Profile
Prior to moving to security, Ryan worked as a technical trainer for six years. His stint as a full-time trainer prepared him for the rigors of life-long learning. He loves training and often assists with training development.
Ryan’s current passion is researching ransomware in order to help as many people as possible learn to deter, detect, and respond to the threat. In preparing for development of FOR528, Ryan has drawn on his extensive expertise working ransomware incidents. The course features numerous labs, a full-day Capture the Flag exercise, and provides tools that can be used to share and collaborate on hunting queries between entities and disparate systems.
"When it comes to ransomware, the primary blocker for students is realizing that early detection often requires hunting," Ryan explains. "Some DFIR students who take the FOR528 course may not have experience with hunting, so the concept is simply new to them. We are not just relying on alerting systems. Rather, we are relying on our ability to seek out and hunt the adversary within our networks."
Outside of ransomware, one of Ryan’s interests in the security realm is the exciting world of reverse engineering. “Malware has become pervasive,” he says, “and I relish the ability to dissect, understand, and protect against evolving threats." Ryan loves finding all the new tricks that malware authors use to circumvent security appliances.
Ryan's association with SANS began when he took a course in 2013, a path that eventually led to him becoming a course instructor and author.
"These days it’s difficult to have a conversation concerning DFIR without referencing SANS in some way, shape, or form,” he says. “The power of SANS isn’t just behind the courses, but rather behind the family as a whole. The course authors, instructors, and folks in all other departments have come together to create an ever-evolving beast of a training institute."
As a teacher Ryan wants his students to walk away with a full understanding of the content covered in class. "I don’t want to teach people how to push buttons to get bananas. I aim for every student to understand the ‘why’ behind the ‘how.’ For example, I want to ensure that students leave the class knowing why we look for VirtualAlloc and VirtualProtect calls in packed malware samples. I want my students to know WHY these are important function calls," he says.
Ryan also wants students to recognize their potential for mastering the topics covered in class. "Be it ransomware or general malware analysis, I strive to instill confidence in my students. Sure, we learn the foundations and advanced topics. But these things are doable outside of the classroom, even at their daily jobs. My classes aren’t magical adventures that end when the class concludes. Rather, these are skills that can be translated to the daily lives of every student."
When teaching, Ryan often stays after class to provide additional examples of the topics covered each day. He provides additional resources such as vetted and trusted YouTube videos and articles that cover the topics in slightly different ways. "I tell any student struggling with a given concept that it’s all about the practice and recognition of the activity involved. Thus, I provide plenty of examples to ensure that if they put in the time, the concept will solidify for them."
Ryan also previously led a hacker and security conference in Arizona called CactusCon. Outside of work, he enjoys watching anime with his daughter, mountain biking, and collecting retro video games.
Qualifications Summary:
- 13 years of experience in incident response, digital forensics investigations (host- and network-based forensics), and malware analysis
- Seasoned speaker at technical conferences including DefCon, BSides events, CactusCon, Splunk conferences, and more
- Former lead organizer for CactusCon, Arizona’s hacker/security conference
- Faculty member at the SANS Technology Institute
- Author of several PluralSight.com training courses
Ryan's Workshops and Webcasts (his favorites!):
- Watch Ryan’s overview of the FOR528 course, "Learning to Combat Ransomware"
- Watch Ryan’s video, "Hands-on Ransomware: Exploring Cybercrime", with John Hammond
- Watch Ryan’s video, "PikaBot Malware Analysis: Debugging in Visual Studio", with John Hammond
- Check out Ryan’s various ransomware-oriented episodes of the "SANS Wait Just an Infosec" live stream playlist
- Watch Ryan’s @Night talk, "Handling Ransomware Incidents: What YOU Need to Know!"
- Watch Ryan’s @Night talk, "Detecting & Hunting Ransomware Operator Tools: It Is Easier Than You Think!"
- Watch Ryan’s SANS livestream, "The Truth about Ransomware: It’s not Complicated!"
- Watch Ryan’s video, "Stay Ahead of Ransomware Livestream Series – Episode 2"
- Watch Ryan’s video, "Stay Ahead of Ransomware Livestream Series – Episode 1"
- Watch Ryan's panel discussion on ransomware, "Ransomware - Do You Pay It Or Not? Experts Debate the Costs Ethics around Paying Ransomware"
- Watch Ryan’s webcast, "LOCKED OUT! Detecting, Preventing, & Reacting to Human Operated Ransomware"
- Watch Ryan’s summit talk, "Hunting Human Operated Ransomware Operators"
- Watch Ryan’s webcast, "Oh You Silly Framework!: An Intro to Analyzing .NET Malware"
- Follow along with Ryan's hands-on workshops, "Understanding and Analyzing Carrier Files," "Exploit Kit Shenanigans: They're Cheeky!," and "Network Forensics Workshop: Packet Pillaging Done Right!"
Ryan Chapman's Accomplishments:
- Presented a workshop at DefCon 5 years running
- 1st Place in SOCX Professional SOC Team Work Championship 2021 (team)
- 1st Place in Network Forensics Puzzle Contest at DefCon 23 and DefCon 22 (team)
- Master's in Information Assurance from NSA-certified Regis University
- GIAC Reverse Engineering Malware (GREM)
- GIAC Defending Advanced Threats (GDAT)
- GIAC Certified Incident Handler (GCIH)
- CompTIA Security+ and Linux+
- Learn more about Ryan at his website: https://incidentresponse.training/