Workshops

Below you’ll find details about the Deadwood 2021 workshops. Please note that like the conference, all workshops will be held virtually. Be sure to join the conference Discord server where we have dedicated channels for each workshop.

  • Advanced Cubicles & Compromises w/ Ean Meyer

    What makes a great tabletop exercise? Many organizations run a tabletop exercise to check a box for compliance standards but don’t maximize the value of the time spent. Often they don’t engage the audience or force them to think enough about the problem to find areas of improvement. Further, they assume their decisions will always work during the exercise. In this workshop, we will not only discuss how to build a tabletop exercise that addresses real risk for an organization but how to make it fun and engaging for teams at all levels of an organization. The workshop will introduce attendees to the Cubicles and Compromises format as well as add new advanced elements. You will create a company with a budget, controls, and limitations, then test those controls against a current real-world issue. You’ll roll dice, things won’t go as planned, and you’ll learn what makes for a great tabletop exercise you can take back and use at your organization.

    Presenter Bio:

    Ean Meyer (@EanMeyer) is an Associate Director of Security Assurance for a multi-billion-dollar global resort company. When not working with large enterprises he can be found at Full Sail University teaching the next generation about information security and risk management as a Course Director in the IT and Cybersecurity programs. He is also the President of BSides Orlando and mentoring co-lead for The Diana Initiative.

    Ean has spoken at BSides Orlando, BSides Tampa, and InfoSec World. He has been a panelist at ISC2 Congress, Department of Homeland Security – Corporate Security Symposium, and the upcoming Synapse Summit 2021. He also runs workshops such as Advanced Cubicles & Compromises, which is a tabletop incident response workshop for Wild West Hackin’ Fest. In 2019 Ean competed in the Social Engineering Capture The Flag at Defcon 27 where he took 5th place.

    Ean holds a CISSP, EC-Council – CEH, and an MS in Cybersecurity and Information Assurance.

    You can find him at https://www.eanmeyer.com – Twitter @eanmeyer – LinkedIn @eanmeyer

  • Advanced Passive DNS Search Techniques for Cyber Investigations w/ Ben April and Daniel Schwalbe

    In this hands-on workshop, Farsight Security CTO Ben April and VP of Engineering Daniel Schwalbe will build on the search techniques introduced in the “Threat Hunting using Passive DNS” class and will expand the query complexity to include advanced regular expression patterns, globbing, and searching of “lesser known” Resource Record Types such as SOA and TXT.

    Requirements to participate:

    • Laptop, Internet access
    • Familiarity with basic passive DNS Search concepts, or participation in the previous day’s “Threat Hunting using Passive DNS” workshop
    • Farsight DNSDB API Key (will be provided)
    • DNSDB Scout Web Edition: https://scout.dnsdb.info/
    • dnsdbq install from https://github.com/dnsdb/dnsdbq
    • dnsdbflex install from https://github.com/farsightsec/dnsdbflex

     

    Farsight will provide free access to its passive DNS tool, Farsight DNSDB, and its command line (dnsdbq and dnsdbflex) and web (DNSDB Scout) tools for the class as well as for 60 days following the conference so that attendees can use the tool in their own work environments.

    DNSDB is a historical passive DNS database that contains Internet history data that goes back to 2010. A DNSDB API Key will be sent to registered attendees prior to the workshop.

    Presenter Bios:

    Ben April is the Chief Technology Officer at Farsight Security, Inc. Prior to joining Farsight, Ben spent eight years at Trend Micro, where he became the Americas regional manager of the Forward-looking Threat Research team. Ben has presented to security conferences on six continents, covering topics like Bitcoin, NFC, operational security and infrastructure security. He has built research systems for collecting and aggregating data, from Whois and the Bitcoin block-chain to the global routing table. His current crusade is to eliminate the technical and policy barriers that impede data-sharing among white-hat security researchers. “Once the good guys can share data as effectively as the criminals, we might have a chance.” Ben is also a volunteer sysadmin and coder for some trusted-community security projects.

    Daniel Schwalbe is the Deputy Chief Information Security Officer and Vice President of Engineering at Farsight Security, Inc. Prior to joining Farsight, he served as Associate Chief Information Security Officer at the University of Washington, where his focus areas were threat intelligence, information sharing, and incident response. Daniel is a US Army Veteran and has done tours as a DOD Contractor and FBI Taskforce member. He also previously served on the board of directors for the REN-ISAC, where he remains a technical advisor. Daniel is an active contributor to the information security community, and regularly teaches undergraduate-level InfoSec courses at his alma mater, University of Washington. He has presented at national and international conferences such as DCC, ACoD, ISOI, Agora, and WWHF.

  • Catch me if you can—Seeing the red through the blue w/ Will Hunt and Owen Shearing (Virtual)

    This two-hour workshop will help improve both red and blue skillsets through a series of hacks, where you as an attendee will have to identify malicious activities on various targets. During the workshop, the trainer (Red Team) will highlight a series of attacks that have occurred on the hosts in the In.security lab. You (the Blue Team) will then need to use Azure Sentinel to identify the malicious activities and raise the alarm! This will upskill both attackers, in understanding the various attack flows that could compromise their cover, and defenders, in understanding how to detect them. “The best defence is a good offense” applies as much in cyber as it does in sport. You’ll get sneak peeks of the attacks the trainer has carried out before you’re set off to hunt down the evidence…

    Phase 1

    • Lab access and overview
    • Common KQL syntax
    • Using Azure Sentinel to find artefacts

    Phase 2

    • Phishing attacks and IOCs
    • Practical scenario
      • Catch the phish

    Phase 3

    • Credential theft
    • Practical scenario
      • Identifying credential-based attacks and compromised accounts

    Phase 4

    • Using Out of Band (OOB) channels to exfiltrate data
    • Practical scenario
      • Identifying suspicious network activity

    Who should attend:

    • This workshop is suited to a variety of delegates, including:
      • Blue/Red team members
      • SOC analysts
      • Penetration testers
      • Security professionals
      • IT Support as well as administrative and network personnel

    Technical / Hardware / Software Requirements:

    • Delegates will need to have access to a system with a web browser

    Presenter Bios:

    Will (@Stealthsploit) co-founded In.security in 2018. Will’s been in infosec for over a decade and has helped secure many organisations through technical security services and training. Will’s delivered hacking courses globally at several conferences including Black Hat and has spoken at various conferences and events. Will also assists the UK government in various technical, educational and advisory capacities. Before Will was a security consultant he was an experienced digital forensics consultant and trainer.

    Owen (@rebootuser) is a co-founder of In.security, a specialist cyber security consultancy offering technical and training services based in the UK. He has a strong background in networking and IT infrastructure, with well over a decade of experience in technical security roles. Owen has provided technical training to a variety of audiences at bespoke events as well as Black Hat, Wild West Hackin’ Fest, NolaCon, 44CON and BruCON. He keeps projects at https://github.com/rebootuser.

  • DDTTX – Playbook Perfection w/ Amanda Berlin and Jeremy Mio

    DDTTX Playbook Perfection is an introductory playbook workshop. Playbooks are an important part of any information security program. They offer structure and realistic, flexible procedures to assist in almost any situation.

    As a group we will review playbooks taken from other situations and cover best practices, do’s and do not’s, structure, and maintenance. We will also cover ways to successfully test playbooks by using different methods that can work in a variety of organizations and situations.

    Participants are welcome to bring their own playbooks or example playbooks to the workshop as long as they do not contain any confidential information that may put them or their organization at risk.

    Presenter Bios:

    Amanda Berlin – (@infosystir) – Amanda Berlin is a Lead Incident Detection Engineer for Blumira and the CEO and owner of the nonprofit corporation Mental Health Hackers. She is the author of a Blue Team best practices book called Defensive Security Handbook: Best Practices for Securing Infrastructure with Lee Brotherston through O’Reilly Media. She is a co-host on the Brakeing Down Security podcast and writes for several blogs. She has spent over a decade in different areas of technology and sectors providing infrastructure support, triage, and design. She now spends her time creating as many meaningful alerts as possible.

    Jeremy Mio – (@cyborg00101) – Jeremy has focused expertise within the evolution of security convergence, the merger of physical and information security, and cyber-warfare. He is an Information Security Officer within local government and Principal within CodeRed LLC. Previously, he worked within Fortune 500 in enterprise information security as well as physical security through training/contracting. Jeremy researches and tests small UAVs [drones] for their use in defense applications in cyber warfare and intelligence, relying on Open Source technology and OSINT.

  • Hacking and Defending Kubernetes, Hands On! w/ Jay Beale

    Get a hands-on introduction to attacking and defending Kubernetes (k8s)! Remotely controlling a Kali Linux system, you’ll attack a new capture-the-flag scenario in the open-source Bust-a-Kube Kubernetes cluster. Once you’ve busted your way to cluster admin, you’ll use your access to harden the cluster and block your attack. Come get some direct experience with Kubernetes security!

    This workshop doesn’t require you to have any experience with containers or Kubernetes. It is accessible to anyone comfortable with a Linux command line.

    Presenter Bio:

    Jay Beale (@JayBeale) works on Kubernetes and cloud native security, both as a professional threat actor and as a member of the Kubernetes project, where he previously co-led the Security Audit working group. He’s the architect of the Peirates attack tool for Kubernetes, as well as of the @BustaKube Kubernetes CTF cluster. He created Bastille Linux and the CIS Linux scoring tool, used by hundreds of thousands. Since 2000, he has led training classes on Linux & Kubernetes security at the Black Hat, RSA, CanSecWest, and IDG conferences. An author and speaker, Beale has contributed to nine books, two columns, and over 100 public talks. He is CEO and CTO of the infosec consulting company InGuardians.

  • How to Build an Infosec Team that gets Sh*t Done w/ Kip Boyle

    In this workshop, I show InfoSec managers how to build the team of their dreams. Students will learn how to attract and retain top tier talent, the kind of talented people who could work anywhere but choose to work with you, team members who get stuff done and don’t think much about changing employers.

    What’s more, this kind of team throws open the door for you to become a powerful influencer on InfoSec strategy with your senior decision makers. Why? Because your team will let you work “on your program” instead of working “in your program.” And that will allow you to spend more time learning about the business your team protects and building relationships with the other top influencers across your organization.

    During this workshop, we’ll be referring to the “Cybersecurity Hiring Manager Handbook,” an open-source document soon to be published under the Creative Commons Attribution 4.0 International (CC BY 4.0) license.

    Presenter Bio:

    Kip Boyle (@KipBoyle) is a husband, dad, small business owner, and experienced cybersecurity hiring manager. Over the years, Kip has built many InfoSec teams in a variety of settings including as a captain on active duty in the US Air Force, as the CISO of PEMCO Insurance in Seattle, and vCISO in his own company, Cyber Risk Opportunities LLC. Kip is leading the creation of the open source “Cybersecurity Hiring Manager Handbook”. He’s also the co-host of The Cyber Risk Management Podcast and principal instructor of the Hired in 21 Days online course.

  • Offensive WMI Workshop w/ Chris Truncer

    WMI has recently been publicized for its offensive use cases. Attackers, and now red teams, are discovering how powerful WMI can be when used beyond its original intent. Even with the recent surge in WMI use, not everyone knows how to interact with it. This workshop intends to showcase how you can leverage WMI on assessments to do nearly anything you would want to do in a post-exploitation scenario. Want to read files, perform a directory listing, detect active user accounts, run commands (and receive their output), download/upload files, and do all of the above (plus more) remotely? The goal for this workshop will be to enable students to walk away with an understanding of how WMI, a service installed and enabled by default since Windows 2000, is utilized by attackers, demystify interacting with the service locally and remotely, and give students the ability to leverage WMI in the same manner as attackers.

    Presenter Bio:

    Christopher Truncer (@ChrisTruncer) is a co-founder and red team lead with FortyNorth Security. He is a co-founder and current developer of the Veil-Framework (a project that aims to bridge the gap between advanced red team and penetration testing tools), WMImplant, EyeWitness, and other open-source software. Chris began developing tools that are not only designed for the offensive community but can enhance the defensive community’s ability to defend their network as well.

  • Threat Hunting using Passive DNS w/ Ben April and Daniel Schwalbe

    Every transaction on the Internet – good or bad – uses the Domain Name System (DNS). In this fast-paced, hands-on workshop, Farsight Security CTO Ben April and VP of Engineering Daniel Schwalbe will teach the fundamental investigative techniques and methodologies for how to use Passive DNS to more easily—and quickly—uncover previously unknown connections between seemingly unrelated assets, using IP addresses and domain names to map online infrastructure.

    Requirements to participate:

    • Laptop, Internet access
    • Knowledge of the Domain Name System (DNS) is required.
    • Farsight DNSDB API Key (will be provided)
    • DNSDB Scout Web Edition: https://scout.dnsdb.info/
    • dnsdbq install from https://github.com/dnsdb/dnsdbq
    • dnsdbflex install from https://github.com/farsightsec/dnsdbflex

    Farsight will provide free access to its passive DNS tool, Farsight DNSDB, and its command line (dnsdbq and dnsdbflex) and web (DNSDB Scout) tools for the class as well as for 60 days following the conference so that attendees can use the tool in their own work environments.

    DNSDB is a historical passive DNS database that contains Internet history data that goes back to 2010. A DNSDB API Key will be sent to registered attendees prior to the workshop.

     

    Presenter Bios:

    Ben April is the Chief Technology Officer at Farsight Security, Inc. Prior to joining Farsight, Ben spent eight years at Trend Micro, where he became the Americas regional manager of the Forward-looking Threat Research team. Ben has presented to security conferences on six continents, covering topics like Bitcoin, NFC, operational security and infrastructure security. He has built research systems for collecting and aggregating data, from Whois and the Bitcoin block-chain to the global routing table. His current crusade is to eliminate the technical and policy barriers that impede data-sharing among white-hat security researchers. “Once the good guys can share data as effectively as the criminals, we might have a chance.” Ben is also a volunteer sysadmin and coder for some trusted-community security projects.

    Daniel Schwalbe is the Deputy Chief Information Security Officer and Vice President of Engineering at Farsight Security, Inc. Prior to joining Farsight, he served as Associate Chief Information Security Officer at the University of Washington, where his focus areas were threat intelligence, information sharing, and incident response. Daniel is a US Army Veteran and has done tours as a DOD Contractor and FBI Taskforce member. He also previously served on the board of directors for the REN-ISAC, where he remains a technical advisor. Daniel is an active contributor to the information security community, and regularly teaches undergraduate-level InfoSec courses at his alma mater, University of Washington. He has presented at national and international conferences such as DCC, ACoD, ISOI, Agora, and WWHF.

     


Please keep an eye on this page for more updates on the workshops at Deadwood 2021.

Please note: We cannot guarantee that all the workshops listed on this page will be available at the conference. But we’re going to try really, really hard to make sure that they’re all there.