheduled to make, as well as other speaking engagements or appearances.

SANS Training Events

FOR572: Advanced Network Forensics and Analysis

Previous Events:

  • SANS Las Vegas 2017: January 23 – 28, 2017; Las Vegas, NV
  • SANS Munich Winter 2017: February 13-18, 2017; Munich, Germany
  • Private Event: February 27 – March 4, 2017; Augusta, GA
  • SANS vLive: February 28 – April 6, 2017; Online
  • SANS 2017: April 9 – 14, 2017; Orlando, FL
  • Threat Hunting and Incident Response Summit: April 20-25, 2017; New Orleans, LA
  • SANS Riyadh 2017: May 6 – 11, 2017; Riyadh, Saudi Arabia
  • SANS Stockholm 2017: May 29 – June 3, 2017; Stockholm, Sweden
  • SANS Secure Europe 2017: June 12 – 17, 2017; Amsterdam, Netherlands
  • Digital Forensics and Incident Response Summit: June 24 – 29, 2017; Austin, TX
  • SANS London July 2017: July 3 – 8, 2017; London, UK
  • SANSFIRE 2017: July 24 – 29, 2017; Washington, DC (With Simulcast)
  • SANS Network Security 2017: September 10 – 15, 2017; Las Vegas, NV
  • SANS EMEA DFIR Summit 2017: October 2 – 7, 2017; Prague, Czech Republic
  • SANS October Singapore 2017: October 16 – 21, 2017; Singapore, Singapore
  • SANS Tokyo Autumn 2017: October 23 – 28, 2017; Tokyo, Japan

Formal Presentations

“The Tap House”: This is a series of talks that focus on new and emerging topics in the Network Forensics arena. No two talks will be quite the same, so feel free to stop in and see what’s new if you’re attending a SANS or other event where we’re holding an event.

Packets move pretty fast. The field of Network Forensics needs to move fast, too. Whether you are investigating a known incident, hunting unidentified adversaries in your environment, or enriching forensic findings from disk- and memory-based examinations, it’s critical to stay abreast of the latest developments in the discipline.

In this SANS @Night series, Phil Hagen will discuss some of the latest technologies, techniques, and tools that you will want to know in pursuit of forensication nirvana.

Phil is also an avid craft beer fan, so there’s a good chance you will learn something about a new notable national or interesting local beer in the process.

This presentation will be helpful for those that wish to keep up-to-date on the most cutting-edge facets of Network Forensics.

  • None scheduled at this time

Previous Events:

  • Episode 0x02 – SANS @Night (SANS Las Vegas 2017): January 25, 2017; Las Vegas, NV
  • Episode 0x02 – SANS @Night (SANS Munich Winter 2017): February 14, 2017; Munich, Germany
  • Episode 0x02 – SANS @Night (SANS 2017): April 17, 2017; Orlando, FL
  • Episode 0x03 – SANS @Night (SANS Threat Hunting and Incident Response Summit 2017): April 22, 2017; New Orleans, LA
  • Episode 0x03 – SANS @Night (SANS Stockholm 2017): May 31, 2017; Stockholm, Sweden
  • Episode 0x03 – SANS @Night (SANS Secure Europe 2017): June 13, 2017; Amsterdam, Netherlands
  • Episode 0x04 – SANS @Night (SANS EMEA DFIR Summit 2017): October 2, 2017; Prague, Czech Republic
  • Episode 0x04 – SANS @Night (SANS Secure October Singapore 2017): October 18, 2017; Singapore, Singapore
  • Episode 0x04 – SANS @Night (SANS Tokyo Autumn 2017): October 25, 2017; Tokyo, Japan

Threat Hunting with Indicators: Not for Prevention Anymore

Threat Hunting is essentially using new intelligence to examine existing data collections. Network data such as NetFlow, Logs, and Full-Packet Capture provides extremely useful source data to facilitate threat hunting and this webcast will show you how.

Traditionally, network defenders have used intelligence such as indicators to feed so-called prevention or real-time detection systems. However, the shelf-life for most threat intelligence is growing shorter – often being outdated as soon as it is released. Instead, security practitioners should use this intelligence as a means of searching for previous activity consistent with those newly-available indicators. This is the essence of hunting.

In this webcast, we’ll explore some recent intelligence releases (possibly including GRIZZLY STEPPE, the Shadow Brokers, or similar). Using pre-collected network evidence, we will identify some false positives that can be ruled out, saving you precious time, as well as some potentially suspicious actions that warrant further investigation.

Previous Events:

  • SANS Webcast: March 21, 2017; Online (Archived presentation available at link)

Elevating Your Analysis Tactics: The New Forensics Poster

Join FOR572: Advanced Network Forensics Analysis course author and instructor Phil Hagen as he introduces the brand-new SANS Network Forensic Poster, which will be mailed worldwide in late May. Phil will browse the poster contents and highlight use cases that will help improve your network forensic capabilities. He will also discuss the latest release of the free SOF-ELK analytics VM appliance and show some examples of how it can help make quick work of even massive volumes of forensic data – whether for Network Forensics, Disk-based Forensics, or Security Operations.

Previous Events:

  • SANS Webcast: June 6, 2017; Online
  • SANS Webcast: July 20, 2017; Online

What’s new on the FOR572 Horizon – Stockholm and Beyond

The forensic world moves quickly, and SANS classes are updated frequently to address a rapidly changing landscape. FOR572, Advanced Network Forensics and Analysis, has been freshly updated to include new tools and analytic processes.

The new courseware includes a heavy focus on the SOF-ELK platform for efficient and effective “big data” processing for log and NetFlow evidence. Students will also use the Moloch full-packet capture and analysis platform, providing a free and efficient method of loading existing pcap data or capturing live content.

Numerous additional tools have been updated within the SANS Linux SIFT Workstation, with custom modifications focused on network traffic analysis processes.

The course material also incorporates new protocol variants for HTTP, SMB, and more. Labs have been overhauled to leverage the new tooling and processes as well – helping you to get good findings faster.

In this webcast, you’ll learn what we’ve added as well as how FOR572 is continually evolving to meet the changing demands evident in your casework. Forensicators, security analysts, and investigators will all benefit. We’re looking forward to you joining the webcast and hope to see you in class at Stockholm or another upcoming event as well.

Previous Events:

  • SANS Webcast: March 7, 2017; Online (Archived presentation available at link)

“Creators of Code…Why Not Kids?”: Presented with Genevieve Hagen, a 5th grade student from the Cape Henlopen School District and Lewes Tech employee #3.

This presentation will explain why coding is an important part of childhood education. We will also cover some of the educational resources available to Cape students as well as the general public.

Previous Events: