Below you’ll find details about the Deadwood 2022 workshops. Be sure to join the conference Discord server where we have dedicated channels for each workshop.
- Advanced Passive DNS Search Techniques for Cyber Investigations
In this hands-on workshop, DomainTools CISO Daniel Schwalbe will build on the search techniques introduced in the “Threat Hunting using Active and Passive DNS” class and will expand the query complexity to include advanced regular expression patterns, globbing, and searching of “lesser known” Resource Record Types such as SOA and TXT.
Requirements to participate:
– Laptop, Internet access
– Familiarity with basic passive DNS search concepts, or participation in the previous day’s “Threat Hunting using Active and Passive DNS” workshop
– DNSDB API Key (will be provided day of the event)
– DNSDB Scout Web Edition: https://scout.dnsdb.info/
– dnsdbq install from https://github.com/dnsdb/dnsdbq
– dnsdbflex install from https://github.com/farsightsec/dnsdbflex
Daniel will provide free access to DNSDB, our passive DNS tool, along with command line (dnsdbq and dnsdbflex) and web (DNSDB Scout) tools for the class and for 30 days following the conference so attendees can see how the tool will work within their own environments.
DNSDB is a historical passive DNS database that contains Internet history data that goes back to 2010. A DNSDB API Key will be sent to registered attendees prior to the Workshop.
Presenter Bio:
DomainTools, the leader in domain name and DNS-based cyber threat intelligence, has acquired Farsight Security, a leader in DNS intelligence and passive DNS cyber security data solutions. The acquisition comes as a natural extension of both companies’ long-standing partnership to deliver Farsight’s market-leading passive DNS data via the DomainTools Iris investigation platform to assess risk, map attacker infrastructure, and rapidly increase visibility and context on threats. Farsight’s market leading DNS observation data combined with DomainTools best-in-class active DNS data gives customers the earliest and most comprehensive look into threats emerging outside their network.
- Felon in Five Minutes
This session explains common ways an attacker could bypass physical controls using technology and bypass tools, and how misconfigurations in physical security enable an attacker to carry out cyber attacks.
Presenter Bios:
Joseph Kingstone
Joseph Kingstone joined Black Hills Information Security (BHIS) in Fall 2021 as a Security Analyst. In this role, Joseph performs external and internal penetration tests, C2 pivots, and red teams. He’s had a desire to work at BHIS since transitioning into IT, and eventually penetration testing and red teaming, after serving in the Army. He values the opportunity to perform meaningful work with smart people. In his free time, Joseph enjoys astronomy, tinkering with cars, and learning more about infosec.
Rick Wisser
Rick Wisser has been with the Black Hills Information Security (BHIS) team since 2015. He is a Penetration Tester, Security Analyst, GIAC Certified Incident Handler (GCIH), and a SANS NetWars Level 5 certificate holder. Rick has an associate degree in Electronic Technology and Computer Networking as well as a BS in Electrical Engineering.
- Hacking and Defending Kubernetes
Get a hands-on introduction to attacking and defending Kubernetes (k8s)! Remotely controlling a Kali Linux system, you’ll attack a new capture-the-flag scenario in the open-source Bust-a-Kube Kubernetes cluster. Once you’ve busted your way to cluster admin, you’ll use your access to harden the cluster and block your attack. Come get some direct experience with Kubernetes security!
This workshop doesn’t require you to have any experience with containers or Kubernetes. It is accessible to anyone comfortable with a Linux command line.
Presenter Bio:
Jay Beale works on Kubernetes and cloud native security, both as a professional threat actor and as a member of the Kubernetes project, where he previously co-led the Security Audit working group. He’s the architect of the Peirates attack tool for Kubernetes, as well as of the @BustaKube Kubernetes CTF cluster. He created Bastille Linux and the CIS Linux scoring tool, used by hundreds of thousands. Since 2000, he has led training classes on Linux & Kubernetes security at the Black Hat, RSA, CanSecWest, and IDG conferences. An author and speaker, Beale has contributed to nine books, two columns, and over 100 public talks. He is CEO and CTO of the infosec consulting company InGuardians.
- Incident Response Playbook Perfection
Incident Response Playbook Perfection is an introductory playbook workshop. Playbooks are an important part of any information security program: they offer structured, realistic, and flexible procedures to assist in the triage of almost any cyber security situation. There will be a focus on Ransomware and Business Email Compromise, as these are currently the most common attack vectors.
As a group we will review playbooks taken from real life attack situations and cover best practices, do’s and don’ts, structure, and maintenance. We will also cover ways to successfully test playbooks by using different defense and response methods that can work in a variety of organizations and situations.
Participants are welcome to bring their own playbooks or example playbooks to the workshop as long as they do not contain any confidential information that may put them or their organization at risk.
Key Takeaways:
Students will be able to take away the following materials and skills at the completion of this course.
– Participating in and creating tabletop exercises that map to security frameworks
– Understanding and creating IR playbooks and runbooks
– Understanding of the importance of tabletops, playbooks, and runbooks in any size organization.
– Experience with decision analysis under pressure as a team
– Ability to create after action reports and present results
Presenter Bios:
Amanda Berlin
Amanda Berlin is the Lead Incident Detection Engineer for Blumira and the CEO and owner of the nonprofit corporation Mental Health Hackers. She is the author of a Blue Team best practices book called “Defensive Security Handbook: Best Practices for Securing Infrastructure” with Lee Brotherston through O’Reilly Media. She is a co-host on the Brakeing Down Security podcast and writes for several blogs. She has spent over a decade in different areas of technology and sectors providing infrastructure support, triage, and design. She now spends her time creating as many meaningful alerts as possible. Amanda is an avid volunteer and mental health advocate. She has presented at a large number of conventions, meetings and industry events. While she doesn’t have the credentials or notoriety that others might have, she hopes to make up for it with her wit, sense of humor, and knack for catching on quickly to new technologies.
Jeremy Mio
Jeremy has focused expertise within the evolution of security convergence, the merger of physical and information security, and cyber-warfare. He is an Information Security Officer within local government and Principal within CodeRed LLC. Previously, he worked within Fortune 500 in enterprise information security as well as physical security through training/contracting. Jeremy researches and tests small UAVs [drones] for their use in defense applications in cyber warfare and intelligence, relying on Open Source technology and OSINT.
- Resume Writing & Mock Interviews
Join industry leaders Kip Boyle, Frank Victory, Neal Bridges, and Joshua Mason for a career-building workshop to kickstart your cybersecurity career or take it to the next level. The workshop will be broken up into two sessions on separate days. On the first day, we will cover resume writing with tips and insights and review resumes for in-person attendees. On the second day, we will discuss interviews and give techniques for preparation and delivery. We will follow that up by putting an attendee or two in the hot seat and coaching them through what to expect and how to make the most impact.
Presenter Bio:
- Supercharging SSH – Hands-on!
It’s a pretty safe bet that all of us have used ssh at least once to let us type keystrokes and see the screen results on another computer. That’s great – it’s an encrypted and authenticated channel that protects that conversation. But SSH can do so much more! Using SSH as just a terminal is like buying a $400,000 supercar and only driving it in first gear!
We want to introduce you to the other gears in that Lamborghini: automating logins, running commands on multiple machines, file transfers, tunneling other types of traffic, and a whole bunch of advanced techniques. The entire session will be at your own pace; you’ll have a series of hands-on labs where you’re given a goal along with optional hints and steps to complete the lab. By doing this on your own laptop and accessing a throwaway cloud server, you can try these techniques in a safe environment to get comfortable with them. We’ll have lab mentors available for both in-person and virtual attendees so you can ask for help with any piece of these labs or find out how a particular technique would work in your environment. Feel free to skip any labs where you already know the material so you can jump right to the interesting stuff – the techniques that will help you do your job better!
Prerequisites: a laptop that either has ssh installed or one where you have the ability to install a command line or graphical (*) ssh client. You can use your own account or you can set up a dummy account on the laptop. We’ll provide an account on a cloud server that you can access to do the labs (or use your own if you prefer). You’ll need Internet access to do these labs – the conference/hotel wifi will be fine.
* The screenshots we provide in the lab book focus on command line ssh, though we’ll try to help you find the equivalents in a graphical ssh client.
Presenter Bios:
Bill Stearns
Bill provides Customer Support, Development, and Training for Active Countermeasures. He has authored numerous articles and tools for client use. Bill was the chief architect of one commercial and two open-source firewalls and is an active contributor to multiple projects in the Linux development effort. His spare time is spent coordinating and feeding a major anti-spam blacklist. Bill’s articles and tools can be found in online journals at http://github.com/activecm/ and http://www.stearns.org.
Naomi Goddard
Naomi has a bachelor’s degree in Computer Science from Dakota State University. She specializes in modern full-stack development and likes to dabble in iOS development. Her interests include oil painting, Swedish ciders, paddleboarding, retro hardware game modding with her husband, and adventuring with her two Siberian Huskies.
Keith Chew
Keith joined the ACM team in 2018 and describes his career at Active Countermeasures as his dream job. His fascination with computing and processes stems from working with his first personal computer in 1982 – a TI-99/4A. Keith sees himself as fortunate for the opportunity to apply his passion towards a career that assists in the advance of technology. Beyond computing and electronics, Keith also enjoys anything with an engine, wheels, or wings.
- Threat Hunting using Active and Passive DNS
Every transaction on the Internet – good or bad – uses the Domain Name System (DNS). In this fast-paced, hands-on workshop, DomainTools Director of Sales Engineering Taylor Wilkes-Pierce will teach the fundamental investigative techniques and methodologies for leveraging DNS and hosting infrastructure data to more quickly and easily uncover previously unknown connections between seemingly unrelated assets, IP addresses, certificates, registration data, domain names, and more to map online infrastructure.
Requirements to participate:
– Laptop, Internet access
– Basic knowledge of the Domain Name System (DNS) is required.
DomainTools Iris Investigate allows users to pivot through 20+ years of domain and infrastructure data along with the most up-to-date DNS observations on 400 million+ registered domains from around the world. As a result, Iris Investigate enables defenders to assess whether to allow, conditionally allow, or deny various types of connections and gain visibility into what type of risk an indicator represents.
Presenter Bio:
DomainTools, the leader in domain name and DNS-based cyber threat intelligence, has acquired Farsight Security, a leader in DNS intelligence and passive DNS cyber security data solutions. The acquisition comes as a natural extension of both companies’ long-standing partnership to deliver Farsight’s market-leading passive DNS data via the DomainTools Iris investigation platform to assess risk, map attacker infrastructure, and rapidly increase visibility and context on threats. Farsight’s market leading DNS observation data combined with DomainTools best-in-class active DNS data gives customers the earliest and most comprehensive look into threats emerging outside their network.
Please keep an eye on this page for more updates on the workshops at Deadwood 2022.