Prior to moving to security, Ryan worked as a technical trainer for over five years. His stint as a full-time trainer prepared him for the rigors of life-long learning. He loves training and often assists with training development.
One of Ryan’s primary interests in the security realm is the exciting world of reverse engineering. “Malware has become pervasive,” he says, “and I relish in the ability to dissect, understand, and protect against evolving threats." Ryan loves finding all the new tricks that malware authors use to circumvent security appliances.
Ryan’s current passion is researching ransomware in order to help as many people as possible learn to deter, detect, and respond to it. In preparing the upcoming forensics course for SANS, FOR528: Ransomware for Incident Responders, Ryan is drawing on his extensive expertise with ransomware incidents. The course will feature numerous lab and Capture-the-Flag exercises and provides tools that can be used to share and collaborate on hunting queries between entities and disparate systems.
"When it comes to ransomware, the primary blocker for students will most likely be realizing that early detection often requires hunting," Ryan explains. "Many DFIR students who take the FOR528 course may not have experience with hunting, so the concept is simply new to them. We are not relying on alerting systems. We are relying on our ability to seek out and hunt the adversary within our own networks."
Ryan's association with SANS began when he took a course in 2013, a path that eventually led to him becoming a course instructor and author.
"These days it’s difficult to have a conversation concerning DFIR without referencing SANS in some way, shape, or form,” he says. “The power of SANS isn’t just behind the courses, but rather behind the family as a whole. The course authors, instructors, and folks in all other departments have come together to create an ever-evolving beast of a training institute."
As a teacher Ryan wants his students to walk away with a full understanding of the content covered in class. "I don’t want to teach people how to push buttons to get bananas. I aim for every student to understand the ‘why’ behind the ‘how.’ I want to ensure that students leave the class knowing why we look for VirtualAlloc and VirtualProtect calls in packed malware samples. I want my students to know WHY these are important function calls," he says.
Ryan also wants students to realize their potential for mastering the topics covered in class. "Be it general malware or ransomware analysis, I strive to instill confidence in my students. We learn the foundations of advanced topics. But these things are doable outside of the classroom, even at their daily jobs. My classes aren’t magical adventures that end when the class ends. Rather, these are skills that can be translated to the daily lives of every student."
When teaching FOR610 Ryan often stays after class on the day they cover the stack in order to discuss the topic in more detail using additional samples. Ryan even provides students with a recording of himself going over this content. He also provides additional resources such as vetted and trusted YouTube videos and articles that cover the stack in slightly different ways. "I tell any student struggling with the concept that it’s all about the practice and recognition of how the stack works. Thus, I provide plenty of samples to ensure that if they put in the time, the concept will solidify for them."
Ryan also leads a hacker and security conference in Arizona called CactusCon. Outside of work, he enjoys watching anime with his daughter and playing retro games.
- Principal Incident Response Consultant with Blackberry
- More than 10 years of experience in incident response, digital forensics investigations (host- and network-based forensics), and malware analysis
- Seasoned speaker at technical conferences including DefCon, various BSides events, CactusCon, Splunk Conference, and more
- Lead organizer for CactusCon, Arizona’s hacker/security conference
- Author of several PluralSight.com training courses
Ryan's Workshops, Blog Posts, and Podcasts:
- Read the Enterprise Security Tech Q&A where Ryan speaks on the Kaseya ransomware attack
- Watch Ryan's STAR Episode on "Ransomware" with host Katie Nickels
- Watch Ryan's latest panel discussion on ransomware, Ransomware - Do You Pay It Or Not? Experts Debate the Costs Ethics around Paying Ransomware
- Watch Ryan’s webcast, "LOCKED OUT! Detecting, Preventing, & Reacting to Human Operated Ransomware"
- Watch Ryan’s summit talk, "Hunting Human Operated Ransomware Operators"
- Watch Ryan’s webcast, "Oh You Silly Framework!: An Intro to Analyzing .NET Malware"
- Watch Ryan’s webcast, "Protect Your Workforce from Business Email Compromise"
- Listen to Ryan’s SANS Blueprint Podcast episode, "The Blue Teamer’s Blueprint for Malware Triage"
- Watch Ryan’s Positively Blue Team Podcast episodes, "Mythical Malware Analysis" and "SOC X – The Special""
- Watch Ryan’s podcast, "Ask Us Anything! Cyber Defense Live Q&A #2"
- Follow along with Ryan's hands-on workshops, "Understanding and Analyzing Carrier Files," "Exploit Kit Shenanigans: They're Cheeky!," "Network Forensics Workshop: Packet Pillaging Done Right!,!," and "Network Forensics Workshop Deux: Long Live Packet Pillaging!"
- Read Ryan's bog posts, "Testing Network Forensics Skills: Challenge Accepted" and Landing a Hands-On Security Gig Part 1 & 2"
Get to Know Ryan Chapman:
- 1st Place in SOCX Professional SOC Team Work Championship 2021 (team)
- 1st Place in Network Forensics Puzzle Contest at DefCon 23 and DefCon 22 (team)
- Master’s of Information Assurance from a NSA-certified Regis University
- GIAC Reverse Engineering Malware (GREM)
- GIAC Defending Advanced Threats (GDAT)
- GIAC Certified Incident Handler (GCIH)
- Splunk Certified Admin and Power User
- CompTIA Securtiy+ and Linux+
- Certified Linux Server Professional (LPIC-1)