Please note that this conference agenda is subject to change. If you’re viewing this from a desktop, you can hold shift and click on multiple columns to sort them at the same time. All times below are in Mountain Time (MT).
Attendees will be able to watch our keynote presentations and talks, learn some new tools at the Toolshed, and can participate in workshops, labs, an Escape Room, calf-roping, mechanical bull riding, and the MetaCTF Capture the Flag event.
Don’t forget, attendees will be invited to a private Discord server facilitating all the virtual conference fun. Join the Discord server and visit the #getting-started channel which contains a quick index of the many conference activities as well as a short getting started video.
Note: Track and Workshop streaming links can be found in the #track-links channel on the WWHF Deadwood 2022 Discord server. Attendees will also receive these links via email.
| Day | Start | End | Title | Presenter(s) | Type | Location | Abstract/Description | Presenter Bio(s) |
|---|---|---|---|---|---|---|---|---|
| Weds | 2:00PM | 6:00PM | Registration | Registration | Second Floor (conference level) | |||
| Weds | 5:00PM | 9:00PM | Capture the Flag hosted by MetaCTF | MetaCTF | Fun & Games | General Session | ||
| Weds | 5:15PM | 5:45PM | WWHF Pre-Con Flash CTF Walkthrough | John Strand Serena DiPenti |
Walk-through | General Session | ||
| Weds | 5:45PM | 6:00PM | Welcome with Ean Meyer | Ean Meyer | Welcome | General Session | ||
| Weds | 6:00PM | 8:00PM | Sponsor Stampede | Fun & Games | General Session | |||
| Weds | 7:00PM | 9:00PM | Welcome Wagon | Fun & Games | General Session | Play POGs, meet attendees, and win prizes at Deadwood Mountain Grand! | ||
| Thurs | 7:30AM | 6:30PM | Registration | Registration | Second Floor (conference level) | |||
| Thurs | 7:50AM | 8:00AM | Welcome & Announcements | John Strand | General Session | |||
| Thurs | 8:00AM | 8:50AM | Hackers In The Boardroom | Alyssa Miller | Keynote | General Session | In a world where corporate boardrooms are filled with stuffy shirts and suits, one form of security executive subverts these spaces with much needed chaos. This is the story of a life-long hacker who once felt the only way to climb the corporate ladder was to hide her devious past but discovers that this identity is actually the key to breaking into those exclusive conversations. By embracing the hacker culture that carried her through her adolescence, she’s now challenging broken systems and pwn’ing the boardrooms. She’s learned how to exploit the foundations of conservative organizations to bring real change to their security posture. In her keynote Alyssa Miller comes home to her hacker family to share the lessons she’s learned in how embracing our hacker identity gives us power and influence in the boardroom. Hold on tight as she demonstrates how the same attack techniques we use to expose flaws in IoT devices, poorly written mobile apps, or vulnerable networks can be put to use conquering executive and board member perceptions. See how she has achieved not only trust but admiration of the directors and advisors just by owning her own hacker roots and advocating for those ideals credibly with those business leaders. Coming soon to organizations near you, it’s Hackers in the Boardroom. | Alyssa Miller is a hacker who, in her pre-teens, bought her first computer and hacked her way into a paid dial-up community platform. She grew up in hacker culture, finding her hacker family in IRC channels during her adolescent years. While IT was not her original career plan, she ended up working as a developer and later a penetration tester in the financial services industry. As she moved into consulting, her focus on defending technology systems and personal privacy grew to the point where she was advising fortune 100 companies on how to build comprehensive security programs.
Alyssa is now the CISO at New York based Epiq Global. Still very much a hacker to this day, she’s built on that identity to grow her career. She is an internationally recognized public speaker and author of “Cybersecurity Career Guide”. She’s an advocate for helping others make a career out of their passion for hacking and security in general. She’s also a proponent for the open sharing of ideas and perspectives on improving our technologically connected world. |
| Thurs | 9:00AM | 9:50AM | It’s just Kerberos delegation…Trust me… | Darryl Baker | Talk | Track 1 | Recently, many Active Directory vulnerabilities have been discovered that span every type of Kerberos delegation. Attacks such as Bronze Bit and PrintNightmare rely on common misconfigurations of these delegations. An emerging attack vector is compromising delegations that cross security boundaries (e.g. AD Trusts or in a hybrid AD environment). Microsoft has recently made the announcement of native Kerberos authentication in Azure AD. While this brings a lot of security benefits around authentication, this also means that existing Kerberos vulnerabilities can extend from an on-premise AD environment to exploit an object in Azure (such as impersonation via delegation). The opposite is also possible with on-premise objects (such as an application proxy) having the ability to impersonate cloud users. I will discuss some of these newer vectors of attack. | Darryl G. Baker is a “swiss army knife of technology”. After serving in the U.S. army for 10 years, Darryl went on to pursue a career in technology. He has worked in a variety of roles ranging from back-of-the-house break/fix to data center manager and everything in between. Due to the prevalence of Active Directory misconfigurations in recent major cybersecurity attacks, Darryl shifted his focus towards security and understanding why these types of attacks are so common. For the last few years, Darryl has worked as a security consultant and researcher specializing in Active Directory. He has written blogs on AD security as well as spoken on the subject on multiple occasions. He is on the board of several cybersecurity organizations and is the host/creator of Identity Village (also known as AD Hacking Village). He currently holds several security certifications including CISSP, Certified Ethical Hacker, CCSP, and Certified Professional Forensic Analyst. When Darryl is not looking for new security vulnerabilities, he enjoys building radios/satellites, as well as playing competitive pool. |
| Thurs | 9:00AM | 9:50AM | Getting the most ouf of Sysmon | Amanda Berlin | Talk | Track 2 | The default logging capabilities from Microsoft are only helpful to a certain extent. This session will discuss how to utilize the Sysinternals tool Sysmon for threat hunting, testing detections and more. The session will explain use cases and look at real examples of Sysmon successfully detection malicious behavior in the wild. | Amanda Berlin is the Lead Incident Detection Engineer for Blumira and the CEO and owner of the nonprofit corporation Mental Health Hackers. She is the author of a Blue Team best practices book called “Defensive Security Handbook: Best Practices for Securing Infrastructure” with Lee Brotherston through O’Reilly Media. She is a co-host on the Brakeing Down Security podcast and writes for several blogs. She has spent over a decade in different areas of technology and sectors providing infrastructure support, triage, and design. She now spends her time creating as many meaningful alerts as possible. Amanda is an avid volunteer and mental health advocate. She has presented at a large number of conventions, meetings and industry events. While she doesn’t have the credentials or notoriety that others might have, she hopes to make up for it with her wit, sense of humor, and knack for catching on quickly to new technologies. |
| Thurs | 9:00AM | 12:00PM | Supercharging SSH – Hands-on! | Bill Sterns Naomi Goddard Keith Chew |
Workshop | The School Room | It’s a pretty safe bet that all of us have used ssh at least once to let us type keystrokes and see the screen results on another computer. That’s great – it’s an encrypted and authenticated channel that protects that conversation. But SSH can do so much more! Using SSH as just a terminal is like buying a $400,000 supercar and only driving it in first gear!
We want to introduce you to the other gears in that Lamborghini: automating logins, running commands on multiple machines, file transfers, tunneling other types of traffic, and a whole bunch of advanced techniques. The entire session will be at your own pace; you’ll have a series of hands-on labs where you’re given a goal along with optional hints and steps to complete the lab. By doing this on your own laptop and accessing a throwaway cloud server, you can try these techniques in a safe environment to get comfortable with them. We’ll have lab mentors available for both in-person and virtual attendees so you can ask for help with any piece of these labs or find out how a particular technique would work in your environment. Feel free to skip any labs where you already know the material so you can jump right to the interesting stuff – the techniques that will help you do your job better! Prerequisites: a laptop that either has ssh installed or one where you have the ability to install a command line or graphical (*) ssh client. You can use your own account or you can set up a dummy account on the laptop. We’ll provide an account on a cloud server that you can access to do the labs (or use your own if you prefer). You’ll need Internet access to do these labs – the conference/hotel wifi will be fine. * The screenshots we provide in the lab book focus on command line ssh, though we’ll try to help you find the equivalents in a graphical ssh client. |
Bill Stearns Bill provides Customer Support, Development, and Training for Active Countermeasures. He has authored numerous articles and tools for client use. Bill was the chief architect of one commercial and two open-source firewalls and is an active contributor to multiple projects in the Linux development effort. His spare time is spent coordinating and feeding a major anti-spam blacklist. Bill’s articles and tools can be found in online journals at http://github.com/activecm/ and http://www.stearns.org.Naomi Goddard Naomi has a bachelor’s degree in Computer Science from Dakota State University. She specializes in modern full-stack development and likes to dabble in iOS development. Her interests include oil painting, Swedish ciders, paddleboarding, retro hardware game modding with her husband, and adventuring with her two Siberian Huskies.Keith Chew Keith joined the ACM team in 2018 and describes his career at Active Countermeasures as his dream job. His fascination with computing and processes stems from working with his first personal computer in 1982 – a TI-99/4A. Keith sees himself as fortunate for the opportunity to apply his passion towards a career that assists in the advance of technology. Beyond computing and electronics, Keith also enjoys anything with an engine, wheels, or wings. |
| Thurs | 9:00AM | 9:40AM | Campfire Talk: You’re Not Broken…Just Different: Don’t Let Undiagnosed Neurodivergence Ruin Your Life | Chris Culling | Talk | The Forge | Have you ever felt that there’s something different as to how your brain works, but you can’t quite put a finger on it? That you excel in some parts of life, but fall behind in others?
The type of person drawn to InfoSec seems to include a lot of folks from the neurodivergent side of the tracks. Autism, ADHD, anxiety, depression, dyslexia, Tourette’s, bipolar disorder, and OCD are some of the more common types of neurodivergence. However, many folks are unaware of their own neurodiversity and how to live with it. If left undiagnosed and untreated, it can cause untold harm to them, their families, and their careers. I was undiagnosed…and I fell into addictive behaviors and substance abuse to self-medicate away the pain of not knowing what was different about me. But I found help. And after finding the right medication, along with therapy, I can mostly function these days…and without the substance abuse. This short presentation will explain neurodiversity and show some of the issues that undiagnosed neurodivergents face and how they can be overcome…using my own life as a case study. |
I currently work for Gigamon as a Senior Technical Success Manager. I’m retired U.S. Army (Military Intelligence), live in Stevensville, Maryland, and have been working as a government contractor for the last ten years in the areas of operations management, SOC operations, and CTI analysis. I’ve been married for 31 years to a very patient woman, have three adult children (two who are married and have yet to bless me with any grandkids), two cats, a dog, and a Vietnamese pot-bellied pig. |
| Thurs | 9:50AM | 10:05AM | Campfire Talk: Hey, I’m throwing the party: Hacking Electronic Tickets | Etizaz Mohsin | Talk | The Forge | When it comes to security, e-ticketing platforms in the entertainment industry are not a notable victim. E-ticketing online portals store a large amount of personal information about users, making them a possible target for malicious actors. Companies also hack their rival firm’s systems to choke off their business and increase their revenue like we have seen in the case of Ticketmaster, as they had hacked their rival business. In this presentation, we will demonstrate how we were able to compromise a popular e-ticketing platform using different techniques, which could have allowed malicious actors to access a large amount of personal data, steal money and generate and print tickets through kiosk systems installed in movie theatres and event venues. Finally, we’ll see how a cyber-attack on such a ticketing system could have resulted in a war between two countries. | Etizaz Mohsin, a Pakistani cyber security researcher who is the first to demonstrate the remote compromise of luxury hotels around the world putting millions of guests at risk demystifying the DarkHotel APT. His work has been featured by local and international media like Al Jazeera and TechCrunch. He has presented his research at multiple top-tier international cyber security conferences in United States, Canada, Europe, Middle East and East Asia including Defcon, Hitcon, Athack, Hacktivity, DeepSec, Sector, GreHack, HackFest, Arab Security Conference, Texas Cyber Summit, BSides etc. He has achieved industry certifications, the prominent of which are OSEE, OSWE, OSCE, OSCP, OSWP, CREST CRT, CPSA, EWPTX. |
| Thurs | 10:00AM | 10:50AM | Hackers Helping the Helpers: Cybersecurity as Volunteer Public Service | Ray Davidson | Talk | Track 1 | For the past 6 years, Michigan has developed a program to leverage the skills of volunteer infosec professionals to assist local and regional governments in the event of cyber disruptions. Legislation has been passed and updated, and the program is getting national attention after being featured at the National Governor’s Association meeting in June. Other states are pursuing similar efforts. This is a great way to use your hax0r powers for good! Come hear how you can be part of the movement! | Ray Davidson, PhD served as dean at the SANS Technology Institute during its founding,and now leads the Michigan Cyber Civilian Corps – the first completely civilian, state sponsored team of incident responders in the country. He continues to serve as a mentor, subject matter expert and technical reviewer for the SANS Institute, and for anyone else who will listen. He holds a doctorate in Chemical Engineering, and several infosec certifications. He has professional experience as as a newspaper carrier (on a bicycle!), telephone operator (Hello Ernestine!), pharmaceutical research scientist, and cybersecurity thought follower. He has been a college professor, and has cofounded a security startup. Mostly he is passionate about empowering others to do the right thing. And dance. |
| Thurs | 10:00AM | 10:50AM | I got an Alert. Now What? | Kellon Benson | Talk | Track 2 | New alert hits, is this a threat that could take down your infrastructure? You’ve got to be quick or it could be your company’s name in the news. Let’s slow this down and take the pressure off. “How do you assess a new alert and determine if it is a threat? Is the first thing to just go to VirusTotal, check hashes, google stuff, and see what information there is?”
Lets walk through assessing a new alert, how to investigate if something is an active threat, and what questions we should ask to make an educated decision about if something is a threat. More Details |
Kellon Benson is a Senior Incident Handler at Red Canary. They found their passion for information security working as a security analyst at their alma mater developing skills in digital forensics, compliance, network monitoring, threat hunting, and more. In their free time, Kellon likes getting away from the computer and enjoys board games, photography, cooking, and going to pop-punk and EDM concerts. |
| Thurs | 10:00AM | 6:00PM | Hands-On Labs | Labs | General Session | |||
| Thurs | 10:00AM | 6:30PM | Capture the Flag hosted by MetaCTF | MetaCTF | Fun & Games | General Session | ||
| Thurs | 10:00AM | 6:00PM | Escape Room | Fun & Games | Hotel Lobby | |||
| Thurs | 10:15AM | 10:30AM | Campfire Talk: Honey, I Shrunk the Perimeter | Ian Garrett | Talk | The Forge | With the rise and permanence of hybrid & remote work, organizations can’t rely on a purely perimeter-based cybersecurity strategy. As Zero Trust architectures start gaining traction, organizations need to shrink their perimeters, leading to a mass of new challenges. While it would be convenient to be able to just implement a smaller version of existing protections, new strategies are required, and solutions need to focus on different areas for holistic security. This talk benefits security professionals from organizations of any size and walks through some ways attackers could exploit a perimeter-based organization’s setup, the failures of some perimeter-based solutions like existing versions of DLP, the challenges of shrinking a perimeter, and recommendations that can be implemented today. | Ian Y. Garrett is the CEO and co-founder of Phalanx, which provides human-centric data security through seamless, secure file transfers & storage. |
| Thurs | 10:40AM | 10:55AM | Campfire Talk: Building an Unlicensed 802.11 Particle Accelerator | Travis Kaun | Talk | The Forge | WiFi Bustin’ makes me feel good! This talk will showcase the first of its kind ‘Pwnton Pack’, a Ghostbuster’s inspired take on a wireless penetration testing. Featuring hardware hacking, microcontrollers and wireless attack arsenals bundled into a unique package; come learn why such a pack exists and fun details around the build experience. This talk is meant to inspire newcomers to InfoSec, Arduino devices and provide a fun take on existing methodologies and toolsets. For your WiFi security needs; Who you gonna call?! | Travis began his Information Security career-building *nix chops by managing firewalls and intrusion detection systems with a managed security services provider. After time spent on the defensive side in the corporate world, Travis put on an offensive cap for a consulting role and hasn’t looked back. Travis specializes in penetration testing, focusing on gaining a foothold and expanding to a large compromise while hunting for ‘crown jewels.’ Travis is a proud member of the TrustedSec Force team. |
| Thurs | 11:00AM | 11:50AM | Exploiting Persistent XSS & Unsanitized Injection vectors for Layer 2 bypass & Protocol Creation | Ken Pyle | Talk | Track 1 | Every XSS or unsanitized input vector on a Layer 2 or Device (router or switch) is a covert network protocol waiting to happen.” – Ken “s1ngular1ty” Pyle
In the presented papers,I put forth simple exploits and use them to violate network segmentation / Layer 2 VLAN policies; routing & sending a file between isolated, air gapped networks without a router. I also route files between IPv4 and IPv6 networks / islands without a router. I will provide Proof of Concept (PoC) for TWO simple sessionless file transfer protocols that bypass all known network controls and lives in log files. In this implementation, the protocol is unencrypted or encrypted via HTTPS / SSH, operates via unauthenticated covert vectors, and on system controls do not provide adequate alerting. The provided code & protocols violate Layer 2 / Layer 3 protocol segmentation and can be used to exfiltrate data or to implant & execute malicious code through methods which bypass firewalls, VLANs / network segmentation. This PoC is very primitive. I am showing file data delimiters, the ability to segment / reassemble files via multiple injections, and Python exploit code which allows for download of the files / exfiltrated data via any modern OS or platform. |
Ken Pyle is a partner of CYBIR, specializing in Information Security, exploit development, penetration testing and enterprise risk management.
Ken is a graduate professor of CyberSecurity at Chestnut Hill College. As an author, he has published several whitepapers and academic works on a wide range of topics including: Public Information and OSINT gathering via Social Networking, Advanced Social Engineering, Software Exploit Development, Reverse Engineering, Web Application & API hacking. Ken is a highly rated and popular lecturer on Information Security having presented at industry events such as RSA, DEFCON, ShmooCon, Secureworld, HTCIA International, and others. Ken is a frequently cited subject matter expert appearing in industry publications from Veracode, Accounting Today, Netdiligence, CyberScoop, and the New Jersey Law Journal. Ken has discovered and published a large number of critical software vulnerabilities in products from companies such as Cisco, Dell, Netgear, Sonicwall, HP, Datto, Kaseya, ManageEngine, among many others. He is currently working on a book concentrating on Cybersecurity, Forensics and Secure Design. |
| Thurs | 11:00AM | 11:50AM | Why Developers Hate Infosec | Bronwen Aker | Talk | Track 2 | Why do developers hate cybersecurity folk so much? It’s simple: We break their toys and we call their “babies” ugly, then we fly off into the sunset, leaving developers and the companies they work for with unhelpful, cryptic guidelines and no clue where to start fixing things.
We can do better, but in order to do so, we have to change our attitudes and behaviors. There are lots of things we can do, and do now, to improve how we relate to developers and other people we claim we want to help. But first we have to acknowledge that there is a problem, and that we are every bit as much a part of that problem as the others involved. Additionally, if we are willing to partner with our clients to help them mitigate their vulnerabilities, we can take “security as a service” to whole new levels, opening up service options for our customers and helping them improve their security profile in effective ways. |
Bronwen Aker (GSEC, GCIH, GCFE) likes to describe herself as a “constantly evolving geek.” She has worked with computers since elementary school when she was introduced to FORTRAN programming using bubble cards. As an adult, she worked for twenty years in web development, sharing her love and knowledge of computers and the Internet with others by working on the side as a technical trainer in Southern California. In 2017, she changed career paths to enter the world of cybersecurity. She currently holds a Bachelor of Science in Cybersecurity, is a graduate of the 2017 SANS CyberTalent Academy for Women, and is currently working on her Masters in Cybersecurity. She also works for Black Hills Information Security (BHIS) as a technical editor, reading and editing 200+ pentest reports a year, and for the SANS Institute as a Subject Matter Expert in OnDemand Student Support. During the pandemic, she stayed mostly sane thanks to her four dogs and Animal Crossing New Horizons. |
| Thurs | 11:05AM | 11:20AM | Campfire Talk: How I Was Bored One Night and Found Two CVEs | Joe Helle | Talk | The Forge | I often speak to folks who are trying to break into the offensive cybersecurity arena but are struggling to set themselves apart from their peers. Blogs and Github repos, degrees and certificates are all more or less resume bullets anymore, and don’t set you apart from anyone else. Tool development can be great, but unless you develop something spectacular or have a following behind it, those resources quickly fall under the radar. | Joe is a former Army Airborne Infantry Sergeant and Veteran of the Iraq and Afghanistan wars. After serving his country he entered public service, working in a variety of non-profit roles, as well as being elected as mayor of his hometown. |
| Thurs | 11:30AM | 11:45AM | Campfire Talk: The Fools Gold Rush to Compliance | Michael Mimo | Talk | The Forge | Do not be fooled into thinking compliance controls are the same as strong security solutions. In this talk I will provide specific controls within the frameworks ISO 27001 and SOC 2 Type 2 certifications that can be leveraged to beef up your security. If your company is rushing to implement compliance certifications use this opportunity to implement strong security solutions. All too often minimum standards are implemented when you could have achieved greater outcomes. My topic will present in 15 minutes how to pitch security controls with-in the framework ISO 27001 and SOC 2 Type 2 initiatives. I will start by providing a brief overview of the two compliance frameworks. Then I will provide examples of how security solutions are driven for approval on the back of making progress with compliance. The main objective of this talk is to demonstrate best practices with security whilst still maintaining the compliance certifications management is seeking. | Chief Security Office/ Sr. Director of Information Technology – Copyright Clearance Center
Prior to Copyright, Michael worked in the financial industry for over 15 years as a cyber security professional. His main experience is on cloud forensics, Computer Forensics, Incident Response, and Information Security compliance. He has been an Incident Responder in several major incidents. He currently holds GIAC certifications in GCIH, GCFE, GCFA, and GPEN. He is also a long-term member of High Technology Crime Investigation Association (HTCIA). Currently, secretary and board member of the New England HTCIA chapter. |
| Thurs | 11:55AM | 12:10PM | Campfire Talk: New technique to maintain access in modern web apps | Momen Eldawakhly | Talk | The Forge | Maintain access isn’t only in the computer systems and networks, you can also maintain access in the modern web apps due to it’s functionality, I’ve faced a scenario while testing web app made me able to maintain access to the compromised user account even if I don’t have the credentials with exploiting the session handling functionality against the user. | Momen Eldawakhly (CyberGuy), Associate Red Team Engineer at Cypro AB with a demonstrated history of working as Bug Hunter, Penetration Tester and Security Researcher, discovered about 19 0days.
Acknowledged by Google, Yahoo, Microsoft, Yandex, Redhat, AT&T, Oneplus, SecureBug, Starbucks, Comcast, United Nations , IBM, Nokia, Sony and more. |
| Thurs | 12:00PM | 1:00PM | Lunch | Food | General Session | |||
| Thurs | 12:00PM | 12:30PM | Vendor Brief – Red Team Value Extraction | Akamai – Phil Bertuglia | Talk | General Session | Corporate Red Team programs can be very helpful when trusted as part of a comprehensive testing strategy. However, the term has become overloaded in recent years, which can lead to confusions about scope and services offered. This talk will attempt to highlight the differences from what a Red Team should be and what it probably shouldn’t try to become so that you can gain the most value from your best folks. | Phil Bertuglia is a Sr. Architect within the Information Security Team at Akamai Technologies, Inc. His undergrad degree is in Environmental & Chemical Engineering, RPI, and is an active member of his town’s Conservation Commission. Phil was originally hired at Akamai NOCC as an Engineer, in September 2000 and now manages Akamai’s Corporate Red Team. With a start in IT in College, Phil quickly moved on as a corporate Unix Administration Engineer and is responsible for starting Akamai’s Corporate SAML Federation Program. |
| Thurs | 1:00PM | 1:50PM | What’s in Your Net? | Alissa Torres | Talk | Track 1 | The success of a threat hunt is often measured by the number of newly identified indicators of compromise. Yet, if you have spent time as a threat hunter, you have to admit – those “Name in Lights” discoveries are few and far between. Conversely, what most hunts reveal is much more chaotic, requiring specific institutional knowledge and mastery of security best practices. Threat hunts efforts most commonly turn up security misconfigurations, duct-taped sysadmin work arounds, and errors and omissions in best practice. Let’s discuss the organizational impact of these gems of the hunt and most importantly, how these pivotal finds can be folded into positive hunt metrics. | Alissa Torres is a security leader/practitioner, specializing in advanced computer forensics and incident response. She discovered her passion of intrusion investigations while serving in the trenches as an incident analyst with a third-party remediation services company, and later, leading an incident response team for a global manufacturing company. Days are never dull! As a seasoned presenter, Alissa has spoken at various industry conferences and numerous B-Sides events. In addition to being a GIAC Certified Forensic Analyst (GCFA), she holds the GCFE, GCIH, GCIA, GSEC, GPEN, GREM, CISSP, EnCE, CFCE, MCT and CTT+. |
| Thurs | 1:00PM | 1:50PM | Wireless Attack Killchain for N00bs | Dennis Pelton | Talk | Track 2 | Wifi is ubiquitous in our culture. Everything from children’s toys to medical equipment relies on it. It’s found in every coffee shop, mall, and airport across the country, but how secure is it? Should we be trusting the omnipresent free wireless or is it not worth the risk?
This talk takes a first look into wifi hacking and dives into technical details about the attacks presented to ensure that beginners and experts can gain some insight into the techniques they may already be utilizing. We’ll go into details about how the 802.11 spec functions and the flaws at each step of the process that can be exploited. Armed with the knowledge of how wireless works, we’ll discuss the wireless attack killchain from wardriving for wireless reconnaissance to hooking unsuspecting targets onto rogue access points using karma attacks and abusing the 802.11 spec for deauth capabilities. From here we can segue into attacks against the WPA suite using half-handshake attacks and KRAck. With the wireless communications compromised using any combination of these attacks discussed, we move to the final phase of the killchain and go over DNS spoofing as a means to redirect a targets traffic to malicious endpoints. After covering the wireless attack killchain from start to finish, I’ll close out with the best methods to stop the killchain before it can even begin. |
Dennis Pelton is a hacker, a father, and a professional tinkerer. He currently works as a senior cloud security engineer for Foghorn Consulting, using his background in devops automation to streamline client security and evangelize the shift-left culture. He has been studying and researching information security for over a decade and a half and has built out infrastructure and automation in almost every sector including fintech, medical, defense, education, and manufacturing. This diverse background has shaped his style into a uniquely chaotic blend of security and automation with an eye for compliance.
In his spare time, Dennis designs and builds small electronics to automate attacks with a focus on culturally prevalent targets such as USB and wifi. His best known projects are unofficial defcon badges, and for his 2023 badge he plans to leverage his recent research into wifi. He enjoys learning, tinkering, paying with cats, and drinking dark heavy beers in no particular order. |
| Thurs | 1:00PM | 2:45PM | Resume Writing Workshop | Kip Boyle Frank Victory Neal Bridges Joshua Mason |
Workshop | The School Room | Join industry leaders Kip Boyle, Frank Victory, Neal Bridges, and Joshua Mason for a career-building workshop to kickstart or get your cybersecurity career to the next level. The workshop will be broken up into two sessions on separate days. On the first day, we will cover resume writing with tips and insights and review resumes for in-person attendees. On the second day, we will discuss interviews and give techniques for preparation and delivery. We will follow that up by putting an attendee or two in the hot seat and coaching them through what to expect and how to make the most impact. | |
| Thurs | 1:00PM | 1:30PM | Tool Demo – CrowdSec | Klaus Agnoletti | Toolshed | The Forge | CrowdSec is a free, modern & collaborative behavior detection engine, coupled with a global IP reputation network. It stacks on fail2ban’s philosophy but is IPV6 compatible and 60x faster (Go vs Python), uses Grok patterns to parse logs and YAML scenario to identify behaviors. CrowdSec is engineered for modern Cloud / Containers / VM based infrastructures (by decoupling detection and remediation). Once detected you can remedy threats with various bouncers (firewall block, nginx http 403, Captchas, etc.) while the aggressive IP can be sent to CrowdSec for curation before being shared among all users to further improve everyone’s security. | Klaus Agnoletti has been an infosec professional since 2004. As a long time active member of the infosec community in Copenhagen, Denmark he co-founded BSides København in 2019.
Currently as Head of Community at CrowdSec one of his current roles is to spread the word and inspire an engaging community. |
| Thurs | 1:30PM | 2:00PM | Tool Demo – SWAIN / AtlasSuite | Andrew Heishman | Toolshed | The Forge | SWAIN seeks to help defenders by automating a specific set of functions within “”Microsoft Purview”” (formerly known as Microsoft Compliance Center)
Despite being originally designed for compliance purposes, the “”Content Search”” functionality within Microsoft Purview provides notable email searching capabilities. With features like wildcarding and domain capturing, you are able to find and crush complex phishing campaigns with a single search. Using SWAIN, you can create a content search, execute that search, and upon you reviewing the results. Choose whether or not you want to purge those emails found in the search. |
Hey, I’m Andrew.
I have 3.5 years of experience in cybersecurity across multiple industries including Medical, Financial, and Manufacturing. Blue teams should be able to protect themselves from threats no matter what their budget is. Small to medium businesses should have a fair shot when it comes to mitigating the biggest cybersecurity risk; Phishing emails. That is what SWAIN is all about! |
| Thurs | 2:00PM | 2:50PM | Game One! Be a Cyber Security Pro with Privacy Expertise. Level Up and Move Up. | Kelli Tarala | Talk | Track 1 | Be Ready to Play in Any Conditions: I will briefly explain privacy from three different perspectives, legal, governance, and operations and how and why the cyber security pro interacts with them. I will explain how the two triads interact and focus on the common ground. Build Your Personal Bench Strength: I will give you compelling reasons why you should learn more about privacy engineering and Privacy by Design concepts as well as the best tools to prepare you and your team to understand and implement privacy controls. Scouting: By understand the overlap of privacy and security, you will have opportunities for new projects and jobs, and promotions. Playbook: We will compare the overlap between the NIST Cybersecurity Framework and the NIST Privacy Framework and look at a free scorecard to compare the control overlap. Slam Dunk: Tomorrow is a whole new ball game and by understanding privacy concepts and controls you can level up your cyber security career and move on up. | Kelli K. Tarala is a principal consultant and co-founder of Enclave Security, an information security and privacy consulting firm specializing in governance. As a security architect with privacy expertise, she specializes in IT audit, governance, policy library development and privacy strategies. With 25 years of experience in information technology, Ms. Tarala brings a wealth of knowledge to the three SANS courses she co-authors, and serves as one of the lead technical editors for the Center for Internet Security’s Critical Security Controls. She is also the lead author for many of the governance resources and creator of tools and policies at AuditScripts.com. You can follow her on Twitter @KelliTarala |
| Thurs | 2:00PM | 2:50PM | What’s Old is Gold | Brian Halbach | Talk | Track 2 | Sure the latest and greatest exploits are fun to play with, but as a pentester (and actual attackers) it is often the simpler things that are still working and allowing access into a network. It is often the older techniques that when used correctly, can yield amazing results. Things that may seem foolish to a newcomer may be the exact thing needed to find weak areas in an organization’s defenses. As organizations shift in their security posture over time it is not uncommon to have gaps in coverage of older types of attacks. This talk is a collection of these types of attacks and techniques. This information has been gathered by talking to several security professionals who have been around long enough to no longer be surprised by anything they see in the industry. People coming to this talk should not expect to necessarily learn anything “new” but to not forget the lessons of the past. This talk will act as a reminder that looking at older attacks can still be very useful and can serve as inspiration for the future. | Brian Halbach graduated from the University of Wisconsin-Stout with a degree in Information Technology Management and a Minor in Computer Science. During college, Brian spent several years working as a help-desk employee, which later led to a career as a Systems Administrator and then Network Engineer for both small companies and Fortune 5 companies. After realizing the lack of security that many organizations had Brian spent time as a lead Network Security Engineer helping organizations deploy the tools, technology, and processes to help make them more secure. After spending years helping defend organizations and realizing that companies still had problems seeing and understanding their security gaps, Brian switched over to red teaming and penetration testing, where he is able to use his knowledge and understanding of people, systems, and programming to bring new insights and intuition to his security testing. One of the things Brian enjoys the most about working in security consulting is being able to talk to clients about their issues and being able to help find answers to security questions when there is not an obvious solution. |
| Thurs | 2:00PM | 2:30PM | Tool Demo – Riverside | Kaitlyn DeValk | Toolshed | The Forge | Riverside is an open-source network visualization tool from inside the network, showcasing live traffic between internal hosts and external remote hosts in a real-time network graph. While capturing netflow and packet information inside of a database, users can traverse backwards in time to analyze previous network activity for enriched situational awareness and a thorough understanding of their network security posture. This utility supplements existing tooling to provide more insight for use cases such as incident response, analysis and investigation, and identification of true assets used within a network environment. | Kaitlyn DeValk is an active-duty Coast Guard (CG) officer, currently completing her Masters degree at the University of Maryland in Computer Science. Prior to graduate school, she completed his undergraduate education at the US Coast Guard Academy in 2019. Her professional experience is primarily in vulnerability assessments and penetration testing. Her certifications include GCIH, GPEN, and CISSP. |
| Thurs | 2:30PM | 3:00PM | Tool Demo – Vajra – Your Weapon To Cloud | Raunak Parmar | Toolshed | The Forge | Vajra is a UI based tool with multiple techniques for attacking and enumerating in target’s Azure and AWS environment.
The term Vajra refers to the Weapon of God Indra in Indian mythology (God of Thunder & Storms). Its connection to the cloud makes it a perfect name for the tool. Vajra currently supports Azure and AWS Cloud environments and plans to support GCP cloud environments and some OSINT in the future. |
Raunak Parmar works as a senior security engineer. Web/Cloud security, source code review, scripting, and development are some of his interests. Also, familiar with PHP, NodeJs, Python, Ruby, and Java. He is OSWE certified and the author of Vajra and 365-Stealer. |
| Thurs | 3:00PM | 5:00PM | Incident Response Playbook Perfection | Amanda Berlin Jeremby Mio |
Workshop | The School Room | Incident Response Playbook Perfection is an introductory playbook workshop. Playbooks are an important part of any information security program. They offer structure, realistic and flexible procedures to assist in the triage of almost any cyber security situation. There will be a focus on Ransomware and Business Email Compromise as these are currently the most common attack vectors.
As a group we will review playbooks taken from real life attack situations and cover best practices, do’s and don’ts, structure, and maintenance. We will also cover ways to successfully test playbooks by using different defense and response methods that can work in a variety of organizations and situations. Participants are welcome to bring their own playbooks or example playbooks to the workshop as long as they do not contain any confidential information that may put them or their organization at risk. Key Takeaways: |
Amanda Berlin Amanda Berlin is the Lead Incident Detection Engineer for Blumira and the CEO and owner of the nonprofit corporation Mental Health Hackers. She is the author of a Blue Team best practices book called “Defensive Security Handbook: Best Practices for Securing Infrastructure” with Lee Brotherston through O’Reilly Media. She is a co-host on the Brakeing Down Security podcast and writes for several blogs. She has spent over a decade in different areas of technology and sectors providing infrastructure support, triage, and design. She now spends her time creating as many meaningful alerts as possible. Amanda is an avid volunteer and mental health advocate. She has presented at a large number of conventions, meetings and industry events. While she doesn’t have the credentials or notoriety that others might have, she hopes to make up for it with her wit, sense of humor, and knack for catching on quickly to new technologies.Jeremy Mio Jeremy has focused expertise within the evolution of security convergence, the merger of physical and information security, and cyber-warfare. He is an Information Security Officer within local government and Principal within CodeRed LLC. Previously, he worked within Fortune 500 in enterprise information security as well as physical security through training/contracting. Jeremy researches and tests small UAVs [drones] for their use in defense applications in cyber warfare and intelligence, relying on Open Source technology and OSINT. |
| Thurs | 3:00PM | 3:50PM | A case for threat informed penetration testing | Dan DeCloss | Talk | Track 1 | Every penetration test should have specific goals. Coverage of the MITRE ATT&CK framework or the OWASP Top Ten is great, but what other value can a pentest provide by shifting your mindset further left or with a more strategic approach? How often do you focus on the overall ROI of your penetration testing program? This talk will explore what it means to “shift left” with your penetration testing by working on a threat informed test plan. Using a threat informed test plan will provide more value from your pentesting program and gain efficiency in your security testing pipeline. This talk applies to both consultants and internal security teams. | Dan DeCloss is the Founder and CEO of PlexTrac and has over 17 years of experience in Cybersecurity. Dan started his career in the Department of Defense and then moved on to the private sector where he worked for various companies including Telos, Veracode, Mayo Clinic, and Anthem. Dan’s background is in application security and penetration testing, involving hacking networks, websites, and mobile applications for clients. Prior to PlexTrac, Dan was the Director of Cybersecurity for Scentsy where he and his team built the security program out of its infancy into a best-in-class program. Dan has a master’s degree in Computer Science from the Naval Postgraduate School with an emphasis in Information Security. Additionally, Dan holds the OSCP and CISSP certifications. Dan has a passion for helping everyone understand cybersecurity at a practical level, ensuring that focus is on the right work to reduce risk. Dan can be reached on LinkedIn at https://www.linkedin.com/in/ddecloss/ or on Twitter @wh33lhouse. |
| Thurs | 3:00PM | 3:50PM | Lessons Learned from Building a Game Proxy | John Askew | Talk | Track 2 | What’s more fun than playing a game? Hacking a game (for fun and education, not for griefing of course)! For even more fun, do it live and talk about it!
In this presentation, we will highlight the journey of reverse engineering network protocols, building custom client/server/proxy tooling, and hunting for (and possibly exploiting) vulnerabilities. To illustrate this process, we will walk through a real-world case study where we reversed Valve’s GameNetworkingSockets protocol to build custom tools in python and rust, and used them to inspect games, over many weekly livestream sessions. Finally, we will pivot away from games and identify how similar techniques have been used to find serious vulnerabilities in business software. In particular, we will focus on how a better understanding of an application’s network protocols and protocol layers can be crucial to identifying vulnerabilities and weaknesses. Expect to pick up some tips and tricks for writing your own tools. |
John Askew is a penetration tester, software engineer, and occasional public speaker. He has worked full-time in offensive security since 2007, performing network and application penetration testing engagements for hundreds of clients, from local banks and small businesses to Fortune 100 companies. He is passionate about learning new skills and finding creative solutions to interesting problems, while educating and collaborating with others. Outside of work, he prefers hobbies that don’t involve a computer screen, such as outdoor running and playing the guitar. |
| Thurs | 3:00PM | 3:30PM | Tool Demo – DolosJS | Forrest Kasler | Toolshed | The Forge | DolosJS is a NAC bypass tool that was designed to be cheap to build, easy to deploy, and extremely hard to detect. DolosJS runs on a NanoPi R2S, making it both small and cheap. The DolosJS software autoconfigures the NAC bypass, making it the perfect penetration testing drop box. Operators can simply plug it into the target network and walk away. The project also includes setup scripts to allow the DolosJS device to call home over cellular LTE networks, ensuring that command-and-control (C2) communications never traverse the target network’s perimeter. When remote access over LTE is not required, the project includes setup scripts to establish C2 over Ethernet, WiFi, or Zerotier/VPN. | Forrest Kasler is a full time Penetration Tester and Social Engineer. As a lifelong nerd and hacker, Forrest loves automating advanced network attacks for his team. He has authored multiple open-source tools for the penetration testing community to address common challenges in day-to-day operations. Key research topics include: NAC bypass, MFA bypass, advanced MitM attack vectors, advanced OSINT, SMTP weaknesses, distributed brute force attacks, offensive data mining, and malware development. |
| Thurs | 4:00PM | 4:50PM | Evaluating OSINT Data Sources and Tooling – Build vs Buy | Corey Ham | Talk | Track 1 | OSINT is a field where nearly anything is possible, but where practical usage of OSINT data can be challenging. Practitioners rely on various data sources, some free/open source and some paid. This talk will identify specific data sources that can benefit a cybersecurity practitioner and compare the value of building your own tooling to generate and search OSINT data, versus obtaining it from a third-party provider. | Corey Ham is a tester at BHIS focused on Adversary Emulation and Red Teaming. Corey has been a penetration tester for nearly 10 years. |
| Thurs | 4:00PM | 4:50PM | Roll for Stealth: Intro to AV/EDR Evasion | Mike Saunders | Talk | Track 2 | Evading detection by modern AV & EDR can seem daunting and near impossible to the uninitiated. If the idea of trying to get a payload past these defenses seems unattainable and too “l337,” then this talk is for you! I’ll cover some basic concepts and tools you can use to start evading detection and get your payloads running. To the initiated, this is a 101-level talk, but who knows, you might learn a new trick along the way! | Mike Saunders has over 25 years of experience in IT and security and has worked in the ISP, financial, insurance, and agribusiness industries. He has held a variety of roles in his career including system and network administration, development, and security architect. Mike has been performing penetration tests for nearly a decade. Mike is an experienced speaker and has spoken at DerbyCon, BSides MSP, BSides Winnipeg / The Long Con, BSides KC, and the NDSU Cyber Security Conference, and SANS and Red Siege webcasts. |
| Thurs | 5:00PM | 5:50PM | Vulnerabilities are a Sirius Problem! | Matthew Toussain | Talk | Track 1 | Don’t patch and ignore what your Vulnerability Scanner has to say. Sound like a crazy idea to you? The reality might be surprising. If we ask the usual suspects or even LAPSU$ it becomes obvious that one doesn’t need a scanner to crack a system. In that case, what purpose, if any, does a vulnerability scanner even serve?
Conversely, we’re in a LOT of trouble! ASUS, For Example, got hit with a ransomware compromise last year for $40 million, and they paid it! All is not lost, but to beat a human adversary we need a human operator to take on that human threat. How can the hacker mindset turn this problem to our favor, and what tools can we design that are equal to this task? Vulnerabilities are a Sirius problem. Can the open-source community break the barrier of our private sector overlords? Let’s explore just how. |
When he gets the chance, Matthew Toussain loves to take on an offbeat challenge. He’s turned a closet into a server room, a table into a computer, and a ’76 Mustang into an electric car. He’s also built an Alexa-enabled home entertainment system out of a car amp, a Raspberry Pi, a computer power supply unit, sheet metal, and plexiglass. It’s that ingenuity that underscores his work as a certified SANS instructor.
A graduate of the U.S. Air Force Academy with a B.S. in computer science and the SANS Technology Institute with an M.S. in information security engineering, he has served as the senior cyber tactics development lead for the U.S. Air Force (USAF) and worked as a security analyst for Black Hills Information Security. In 2014, he started Open Security, which performs full-spectrum vulnerability risk assessments. An avid runner who also plays piano, guitar and violin, Matthew lives in Texas with a multitude of Cisco switches. In addition to teaching at SANS, he is an avid supporter of cyber competitions and participates as a red team member or mentor for the Collegiate Cyber Defense Competition (CCDC), the annual NSA-led event Cybersecurity Defense Exercise (CDX), and SANS Institute’s NetWars. |
| Thurs | 5:00PM | 5:50PM | Thanks For The Memories: Why I Am Leaving Information Security | Douglas Brush | Talk | Track 2 | It’s been a fun ride, but that’s it – I am done. After 30 years of IT and security, I need a change. Cyber will always be a passion, but I am hanging up my spurs as a profession. It’s time for the next chapter in my life.
We mentor and talk to people coming into the industry about how to get started. However, we never speak about the end. Do we all want to burn out and die at our desks doing the same thing over and over? Or do we want to take the skills learned as hackers and apply the lessons to other areas of business in life? This talk will cover why I made the decision and offer guidance and mentorship to transition out of the industry. The only constant is change. Will you change before the constant changes you? |
Douglas Brush is a Global Advisory CISO for Splunk and an information security executive with over 30 years of entrepreneurship and professional technology experience. He is a globally recognized expert in cybersecurity, incident response, digital forensics, and information governance. In addition to serving as a CISO and leading enterprise security assessments, he has conducted hundreds of investigations involving hacking, data breaches, trade secret theft, employee malfeasance, and various other legal and compliance issues. He also serves as a federally court-appointed Special Master and neutral expert in high-profile litigation matters involving privacy, security, and eDiscovery.
He is the founder and host of Cyber Security Interviews, a popular information security podcast. Douglas is also committed to raising awareness about mental health, self-care, neurodiversity, and diversity, equity and inclusion, in the information security industry.
|
| Thurs | 6:00PM | 8:00PM | Steak Dinner | Food | General Session | |||
| Thurs | 6:00PM | 10:00PM | Calf Roping and Mechanical Bull | Fun & Games | General Session | |||
| Thurs | 6:00PM | 10:00PM | Wild West Photos | Fun & Games | General Session | |||
| Thurs | 8:00PM | 10:00PM | Slide Show Roulette | Frank Victory Ean Meyer |
Fun & Games | General Session | ||
| Fri | 6:30AM | 7:30AM | Run with BHIS | Hotel Entrance | ||||
| Fri | 8:00AM | 5:00PM | Registration | Registration | Second Floor (conference level) | |||
| Fri | 7:50AM | 8:00AM | Announcements | John Strand | General Session | |||
| Fri | 8:00AM | 8:50AM | “Hey Cortana – Do We Still Care About Binary Exploitation | Connor McGarr | Talk | Track 1 | Macro-laced Word documents, malicious HTAs, dumping LSASS, WMI, and Kerberoasting – the bread-and-butter of offensive security. Rarely do binary exploits fall under the purview of “standard” offensive toolkits. Why is this? This talk looks into contemporary exploit mitigations on Windows, such as control-flow integrity and code-signing, and how they affect the cost of developing exploits in today’s age. “Point-and-click” exploits are as good as it gets – but what is the cost-benefit analysis of doing so in the age of modern exploit mitigations? | Connor is a software engineer at CrowdStrike, focusing on vulnerability research and detection. Connor enjoys writing exploits and blogging on the exploit development process. In his free time, he also enjoys history. |
| Fri | 8:00AM | 8:50AM | Pentesting Azure Container Services | Sergey Chubarov | Talk | Track 2 | Containers are playing their role in the digital transformation by providing a fast deployment of cloud-native applications. Containers are also often viewed as secure, which is true. But how are they really well configured? A demo-based session. The session includes: – Containers 101 – Backdooring Docker containers images – Poisoning images on Azure Container Registry – Compromise containers on Azure Container Instance – Compromise containers on Azure Kubernetes Services – Vulnerability Assessment | Sergey Chubarov is a Security and Cloud Expert, Instructor with 15+ years’ experience on Microsoft technologies. His day-to-day job is to help companies securely embrace cloud technologies. He has certifications and recognitions such as Microsoft MVP: Microsoft Azure, Offensive Security Certified Professional (OSCP), Offensive Security Experienced Penetration Tester (OSEP), Microsoft Certified Trainer, MCT Regional Lead, EC Council CEH, CPENT, LPT, CEI, CREST CPSA, CRT and more. Frequent speaker at local and international conferences like Global Azure, DEF CON, Wild West Hackin’ Fest, Security BSides, Workplace Ninja, Midwest Management Summit, Hack in the Box etc. Prefers live demos and cyberattacks simulations. |
| Fri | 8:00AM | 4:00PM | Hands-On Labs | Labs | General Session | |||
| Fri | 8:45AM | 9:45AM | Threat Hunting using Active and Passive DNS | DomainTools | Workshop | The School Room | Every transaction on the Internet – good or bad – uses the Domain Name System (DNS). In this fast-paced, hands-on workshop, DomainTools Director of Sales Engineering Taylor Wilkes-Pierce, will teach the fundamental investigative techniques and methodologies for leveraging DNS and hosting infrastructure data to more quickly and easily uncover previously unknown connections between seemingly unrelated assets, IP addresses, certificates, registration data, domain names, and more to map online infrastructure.
Requirements to participate: DomainTools Iris Investigate allows users to pivot through 20+ years of domain and infrastructure data along with the most up-to-date DNS observations on 400 million+ registered domains from around the world. As a result, Iris Investigate enables defenders to assess whether to allow, conditionally allow, or deny various types of connections and gain visibility into what type of risk an indicator represents. |
DomainTools, the leader in domain name and DNS-based cyber threat intelligence, has acquired Farsight Security, a leader in DNS intelligence and passive DNS cyber security data solutions. The acquisition comes as a natural extension of both companies’ long-standing partnership to deliver Farsight’s market-leading passive DNS data via the DomainTools Iris investigation platform to assess risk, map attacker infrastructure, and rapidly increase visibility and context on threats. Farsight’s market leading DNS observation data combined with DomainTools best-in-class active DNS data gives customers the earliest and most comprehensive look into threats emerging outside their network. |
| Fri | 9:00AM | 9:50AM | Security Exclusions, Endpoint Controls, and You | Jake Williams | Talk | Track 1 | Jake Williams is the Executive Director of Cyber Threat Intelligence at SCYTHE. He is an incident responder, a breaker of software, and a former government hacker probably wanted by all the cool countries. Likes: threat modeling, application security, threat hunting, and reverse engineering. Dislikes: self-proclaimed thought leaders and anyone who needlessly adds blockchain to a solution that was operating perfectly well without it. | |
| Fri | 9:00AM | 9:50AM | Less SmartScreen More Caffeine – ClickOnce (Ab)Use for Trusted Code Execution | Nick Poweres Steven Flores |
Talk | Track 2 | Initial access payloads have historically had limited methods that work seamlessly in phishing campaigns and can maintain a level of evasion. This payload category has been dominated by Microsoft Office types, but as recent news from Microsoft has shown, the lifespan of even this technique is shortening. As greatly overlooked vehicle for initial access, ClickOnce is very versatile and has a lot of opportunities for maintaining a level of evasion and obfuscation. In this talk we’ll cover methods of bypassing Windows controls such as SmartScreen, application whitelisting, and trusted code abuses with ClickOnce applications. Additionally, we’ll discuss methods of turning regular signed or high reputation .NET assemblies into weaponized ClickOnce deployments. This will result in circumvention of common security controls and extend the value of ClickOnce in the offensive use case. Finally, we’ll discuss delivery mechanisms to increase the overall legitimacy of ClickOnce application deployment in phishing campaigns. This talk can bring to attention the power of ClickOnce applications and code execution techniques that are not commonly used. | Nick Powers Nick is an operator and red teamer at SpecterOps. He has experience with providing, as well as leading, pentest and red team service offerings for a large number of fortune 500 companies. Prior to offensive security, Nick gained security and consulting experience while offering compliance-based gap assessments and vulnerability audits. With a career focused on offensive security, his interests and prior research focuses have included initial access techniques, evasive Windows code execution, and the application of alternate C2 and data exfiltration channels.Steven Flores Steven is an experienced red team operator and former Marine. Over the years Steven has performed engagements against organizations of varying sizes in industries that include financial, healthcare, legal, and government. Steven enjoys learning new tradecraft and developing tools used during red team engagements. Steven has developed several commonly used red team tools such as SharpRDP, SharpMove, and SharpStay. |
| Fri | 9:00AM | 3:00PM | Escape Room | Fun & Games | Hotel Lobby | |||
| Fri | 9:00AM | 4:00PM | Capture the Flag hosted by MetaCTF | MetaCTF | Fun & Games | General Session | ||
| Fri | 10:00AM | 10:50AM | Writing Ransomware for Kicks | Joff Thyer | Talk | Track 1 | ||
| Fri | 10:00AM | 10:50AM | Six Things No One [email protected]#$%^& Told Me About Pentesting | Jason Downey | Talk | Track 2 | My first year as a Penetration Tester was an absolute whirlwind. I hacked, I struggled, I drank knowledge from a fire hose, I questioned my entire existence, and I while I succeeded, there was some things I just wasn’t ready for. Had I known these six things then, my transition to pentesting would have been much smoother and quicker.
This talk is geared towards newer pentesters or those looking to land their first pentesting role. It highlights things that I feel every pentester should know as well as things you can do to standout to a potential hiring manager. |
Jason Downey is a security consultant at Red Siege where he spends 90% of his time hacking clients and 10% of his time cussing at Microsoft Word. With several years of experience shared between both offensive, defensive, and networking roles, he has a well rounded approach to security and enjoys combining knowledge and personality to come up with fun ways to convince people to do things they shouldn’t. When not on the internet, he spends his time kickboxing and bouncing around to random countries. |
| Fri | 10:00AM | 11:30AM | Mock Interviews | Kip Boyle Frank Victory Neal Bridges Joshua Mason |
Workshop | The Forge | Join industry leaders Kip Boyle, Frank Victory, Neal Bridges, and Joshua Mason for a career-building workshop to kickstart or get your cybersecurity career to the next level. The workshop will be broken up into two sessions on separate days. On the first day, we will cover resume writing with tips and insights and review resumes for in-person attendees. On the second day, we will discuss interviews and give techniques for preparation and delivery. We will follow that up by putting an attendee or two in the hot seat and coaching them through what to expect and how to make the most impact. | |
| Fri | 10:00AM | 12:00PM | Hacking and Defending Kubernetes | Jay Beale | Workshop | The School Room | Get a hands-on introduction to attacking and defending Kubernetes (k8s)! Remotely controlling a Kali Linux system, you’ll attack a new capture-the-flag scenario in the open-source Bust-a-Kube Kubernetes cluster. Once you’ve busted your way to cluster admin, you’ll use your access to harden the cluster and block your attack. Come get some direct experience with Kubernetes security!
This workshop doesn’t require you to have any experience with containers or Kubernetes. It is accessible to anyone comfortable with a Linux command line. |
Jay Beale works on Kubernetes and cloud native security, both as a professional threat actor and as a member of the Kubernetes project, where he previously co-led the Security Audit working group. He’s the architect of the Peirates attack tool for Kubernetes, as well as of the @BustaKube Kubernetes CTF cluster. He created Bastille Linux and the CIS Linux scoring tool, used by hundreds of thousands. Since 2000, he has led training classes on Linux & Kubernetes security at the Black Hat, RSA, CanSecWest, and IDG conferences. An author and speaker, Beale has contributed to nine books, two columns, and over 100 public talks. He is CEO and CTO of the infosec consulting company InGuardians. |
| Fri | 11:00AM | 11:50AM | The Complete GRC Analyst Day in the Life | Gerald Auger, PhD | Talk | Track 1 | GRC analysts have a place in an effective information security program. Often times their routines, impact, and value are not clearly understood. In this talk, Gerald will walk through the reality of a day in the life of a GRC analyst (at Junior, Mid, Senior levels), explain the WHY around the activities being executed, and illustrate both how those functions relate to each other, and how the GRC functions relate within the totality of the information security office. You’ll pay for the whole seat, but you’ll only need the edge! | Dr. Auger is a 17+ year cybersecurity professional, academic, and author with passion for his craft. His cybersecurity-themed YouTube channel, Simply Cyber, is all about good times and hosts a Daily Cyber Threat Briefing livestream. He has built information security programs from the ground up and loves helping businesses protect their assets. Dr. Auger also teaches in the Cyber Sciences department at the Citadel Military College. He holds a PhD in cyber operations and two Masters in Computer Science and Information Assurance. https://www.youtube.com/c/GeraldAuger https://twitter.com/Gerald_Auger https://www.linkedin.com/in/geraldauger/ https://simplycyber.io |
| Fri | 11:00AM | 11:50AM | The Ethics of Digital Surveillance: Making Sense of Our Liberties in a Connected Age | Kathryn Carnell | Talk | Track 2 | With more people transitioning to work-from-home, practical technological integrations have reached new heights. This is great! More tech in our daily lives means new problems, new perspectives, new solutions, and more creativity: widening the field to include all kind of people and situations is a good thing.
However, being an increasingly networked-society also means being increasingly at-risk: if not directly, then indirectly, and not just from “black hat hackers”. We as Cybersecurity professionals wrestle regularly with the data brokerage market and how that connects to maintaining CIA for our clients and our industry: whether those clients practice data brokerage as a business strategy, or whether they are clients seeking cyber-secure tools to help them eliminate data harvesting from their lives. Data collection can be used for good (digital forensics, in one example) or, it can be used unethically, to exploit (as in the alleged case of UNITED STATES V. EPSILON DATA MANAGEMENT, LLC). I believe that just as in a biological environment, there is an optimal harmony in our digital environment between the data surveillance/collection and personal/corporate privacy models that will best aid our mutual thriving as a civilization which relies on both digital networking and social networking, to live and work. In my short presentation I will lay out the environment Users unexpectedly find themselves in and talk about preventing paranoia when introducing people to Cybersecurity; outline BOTH the positive and negative applications of data brokerage/surveillance and info-markets; and posit a practical, middle-road cultural/ethical response which we can share with our clients, companies, friends, and family to our increasingly-networked world. My goal is to encourage reflection. |
Hello, World!
Kathryn is currently an associate instructor at ThriveDX and graduated from UCF in Cybersecurity. She likes Star Wars, her cats, and living in the endless summer of southern Florida. |
| Fri | 12:00PM | 1:00PM | Lunch | Food | General Session | |||
| Fri | 12:00PM | 1:00PM | Backdoors and Breaches Live Demo | Jason Blanchard | Fun & Games | General Session | ||
| Fri | 1:00PM | 2:00PM | Felon in Five Minutes | Joseph Kingstone Rick Wisser |
Workshop | The School Room | Explaining common ways an attacker could bypass physical controls using technology and bypass tools. Misconfigurations in Physical Security enabling an attacker to perform Cyber Attacks. | Joseph Kingstone Joseph Kingstone joined Black Hills Information Security (BHIS) in Fall 2021 as a Security Analyst. In this role, Joseph performs external and internal penetration tests, C2 pivots, and red teams. He’s had a desire to work at BHIS since transitioning into IT—and eventually penetration testing and red teaming—after serving in the Army. He values the opportunity to perform meaningful work with smart people. In his free time, Joseph enjoys astronomy, tinkering with cars, and learning more about infosec.Rick Wisser Rick Wisser has been with the Black Hills Information Security (BHIS) team since 2015. He is a Penetration Tester, Security Analyst, GIAC Certified Incident Handler (GCIH), and a SANS NetWars Level 5 certificate holder. Rick has an associate degree in Electronic Technology and Computer Networking as well as a BS in Electrical Engineering. |
| Fri | 1:00PM | 1:50PM | Adversaries Rising: Looking Ahead in Security | Dave Kennedy | Talk | Track 1 | We continually see capabilities of various adversaries ranging from ransomware to nation states continue to change their tactics, techniques, and procedures to go after larger and larger companies. Our defenses largely rely on crowdsourced data, but those are largely for more mature companies that have the capabilities of understanding them and building them into their defenses. Defense is still complex, attacks continue to get more complex – how do we fix where lower-risk security breaches are only granted to a small percentage of companies with large security teams. This talk will dive into some previously known data breaches, current methods that attackers are using, and look into the future of how we need to tackle security. | David Kennedy is founder of Binary Defense and TrustedSec. Both organizations focus on the betterment of the security industry. David also served as a board of director for the ISC2 organization. David was the former CSO for a Diebold Incorporated where he ran the entire INFOSEC program. David is a co-author of the book “Metasploit: The Penetration Testers Guide”, the creator of the Social-Engineer Toolkit (SET), Artillery, Unicorn, PenTesters Framework, and several popular open source tools. David has been interviewed by several news organizations including CNN, Fox News, MSNBC, CNBC, Katie Couric, and BBC World News. David is the co-host of the social-engineer podcast and on several additional podcasts. David has testified in front of Congress on two occasions on the security around government websites. David is one of the founding authors of the Penetration Testing Execution Standard (PTES); a framework designed to fix the penetration testing industry. David was the co-founder of DerbyCon, a large-scale conference started in Louisville, Kentucky. Prior to the private sector, David worked for the United States Marine Corps and deployed to Iraq twice for intelligence related missions |
| Fri | 1:00PM | 1:50PM | Adversary Emulation or: How I Learned to Stop Being Polite and Get Real Results | Adam Mashinchi Katie Nickels |
Talk | Track 2 | Adversary emulation has become the go-to testing approach, and for good reason. By acting like real adversaries, red teams can provide effective testing to ensure enterprises detect and respond the way they want to. But there’s a problem—this sounds great in theory, but it often isn’t happening in practice. Using data from real intrusions, this talk will demonstrate how differently testers and real adversaries behave and explain why this can lead to a false sense of security. The presenters will share examples of different techniques, procedures, and tools used by testers and adversaries, including how detecting these differs. The presenters will also break down a spectrum of adversaries, providing the audience with a crawl, walk, run approach to adverary emulation to enable organizations of various capabilities. The audience will learn not only how adversary emulation is often falling short, but more importantly, how to improve testing to achieve better security outcomes. | Adam Mashinchi Adam Mashinchi is the Principal Product Manager for Managed Detection and Response at Red Canary. Before Red Canary, Adam defined and managed the development of enterprise security and privacy solutions with an emphasis on adversary emulation and usable encryption at a global scale, leading numerous technical integration projects with a variety of partners and services.Katie Nickels Katie is the Director of Intelligence for Red Canary as well as a SANS Certified Instructor for FOR578: Cyber Threat Intelligence and a non-resident Senior Fellow for the Atlantic Council’s Cyber Statecraft Initiative. She has worked on cyber threat intelligence (CTI), network defense, and incident response for over a decade for the U.S. DoD, MITRE, Raytheon, and ManTech. Katie hails from a liberal arts background with degrees from Smith College and Georgetown University, embracing the power of applying liberal arts prowess to cybersecurity. Katie has shared her expertise with presentations, webcasts, podcasts, and blog posts, including her monthly livestream, the SANS Threat Analysis Rundown, as well as her personal blog, Katie’s Five Cents. She has received multiple awards, including recognition by SC Media as a Women in IT Security Advocate as well as the SANS Difference Maker Award and the President’s Award from the Women’s Society of Cyberjutsu. |
| Fri | 1:00PM | 1:30PM | Tool Demo – KERnano | Ash Noor | Toolshed | The Forge | KERnano is a no-install Python pen testing kit, for Windows & Linux. | I am a Sudanese Pen Tester, Blogger, PyCharmer & Lover of Outer Space.
Code nights and movie nights are my favorite kind of nights. I live on the internet at www.AshNoor.me |
| Fri | 1:30PM | 2:00PM | Tool Demo – Sirius Scan & Nmap Scripting Engine | Matthew Toussain | Toolshed | The Forge | Sirius is the first truly open-source general purpose vulnerability scanner. Today, the information security community remains the best and most expedient source for cybersecurity intelligence. The community itself regularly outperforms commercial vendors. This is the primary advantage Sirius Scan intends to leverage.
The framework is built around four general vulnerability identification concepts: The vulnerability database, network vulnerability scanning, agent-based discovery, and custom assessor analysis. With these powers combined around an easy-to-use interface Sirius hopes to enable industry evolution. I will also be demonstrating NSE scripting and script integration |
When he gets the chance, Matthew Toussain loves to take on an offbeat challenge. He’s turned a closet into a server room, a table into a computer, and a ’76 Mustang into an electric car. He’s also built an Alexa-enabled home entertainment system out of a car amp, a Raspberry Pi, a computer power supply unit, sheet metal, and plexiglass. It’s that ingenuity that underscores his work as a certified SANS instructor.
A graduate of the U.S. Air Force Academy with a B.S. in computer science and the SANS Technology Institute with an M.S. in information security engineering, he has served as the senior cyber tactics development lead for the U.S. Air Force (USAF) and worked as a security analyst for Black Hills Information Security. In 2014, he started Open Security, which performs full-spectrum vulnerability risk assessments. An avid runner who also plays piano, guitar and violin, Matthew lives in Texas with a multitude of Cisco switches. In addition to teaching at SANS, he is an avid supporter of cyber competitions and participates as a red team member or mentor for the Collegiate Cyber Defense Competition (CCDC), the annual NSA-led event Cybersecurity Defense Exercise (CDX), and SANS Institute’s NetWars. |
| Fri | 2:00PM | 2:50PM | Gone In 60 {Seconds,Minutes,Hours}: Learning from three live, realistic end-to-end breaches | Jeff McJunkin | Talk | Track 1 | Penetration testers should emulate real-world adversaries and demonstrate business risk. A properly scoped pen test of the whole enterprise is a good way to check the enterprise’s resilience against breaches. However, a loss of data (breach) is often much simpler than we think. See three end-to-end breaches live and learn that 1) they’re only rarely complicated, 2) actual exploitation of patchable flaws is rare, and 3) they can happen a lot faster than you think. | Jeff McJunkin founded and consults at Rogue Valley Information Security, who helps businesses understand the business risk resulting from technical flaws, by emulating real-world, realistic adversaries in end-to-end engagements. Rogue Valley Information Security specializes in providing actionable steps for improvement in our reports, along with helping after the report is delivered. Jeff’s background is systems and network administration. He also teaches and authors courseware for the SANS Institute |
| Fri | 2:00PM | 2:50PM | API Security Through External Attack Surface Management | Phillip Wylie | Talk | Track 2 | It is hard to protect what you cannot see. So many times organizations are not aware of all their assets including APIs. They prepare to have their Internet-exposed application assessed during pentests, but have to go through the drill of taking inventory of all the applications. This is a similar task for all external assets, companies do not always know what they have exposed and this makes assessing and securing them difficult. Phillip Wylie discusses how to integrate APIs into External Attack Surface Management (EASM) to improve the security posture of external facing APIs. | Phillip Wylie is a cybersecurity professional and offensive security SME with over 18 years of experience, over half of his career in offensive security. Wylie is the Tech Evangelism & Enablement Manager at CyCognito. He is a former college adjunct instructor and published author. He is the concept creator and co-author of The Pentester Blueprint: Starting a Career as an Ethical Hacker and was featured in the Tribe of Hackers: Red Team. |
| Fri | 2:00PM | 2:30PM | Tool Demo – Locksmith | Jake Hildreth | Toolshed | The Forge | Locksmith is a tool for identifying and remediating the most common misconfigurations and issues with Active Directory Certificate Services installations. | Jake Hildreth is a Senior Security Consultant and member of the Identity Security Team at Trimarc Security, LLC. As a recovering sysadmin with over 20 years of wide-ranging experience in information technology, he configured, administered, or supported almost every technology used by small and medium businesses. His day-to-day work at Trimarc focuses on assessing Active Directory configurations for Fortune 500 companies to help secure their environments. He currently holds the CISSP and Security+ certifications. |
| Fri | 2:15PM | 4:00PM | Advanced Passive DNS Search Techniques for Cyber Investigations | DomainTools | Workshop | The School Room | In this hands-on workshop, DomainTools CISO Daniel Schwalbe will build on the search techniques introduced in the “Threat Hunting using Active and Passive DNS” class and will expand the query complexity to include advanced regular expression patterns, globbing, and searching of “lesser known” Resource Record Types such as SOA and TXT.
Requirements to participate: Daniel will provide free access to DNSDB, our passive DNS tool, along with command line (dnsdbq and dnsdbflex) and web (DNSDB Scout) tools for the class and for 30-days following the conference so attendees can visualize how the tool will work within their own environments. DNSDB is a historical passive DNS database that contains Internet history data that goes back to 2010. A DNSDB API Key will be sent to registered attendees prior to the Workshop. |
DomainTools, the leader in domain name and DNS-based cyber threat intelligence, has acquired Farsight Security, a leader in DNS intelligence and passive DNS cyber security data solutions. The acquisition comes as a natural extension of both companies’ long-standing partnership to deliver Farsight’s market-leading passive DNS data via the DomainTools Iris investigation platform to assess risk, map attacker infrastructure, and rapidly increase visibility and context on threats. Farsight’s market leading DNS observation data combined with DomainTools best-in-class active DNS data gives customers the earliest and most comprehensive look into threats emerging outside their network. |
| Fri | 2:30PM | 3:00PM | Tool Demo – BBOT | The Techromancer | Toolshed | The Forge | BBOT (Bighuge BLS OSINT Tool) is an OSINT framework written in Python. It uses a recursive consumer-event system similar to Spiderfoot, but with several improvements, including a more powerful threading engine and a versatile tagging system that automatically labels events according to whether they’re in scope, resolved/unresolved, wildcard, etc. It can be used both as a Python library and as a CLI tool, and natively supports output to the Neo4J Graph Database. | TheTechromancer is a penetration tester at Black Lantern Security, where he travels the world, writing nefarious Python tooling and testing it (with permission) against fortune-500 companies. He is a strong advocate for open source software, and open-sources all his tools, even the crappy ones. At home, he enjoys listening to Synthwave (the coolest musical genre of all time), and spends his time creating digital art and reading lots and lots of books. He really loves books. |
| Fri | 3:00PM | 3:50PM | Is the PKI sky falling? | Rick Davis | Talk | Track 1 | From PetitPotam to PKINIT, relay attacks to golden certs, the last year has brought PKI and certificates under the magnifying glass. In this talk we will discuss some of the biggest recent issues both for internal PKI’s and public certs and try to make sense of just what’s going on. We will aim to clarify and classify these issues and rate their criticality as part of the larger Active Directory ecosystem. For each issue we will attempt to discuss possible mitigations and defense, ideas for monitoring and alerting, and in some cases alternatives. The session will conclude with discussions of possible future alternatives and their feasibility for both operational and security teams. | Rick Davis is currently a Senior Customer Engineer at Microsoft focusing on Cybersecurity. With over 20 years in the field he has worked in all industry verticals including public, private and federal sectors in roles ranging from architecture to red team as well as adjunct professor and guest lecturer in areas of statistics, number theory and cryptanalysis. In addition to proactively working with customers to deploy security tools, train staff and better defend their environments Rick works closely with Microsoft’s global Incident Response team responding to some of the largest threats, ransomware outbreaks and other cybersecurity events. He is a subject matter expert on key technologies such as PKI, Active Directory and the Microsoft Defender ecosystem. |
| Fri | 3:00PM | 3:50PM | What’s up Breaches! | Mishaal Khan | Talk | Track 2 | I’ll show you the various types of data breach sets out there, everything you can gain from them (not the passwords), how to access them, use them for OSINT investigations, pentesting recon, auditing or privacy assessments, and how to prepare yourself for the next breach, because you’re going to be in it!
I’ll show you some popular leaks, public scrapes, stealer logs and data aggregator sets that will help put together the missing pieces and take your investigations to the next level. You will see how I store and parse through the terabytes of data in an efficient manner. I end with some tips on how to protect yourself from the techniques I present. |
A jack of all trades, master of some, Mishaal uses his Cybersecurity background along with his Privacy and OSINT skills to spread awareness, educate people and provide actionable next steps to help protect people and organizations from threats they may not be aware of.
With over 20 years of multinational experience, he’s a virtual CISO, certified Ethical Hacker, Social Engineer, the 1st IntelTechniques Certified OSINT Professional, Privacy consultant, coder, and a general problem solver. His personal examples, anecdotes, and clear thought process allow him to connect with people effortlessly and explain complex matters in a simplified manner. |
| Fri | 4:00PM | 4:50PM | I’m a Security Charlatan & So Are You | John Hammond | Keynote | General Session | Use discount code 100PERCENTOFF for a FREE rambling rant from a not-an-expert expert and typical white guy, clueless as to what he is talking about but showing face to make appearances and panhandle for social clout! Filled to the brim with buzzwords, senseless statistics, and unwanted hot-takes from LinkedIn, you’ll be on the edge of your seat! This is sarcasm (or satire, you decide). Actually, join John Hammond for a candid, unfiltered and unorthodox conversation on where we fall short, what we can learn from it and why that makes us better. | John Hammond is a cybersecurity researcher, educator and content creator. As part of the Threat Operations team at Huntress, John spends his days analyzing malware and making hackers earn their access. Previously, as a Department of Defense Cyber Training Academy instructor, he taught the Cyber Threat Emulation course, educating both civilian and military members on offensive Python, PowerShell, other scripting languages and the adversarial mindset. He has developed training material and information security challenges for events such as PicoCTF and competitions at DEFCON US. John speaks at security conferences such as BsidesNoVA, to students at colleges such as the US Naval Academy, and other online events including the SANS Holiday Hack Challenge/KringleCon. He is an online YouTube personality showcasing programming tutorials, CTF video walkthroughs and other cyber security content. John currently holds the following certifications: Security+, CEH, LFS, eJPT, eCPPT, PNPT, PCAP, OSWP, OSCP, OSCE, OSWE, OSEP, and OSED (OSCE(3)). |
| Fri | 5:00PM | 5:15PM | Awards | John Strand | Awards | General Session |