Conference Schedule

Please note that this conference schedule is subject to change. If you’re viewing this schedule from a desktop, you can hold shift and click on multiple columns to sort them at the same time. All times below are in Mountain Time (MT).

Attendees will be able to watch our keynote presentations and talks, learn some new tools at the Toolshed, and can participate in workshops, labs, an Escape Room, the virtual Backdoors & Breaches tournament, Slide Show Roulette, Infosec Trivia, and the MetaCTF Capture the Flag event.

Don’t forget, attendees will be invited to a private Discord server facilitating all the conference fun. Join the Discord server and visit the #getting-started channel which contains a quick index of the many conference activities as well as a short getting started video.

Note: Track and Workshop streaming links can be found in the #track-links channel on the WWHF Deadwood 2021 Discord server. Attendees will also receive these links via email.

Day Start End Title Presenter(s) Type Track Abstract/Description Presenter Bio(s)
Weds 5:20PM 5:30PM Welcome John Strand Track 1
Weds 5:30PM 6:20PM Hack to the Future – The Stories Hal Pomeranz, Dave Kennedy, Nadean Tanner, Paul Vixie, Michele Guel Talk Track 1 What do you get when you put over 100 years of combined Information Security experience on the same stage? Hilarious stories of triumph, shame, and redemption. In their best story-telling style, our esteemed panel will share life-lessons from their past that will help give you a new perspective on what will shape our industry in the future.
Weds 6:30PM 7:20PM Burnout: The Security Risk Chloe Messdaghi Talk Track 2 Did you notice a shift in your mental health and/or your colleagues’? Burnout was at an all-time high last year due to the surreal 2020. As we approach the end of the pandemic, we recognize how critical a role mental health plays in accomplishing goals and productivity output. This talk dives into the factors that lead to burnout among security professionals, the clear line between burnout and failure to retain team members, and how to invest in your team to make sure your team is able to thrive during stressful times. Chloé Messdaghi is a tech changemaker who is innovating the tech and information security sectors to meet today’s and future demands by accelerating startups and providing solutions that empower. She is an international keynote speaker at major information security and tech conferences and events, and serves as a trusted source to reporters and editors, such as Forbes and Business Insider. Additionally, she is one of Business Insider’s 50 Power Players.
Weds 6:30PM 8:30PM Offensive WMI Workshop Chris Truncer Workshop WMI has recently been publicized for its offensive use cases. Attackers, and now red teams, are discovering how powerful WMI can be when used beyond its original intent. Even with the recent surge in WMI use, not everyone knows how to interact with it. This workshop intends to showcase how you can leverage WMI on assessments to do nearly anything you would want to do in a post-exploitation scenario. Want to read files, perform a directory listing, detect active user accounts, run commands (and receive their output), download/upload files, and do all of the above (plus more) remotely? The goal for this workshop will be to enable students to walk away with an understanding of how WMI, a service installed and enabled by default since Windows 2000, is utilized by attackers, demystify interacting with the service locally and remotely, and give students the ability to leverage WMI in the same manner as attackers. Christopher Truncer (@ChrisTruncer) is a co-founder and red team lead with FortyNorth Security. He is a co-founder and current developer of the Veil-Framework, a project aimed at bridging the gap between advanced red team and penetration testing tools, as well as of WMImplant, EyeWitness, and other open-source software. Chris began developing tools that are not only designed for the offensive community but can also enhance the defensive community’s ability to defend its network.
Thurs 7:00PM 8:00PM Slide Show Roulette Frank Victory Fun & Games Track 1 One of the things that makes a great presenter is knowing the material. It is essential in the presentation and makes the flow great. But what happens when a presenter is not familiar with the topic? In Slideshow Roulette, we will challenge you to present a deck you have never seen before with expertise and grace. Think you are good? Let’s find out! Frank Victory is a Marine Corps veteran and also an experienced cybersecurity professional. He has worked on both Blue and Red Teams, but his passion is being an educator and enabling people to make a better future for themselves. He tries to put some fun and interesting humor in everything he does and loves to incorporate jokes and fun facts in his educational material.
Thurs 8:45AM 9:00AM Welcome John Strand Track 1
Thurs 9:00AM 9:50AM Building the Next Generation of Hackers Dave Kennedy Keynote Track 1 We always hear there is a skills shortage in security. This is true – there is a skill shortage in already established senior level positions in security. The gap between fresh out of college, high school, or minimal experience versus the in-between to senior is alarming. Companies and organizations are focusing their efforts on hiring individuals with years of already established experience, causing a massive skills gap due to the inability to train up our next generation of hackers. This talk will dive into what we are doing to fix that, and how you can differentiate yourself to land a junior job at a number of different organizations. In addition, I’ll be discussing how we train junior level resources up and how our program has been successful in creating a diverse workforce that continues to try to chip away at the skills shortage. We have to train our next generation of hackers, and it starts with all of us. David Kennedy is founder of Binary Defense and TrustedSec. Both organizations focus on the betterment of the security industry. David also served on the board of directors for the ISC2 organization. David was the former CSO for Diebold Incorporated, where he ran the entire INFOSEC program. David is a co-author of the book “Metasploit: The Penetration Testers Guide”, the creator of the Social-Engineer Toolkit (SET), Artillery, Unicorn, PenTesters Framework, and several popular open source tools. David has been interviewed by several news organizations including CNN, Fox News, MSNBC, CNBC, Katie Couric, and BBC World News. David is the co-host of the social-engineer podcast and on several additional podcasts. David has testified in front of Congress on two occasions on the security around government websites. David is one of the founding authors of the Penetration Testing Execution Standard (PTES), a framework designed to fix the penetration testing industry. David was the co-founder of DerbyCon, a large-scale conference started in Louisville, Kentucky. Prior to the private sector, David worked for the United States Marine Corps and deployed to Iraq twice for intelligence related missions.
Thurs 10:00AM 10:50AM Homegrown Organic OSTs: Do You Know What Is in Your Payload? Joe B. Talk Track 1 Most hacking tools we use today (the top 10 hacking tools of 2021: Acunetix, Nessus, Nmap, Metasploit, Wireshark, Nikto, John the Ripper, Kismet, SQLninja, Wapiti, Canvas) have free trials or F/OSS versions but are mostly enterprise products. There are exceptions, and most tools used by seasoned testers are “free” both as in “free beer” and as in “free speech”, which means “zero price” (gratis) versus “with few or no restrictions” (libre). On the other hand, you can pay a hefty price for tools that are entirely closed source; you just have the power to operate them in a limited capacity. In this talk, we will discuss the differences, and why, in the end, you should just “grow” your tools at “home”. Recently, with an uptick in discussion around OSTs that are on GitHub and their ease of use, we often run into issues with these tools then being used in malicious attacks on organizations. If the tool did not exist to make it easier, would the attack still happen? Speculation aside, we have also seen a rise in tools that run auto exploits. While fun, these tools can leave traces and files behind if they are not cleaned up, hence the idea of writing your own tools to avoid the “no trace left” debate. If you leave a piece of “malware” behind and it is used to gain access to a client network, are you responsible? The “ethical” answer is -YES-. There was an issue raised recently with LinPEAS. So, building your own tools should be what most mature teams strive for, but with the best effort to emulate the TTPs / attack methodologies as closely as possible, to ensure that if custom tools do get used it is both the tools and the methods used that are detected, not just the publicly available IoCs. In conclusion, building your own tools so you and your teams know what is in them can be safer, lead to better testing, and ensure you’re never the cause of a breach. The Blind Hacker is an InfoSec enthusiast, mentor, coach, pentester, hacker, and more. He regularly mentors online through streams and online communities. He frequently volunteers time on workplace development for others, gives resume reviews and job advice, and coaches people into the roles they want with mock interviews. As a person with a disability, or who is differently-abled, he has never let it slow him down.
Thurs 10:00AM 10:50AM Hacking Kubernetes Security – The Def Con CTF Attack Path Jay Beale Talk Track 2 Come learn Kubernetes attack TTPs in this demo-heavy presentation! We’ll demonstrate the attack path that fully compromises the Def Con Kubernetes Capture the Flag (CTF), picking up flags and movie references. You’ll learn techniques that you can use on real-world Kubernetes attacks and map these to the MITRE ATT&CK Framework. Finally, you’ll gain a stronger understanding of the security controls in, and available to, Kubernetes clusters. Jay Beale works on Kubernetes and cloud native security, both as a professional threat actor and as a member of the Kubernetes project, where he previously co-led the Security Audit working group. He’s the architect of the Peirates attack tool for Kubernetes, as well as of the @Bustakube Kubernetes CTF cluster. He created Bastille Linux and the CIS Linux scoring tool, used by hundreds of thousands. Since 2000, he has led training classes on Linux & Kubernetes security at the Black Hat, RSA, CanSecWest and IDG conferences. An author and speaker, Beale has contributed to nine books, two columns and over 100 public talks. He is CEO and CTO of the infosec consulting company InGuardians.
Thurs 10:00AM 12:00PM Threat Hunting Using Passive DNS Ben April, Daniel Schwalbe Workshop Every transaction on the Internet – good or bad – uses the Domain Name System (DNS). In this fast-paced, hands-on workshop, Farsight Security CTO Ben April and VP of Engineering Daniel Schwalbe will teach the fundamental investigative techniques and methodologies for how to use Passive DNS to more easily—and quickly—uncover previously unknown connections between seemingly unrelated assets, using IP addresses and domain names to map online infrastructure.

Requirements to participate:

  • Laptop, Internet access
  • Knowledge of the Domain Name System (DNS) is required.
  • Farsight DNSDB API Key (will be provided)
  • DNSDB Scout Web Edition: https://scout.dnsdb.info/
  • dnsdbq install from https://github.com/dnsdb/dnsdbq
  • dnsdbflex install from https://github.com/farsightsec/dnsdbflex

Farsight will provide free access to its passive DNS tool, Farsight DNSDB, and its command line (dnsdbq and dnsdbflex) and web (DNSDB Scout) tools for the class as well as for 60 days following the conference, so that attendees can use the tool in their own work environments.

DNSDB is a historical passive DNS database that contains Internet history data that goes back to 2010. A DNSDB API Key will be sent to registered attendees prior to the workshop.

Ben April is the Chief Technology Officer at Farsight Security, Inc. Prior to joining Farsight, Ben spent eight years at Trend Micro, where he became the Americas regional manager of the Forward-looking Threat Research team. Ben has presented to security conferences on six continents, covering topics like Bitcoin, NFC, operational security and infrastructure security. He has built research systems for collecting and aggregating data, from Whois and the Bitcoin blockchain to the global routing table. His current crusade is to eliminate the technical and policy barriers that impede data-sharing among white-hat security researchers. “Once the good guys can share data as effectively as the criminals, we might have a chance.” Ben is also a volunteer sysadmin and coder for some trusted-community security projects.

Daniel Schwalbe is the Deputy Chief Information Security Officer and Vice President of Engineering at Farsight Security, Inc. Prior to joining Farsight, he served as Associate Chief Information Security Officer at the University of Washington, where his focus areas were threat intelligence, information sharing, and incident response. Daniel is a US Army Veteran and has done tours as a DOD Contractor and FBI Taskforce member. He also previously served on the board of directors for the REN-ISAC, where he remains a technical advisor. Daniel is an active contributor to the information security community, and regularly teaches undergraduate-level InfoSec courses at his alma mater, University of Washington. He has presented at national and international conferences such as DCC, ACoD, ISOI, Agora, and WWHF.

Thurs 10:00AM 6:30PM CTF Capture the Flag
Thurs 10:00AM 6:30PM Escape Room Fun & Games
Thurs 11:00AM 11:50AM Ethical Phisheries: Phishing Exercises to Test Controls instead of People Ean Meyer Talk Track 1 Just like fishing done irresponsibly causes damage to the ocean population, phishing exercises done irresponsibly can do more harm than good to your organization. Over-phishing and unsustainable methods will hurt the population you protect. Fear or other emotional responses are used to bait targets to click. Criminals have no rules of engagement, but phishing exercises should. Security teams can do significant damage to their reputation, their relationships with the organization, and the trust they need to maintain with users when a phishing exercise is run in a way that leaves feelings hurt. Once the damage is done, protecting the organization becomes incredibly difficult. How does an organization create phishing campaigns that don’t leave people feeling foolish or angry? In this talk we will look at phishing exercises that focus on measuring the controls designed to protect users and not the users themselves. We will look at the types of campaigns that may be problematic, creating a rift between security and the individuals in the organization. The goal is to create campaigns that leave the user feeling empowered with information, working as a partner and not a target. A small library of “Ethical Phishing” campaigns, with explanations of how to configure each campaign to test technical controls, will be made available for any organization to use and develop further via GitHub. This talk will show you how to build phishing campaigns that allow you to run an effective “ethical phishery” that creates balance and partnership instead of depleting trust. Ean Meyer is an Associate Director of Security Assurance for a multi-billion-dollar global resort company. When not working with large enterprises he can be found at Full Sail University teaching the next generation about information security and risk management as a Course Director in the IT and Cybersecurity programs. He is also the President of BSides Orlando and mentoring co-lead for The Diana Initiative. Ean has spoken at BSides Orlando, BSides Tampa, and InfoSec World. He has been a panelist at ISC2 Congress, Department of Homeland Security – Corporate Security Symposium, and the upcoming Synapse Summit 2021. He also runs workshops such as Advanced Cubicles & Compromises, which is a tabletop incident response workshop for Wild West Hackin’ Fest. In 2019 Ean competed in the Social Engineering Capture The Flag at Defcon 27, where he took 5th place. Ean holds a CISSP, EC-Council – CEH, and an MS in Cybersecurity and Information Assurance. You can find him at https://www.eanmeyer.com – Twitter @eanmeyer – LinkedIn @eanmeyer
Thurs 11:00AM 11:50AM Mistaken Identity: SAML, OAuth, OIDC J. Wolfgang Goerlich Talk Track 2 While everyone was focused on credentials, criminals quietly moved to exploiting mistakes in identity. You have a long and strong password? That’s sweet. You’re using all three types of multi-factor? That’s cute. It won’t matter when the adversaries compromise identity protocols after authentication. But at least you tried. The trouble is that protocols like Security Assertion Markup Language (SAML) and OpenID Connect (OIDC) are difficult to get right. Few security professionals get it right every time. Most of us get these protocols mostly working, misconfigurations be damned. This session provides an overview of common mistakes and a set of practices for protecting federated identity and single sign-on (SSO). Attendees will leave with a knot in their stomach and a list of things to check with their developers. J. Wolfgang Goerlich is an Advisory CISO for Duo Security. He has been responsible for IT and IT security in the healthcare and financial services verticals. Wolfgang has led advisory and assessment practices in cybersecurity consulting firms.
Thurs 12:00PM 1:00PM Lunch Food
Thurs 1:00PM 3:00PM Hacking and Defending Kubernetes, Hands On! Jay Beale Workshop Get a hands-on introduction to attacking and defending Kubernetes (k8s)! Remotely controlling a Kali Linux system, you’ll attack a new capture-the-flag scenario in the open-source Bust-a-Kube Kubernetes cluster. Once you’ve busted your way to cluster admin, you’ll use your access to harden the cluster and block your attack. Come get some direct experience with Kubernetes security!

This workshop doesn’t require you to have any experience with containers or Kubernetes. It is accessible to anyone comfortable with a Linux command line.

Jay Beale works on Kubernetes and cloud native security, both as a professional threat actor and as a member of the Kubernetes project, where he previously co-led the Security Audit working group. He’s the architect of the Peirates attack tool for Kubernetes, as well as of the @Bustakube Kubernetes CTF cluster. He created Bastille Linux and the CIS Linux scoring tool, used by hundreds of thousands. Since 2000, he has led training classes on Linux & Kubernetes security at the Black Hat, RSA, CanSecWest and IDG conferences. An author and speaker, Beale has contributed to nine books, two columns and over 100 public talks. He is CEO and CTO of the infosec consulting company InGuardians.
Thurs 1:00PM 1:50PM The B is for Business – Driving Practical Security Through the BISO Alyssa Miller Talk Track 1 What’s that? You’ve never heard of a BISO? You don’t really know what they do? In this session we’ll discuss the growing trend of implementing Business Information Security Officers. While different organizations may have slightly different visions for the role, the core concept of bridging the gap between the security team and the business line remains the same. We’ll examine key areas in which this emerging role can help your program more easily win funding, gain better adoption, and achieve greater overall effectiveness. This session will show you how the alignment of a dedicated security resource within the business line builds a powerful culture of empathy. Throughout the session, common values and practices that set your BISOs up for success will be shared. You’ll get a clear view of what facets are core to this role and how you can best tailor their alignment and responsibilities to fit your business and security program. We’ll even discuss strategies for building a business case for developing a BISO community. By the end of the session, you’ll leave with an understanding of why your organization should really be looking at launching a BISO community of its own. Alyssa Miller, Business Information Security Officer (BISO) for S&P Global Ratings, directs the Ratings security strategy, connecting corporate security objectives to business initiatives. She blends a unique mix of technical expertise and executive presence to bridge the gap that can often form between security practitioners and business leaders. Her goal is to change how we look at the security of our interconnected way of life and focus attention on defending privacy and cultivating trust. A life-long hacker, Alyssa has a passion for technology and security. She bought her first computer herself at age 12 and quickly learned techniques for hacking modem communications and software. Her serendipitous career journey began as a software developer, which enabled her to pivot into security roles. Beginning as a penetration tester, her last 15 years have seen her grow as a security leader with experience across a variety of organizations. She regularly advocates for improved security practices and shares her research with business leaders and industry audiences through her international public speaking engagements, online content, and as co-host of The Uncommon Journey podcast on ITSP Magazine.
Thurs 1:00PM 1:50PM Securing Windows with Group Policy Josh Rickard Talk Track 2 Group Policy exists in almost every modern business environment. Many organizations do not use Group Policy extensively, effectively or at all. We all face problems with securing our Windows environments, but most do not realize they already have the best tool for the job. Do you understand how Group Policy is processed? Did you know you can manage both Active Directory groups and user rights? What about securely running Scheduled Tasks, and do you even manage Services, bro? Why do all your Administrative accounts have extra permissions like Debug Programs? And why the hell are you afraid of AppLocker? Remember, Group Policy is an ENTERPRISE scale Windows registry editor and more. Josh is focused on automating everyday processes used in business and security. He is an expert in PowerShell & Python, a GIAC Certified Windows Security Administrator (GCWN), a GIAC Certified Forensic Analyst (GCFA), and has a diverse background ranging from system administration to digital forensics, incident response and managing teams and products. Josh has presented at multiple conferences including DerbyCon (2x), ShowMeCon (2x), BlackHat Arsenal, CircleCityCon, Hacker Halted, and numerous BSides. In 2019, Josh was awarded an SC Media Reboot Leadership Award in the Influencer category and is featured in the Tribe of Hackers: Blue Team book. Josh shares his experience about automation, code, and security on Swimlane’s blog (https://swimlane.com/blog) and his personal blog (https://letsautomate.it). You can find information about open-source projects that Josh creates and maintains on GitHub at https://github.com/MSAdministrator.
Thurs 1:00PM 3:00PM Backdoors and Breaches Tourney Fun & Games
Thurs 2:00PM 2:50PM Social Engineering the Job Interview Ursula Cowan Talk Track 1 Ever get completely flustered when it’s time for the talk-interview portion of job seeking? Do you think that because you are introverted you can’t use social engineering to help not only better deal with any social anxiety you might have, but also to help the presenters get to know the real you? Are you extroverted but still get nervous when faced with the possibility of a shiny new job prospect? In this presentation, participants will learn how to apply social engineering principles to help further their chances at a successful interview. We will discuss the psychology behind the social engineering principles we will use and practical, actionable steps to making both you and the interviewer feel more comfortable, get to know a bit about each other, and potentially start you on the road to a new career. Participants will leave here with tools to immediately go into an interview and show their best selves. Ursula ‘Ushi’ Cowan is a Threat Research Analyst at FireEye/Mandiant, specifically Mandiant Security Validation on the Behavioral Research Team (BRT), focusing on researching adversaries’ tactics, techniques, and procedures (TTPs) and breaking them down to the smallest behaviors for the purpose of replicating them within the Mandiant Security Validation Platform. Ursula’s career started as a police detective investigating cyber-crime, death, and online exploitation, working closely with the North Florida Internet Crimes Against Children Taskforce. She later added computer forensics examiner to her list of job responsibilities and worked with the US Secret Service’s Electronic Crimes Taskforce. Her training in computer forensics began at the U.S. Secret Service’s National Computer Forensic Institute (NCFI); she also holds a Bachelor of Science in Applied Psychology from the Florida Institute of Technology, and a Master of Science in Digital Forensics from the University of Central Florida.
Thurs 2:00PM 2:50PM How To Detect Attackers Inside Your Network: Because You Can’t Win Whack-A-Mole While Blindfolded Jeff McJunkin Talk Track 2 Attackers behave fundamentally differently than users. An attacker with internal access leaves (qualitatively and quantitatively) very different indicators than a regular employee. This talk will discuss some immediate wins for detective controls inside your on-prem environment (including Active Directory), so you can begin the incident response process as soon as possible. After all, it’s hard to compete in a race when your opponent gets a multiple-day head start! Jeff McJunkin is the founder of Rogue Valley Information Security, a consulting firm specializing in penetration testing and red team engagements. Jeff has a long background in systems and network administration that he leveraged into web and network penetration testing, especially involving Active Directory. He has taught dozens of classes in network penetration testing for the SANS Institute, and is the author of the “Metasploit Kung Fu for Enterprise Pen Testing” course. He specializes not only in finding end-to-end realistic attack scenarios for clients, but also in helping technical staff as well as senior leadership understand the attack, its ramifications, and detective controls, and in assisting with safe remediation.
Thurs 3:00PM 5:00PM DDTTX – Playbook Perfection Amanda Berlin, Jeremy Mio Workshop DDTTX Playbook Perfection is an introductory playbook workshop. Playbooks are an important part of any information security program. They offer structure and realistic, flexible procedures to assist in almost any situation.

As a group we will review playbooks taken from other situations and cover best practices, do’s and don’ts, structure, and maintenance. We will also cover ways to successfully test playbooks by using different methods that can work in a variety of organizations and situations.

Participants are welcome to bring their own playbooks or example playbooks to the workshop as long as they do not contain any confidential information that may put them or their organization at risk.

Amanda Berlin – (@infosystir) Amanda Berlin is a Lead Incident Detection Engineer for Blumira and the CEO and owner of the nonprofit corporation Mental Health Hackers. She is the author for a Blue Team best practices book called Defensive Security Handbook: Best Practices for Securing Infrastructure with Lee Brotherston through O’Reilly Media. She is a co-host on the Brakeing Down Security podcast and writes for several blogs. She has spent over a decade in different areas of technology and sectors providing infrastructure support, triage, and design. She now spends her time creating as many meaningful alerts as possible.

Jeremy Mio – (@cyborg00101) – Jeremy has focused expertise within the evolution of security convergence, the merger of physical and information security, and cyber-warfare. He is an Information Security Officer within local government and Principal within CodeRed LLC. Previously, he worked within Fortune 500 in enterprise information security as well as physical security through training/contracting. Jeremy researches and tests small UAVs [drones] for their use in defense applications in cyber warfare and intelligence, relying on Open Source technology and OSINT.

Thurs 3:00PM 3:50PM Rules of Engagement: Social Media Hacking for Hackers (Pt. 2) Maril Vernon Talk Track 1 Ever wonder why your Tweets don’t take off or someone else’s post on LinkedIn does better than yours? Want-to-be hackers: trying to break into the industry and have no idea how to promote yourself and what you know on social media? Last time we covered the 3 largest platforms for hackers and some basic strategies to use in your activity and content to gain more traction and hack the algorithms. In the second part of this multi-talk series, we take a deeper dive into the most important part of your social media success: personal branding strategies. We’ll discuss how to actually make a personal brand and use it to maximize an effective profile, the anatomy of a good post, and how to create engaging content. Maril Vernon, @SheWhoHacks, is a Red Team Operator for Zoom Communications, Threat Hunter for Dark Rhino Security, and a PluralSight author, specializing in Red Teaming tools, Purple Team methodology, MITRE, and Cloud Security strategies. Maril’s expertise on VPN exploits was featured on the Cyber Security Forum Initiative, and she is a contributing editor of the latest CIS AWS Foundation Benchmark for cloud security. A year and a half ago she leveraged soft skills and a non-technical background to break into cyber security and red teaming, and is an example of what you can achieve in a short time. Today she teaches others how to effectively learn pentesting skills and market their accomplishments to help them break into cyber security careers.
Thurs 3:00PM 3:50PM Finding a Hidden Website Compromise Kevin Bong Talk Track 2 Attackers are becoming increasingly savvy at hiding malware such as backdoors and card skimmers on compromised web servers, and building sophisticated attack chains to steal cards, even from servers using supposedly secure iframes for payments. When customers start to complain about stolen cards, it is very common for the web developers to review the site and find nothing nefarious. While this hidden and obfuscated attack code can be hard to find, there are many tricks and commonalities that make the task easier. In this talk, Kevin will use examples from his own recent website breach investigations to demonstrate the tactics that attackers are using as well as investigation techniques to help find and interpret malicious code. Kevin is a Director for the Cybersecurity group at Sikich, leading the penetration testing and forensic incident response teams. Prior to joining Sikich, Kevin spent 12 years as a Vice President of a multi-billion-dollar financial group, leading the bank’s security and IT risk management activities. With his experience performing audits, penetration testing, risk assessments and forensic investigations, Kevin provides invaluable guidance to institutions affected by standards such as those related to the FFIEC, NIST, HIPAA and PCI. Kevin has a Master of Science degree in Information Security Engineering from the SANS Institute and holds multiple computer security certifications. Kevin is the creator of the MiniPwner, a pocket-size penetration testing device used to gain remote access to a network. He’s also an author, instructor and a frequent hacker conference presenter.
Thurs 4:00PM 4:50PM Screen Doors on Battleships: The Fundamentals of Attacking ML Will Pearce Talk Track 1 In case you haven’t heard, ML is used to catch hackers (that’s you) before they’ve even had their morning coffee. ML makes your old frumpy EPP solution shiny and useful again. Though, what you may not have heard is how ML solutions can be attacked (and not just your EPP solution with a new haircut). Once you strip away the expensive marketing and fancy whitepapers, you’re left with what can only be described as math, which to be fair to the expensive marketing, sounds boring. However, the reality is that ML introduces new attack surface that has been unaccounted for – from unsolicited dik-dik pictures to pulling PII from language models, to bypassing your (least) favorite EPP solution. This talk will discuss the fundamental concepts for attacking ML, introduce a repeatable methodology, and demonstrate tooling with an end-to-end attack on a deployed ML model using Counterfit. Attendees will walk away with enough knowledge and resources to start exploring and conducting their own attacks against AI systems. Will Pearce is the Red Team Lead for Azure Trustworthy ML at Microsoft. In his current role, he is responsible for running and supporting offensive engagements against AI systems at Microsoft and with partners. This includes building assessment methodologies, developing tools, and creating research. Previously, he was a Senior Security Consultant and Network Operator at Silent Break Security, where he performed network operations, security research, and was an instructor for the popular Darkside Ops courses given at industry conferences and to private/public sector groups. His work on the use of machine learning for offensive security has appeared at industry conferences including DerbyCon, BSidesLV/SLC, and Defcon AI Village as well as an academic appearance at the SAI Conference on Computing. Will maintains his OSCP and is credited with the first machine learning CVE.
Thurs 4:00PM 4:50PM Making Incident Response Suck Less Jake Williams Talk Track 2 Incident response will never be fun, it’s always going to suck. And given the current cybersecurity landscape, that suck isn’t a matter of “if”, it’s a matter of “when and how bad.” But today, before the incident, you can take some preparatory steps to make it suck less. In this session, we’ll discuss *actionable* steps every organization can take to better prepare itself to handle that inevitable incident. We’ll discuss both technical and procedural items, including creating a Collection Management Framework (CMF), establishing an incident command structure, securing incident communications, and working with breach counsel. After implementing the lessons learned in this session, you’ll be poised to better respond to any incident that some random panda, kitten, tiger, or bear throws at you. Jake Williams is an incident responder, red teamer, occasional vCISO, and prolific infosec shitposter. He has traveled the world, but isn’t welcome in China or Russia (and avoids most countries they have extradition treaties with). When not speaking at a conference like this one, it’s a good bet that Jake is engaged in hand to hand combat with an adversary rooted deep in a network or engineering ways to keep them out. Jake’s career in infosec started in the intelligence community, but has taken him around the world securing networks of all shapes and sizes, from utilities to hospitals to manufacturing plants.
Thurs 5:00PM 7:00PM How to Build an Infosec Team that gets Sh*t Done Kip Boyle Workshop In this workshop, I show InfoSec managers how to build the team of their dreams. Students will learn how to attract and retain top tier talent, the kind of talented people who could work anywhere but choose to work with you, team members who get stuff done and don’t think much about changing employers.

What’s more, this kind of team throws open the door for you to become a powerful influencer on InfoSec strategy with your senior decision makers. Why? Because your team will let you work “on your program” instead of working “in your program.” And that will allow you to spend more time learning about the business your team protects and building relationships with the other top influencers across your organization.

During this workshop, we’ll be referring to the “Cybersecurity Hiring Manager Handbook,” an open-source document soon to be published under the Creative Commons Attribution 4.0 International (CC BY 4.0) license.

Kip Boyle is a husband, dad, small business owner, and experienced cybersecurity hiring manager. Over the years, Kip has built many InfoSec teams in a variety of settings including as a captain on active duty in the US Air Force, as the CISO of PEMCO Insurance in Seattle, and vCISO in his own company, Cyber Risk Opportunities LLC. Kip is leading the creation of the open-source “Cybersecurity Hiring Manager Handbook.” He’s also the co-host of The Cyber Risk Management Podcast and principal instructor of the Hired in 21 Days online course.
Thurs 5:00PM 5:50PM Socially Acceptable Methods to Walk in the Front Door Mike Felch, Steve Borosh Talk Track 1 With initial access vectors getting scarce and the threat landscape evolving at a rapid pace, red teams are beginning to reconsider their angle of pursuit. This has caused old means of entry to be revisited in new ways while also paving the way for new entry techniques for emerging technologies. We will introduce novel approaches to gaining remote read and write access to a user’s Microsoft Windows file system for exfiltrating sensitive files and planting droppers. Additionally, we will share some unique research on Microsoft Azure tokens and compromising access with minimal effort leading to cloud pivoting opportunities. Attendees can expect to learn about some new red team tradecraft for traditional technologies, innovative tradecraft for emerging cloud environments, and a handful of offsec tools designed to regain traction with initial access. Mike is currently a Red Team Manager at CrowdStrike focused on R&D and a former Black Hills Information Security red teamer. He began his career in 1997 as a Linux administrator, which eventually led to numerous offensive security and engineering roles with a focus on hardware/software security research. Mike was a lead forensics instructor for TeelTech, Chief Breaking Officer for OWASP Orlando, and is a frequent speaker at security conferences around the country. Steve is an experienced Penetration Tester and Red Team Operator. He has spoken at several security conferences including HackMiami, SANS Hackfest, BSidesLV, BSidesDC, and BSidesNOVA. He also enjoys teaching and has extensive experience as an instructor both domestically and internationally for commercial and government spaces. Steve is an avid offensive tool developer and blogger who enjoys contributing to the security community.
Thurs 5:00PM 5:50PM Who Littered the Sandbox – Scooping Up New Malware Behavior Olaf Hartong Talk Track 2 A malware infection is still the most common initial entry point for most ransomware problems. Towards the year of the introvert I read an article that provided an overview of the links between some of the larger malware families and the ransomware that was dropped as a result of them. Obviously mitigation is the best way to combat these infections, but most organizations struggle to get these implemented. As a passionate detection engineer I require telemetry to be able to build meaningful detections. I need to understand what happens and what can be logged in order to build meaningful detections. To be able to track changes of behavior and spot commonalities I wanted to do this at scale, over time. This is where sandbox telemetry came into play, a lot of it. This is a story about my road to acquire, process and analyze the data and the insights that it has brought me. Olaf Hartong is a Defensive Specialist / Co-Founder and security researcher at FalconForce. He specialises in understanding the attacker tradecraft and thereby improving detection. He has a varied background in blue and purple team operations, network engineering, and security transformation projects. Olaf has presented at many industry conferences including WWHF, Black Hat, DEF CON, DerbyCon, Splunk .conf, FIRST, MITRE ATT&CKcon, and various other conferences. Olaf is the author of various tools including the FalconFriday detection content, ThreatHunting for Splunk, ATTACKdatamap and Sysmon-modular. He maintains a blog at https://olafhartong.nl
Thurs 6:00PM 6:50PM Operation Privacy Mishaal Khan Talk Track 1 Brace yourselves with some eye opening examples and demos showing you how easily you can be exposed and how your life can be turned upside down in a matter of minutes. As a Certified Ethical Hacker, Social Engineer and the 1st IntelTechniques Certified OSINT Professional, Mishaal sees what most people think is hidden. It allows him to shed light on the importance of hiding personal information, why you should care and what could go wrong if you don’t control your own narrative. But don’t worry, you can take full control of it all by being proactive and having a thorough workflow in place. The key takeaways will allow you to take control of your own personal data that’s out there. Mishaal likes to entertain people with hacks and shortcuts while conveying a much bigger message. His hands-on nature likes to test the limits of technology by breaking things in order to learn how to secure them. He has spent his career in the corporate world as a consultant and vCISO building complex networks and helping organizations secure them. He’s an executive privacy consultant and a professional OSINT investigator. As a Certified Ethical Hacker, Social Engineer and the 1st IntelTechniques Certified OSINT Professional, he sees what most people think is hidden. It allows him to shed light on the importance of privacy, why you should care and what could go wrong if you don’t control your own narrative.
Thurs 6:00PM 6:50PM Wait a minute. You’re telling me you built an Industrial Control System out of 80’s technology? Ashley Van Hoesen Talk Track 2 Generally speaking, industrial control systems are the weakest point in any infrastructure but serve a critical function in the environment. Recently, an upswing in the number of attacks directed at the critical infrastructure environment has brought attention to the flaws and weaknesses. In addition, the concept of ransomware as a service has further increased the risk of exploitation of critical infrastructure. We are going to discuss the design, dangers and future of the critical infrastructure environments and point people to the solutions to move forward with more secure infrastructure. Ashley “Engage” Van Hoesen is a Security Analyst with over 10 years of experience in risk and vulnerability assessments, advising on Information Security vulnerabilities specifically in Industrial Control environments, and performing security assessments. Ashley graduated from Anne Arundel Community College with honors, receiving an A.A.S. degree in Information Assurance and Cybersecurity. Ashley has also completed the Department of Homeland Security Industrial Control Systems Certification.
Fri 8:00AM 10:00AM Catch me if you can – Seeing the Red through the Blue Will Hunt, Owen Shearing Workshop This two-hour workshop will help improve both red and blue skillsets through a series of hacks, where you as an attendee will have to identify malicious activities on various targets. During the workshop, the trainer (Red Team) will highlight a series of attacks that have occurred on the hosts in the In.security lab. You (the Blue Team) will then need to use Azure Sentinel to identify the malicious activities and raise the alarm! This will upskill both attackers in understanding the various attack flows that could compromise their cover and defenders in understanding how to detect them. “The best defence is a good offense” applies as much in cyber as it does in sport. You’ll get sneak peeks of the attacks the trainer has carried out before you’re set off to hunt down the evidence…. Will (@Stealthsploit) co-founded In.security in 2018. Will’s been in infosec for over a decade and has helped secure many organisations through technical security services and training. Will’s delivered hacking courses globally at several conferences including Black Hat and has spoken at various conferences and events. Will also assists the UK government in various technical, educational and advisory capacities. Before Will was a security consultant he was an experienced digital forensics consultant and trainer.
Owen (@rebootuser) is a co-founder of In.security, a specialist cyber security consultancy offering technical and training services based in the UK. He has a strong background in networking and IT infrastructure, with well over a decade of experience in technical security roles. Owen has provided technical training to a variety of audiences at bespoke events as well as Black Hat, Wild West Hackin’ Fest, NolaCon, 44CON and BruCON. He keeps projects at https://github.com/rebootuser.
Fri 8:50AM 9:00AM Announcements John Strand Track 1
Fri 9:00AM 3:00PM CTF Capture the Flag
Fri 9:00AM 3:00PM Escape Room Fun & Games
Fri 9:00AM 9:50AM A Master Class on Offensive MSBuild Chris Truncer, Joe Leon Talk Track 1 As red team operators, we all have favorite tools and tactics. For FortyNorth Security’s offensive security team, our favorite initial access, persistence, lateral movement and post-exploitation technique leverages application whitelisting bypasses. While there are hundreds of applications that can bypass application whitelisting, our most reliable and frequently used tool is MSBuild. Our red team rarely conducts an assessment without using MSBuild for some element of the attack lifecycle. The goal of this talk is to create an authoritative and exhaustive reference for security engineers to understand the full capabilities of using MSBuild on offensive engagements. We’ll cover using MSBuild within initial access payloads, persistence, lateral movement and post-exploitation jobs. We’ll also demonstrate multiple ways of executing arbitrary code stored both locally and remotely with MSBuild. For every offensive technique we demonstrate, we’ll also highlight defensive measures to detect or prevent these actions. Coinciding with this talk, FortyNorth Security will release a GitHub repository containing a comprehensive review of all known techniques for using MSBuild on offensive engagements. Christopher Truncer (@ChrisTruncer) is a co-founder and red team lead with FortyNorth Security. He is a co-founder and current developer of the Veil-Framework, a project aimed to bridge the gap between advanced red team and penetration testing tools, WMImplant, EyeWitness, and other open-source software. Chris began developing tools that are not only designed for the offensive community but can enhance the defensive community’s ability to defend their network as well.
Joseph Leon is an Offensive Security Engineer on FortyNorth Security’s offensive security team. Joseph holds the OSCP certification, previously trained at BlackHat USA (Intrusion Operations) and was nationally recognized as a top scorer in the US Cyber Challenge, a program supported by the US Department of Homeland Security. Prior to joining FortyNorth Security, Joseph founded and sold two companies: a data cleansing SaaS application that he led full stack development for as CTO and a sales consulting and lead generation firm that he led as CEO. In addition to his responsibilities with FortyNorth Security, Joseph is currently pursuing a Master’s of Engineering in Cyber Security through New York University. Prior to his web development and computer science experience, Joseph worked in the outbound lead generation space, training and consulting sales teams on how to generate new sales leads. This experience has uniquely informed his ability to conduct highly-effective social engineering campaigns.
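Added example (not from the talk and not FortyNorth Security’s repository): Python detection logic for the defensive side the abstract promises, run over constructed samples. inspect_project() parses an MSBuild project file and reports inline task factories (CodeTaskFactory and RoslynCodeTaskFactory compile C#/VB embedded in the project at build time, which is what makes MSBuild an application-whitelisting bypass), the embedded Code bodies, and Exec commands; suspicious_msbuild_launch() explains why a process-creation event for msbuild.exe deserves a look (parent image, argument extension, path). The sample project, the process events, the parent and extension lists and the risky-API pattern are assumptions for this example; the inline C# is a harmless placeholder, not a payload.

```python
import ntpath
import re
import xml.etree.ElementTree as ET

# Task factories that compile source embedded in the project file itself.
INLINE_FACTORIES = {"codetaskfactory", "roslyncodetaskfactory"}
# APIs that rarely belong in a build task (assumption; tune for your estate).
RISKY_API = re.compile(
    r"DllImport|VirtualAlloc|Assembly\.Load|WebClient|HttpClient|DownloadString|Process\.Start",
    re.I,
)
PROJECT_EXT = {".csproj", ".vbproj", ".fsproj", ".vcxproj", ".proj", ".sln",
               ".targets", ".props", ".msbuildproj"}
SUSPICIOUS_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
                      "mshta.exe", "wscript.exe", "cscript.exe", "rundll32.exe"}
USER_WRITABLE = re.compile(r"\\(users|temp|appdata|programdata|public)\\", re.I)


def _local(tag):
    """Strip the MSBuild XML namespace, if present, from an element tag."""
    return tag.rsplit("}", 1)[-1]


def inspect_project(xml_text):
    """Return human-readable findings for inline code and shell execution."""
    findings = []
    for el in ET.fromstring(xml_text).iter():
        name = _local(el.tag)
        if name == "UsingTask" and el.get("TaskFactory", "").lower() in INLINE_FACTORIES:
            findings.append(f"inline task '{el.get('TaskName')}' via {el.get('TaskFactory')}")
        elif name == "Code":
            body = el.text or ""
            findings.append(f"inline {el.get('Language', '?')} code, {len(body)} chars")
            apis = sorted({m.group(0) for m in RISKY_API.finditer(body)})
            if apis:
                findings.append("inline code references " + ", ".join(apis))
        elif name == "Exec":
            findings.append("Exec command: " + el.get("Command", "")[:80])
    return findings


def suspicious_msbuild_launch(parent_image, command_line):
    """Reasons an msbuild.exe process-creation event deserves a look."""
    tokens = command_line.split()
    if not tokens or not tokens[0].strip('"').lower().endswith("msbuild.exe"):
        return []
    reasons = []
    parent = ntpath.basename(parent_image).lower()
    if parent in SUSPICIOUS_PARENTS:
        reasons.append(f"parent {parent} does not build software")
    for tok in (t.strip('"') for t in tokens[1:]):
        if tok.startswith(("/", "-")):
            continue  # a switch, not a project path
        if ntpath.splitext(tok)[1].lower() not in PROJECT_EXT:
            reasons.append(f"non-project file argument {tok}")
        if USER_WRITABLE.search(tok):
            reasons.append(f"project file in user-writable path {tok}")
    return reasons


# Constructed sample: an inline-task project. The C# only prints a string.
SAMPLE_INLINE_PROJECT = r"""<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <Target Name="Run"><Demo /></Target>
  <UsingTask TaskName="Demo" TaskFactory="CodeTaskFactory"
             AssemblyFile="$(MSBuildToolsPath)\Microsoft.Build.Tasks.v4.0.dll">
    <Task><Code Type="Class" Language="cs"><![CDATA[
      using System; using Microsoft.Build.Framework; using Microsoft.Build.Utilities;
      public class Demo : Task { public override bool Execute() { Console.WriteLine("placeholder"); return true; } }
    ]]></Code></Task>
  </UsingTask>
</Project>"""

# Constructed sample: an ordinary SDK-style project with nothing inline.
SAMPLE_BENIGN_PROJECT = """<Project Sdk="Microsoft.NET.Sdk">
  <PropertyGroup><OutputType>Exe</OutputType><TargetFramework>net6.0</TargetFramework></PropertyGroup>
</Project>"""

# Constructed process-creation events (parent image + command line).
SAMPLE_EVENTS = [
    {"parent": r"C:\Program Files\Microsoft Visual Studio\2019\Community\Common7\IDE\devenv.exe",
     "cmdline": r'"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe" C:\src\app\app.csproj /t:Build'},
    {"parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "cmdline": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Users\bob\AppData\Local\Temp\invoice.xml"},
]

if __name__ == "__main__":
    print("inline project:", inspect_project(SAMPLE_INLINE_PROJECT))
    print("benign project:", inspect_project(SAMPLE_BENIGN_PROJECT))
    for ev in SAMPLE_EVENTS:
        print(ev["cmdline"], "->", suspicious_msbuild_launch(ev["parent"], ev["cmdline"]) or "ok")
```

The file check is the one that survives renaming: MSBuild accepts any extension, so a project named invoice.xml in %TEMP% still builds, which is exactly why both the file content and the launch context are worth logging. Preventing the technique on hosts that never build software is simpler than detecting it: block msbuild.exe (and the .NET Framework copies under C:\Windows\Microsoft.NET) for standard users.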
Fri 9:00AM 9:50AM Gatekeeping: Why We’re Losing the War on Cybercrime Naomi Buckwalter Talk Track 2 There are tens of thousands of bright, passionate, and high-potential people around the world hoping desperately to break into cybersecurity. But they can’t get past the arbitrary “gates” standing in their way; most “entry-level” job openings require years of experience, formal technical education, and a litany of professional certifications to even begin doing the most basic tasks in cybersecurity. But why is this? Certainly there is entry-level work in cybersecurity. You don’t NEED five years of experience, a college degree, or a CISSP to do many of the basic tasks found in cybersecurity. This is true across almost every domain, subdomain, and speciality within cybersecurity. The truth is, we’re losing the war on cybercrime. We simply don’t have the numbers in our ranks to fight this asymmetric war, in which one bad actor can wreak havoc across multiple companies and industries. We simply need more fighters, defenders, and recruits. And just like in the army, we need to train our new recruits TODAY so they can fight the battles of TOMORROW. In this talk, Naomi Buckwalter, Founder and Executive Director of Cybersecurity Gatebreakers Foundation, will explain why gatekeeping is hurting our ability to win the fight against cybercrime, how to overcome the gatekeeping mindset, and how to hire, train, and mentor the next generation of cybersecurity professionals. Naomi Buckwalter, CISSP CISM is the Director of Information Security & IT at Beam Technologies. She has over 20 years’ experience in IT and Security and has held roles in Software Engineering, Security Architecture, Security Engineering, and Security Leadership. As a cybersecurity career adviser and mentor for people around the world, her passion is helping people, particularly women, get into cybersecurity. 
Naomi volunteers with Philly Tech Sistas, a Philadelphia-based nonprofit helping women of color prepare for a career in IT and tech. Naomi has two Masters degrees from Villanova University and a Bachelors of Engineering from Stevens Institute of Technology. In her spare time, Naomi plays volleyball and stays active as the mother of two boys.
Fri 10:00AM 12:00PM Advanced Cubicles & Compromises Ean Meyer Workshop What makes a great tabletop exercise? Many organizations run a tabletop exercise to check a box for compliance standards but don’t maximize the value of the time spent. Often they don’t engage the audience or force them to think enough about the problem to find areas of improvement. Further, they assume their decisions will always work during the exercise. In this workshop, we will not only discuss how to build a tabletop exercise that addresses real risk for an organization but how to make it fun and engaging for teams at all levels of an organization. The workshop will introduce attendees to the Cubicles and Compromises format as well as add new advanced elements. You will create a company with a budget, controls, and limitations, then test those controls against a current real-world issue. You’ll roll dice, things won’t go as planned, and you’ll learn what makes for a great tabletop exercise you can take back and use at your organization. Ean Meyer is an Associate Director of Security Assurance for a multi-billion-dollar global resort company. When not working with large enterprises he can be found at Full Sail University teaching the next generation about information security and risk management as a Course Director in the IT and Cybersecurity programs. He is also the President of BSides Orlando and mentoring co-lead for The Diana Initiative. Ean has spoken at BSides Orlando, BSides Tampa, and InfoSec World. He has been a panelist at ISC2 Congress, Department of Homeland Security – Corporate Security Symposium, and the upcoming Synapse Summit 2021. He also runs workshops such as Advanced Cubicles & Compromises, which is a tabletop incident response workshop for Wild West Hackin’ Fest. In 2019 Ean competed in the Social Engineering Capture The Flag at Defcon 27 where he took 5th place. Ean holds a CISSP, EC-Council – CEH, and an MS in Cybersecurity and Information Assurance.
You can find him at https://www.eanmeyer.com – Twitter @eanmeyer – LinkedIn @eanmeyer
Fri 10:00AM 10:50AM Cyber Security Lessons Learned from Florin and Guilder Nadean Tanner Talk Track 1 “Life is pain, highness. Anyone who says differently is selling something.” Movies entertain us, inspire us, challenge our viewpoint and some teach us important lessons. In 1987, The Princess Bride was released and over the past 30 years became a classic. There is so much wisdom and many lessons to be learned from The Princess Bride – leadership, security, and things like how to win an argument with a Sicilian when death is on the line. This talk will share some underlying cyber security lessons that can be learned from the beloved characters and situations of this classic fairy tale, including the three terrors of the fire swamp, miracle pills and being on the brute squad. With over 20 years of experience in both private and public sector environments as well as higher academia, Ms. Tanner has a solid background in synchronous and asynchronous education as well as extensive experience in hardware, networking, operating system administration, cybersecurity and project management, and is currently the Manager of Education Services at Mandiant/FireEye. Ms. Tanner entered the security field as a professional services engineer working for a SIEM, and later specialized in security analytics at RSA. She has designed and implemented training for Rapid7 offerings including InsightVM, InsightIDR and Metasploit. She has more recently participated on teams tasked to assess and advise governmental agencies and Global Fortune 100 clients, with a focus on maturing an organization’s ability to more quickly and effectively detect, respond to, and contain targeted attacks using cyber ranges. She wrote Cybersecurity Blue Team Toolkit, published by Wiley in 2019, and with Sybex wrote the CASP+ Practice Tests-003 and 004 in 2020 and 2021. She was the technical editor for the Sybex Security+ and PenTest+ books written by Mike Chapple and David Seidl.
In 2020, she was the honorable mention for SC Magazine Women in IT Security award.
Fri 10:00AM 10:50AM Newzy: Discovering latent meaning in the news using science Derek Banks Talk Track 2 If you watch the news, you probably think that various news organizations are far different in their reporting and messaging. Just reading the different news organization’s takes on the latest stories would certainly reinforce that idea. But are there underlying meanings that can be found when analyzing large aggregates of articles? Let’s use data science and exploratory text analytics with a dash of machine learning and find out! Derek Banks has been a Security Analyst and Penetration Tester for Black Hills Information Security since 2014 and he has been a part of the IT industry for his entire career. He is now pursuing a Masters in Data Science from the University of Virginia and is exploring the fascinating intersection of Data Science and Information Security. Derek has held many different Information Technology jobs throughout his career and has experience in forensics, incident response, creating custom host and network-based monitoring solutions, penetration testing and red teaming, vulnerability analysis, and threat modeling.
Fri 11:00AM 11:50AM Here’s My Password: Building Effective Phishing Pretexts Corey Overstreet Talk Track 1 For most of us, we can spot a phishing or scam email from a mile away, right? Well, sometimes it’s not so easy. The sender looks legitimate, the request and scenario in the email are reasonable, and the branding is the same as the companies we deal with. The only catch is that none of that was true. In this talk, I will be discussing how to build effective phishing pretexts and landing pages that are almost guaranteed to get user engagement and credentials. Corey Overstreet is an experienced penetration tester and red team operator. He has been engaged with Fortune 500 organizations across a variety of industries, including financial services, government services, and healthcare. Additionally, he has over five years of systems administration and VMware administration experience. He has participated as a member of the SECCDC Red Team from 2016 through 2019.
Fri 11:00AM 11:50AM Protective DNS – Why it matters, and how to do it on-prem (no cloud) Paul Vixie Talk Track 2 Many cloud DNS providers, including OpenDNS, Heimdal, DNSFilter, Cloudflare, and Quad9, offer DNS filtering whereby questions or answers deemed dangerous are answered dishonestly. This constructive dishonesty is a valuable security feature, and one which the US government recommended universally in an announcement last March (2021). However, managed private networks that use DNS as a control and monitoring point for cybersecurity can’t or won’t push their DNS service into the cloud. For them, a DNS firewall called RPZ can be used to publish or subscribe to protective DNS filtering policy, which can be deployed locally using any open source DNS server, or any DNS appliance. In this talk, Dr. Vixie will cover the motives, methods, and context of on-premise protective DNS.
Dr. Vixie previously served as President, Chairman and Founder of Internet Systems Consortium (ISC), as President of MAPS, PAIX and MIBH, as CTO of Abovenet/MFN, and on the board of several for-profit and non-profit companies. He served on the ARIN Board of Trustees from 2005 to 2013, and as Chairman in 2008 and 2009. Vixie was a founding member of ICANN Root Server System Advisory Committee (RSSAC, current) and ICANN Security and Stability Advisory Committee (SSAC, until 2014). He is the author or co-author of a dozen or so RFCs, mostly on DNS and related topics, and of Sendmail: Theory and Practice (Digital Press, 1994). He earned his Ph.D. from Keio University for work related to the Internet Domain Name System (DNS and DNSSEC), and was inducted into the Internet Hall of Fame in 2014.
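Added example (not from the talk): a Python script that writes an RPZ zone file and evaluates QNAME policy the way a resolver would, using the CNAME-encoded actions from the RPZ specification (CNAME . for NXDOMAIN, CNAME *. for NODATA, CNAME rpz-passthru. to exempt a name, CNAME rpz-drop. to drop the query, ordinary A/AAAA data for a walled garden) and DNS wildcard semantics for *.name triggers. The zone name rpz.local, the .example names, the sinkhole address 192.0.2.53 and the SOA values are assumptions for this example.

```python
from dataclasses import dataclass
from enum import Enum


class Action(Enum):
    NXDOMAIN = "NXDOMAIN"      # CNAME .
    NODATA = "NODATA"          # CNAME *.
    PASSTHRU = "PASSTHRU"      # CNAME rpz-passthru.  (answer honestly)
    DROP = "DROP"              # CNAME rpz-drop.      (no response at all)
    LOCAL_DATA = "LOCAL_DATA"  # any other RDATA, e.g. an A record for a sinkhole


# Special CNAME targets that RPZ reserves to encode an action.
_CNAME_ACTIONS = {
    ".": Action.NXDOMAIN,
    "*.": Action.NODATA,
    "rpz-passthru.": Action.PASSTHRU,
    "rpz-drop.": Action.DROP,
}


@dataclass(frozen=True)
class Rule:
    trigger: str  # QNAME trigger: owner name relative to the zone, "*." for subdomains
    rtype: str    # CNAME, A, AAAA, ...
    rdata: str


# Constructed policy: block a domain and everything under it, exempt one
# host, answer NODATA for a tracker, and send a phishing domain to a sinkhole.
RULES = [
    Rule("evil.example", "CNAME", "."),
    Rule("*.evil.example", "CNAME", "."),
    Rule("safe.evil.example", "CNAME", "rpz-passthru."),
    Rule("tracker.example", "CNAME", "*."),
    Rule("phish.example", "A", "192.0.2.53"),
    Rule("*.phish.example", "A", "192.0.2.53"),
]


def build_rpz_zone(rules, zone="rpz.local", serial=2021100801):
    """Render the rules as a zone file. An RPZ is an ordinary zone with SOA/NS
    at the apex; BIND 9 activates it with: response-policy { zone "rpz.local"; };
    (assumed zone name) and loads it like any other authoritative zone."""
    lines = [
        "$TTL 60",
        f"$ORIGIN {zone}.",
        f"@ IN SOA localhost. hostmaster.{zone}. {serial} 3600 900 604800 60",
        "@ IN NS localhost.",
    ]
    lines += [f"{r.trigger} IN {r.rtype} {r.rdata}" for r in rules]
    return "\n".join(lines) + "\n"


def rule_action(rule):
    """Map a matched record to (Action, local data or None)."""
    if rule.rtype == "CNAME" and rule.rdata in _CNAME_ACTIONS:
        return _CNAME_ACTIONS[rule.rdata], None
    return Action.LOCAL_DATA, rule.rdata


def evaluate(rules, qname):
    """Apply QNAME policy with DNS closest-match semantics: an exact owner
    name wins over a wildcard, and a wildcard *.suffix matches any name
    strictly below suffix (one or more labels), never suffix itself."""
    name = qname.rstrip(".").lower()
    by_trigger = {r.trigger.lower(): r for r in rules}
    if name in by_trigger:
        return rule_action(by_trigger[name])
    labels = name.split(".")
    for i in range(1, len(labels)):
        wildcard = "*." + ".".join(labels[i:])
        if wildcard in by_trigger:
            return rule_action(by_trigger[wildcard])
    return Action.PASSTHRU, None  # no policy for this name: answer honestly


if __name__ == "__main__":
    print(build_rpz_zone(RULES))
    for q in ("evil.example", "deep.sub.evil.example", "safe.evil.example",
              "tracker.example", "login.phish.example", "example.com"):
        action, data = evaluate(RULES, q)
        print(f"{q:28s} -> {action.value}{' ' + data if data else ''}")
```

Two points worth checking on a real deployment: add both the apex and the *.apex record when you mean "the whole domain", since the wildcard alone does not cover the apex; and note that clients which validate DNSSEC will see the rewritten answer as bogus, so the resolver must be the validator, with the policy applied after validation.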
Fri 12:00PM 12:30PM Anatomy of a Ransomware Attack Eric Groce, CSE, Red Canary Vendor Briefing Track 1 In this brief, we walk through the Anatomy of a Ransomware Attack. Eric Groce will lead the discussion on best practices and strategies you can apply at your organization. Security leaders will learn:

  • How to enhance their team’s abilities to identify security incidents
  • The key components of a ransomware attack
  • Effective ways to improve your security program
Fri 12:00PM 1:00PM Lunch Food
Fri 1:00PM 3:00PM Backdoors and Breaches Tourney Fun & Games
Fri 1:00PM 3:00PM Advanced Passive DNS Search Techniques for Cyber Investigations Ben April, Daniel Schwalbe Workshop In this hands-on workshop, Farsight Security CTO Ben April and VP of Engineering Daniel Schwalbe will build on the search techniques introduced in the “Threat Hunting using Passive DNS” class and will expand the query complexity to include advanced regular expression patterns, globbing, and searching of “lesser known” Resource Record Types such as SOA and TXT.

Requirements to participate:

  • Laptop, Internet access
  • Familiarity with basic passive DNS Search concepts, or participation in the previous day’s “Threat Hunting using Passive DNS” workshop
  • Farsight DNSDB API Key (will be provided)
  • DNSDB Scout Web Edition: https://scout.dnsdb.info/
  • dnsdbq install from https://github.com/dnsdb/dnsdbq
  • dnsdbflex install from https://github.com/farsightsec/dnsdbflex
Farsight will provide free access to its passive DNS tool, Farsight DNSDB, and its command line (dnsdbq and dnsdbflex) and web (DNSDB Scout) tools for the class as well as for 60 days following the conference so that attendees can use the tool in their own work environments.

DNSDB is a historical passive DNS database that contains Internet history data that goes back to 2010. A DNSDB API Key will be sent to registered attendees prior to the workshop.

Ben April is the Chief Technology Officer at Farsight Security, Inc. Prior to joining Farsight, Ben spent eight years at Trend Micro, where he became the Americas regional manager of the Forward-looking Threat Research team. Ben has presented to security conferences on six continents, covering topics like Bitcoin, NFC, operational security and infrastructure security. He has built research systems for collecting and aggregating data, from Whois and the Bitcoin block-chain to the global routing table. His current crusade is to eliminate the technical and policy barriers that impede data-sharing among white-hat security researchers. “Once the good guys can share data as effectively as the criminals, we might have a chance.” Ben is also a volunteer sysadmin and coder for some trusted-community security projects.

Daniel Schwalbe is the Deputy Chief Information Security Officer and Vice President of Engineering at Farsight Security, Inc. Prior to joining Farsight, he served as Associate Chief Information Security Officer at the University of Washington, where his focus areas were threat intelligence, information sharing, and incident response. Daniel is a US Army Veteran and has done tours as a DOD Contractor and FBI Taskforce member. He also previously served on the board of directors for the REN-ISAC, where he remains a technical advisor. Daniel is an active contributor to the information security community, and regularly teaches undergraduate-level InfoSec courses at his alma mater, University of Washington. He has presented at national and international conferences such as DCC, ACoD, ISOI, Agora, and WWHF.

Fri 12:00PM 4:00PM Toolshed Tools The Deadwood 2021 Toolshed is a place for individuals to share open-source tools / projects with other infosec professionals attending the conference.
Fri 1:00PM 1:50PM Threat Hunting Quick and Dirty Series: S0/E2: Hunting Big Game in Big Sky Country Jonathan Ham Talk Track 1 “Threat Hunting” has been around a lot longer than we’ve used those words, to refer to actively pursuing threat actors within our environments. The discipline has evolved a lot over the years, from mainframes to, now, environments that exist solely in “the cloud.”

This talk explores how what we’ve learned over decades can be applied to cloud environments, what it takes to conduct a serious hunt with Big Data in a Big Cloud, and what it actually looks like doing it. Much like my previous WWHF talks, I will demonstrate an actual hunt of a real adversary, blow by blow. (Field-stripping the carcass not included.)

Though I will get quite technical, as usual, my discussion and demonstration will be accessible to all audiences who want to understand how aggressive defensive operations can work—even within a ginormous outsourced infrastructure. All brought to you live from the real Big Sky Country (Montana).

[Note: This is a new episode of a series of Threat Hunts. The previous episodes are:
S1/E1: 492063616E207374696C6C2073656520796F7521
S1/E2: Seriously, I Really Can Still See You
S1/E3: Do you C2? If you do, ICU.
S0/E1: Eewww! Zeek Ate a Worm Again! [recidivised]
They can be found on the Wild West Hackin’ Fest YouTube channel.]

Jonathan Ham is a network forensics and defensive cyber operations expert with more than two decades in the field. Jonathan literally wrote the book on network forensics (as well as the first mainstream instruction on the topic), based on his experience advising in both the public and private sectors, from small startups to the Fortune 50, the U.S. DoD across multiple forces, and several other U.S. federal agencies. As a Principal Instructor with the SANS Institute, he has instructed hundreds of students annually on network intrusion detection, security operations, and perimeter defense.
Fri 1:00PM 1:50PM MadLabs: How the Madison Cyber Labs are securing our state, country and nation Ashley Podhradsky Talk Track 2 The MadLabs drives innovation and ideas from DSU into the South Dakota economy, the Great Plains, and the nation. At the same time, it draws new talent to the state and the region. The $18-million, 40,000-square-foot facility and its programs attract elite scholars, researchers, professionals, and partnerships with government, businesses, nonprofits, and other higher education institutions. In this session, the VP of Research and Economic Development at DSU will highlight what the labs are, the research projects they have, and discuss ways to partner with DSU. Dr. Ashley Podhradsky is the Vice President of Research and Economic Development and Professor of Digital Forensics at Dakota State University. Ashley is also a member of the First Bank and Trust Board of Directors. Ashley has been an invited speaker at several events and universities including The Pennsylvania State University, Bureau of Justice Affairs, Women in CyberSecurity, InfraGard, and the OSMOSIS Conference, among others. Her research teams have received over $8.6M in competitive grants and contracts. Current awards include an NSF REU site, NSF NRT program and NSA GenCyber. In addition to her academic and professional work, she has a strong passion for increasing gender diversity in cybersecurity. She is the co-founder of CybHER™, an initiative to increase gender diversity in cybersecurity. Ashley was the recipient of the EmBe 2017 “Young Woman of Achievement”, The 2017 Merrill Hunter Award for Excellence in Research, 2017 and 2018 New America Cybersecurity Fellow, and is a 2019 American Association for the Advancement of Science IF/THEN Ambassador.
Fri 2:00PM 2:50PM Why We Red Team – The Real Value of Threat Emulation Joe Vest Talk Track 1 Before we can talk about testing an organization’s security, including red team engagements, we must start at the beginning and consider the overall plan for security operations. Designing, building, deploying, operating, and managing a comprehensive security program is not an easy task. Pressure from every direction drives a security program: compliance, management, peers, budget, and news all influence it. Although this process is complex and challenging, organizations can overcome these pressures and design and implement what is considered a robust security program. Organizations can please various parties when describing the security operations plan and, at least on paper, express a strong security program designed to stop a malicious attack. These programs pass audit and compliance checks, have a robust patch management system, conduct vulnerability assessments and penetration tests, and generally have good security hygiene. These are all great steps in defending a network from attack, but unfortunately, they still fall short of achieving the primary goal of preventing, detecting, and responding to a real threat. Why? What is missing? We must consider this question. Are organizations building security programs designed to address the threat? This presentation dives into the shortcomings of security operations planning, design, implementation, and testing, and how applying threat-based security testing (red teaming) can reduce these gaps and ultimately improve the state of security. Joe has nearly 20 years of experience in red teaming, penetration testing, and application security. Joe is currently the Cobalt Strike Technical Director at HelpSystems. Prior experience ranges from authoring the book “Red Team Development and Operations,” being the original author of the SANS 564 red team course, serving as red team lead on a DoD red team, owning a security consulting company, and being a former director at SpecterOps. This diverse experience has given him extensive knowledge of cyber threats, tools, and tactics, including threat emulation and threat detection.
Fri 2:00PM 2:50PM What Jurassic Park Can Teach us about Technology Ryan Hendricks Talk Track 2 Ian Malcolm is famously quoted from Jurassic Park as saying that the “Scientists were so preoccupied with whether they could or not they didn’t stop to think if they should.” I believe this principle also applies to the technology created in the past decades. Too often with technology, we focused on whether we could and did not think through whether we should. More importantly, the securing of technology was not considered from the start. It usually takes research, an exposed vulnerability, or an actual attack to bring the technology gap or oversight to light. While we know how things ended for Jurassic Park, the consequences of creating technology can be anything from exposure of sensitive data to threatening human life when we do not consider the should. Join me in this session covering examples of technology where security was not integrated, was overlooked, or was poorly implemented, as well as examples where we developed technology more for convenience or because we could, rather than out of necessity. Ryan Hendricks, Staff Architect and Manager at VMware, has 17 years of information security and intelligence experience. His first venture in the field started while working intelligence operations for the U.S. Navy and then continued in the government and private sector as an educator, facilitator, consultant, and advisor on a multitude of information technology and cybersecurity principles. Ryan worked as a trainer for the U.S. Department of Defense, educating hundreds of soldiers, civilians, and contractors on everything from military communication systems to high-level security certifications, in addition to creating and maintaining several virtual labs, physical labs, and education platforms. Ryan currently supports the creation of most technical content at VMware covering the VMware Carbon Black products and the VMware Security portfolio. This includes creating technical content, developing labs, updating education materials, assisting in exam development for the certification programs, and educating anyone who is willing to learn. He is a supporter of information security who believes educated staff and end users are critical to a company’s strong security posture.
Fri 3:00PM 3:50PM Separate and Not Equal: Solving the Inequality In Cyber Doug Brush Talk Track 1 The cybersecurity industry has lamented not being able to fill its open positions. We are beaten over the head that there simply are not enough people to fill the job postings for highly lucrative jobs. But is this true? With millions of people looking for jobs, how come we can’t fill 300,000 to 400,000 open requisitions? What if the problem is how the industry educates, trains, hires, and promotes people outside of the traditional white male demographic?

This talk will examine the issues in infosec education, hiring, retention, and promotion that keep marginalized groups from getting into and succeeding in the field, and provide actionable solutions for equity and inclusion to fill the hiring demands.

Douglas is an information security executive with over 27 years of entrepreneurship and professional technology experience. He is a globally recognized expert in cybersecurity, incident response, digital forensics, and information governance. In addition to serving as a CISO and leading enterprise security assessments, he has conducted hundreds of investigations involving hacking, data breaches, trade secret theft, employee misconduct, and various other legal and compliance issues. He also serves as a federally court-appointed Special Master and neutral expert in high-profile litigation matters involving privacy, security, and eDiscovery.

He is the founder and host of Cyber Security Interviews, a popular information security podcast.

Douglas is also committed to raising awareness about mental health, self-care, neurodiversity, and diversity, equity and inclusion, in the information security industry.

Fri 3:00PM 3:50PM Guerilla Warfare for the Blue Team Rob Carson Talk Track 2 Blue Team Security is a hard job. It’s not sexy, and it is always complicated navigating between the people, processes, and technology of the organization. Blue teams try to defend, meanwhile breaches still happen. Why? Adversaries (external AND internal) just need to find a pin-hole or create one. Or buy one. That simple. It’s time we start thinking and acting like a guerrilla and adopt some practices from irregular warfare. Irregular warfare has a long history of defeating larger and better-equipped adversaries while using limited resources. Let’s talk about how we can adopt these tools, techniques, and procedures to win. Military Background: USMC Infantry Officer; USMC Operations advisor to an Iraqi Army Battalion conducting counterinsurgency operations (COIN). Corporate Background: Blue Team Guerilla leader using tactics, techniques, and procedures (TTPs) of effective insurgencies/counterinsurgencies.
Fri 4:00PM 4:50PM Growing Your Cyber Garden Marcelle Lee Keynote Track 1 There are many types of gardens, ranging from tidy English-style to wildflower landscapes to vegetable patches. Each is very different in appearance but requires the same type of nurturing – feeding, watering, weeding, and cultivating. This parallels careers in cyber, and growing people in the industry. As practitioners, we are growing not only our own careers but hopefully also those of others. In my estimation, we should treat the cybersecurity industry as a community garden, where we work together and enjoy the associated benefits of our efforts. Marcelle Lee is a Senior Security Researcher and Emerging Threats Lead at Secureworks and is also an adjunct professor and training consultant. She specializes in cybercrime, digital forensics, and threat research. She is involved with many industry organizations, working groups, and boards, including the Women’s Society of Cyberjutsu, Infragard Maryland, the NIST Cyber Competitions Working Group, and the Cybersecurity Association of Maryland Advisory Council. She also both builds and participates in cyber competitions, and is the lead for the CTF featured at The Diana Initiative conference.
Marcelle has earned the CISSP, GCFA, GCIA, GCIH, GPEN, GISF, GSEC, GCCC, C|HFI, C|EH, CSX-P, CCNA, PenTest+, Security+, Network+, and ACE industry certifications. She holds four degrees, including a master’s degree in cybersecurity. She has received the Chesapeake Regional Tech Council Women in Tech (WIT) Award and the Volunteer of the Year award from the Women’s Society of Cyberjutsu. Marcelle frequently presents at conferences and training events and is an active volunteer in the cybersecurity community.
Fri 4:50PM 5:00PM Closing Session (Awards) John Strand Track 1