Conference Schedule

Please note that this conference schedule is subject to change. All times below are in Pacific Time (PT).

Virtual attendees will be able to watch Track 1, Track 2, Track 3, keynote presentations, and the Toolshed, as well as participate in workshops, an Escape Room, the virtual Backdoors & Breaches tournament, and the MetaCTF Capture the Flag event. Don’t forget that we’ll have a private server set up for all conference attendees, but especially for virtual attendees. The link to the Discord server was sent via email; if you did not receive it, be sure to check your spam and promotional folders.

If you still don’t have the Discord link please email us at [email protected]

Helpful links to conference activities can be found in the conference Discord server in the #event-links channel.


Day | Start | End | Title | Presenter(s) | Type | Location | Track | Virtual Presenter(s)
Abstract/Description and Presenter Bio(s) follow each entry on their own lines.

Weds | 2:00PM | 6:00PM | Registration | | Registration | Foyer

Weds | 6:00PM | 6:50PM | Security Isn’t What You Do! | Doc Blackburn | Talk | Pacific A/B | Track 1
Abstract/Description: We security professionals have a problem. We have been hired to solve an impossible problem. What’s the problem? We have been hired to secure our organization. Why is that a problem? It’s an impossible goal! Nobody can say their organization will never be breached. But that is the expectation of our employer. That’s what security is. It’s what we were hired to do. How do we solve this? Let’s explore this with a discussion about what our job actually is, and what to do about it.

Weds | 7:00PM | 7:50PM | Panel Discussion – Everything Old is New Again | Hal Pomeranz, Ed Skoudis, Alyssa Miller, and Tony Sager | Talk | Pacific A/B | Track 1
Abstract/Description: What do you get when you put 100 years of combined computing experience on the stage at one time? Mostly a lot of mind-boggling stories of triumph and defeat and bad choices that will leave you shaking your head. How do our past mistakes inform our future readiness? Are we doomed to repeat the same old anti-patterns, or are we actually making progress as an industry? Panel includes: Hal Pomeranz, Ed Skoudis, Alyssa Miller, Tony Sager.

Weds | 8:00PM | 8:30PM | Augmented Reality Workshop | Jon Bevers and Jake McKenna | Talk | Pacific A/B | Track 1

Thurs | 7:30AM | 6:30PM | Registration | | Registration | Foyer

Thurs | 7:45AM | 8:30AM | Yoga with Christine | | | Loma Vista Terrace

Thurs | 9:00AM | 9:50AM | Starting with the Adversary | Derek Rook | Keynote | Pacific A/B | Track 1
Abstract/Description: Phrases like “Offense informs defense” or “Think like an adversary” can be heard in numerous conference talks. But what if we were to take that idea to the extreme? Join Derek as he discusses his journey doing exactly that. From the humble beginnings of penetration testing as a substitute for mature security process, to building productive relationships with partner teams, and eventually joining forces with the blue team to form an overpowered purple team, you’ll get the inside look at the successes and failures of starting with the adversary.
Presenter Bio(s): Derek is an industry veteran with over 20 years of experience spanning IT, security, and senior leadership. An offensive security leader, he focuses on leveraging adversarial perspectives to help grow defensive capabilities. A passionate educator, he is constantly working on new community education and outreach projects, including an offensive security focused YouTube channel, a few CTFs, and a variety of community talks. Derek holds several security certifications and a NolaCon Black Badge.

Thurs | 10:00AM | 6:30PM | Capture The Flag hosted by MetaCTF | MetaCTF | CTF | Foyer | MetaCTF

Thurs | 10:00AM | 12:00PM | Intro to Lockpicking (In-person Only) | Ed Miro | Workshop | Porthole
Abstract/Description: We will have a small number of lock picking kits for sale on site.
Presenter Bio(s): Ed Miro is a cyber security instructor at multiple community colleges, Antisyphon InfoSec Training, and for his own company Miro Labs. He specializes in leadership, professional development and social engineering. Ed is also the Tabletop Simulator Mod Architect for Backdoors & Breaches.

Thurs | 10:00AM | 10:50AM | What is ATT&CK coverage, anyway? Breadth and Depth Analysis with Atomic Red Team | Adam Mashinchi | Talk | Pacific A/B | Track 1
Abstract/Description: This talk will highlight the Atomic Red Team™ project’s efforts to define and increase the test coverage of MITRE ATT&CK® techniques. We’ll describe the challenges we encountered in defining what “coverage” means in the context of an ATT&CK-based framework, and how to use that definition to improve an open source project that’s used by a diverse audience of practitioners to satisfy an equally diverse array of needs. The audience will learn how the Atomic Red Team maintainers standardize and categorize atomic tests, perform gap analysis to achieve deep technique-level coverage and broad matrix-level coverage, and quickly fill those gaps with new tests.

Thurs | 10:00AM | 10:50AM | Going Dark — effective modern site security is behavioural in nature | Paul Vixie | Talk | Coast Ballroom | Track 2
Presenter Bio(s): Paul Vixie was inducted into the Internet Hall of Fame in 2014 for work related to DNS. Vixie is a prolific author of open source Internet software including Cron and BIND, and of many Internet standards documents concerning DNS and DNSSEC. He was the founder and CEO of Farsight Security (2013-2021). In addition, he founded the first anti-spam company (MAPS, 1996), the first non-profit Internet infrastructure software company (ISC, 1994), and the first neutral and commercial Internet exchange (PAIX, 1991). He earned his Ph.D. from Keio University for work related to DNS and DNSSEC in 2010.

Thurs | 10:00AM | 12:30PM | Introduction to Purple Team Exercises | Tim Schulz & Shawn Edwards | Workshop | Harborside Room
Presenter Bio(s):
Tim Schulz: Tim Schulz is SCYTHE’s Adversary Emulation Lead. He has been helping organizations build and train teams to understand and emulate cyber threats for the last seven years while working at multiple FFRDCs. He is the author of the Purple Maturity Model, and has given talks on purple teaming, adversary emulation, MITRE ATT&CK, and technical leadership.
Shawn Edwards: Shawn Edwards is a Senior Adversary Emulation Engineer at SCYTHE, Inc., where he focuses on leading the development of adversary emulation capabilities and open-source collaboration. He is an experienced offensive capability developer, having developed novel tools and techniques for the open source, public, and private sectors to be used in red teaming and security research. Previous roles include red teaming at MITRE and their ATT&CK Evaluations project, Sony, and the US DoD. When not hacking, he enjoys being as far from computers as possible, preferably at a cabin in the mountains with his dog and some home-made mead.

Thurs | 10:00AM | 6:30PM | WWHF Hands-On Labs | WWHF | Labs | Pacific C/D | Track 3

Thurs | 10:00AM | 6:30PM | Vendor Booths Open | | Vendors | Pacific C/D | Track 3

Thurs | 10:00AM | 6:30PM | Escape Room | | Fun & Games | Embarcadero

Thurs | 11:00AM | 11:50AM | Democratizing Cloud Security | Andrew Krug | Talk | Pacific A/B | Track 1
Abstract/Description: 2020 brought us a host of major data breaches and zero day vulnerabilities. Log4j’s CVE alone had an impact on a massive scale. No matter how many times this happens, many of our security cultures seem to make the same mistakes. In this talk we will explore the concept of democratized security and how that manifests in observability. We’ll step through some sample cloud breaches and CVEs from last year and demonstrate how “accessible observability” and empowering engineering teams through democracy helps defend cloud environments from startup scale to enterprise scale.
Presenter Bio(s): Andrew Krug is a Security Engineer specializing in Cloud Security and Identity and Access Management. Krug also works as a Cloud Security consultant and started the ThreatResponse project, a toolkit for Amazon Web Services first responders. Krug has been a speaker at Black Hat USA, DerbyCon, and BSides PDX.

Thurs | 11:00AM | 11:50AM | What rattles around in the mind of your Chief Information Security Officer? | Russell Eubanks | Talk | Coast Ballroom | Track 2
Abstract/Description: Got a CISO? Likely. Understand what is rattling around in the mind of your CISO? Not likely at all. Gain insight into this often misunderstood role. Learn what is going on in the mind of your CISO. Discover how to better connect to your CISO so you can help them help you and get all your stuff done! Russell will share what it is like to move from being an individual contributor to having the privilege to lead people who lead people who deliver cybersecurity in many diverse industries. You never have to wonder again.
Presenter Bio(s): From factory worker to founder of Security Ever After, Russell Eubanks’ career trajectory has been anything but traditional. While working a factory job, Russell realized he wanted more and started investigating options. He learned about his company’s tuition reimbursement program and promptly signed up for computer classes at his local community college. Russell worked in the factory until early morning and then attended classes. Russell is the former SVP, CIO, and CISO of the Federal Reserve Bank of Atlanta. He holds a bachelor’s degree in computer science from the University of Tennessee at Chattanooga. In his free time, Russell studies leadership and keeps up with his wife, son, and daughter. He also stays busy with his recently discovered passion for running and ran his fourth marathon recently.

Thurs | 12:00PM | 1:00PM | Buffet Lunch for all Attendees | | Food | Pacific Foyer
Abstract/Description: Buffet style lunch provided for all in-person attendees.

Thurs | 12:00PM | 12:30PM | Vendor Brief | | Vendor Brief | Pacific A/B | Track 1

Thurs | 12:30PM | 1:00PM | Vendor Brief | | Vendor Brief | Pacific A/B | Track 1

Thurs | 12:30PM | 2:30PM | Advanced Cubicles and Compromises | Ean Meyer | Workshop | Harborside Room
Abstract/Description: What makes a great tabletop exercise? Many organizations run a tabletop exercise to check a box for compliance standards but don’t maximize the value of the time spent. Often they don’t engage the audience or force them to think enough about the problem to find areas of improvement. Further, they assume their decisions will always work during the exercise. In this workshop, we will not only discuss how to build a tabletop exercise that addresses real risk for an organization but how to make it fun and engaging for teams at all levels of an organization. The workshop will introduce attendees to the Cubicles and Compromises format as well as add new advanced elements. You will create a company with a budget, controls, and limitations, and then test those controls against a current real-world issue. You’ll roll dice, things won’t go as planned, and you’ll learn what makes for a great tabletop exercise you can take back and use at your organization.
Presenter Bio(s): Ean Meyer is an Associate Director of Security Assurance for a multi-billion-dollar global resort company. When not working with large enterprises he can be found at Full Sail University teaching the next generation about information security and risk management as a Course Director in the IT and Cybersecurity programs. He is also the President of BSides Orlando and mentoring co-lead for The Diana Initiative.

Ean has spoken at BSides Orlando, BSides Tampa, and InfoSec World. He has been a panelist at ISC2 Congress, Department of Homeland Security – Corporate Security Symposium, and the upcoming Synapse Summit 2021. He also runs workshops such as Advanced Cubicles & Compromises, which is a tabletop incident response workshop for Wild West Hackin’ Fest. In 2019 Ean competed in the Social Engineering Capture The Flag at Defcon 27, where he took 5th place.

Ean holds a CISSP, EC-Council – CEH, and an MS in Cybersecurity and Information Assurance.

You can find him at https://www.eanmeyer.com – Twitter @eanmeyer – LinkedIn @eanmeyer

Thurs | 1:00PM | 3:30PM | Résumé Writing & Mock Interviews | Josh Mason and Kip Boyle | Workshop | Porthole

Thurs | 1:00PM | 3:00PM | Backdoors and Breaches | | Fun & Games | Pacific C/D

Thurs | 1:00PM | 1:50PM | Lifting the veil, a look at MDE under the hood | Olaf Hartong | Talk | Pacific A/B | Track 1
Abstract/Description: Companies often put a high level of trust in their tools to support them in their quest to protect them from harm. But is that trust warranted? What are the out-of-the-box capabilities, and what can be gained from the telemetry they produce in terms of custom detections? My research extensively focused on one of the most popular EDRs, Microsoft Defender for Endpoint, in order to find out its strong and weaker points. I’ve also put it head to head against a free telemetry solution, Sysmon, in a search for the most optimal implementation that is still manageable for an organization in order to have the best defensive capabilities. I wanted to understand how these tools work, where they get their telemetry and, most importantly, whether there are gaps I should be aware of. This deeper understanding allows you to utilize both at their maximum capacity, or at least be aware of the areas in which to implement additional coverage or mitigations.
Presenter Bio(s): Olaf Hartong is a Defensive Specialist and security researcher at FalconForce. He specialises in understanding the attacker tradecraft and thereby improving detection. He has a varied background in blue and purple team operations, network engineering, and security transformation projects. Olaf has presented at many industry conferences including WWHF, Black Hat, DEF CON, DerbyCon, Splunk .conf, FIRST, MITRE ATT&CKcon, and various other conferences. Olaf is the author of various tools including ThreatHunting for Splunk, ATTACKdatamap and Sysmon-modular.

Thurs | 1:00PM | 1:50PM | Hacking my Bank with OSINT | Matthew Toussain | Talk | Coast Ballroom | Track 2
Abstract/Description: Come with me to a world of pure information. Not basic usernames and passwords; what you’ll see might defy expectations. If you want to view OSINT paradise, simply look around and view it. Anything you want to find? Do it! There’s nothing to it. Step one, get the username and password. Next, find the bank. Once you’ve got that on lock, it’s time to bypass 2FA. Join me as we fiddle with publicly available internet resources to make our way into my personal bank account. Yes, really.

Thurs | 1:00PM | 1:30PM | Tool Demo – VoIP Suite | Mishaal Khan | ToolShed | Pacific C/D | Track 3
Abstract/Description: VoIP Suite is a web-based and self-hosted application that provides an interface enabling SMS, MMS and voice calls using the API keys from providers like Telnyx/Twilio. It is compartmentalized, and you can host the database, code, frontend and backend on any platform. It is built with privacy and security in mind. It eliminates the dependency on SMS and voice calls from traditional telecom providers and allows you more control and flexibility over the infrastructure (server, database, URL, numbers). It is a key component in your privacy journey. Debuted on The Privacy, Security & OSINT Podcast by Michael Bazzell.
Presenter Bio(s): Mishaal uses his cybersecurity background and OSINT skills to spread awareness, educate people and provide actionable next steps to help protect people and organizations from threats they may not be aware of. He’s a virtual CISO, Certified Ethical Hacker, social engineer, OSINT investigator, privacy consultant, coder and a general problem solver.

Thurs | 1:30PM | 2:00PM | Tool Demo – Velociraptor | Wes Lambert | ToolShed | Pacific C/D | Track 3
Abstract/Description: Velociraptor is a cross-platform, open-source endpoint visibility platform that provides host-based security monitoring, forensics, response, and threat hunting capabilities at scale. With its built-in query language (VQL) and various deployment models, Velociraptor can be extended to fit many use cases and quickly unearth artifacts when hunting across one to thousands of endpoints. Aside from its own built-in data acquisition methods and parsers, Velociraptor can also leverage external tools to allow defenders to quickly and easily expand the capabilities of the platform. Gone are the days of traditional dead-box forensics, memory images, and shipping of ALL THE LOGS! Velociraptor aims to shift much of the analysis to the endpoint, filtering out noise and only gathering pertinent data in order to afford analysts and responders the ability to quickly and efficiently gain ground truth during an incident, reduce costs and increase retention time for events shipped to a SIEM, and uncover malicious activity through routine monitoring.
Presenter Bio(s): Wes Lambert is a Principal Engineer at Security Onion Solutions, where he helps companies to implement enterprise security monitoring solutions and better understand their computer networks. He is a huge fan of open source software projects, and loves to enhance organizational security using completely free and easily deployable tools.

Thurs | 2:00PM | 2:50PM | Vulnerability Discovery, From Bronze Age to Cyber Age | Tony Sager | Talk | Pacific A/B | Track 1
Presenter Bio(s): Tony Sager is a Senior Vice President and Chief Evangelist for CIS® (The Center for Internet Security, Inc.). He leads the development of the CIS Controls™, a worldwide consensus project to find and support technical best practices in cybersecurity. Sager champions the use of CIS Controls and other solutions gleaned from previous cyber-attacks to improve global cyber defense. He also nurtures CIS’ independent worldwide community of volunteers, encouraging them to make their enterprise, and the connected world, a safer place. In November 2018, he added strategy development and outreach for CIS to his responsibilities.

In addition to his duties for CIS, he is an active volunteer in numerous community service activities: the Board of Directors for the Cybercrime Support Network; a member of the National Academy of Sciences Cyber Resilience Forum; Advisory Boards for several local schools and colleges; and service on numerous national-level study groups and advisory panels.

Sager retired from the National Security Agency (NSA) after 34 years as an Information Assurance professional. He started his career there in the Communications Security (COMSEC) Intern Program, and worked as a mathematical cryptographer and a software vulnerability analyst. In 2001, Sager led the release of NSA security guidance to the public. He also expanded the NSA’s role in the development of open standards for security. Sager’s awards and commendations at NSA include the Presidential Rank Award at the Meritorious Level, twice, and the NSA Exceptional Civilian Service Award. The groups he led at NSA were also widely recognized for technical and mission excellence with awards from numerous industry sources, including the SANS Institute, SC Magazine, and Government Executive Magazine.

Mr. Sager holds a B.A. in Mathematics from Western Maryland College and an M.S. in Computer Science from The Johns Hopkins University.

Thurs | 2:00PM | 2:50PM | Street Cred: Passwords to Passwordless | Wolfgang Goerlich | Talk | Coast Ballroom | Track 2
Abstract/Description: Good security gets out of the way of users while getting in the way of adversaries. Passwords fail on both counts. Users feel the pain of adhering to complex password policies. Adversaries simply copy, break, or brute-force their way in. Why, then, have we spent decades with passwords as the primary factor for authentication? This session describes how to increase trust in passwordless authentication. What holds us back from getting rid of passwords? We’ll share use cases and lessons from early adopters. We won’t undo forty years of authentication in forty minutes. But we will share a path forward.
Presenter Bio(s): J. Wolfgang Goerlich is an Advisory CISO for Cisco Secure. He has been responsible for IT and IT security in the healthcare and financial services verticals. Wolfgang has led advisory and assessment practices for cybersecurity consulting firms.

Thurs | 2:00PM | 2:30PM | Tool Demo – BloodHound | Andy Robbins | ToolShed | Pacific C/D | Track 3
Abstract/Description: BloodHound is an attack path analysis tool used by offensive security professionals to find and analyze attack paths in on-prem Active Directory, Azure Active Directory, and Azure Resource Manager. If there is a path from your compromised system or principal to your objective, BloodHound will find it.
Presenter Bio(s): Andy Robbins (@_wald0) is one of the co-creators of BloodHound and is the Product Architect of BloodHound Enterprise at SpecterOps. Andy’s background is in red-teaming and pentesting. Andy has spoken about and given training around Active Directory and Azure security at BlackHat USA, BlackHat Europe, DEF CON, BSidesLV, BSides Seattle, Derbycon, Troopers, ekoparty, and other conferences as well.

Thurs | 2:30PM | 3:00PM | Tool Demo – VolWeb | Félix Guyard | ToolShed | Pacific C/D | Track 3
Abstract/Description: VolWeb is an open-source digital memory forensic platform. The goal of VolWeb is to improve the efficiency of memory forensics by providing a centralized, visual and enhanced platform for incident responders and digital forensics investigators.
Presenter Bio(s): Loving computers since a young age, I first dedicated my time to red teaming. Then, after a Licence in Computer Science and a Cybersecurity Master, I decided to discover blue teaming, and more precisely digital forensics and threat intelligence. I am currently focusing on memory analysis and REM until I am bored.

Thurs | 2:30PM | 4:30PM | Threat Hunting using Active and Passive DNS | Taylor Wilkes-Pierce | Workshop | Harborside Room
Abstract/Description: Every transaction on the Internet – good or bad – uses the Domain Name System (DNS). In this fast-paced, hands-on workshop, DomainTools Director of Sales Engineering Taylor Wilkes-Pierce will teach the fundamental investigative techniques and methodologies for leveraging DNS and hosting infrastructure data to more quickly and easily uncover previously unknown connections between seemingly unrelated assets, IP addresses, certificates, registration data, domain names, and more to map online infrastructure.

Requirements to participate:
- Laptop, Internet access
- Basic knowledge of the Domain Name System (DNS) is required.

DomainTools Iris Investigate allows users to pivot through 20+ years of domain and infrastructure data along with the most up-to-date DNS observations on 400 million+ registered domains from around the world. As a result, Iris Investigate enables defenders to assess whether to allow, conditionally allow, or deny various types of connections and gain visibility into what type of risk an indicator represents.

DomainTools, the leader in domain name and DNS-based cyber threat intelligence, has acquired Farsight Security, a leader in DNS intelligence and passive DNS cyber security data solutions. The acquisition comes as a natural extension of both companies’ long-standing partnership to deliver Farsight’s market-leading passive DNS data via the DomainTools Iris investigation platform to assess risk, map attacker infrastructure, and rapidly increase visibility and context on threats. Farsight’s market-leading DNS observation data combined with DomainTools’ best-in-class active DNS data gives customers the earliest and most comprehensive look into threats emerging outside their network.

Thurs | 3:00PM | 3:50PM | Making the case for SCA | Alyssa Miller | Talk | Pacific A/B | Track 1
Abstract/Description: First it was mostly talked about in theory, then it was Struts in an Equifax application, and most recently it was a high-severity vulnerability in Log4j. The challenges of the almost ubiquitous use of open source libraries in modern development continue to confound engineering, security and even vendor management teams across organizations. One practice that has gotten some traction, but admittedly less than deserved attention up until recently, is Software Composition Analysis (SCA). In this session I’ll present the various challenges that modern development ecosystems leveraging open source libraries and packages present to us. You’ll hear about various forms of tooling, from simple development environment capabilities to full-blown commercial solutions, that can help address some of those challenges through SCA. Together we’ll analyze my experience leveraging SCA’s capabilities in my organization’s Log4j response. From there we’ll discuss how to message the value proposition of SCA and win support from not just your security teams but your engineering, product, and vendor management teams as well. You’ll leave this session with valuable knowledge you can use tomorrow to make the case for introducing SCA capabilities into your organization’s software development pipeline.
Presenter Bio(s): Alyssa Miller, Business Information Security Officer (BISO) for S&P Global, directs the global security strategy for the Ratings division, connecting corporate security objectives to business initiatives. She blends a unique mix of technical expertise and executive presence to bridge the gap that can often form between security practitioners and business leaders. Her goal is to change how we look at the security of our interconnected way of life and focus attention on defending privacy and cultivating trust. A life-long hacker, Alyssa has a passion for technology and security. She bought her first computer herself at age 12 and quickly learned techniques for hacking modem communications and software. Her serendipitous career journey began as a software developer, which enabled her to pivot into security roles. Beginning as a penetration tester, her last 15 years have seen her grow as a security leader with experience across a variety of organizations. She regularly advocates for improved security practices and shares her research with business leaders and industry audiences through her international public speaking engagements, online content, and other media appearances.

Thurs | 3:00PM | 3:50PM | Hiding in plain sight from blue teams | Henri Hambartsumyan | Talk | Coast Ballroom | Track 2
Abstract/Description: Blue teams using detection logic to detect attacks always need to balance false positives and false negatives. One very common way of dealing with false positives is to allow “known good”, i.e. allow lists. This presentation is about my research of real-world data to identify and classify such “known good” behaviours in “common software”. With this overview of “known good” software, you can start replicating the same behaviour and try to hide in the “allow lists” of the blue teams. The presentation will show you which IoCs are related to various tactics that occur very often “in the wild”, and how you can use the same IoC to hide in the allow lists of detection rules. During the presentation, I will share numerous examples which can directly be used in real attack simulations, emulating semi-sophisticated attackers. Examples of topics discussed in the presentation: how to pretend to be a SAP macro, which filename/function name to use when using rundll32, how to drop your persistence in the startup folder without being detected, etc.
Presenter Bio(s): Henri has a background in offensive security and has been working in the area of penetration testing, security assessments and (threat intel based) red teaming for the last 10 years. During these years, Henri has performed (and is performing) a large number of such projects in a worldwide consulting role. Henri is one of the founders of FalconForce, a company focusing on combining red and blue knowledge in every project. In this role he has been a full-time purple teamer for the last 2 years. About half of the time, Henri is performing red teaming engagements for clients worldwide in challenging environments with strong blue teams. Here, he can use his blue team knowledge to avoid detection. The other half of the time, Henri is building detections for clients based on the attacks performed. The knowledge and experience from red teams required for bypassing EDRs and blue teams is directly used by Henri to build detections and close gaps left by EDRs. In his spare time, he likes low-level development, reverse engineering and occasionally racing motorbikes.

Thurs | 3:00PM | 3:30PM | Tool Demo – oxidebpf | Rafael Ortiz | ToolShed | Pacific C/D | Track 3
Abstract/Description: Designed for security use cases, oxidebpf is a permissively licensed, pure-Rust library for managing eBPF programs. The feature set is more limited than other libraries, but emphasizes stability across a wide range of kernels and backwards-compatible compile-once-run-most-places. Users can compose arbitrary eBPF programs independently from the file they’re compiled in, leaving behind the all-or-nothing approach of many other libraries. You import the library, give it a built eBPF program, tell it what you want to load and how, and you’re done.
Presenter Bio(s): Friday (aka “Rafael Ortiz”) is a defensive security researcher with a background in biomedical engineering. They started their security career defending VoIP systems for a telemedicine DoD subcontractor before joining Telefonica’s cybersecurity division as a security specialist and researcher. Their past research projects focused on privacy and security in areas such as mobile devices, industrial control systems, and identity. Rafael’s work on Red Canary’s research and development (R&D) team focuses on finding and developing new ways to protect customers.

Thurs | 4:00PM | 4:50PM | Securing Down-Ballot Political Campaigns: The Next Frontier | Daniel Bardenstein | Talk | Pacific A/B | Track 1 | X
Abstract/Description: In 2018, when Daniel signed up to volunteer infosec support for a Congressional campaign, he never imagined that he would end up getting involved with the first-ever lawsuit brought against a U.S. citizen for domestic electronic election meddling. After defending the campaign from a primary competitor, working with a major newspaper, and collaborating with the FBI to support their investigation, Daniel saw first-hand how vulnerable down-ballot campaigns are in the U.S., and how poorly our current legal frameworks handle campaign hacking. Two years later, Daniel teamed up with a former colleague to lead Foresight Partners to address this problem head-on.
Presenter Bio(s): Daniel Bardenstein is a Digital Services Expert at the Defense Digital Service, where he leads cybersecurity projects for the Department of Defense, including the U.S. COVID-19 vaccine efforts, the Hack the Pentagon bug bounty program, and ICS/SCADA research. He is also a Policy Fellow at the Aspen Institute’s Tech Policy Hub, where he focuses on securing medical devices and the energy sector. Outside of work, Daniel leads Foresight Partners, a non-partisan non-profit that provides infosec training and support to political campaigns. Before joining government, he led product teams in the private sector building tools for national security and infosec use cases.

Thurs | 4:00PM | 4:50PM | Three Amigos: How to Tell if your PenTest was performed by a silent movie star | Kevin Johnson | Talk | Coast Ballroom | Track 2
Abstract/Description: In this presentation, Kevin Johnson of Secure Ideas will reflect on the horrible and ugly that he has seen presented as penetration test results. He will walk through various scenarios, and how you can validate the results from your tests, understand how to spot frauds and false positives, and ensure that your testing is really hero-worthy!
Presenter Bio(s): Kevin Johnson is the Chief Executive Officer of Secure Ideas. Kevin has a long history in the IT field including system administration, network architecture and application development. He has been involved in building incident response and forensic teams, architecting security solutions for large enterprises and penetration testing everything from government agencies to Fortune 100 companies.

Thurs 4:30PM 6:30PM Threat Hunting Advanced Techniques Bill Stearns & Naomi Goddard Workshop Harborside Room This 2 hour course will cover advanced tools, techniques, strategies, and processes for Threat Hunting. We’ll use AC-Hunter as our platform for discussion. We’ll look at how to integrate with your existing tools, how to perform a Threat Hunt more efficiently, and how to use advanced strategies and features. There will be time to cover your questions and focus on aspects of Threat Hunting that could use some more explanation.

Attendees will be given access to an AC-Hunter system for the duration of the course. While there are no strict prerequisites, the presentation will be more valuable to you if you’ve spent some time Threat Hunting (either live or in a Threat Hunting class).

You will need a web browser and Internet access to work with AC-Hunter, and we strongly recommend Chrome for this.

Bill Stearns
Bill provides Customer Support, Development, and Training for Active Countermeasures. He has authored numerous articles and tools for client use. Bill was the chief architect of one commercial and two open-source firewalls and is an active contributor to multiple projects in the Linux development effort. His spare time is spent coordinating and feeding a major anti-spam blacklist. Bill’s articles and tools can be found in online journals at http://github.com/activecm/ and http://www.stearns.org.
Naomi Goddard
Naomi has been on the ACM dev team since 2018 as a full stack engineer. Her passion is front end development and she enjoys dabbling in graphic design. Her interests outside of tech include oil painting, digital art, home improvement, and mushing her two Siberian Huskies around with a go kart.
Thurs 5:00PM 5:50PM Statikk Shiv: Leveraging Electron Applications For Post-Exploitation Ruben Boonen Talk Pacific A/B Track 1 Electron applications are ubiquitous; we use them every day. When you are listening to Spotify, talking to your friends on Discord or programming in VSCode, Electron is powering that user experience. Electron also drives common chat platforms like Slack & Microsoft Teams (v1.x). In this presentation we will review the attack surface of Electron applications in a Red Team scenario: how an attacker can assume the user’s identity and introduce novel tooling to instrument Slack for enumeration and internal social engineering purposes. Ruben Boonen (@FuzzySec) is part of IBM’s X-Force Red Team, providing public & private sector clients assurance around the security posture of their products and infrastructure. Before joining IBM he worked in both defence, on FireEye’s Technical Operations & Reverse Engineering (TORE) team, and offence, as a senior security consultant. While he has led a wide variety of engagements, he has developed a special interest in all things Windows. His areas of research include Windows internals, privilege escalation, C#/PowerShell trade-craft and memory manipulation.
Thurs 5:00PM 5:50PM Move in Silence: Staying Quiet in Mature Networks Cory Wolff Talk Coast Ballroom Track 2 Security Operations Centers and event monitoring have advanced by leaps and bounds in the past decade. While this is a good thing for cybersecurity as a whole, for red teamers and penetration testers it means that Metasploit payloads and common tools simply won’t work. Any attempt to drop tools like Mimikatz or Responder will be contained by even the most basic Antivirus and EDR. Want to kick off an Nmap scan and recon the network? Good luck with that! Cory Wolff is a red team lead and hacker with decades of experience in IT, security and development. He has been building and breaking all the things since his first computer in 1988 and is probably still reading the Hackers Manifesto. He holds the Offensive Security Certified Professional (OSCP) and Certified Information Systems Security Professional (CISSP) certifications and can be found tending to his farm when not wired in.
Thurs 6:00PM 6:50PM Communication in Security Katelyn Eubanks Talk Pacific A/B Track 1 The topic of cyber security is often a difficult conversation to navigate when it comes to getting buy-in from your management, other employees, and even the rest of the Technology team. The question many IT security professionals ask themselves is how can we make this relationship with our peers better, so that we can best protect our infrastructure? Communication in security provides a quick overview on best practices to create an engaging security environment to help security professionals communicate effectively and implement positive change in their environments. Information Security Architect for the City of Sioux Falls, Katelyn Eubanks works to ensure security compliance and best practices are kept a priority from vulnerability remediation to educating end users. Moving from Arizona, Katelyn Eubanks has previously worked in the education technology field, leading a team to provide adaptive learning tools for students at the high school level.
Thurs 6:00PM 6:50PM Applying the Invisibility Cloak: Obfuscate C# Tools to Evade Signature-Based Detection Brett Hawkins Talk Coast Ballroom Track 2 Attackers and offensive security professionals have been migrating from PowerShell to C# for post-exploitation toolkits, due to advances in security product configurations and features. An example of one of these improvements has been AMSI for .NET, which allows the scanning of .NET assemblies in memory. Currently, the majority of detections for these C# tools rely on static signatures, rather than the behaviors of the tools themselves. This talk will review various static indicators that can be used within C# toolkits for detection, and how to bypass those static signatures by making manual modifications, and through automated modification methods using X-Force Red’s proof-of-concept C# obfuscation tool InvisibilityCloak. Additionally, defensive considerations will be discussed. Brett has been in Information Security for several years working for multiple Fortune 500 companies across different industries. He has focused on both offensive and defensive disciplines, and is currently on the Adversary Simulation team at X-Force Red. He holds several industry recognized certifications, and has spoken at several conferences including DerbyCon, Hackers Teaching Hackers, and BSides Cleveland. Brett is also a member of the open-source community, as he has contributed to or authored various public tools, such as SharPersist, DueDLLigence and InvisibilityCloak. Brett’s extensive knowledge and experience in a breadth of different Information Security areas gives him a unique and well-rounded perspective.
Thurs 8:00PM 10:00PM Slide Show Roulette Frank Victory and Ean Meyer Fun & Games Coast Ballroom Track 2 “One of the things that makes a great presenter is knowing the material. It is essential in the presentation and makes the flow great. But what happens when a presenter is not familiar with the topic? In Slideshow Roulette, we will challenge you to present a deck you have never seen before with expertise and grace. Think you are good? Let’s find out! Are you a good heckler? While comments and ridiculous questions are not required, they are highly encouraged!” Frank Victory
I have been in I.T. since the early 90’s, focusing the last 15 years on security. I have worked in a variety of roles, from individual contributor to Director of Security Architecture, Security Engineering, and Vulnerability Management. However, titles are not as important to me as being effective and making an impact. My career includes both Blue Team and Red Team functions. I have worked in Patch Management, Penetration Testing, DFIR, and Threat & Risk Management. I am very adaptable to tackling any issue at hand. I have been an Instructor at three of the Community Colleges and several Universities. Over the past ten years, I have taught PC Technician, Digital Forensics and Investigations, Network II, and Fundamentals of Cyber Security. I have also created the core content for the Penetration Testing/Vulnerability Assessment course for the State of Colorado. I like to give back to the community, so I serve as a volunteer Board Member of the Denver OWASP group, where we provide free meetups and low-cost conferences.
Ean Meyer
Ean Meyer is an Associate Director of Security Assurance for a multi-billion-dollar global resort company. When not working with large enterprises he can be found at Full Sail University teaching the next generation about information security and risk management as a Course Director in the IT and Cybersecurity programs. He is also the President of BSides Orlando and mentoring co-lead for The Diana Initiative. Ean has spoken at BSides Orlando, BSides Tampa, and InfoSec World. He has been a panelist at ISC2 Congress, Department of Homeland Security – Corporate Security Symposium, and the upcoming Synapse Summit 2021. He also runs workshops such as Advanced Cubicles & Compromises, which is a tabletop incident response workshop for Wild West Hackin’ Fest. In 2019 Ean competed in the Social Engineering Capture The Flag at Defcon 27 where he took 5th place. Ean holds a CISSP, EC-Council – CEH, and an MS in Cybersecurity and Information Assurance.

You can find him at https://www.eanmeyer.com – Twitter @eanmeyer – LinkedIn @eanmeyer

Thurs 7:00PM 8:00PM Hiring Happy Hour Josh Mason & Kip Boyle Coast Ballroom Track 2
Thurs 7:00PM 8:00PM Talkin’ Bout News BHIS & Friends Talk Pacific C/D Track 3
Fri 6:45AM 7:45AM Run with BHIS Hotel Front Entrance
Fri 7:30PM 4:00PM Registration Registration Foyer
Fri 7:45AM 8:30AM Yoga with Christine Loma Vista Terrace
Fri 9:00AM 9:50AM Are we really making a difference? Dan DeCloss Talk Pacific A/B Track 1 Attacks persist and stocks don’t seem to be affected. Attacks persist and rarely is there accountability. So one has to raise the question as to whether what we’re doing is really making a difference? Why do we put all of this effort into what feels like a losing battle? This talk will explore feelings of futility in cybersecurity and ask the hard questions we know deep down we all have. We’ll explore why now is more important than ever to understand why we’re doing what we’re doing, how to stay focused on the right priorities, and collaborate better than ever. Dan DeCloss is the Founder and CEO of PlexTrac and has over 17 years of experience in Cybersecurity. Dan started his career in the Department of Defense and then moved on to the private sector where he worked for various companies including Telos, Veracode, Mayo Clinic, and Anthem. Dan’s background is in application security and penetration testing, involving hacking networks, websites, and mobile applications for clients. Prior to PlexTrac, Dan was the Director of Cybersecurity for Scentsy where he and his team built the security program out of its infancy into a best-in-class program. Dan has a master’s degree in Computer Science from the Naval Postgraduate School with an emphasis in Information Security. Additionally, Dan holds the OSCP and CISSP certifications. Dan has a passion for helping everyone understand cybersecurity at a practical level, ensuring that focus is on the right work to reduce risk. Dan can be reached on LinkedIn at https://www.linkedin.com/in/ddecloss/ or on Twitter @wh33lhouse.
Fri 9:00AM 9:50AM Attacking and Defending Azure with BloodHound Andy Robbins Talk Coast Ballroom Track 2 There’s no two ways about it: Azure is a confusing and complex collection of intertwined systems. Finding attack paths in Azure by hand is a frustrating, slow, and tedious process. Defending Azure against those same attack paths is almost impossible with the built-in tooling provided by Microsoft.

In this talk, I will demonstrate how to use BloodHound to find and analyze attack paths into, out of, and within the various Azure services, including Azure Active Directory and Azure Resource Manager. I’ll demonstrate some of the more interesting and common attack primitives you may find, and I’ll show how defenders can use the free and open source version of BloodHound to find and eliminate the most dangerous attack paths.

Andy Robbins (@_wald0) is one of the co-creators of BloodHound and is the Product Architect of BloodHound Enterprise at SpecterOps. Andy’s background is in red teaming and pentesting. Andy has written about Azure attack primitives on the SpecterOps blog, and spoken at and given training at conferences on Active Directory security.
Fri 9:00AM 4:00PM Capture The Flag hosted by MetaCTF MetaCTF CTF Foyer
Fri 9:00AM 4:00PM WWHF Hands-On Labs WWHF Labs Pacific C/D Track 3
Fri 9:00AM 4:00PM Vendor Booths Open Vendors Pacific C/D Track 3
Fri 9:00AM 4:00PM Escape Room Fun & Games Embarcadero
Fri 9:25AM 9:40AM Abusing MS SQL using SQLRecon Sanjiv Kawa Talk Pacific C/D Track 3 “What? Tool talk: https://github.com/skahwah/SQLRecon
Who is it for? Red Teamers and Penetration Testers
Why? Tool was developed to solve an operational problem while on engagement. No real .NET/C# MS SQL post-exploitation tool which is compatible with most C2 frameworks
How? Demonstrate common MS SQL configurations seen in enterprise networks (single, linked, double linked, etc), various access privileges, misconfigurations, abuse
Demonstrate why it is useful using a live demo against 2 – 4 common MS SQL configurations”
Sanjiv Kawa has over 10 years of experience performing offensive security assessments. Currently, Sanjiv performs threat intelligence led red teaming against mature and capable organizations at IBM X-Force Red. Sanjiv is an active member in the information security community. He has developed tools such as Wordsmith, presented at conferences, such as BSides and Wild West Hackin’ Fest and frequently contributes to projects on GitHub and VulnHub.
Fri 9:50AM 10:05AM Every Boring Problem Found in eBPF Rafael Ortiz aka Friday Talk Pacific C/D Track 3 This talk is about all the issues the Red Canary team ran into while implementing BPF as defenders, how we solved them, and how defenders can use BPF in their environments. In May 2021 I started diving into adding Berkeley Packet Filter (BPF) as a telemetry source for Red Canary’s Linux endpoint security agent. This work culminated in the release of several open source libraries, and many more lessons learned. I went through every PR, Jira ticket, and Slack message from the past six months to put together this list of BPF gotchas and their solutions. I hope to help defenders, developers, and researchers ramp up with BPF faster than I did. Friday (aka “Rafael Ortiz”) is a defensive security researcher with a background in biomedical engineering. They started their security career defending VoIP systems for a telemedicine DoD subcontractor before joining Telefonica’s cybersecurity division as a security specialist and researcher. Their past research projects focused on privacy and security in areas such as mobile devices, industrial control systems, and identity. Rafael’s work on Red Canary’s research and development (R&D) team focuses on finding and developing new ways to protect customers.
Fri 10:00AM 10:50AM What happened to the “Cyber War” Destruction Predictions? Dave Kennedy Talk Pacific A/B Track 1 X Shields up! Red alert! Attacks imminent. Wait, just kidding. It seems that with every cycle around war or heightened tensions there is an elevated risk and cause for concern about adversaries conducting offensive operations. This talk dives into the capabilities of various advanced adversaries and why we don’t see the large-scale destruction that is often promised when heightened tensions occur. Cyber warfare is complex in nature, requires ample time for planning, and is definitely something that many countries lack the capability to conduct as a kinetic military extension. Offensive capabilities aren’t as easy as they were portrayed in Mr. Robot. A few strokes of the keyboard bringing the power grid to its knees is a fantasy, although possible. This talk dives into various patterns we’ve seen in the past, and what’s on the horizon in cyber warfare. David Kennedy is founder of Binary Defense and TrustedSec. Both organizations focus on the betterment of the security industry. David also served on the board of directors for the ISC2 organization. David was the former CSO for Diebold Incorporated, where he ran the entire INFOSEC program. David is a co-author of the book “Metasploit: The Penetration Testers Guide”, the creator of the Social-Engineer Toolkit (SET), Artillery, Unicorn, PenTesters Framework, and several popular open source tools. David has been interviewed by several news organizations including CNN, Fox News, MSNBC, CNBC, Katie Couric, and BBC World News. David is the co-host of the social-engineer podcast and on several additional podcasts. David has testified in front of Congress on two occasions on the security around government websites. David is one of the founding authors of the Penetration Testing Execution Standard (PTES), a framework designed to fix the penetration testing industry.
David was the co-founder of DerbyCon, a large-scale conference started in Louisville, Kentucky. Prior to the private sector, David worked for the United States Marine Corps and deployed to Iraq twice for intelligence related missions.
Fri 10:00AM 10:50AM Hunting for Windows “Features” and How To Use Them Chris Spehn Talk Coast Ballroom Track 2 Offensive security professionals have been using Frida for analyzing iOS and Android mobile applications. However, there has been minimal usage of Frida for desktop operating systems such as Windows. Frida is described by its author as a “Dynamic instrumentation toolkit for developers, reverse-engineers, and security researchers.” From a security research and adversarial simulation perspective, Frida can be used to identify MITRE ATT&CK technique T1574.002, also known as dynamic-link library (DLL) sideloading. Frida is not limited to identifying DLL sideloading. It can also identify MITRE ATT&CK technique T1546.015, also known as Component Object Model (COM) hijacking. This presentation will review DLL sideloading, and how attackers and offensive security professionals can identify potential DLL sideloading opportunities using X-Force Red’s proof-of-concept Frida tool Windows Feature Hunter (WFH). “Chris Spehn is a member of the X-Force Red Adversary Simulation team at IBM. Throughout his career, he has worn many hats working on diverse projects to provide public and private sector clients assurance around the security posture of their products and infrastructure. Such assessments included External and Internal Penetration Tests, and Adversary Simulation engagements.

Previously, Chris worked both in offense and defense. He started his career working for Discover doing penetration testing. After that, Chris was a Security Researcher for Trustwave SpiderLabs. Chris also did contracting for MasterCard performing penetration tests. Chris’ most recent role before joining IBM was at FireEye Mandiant, where he was a Principal Proactive Security Consultant specializing in conducting Adversary Simulation exercises, and Penetration Testing engagements for Fortune 500 clients across multiple industry sectors.”

Fri 10:00AM 12:00PM Hacking and Defending Kubernetes, Hands On! Jay Beale Workshop Harborside Room Get a hands-on introduction to attacking and defending Kubernetes (k8s)! Remotely controlling a Kali Linux system, you’ll attack a new capture-the-flag scenario in the open-source Bust-a-Kube Kubernetes cluster. Once you’ve busted your way to cluster admin, you’ll use your access to harden the cluster and block your attack. Come get some direct experience with Kubernetes security!

This workshop doesn’t require you to have any experience with containers or Kubernetes. It is accessible to anyone comfortable with a Linux command line.

Jay Beale works on Kubernetes and cloud native security, both as a professional threat actor and as a member of the Kubernetes project, where he previously co-led the Security Audit working group. He’s the architect of the Peirates attack tool for Kubernetes, as well as of the @BustaKube Kubernetes CTF cluster. He created Bastille Linux and the CIS Linux scoring tool, used by hundreds of thousands. Since 2000, he has led training classes on Linux & Kubernetes security at the Black Hat, RSA, CanSecWest, and IDG conferences. An author and speaker, Beale has contributed to nine books, two columns, and over 100 public talks. He is CEO and CTO of the infosec consulting company InGuardians.
Fri 10:00AM 12:00PM Social Engineering for Introverts (In-person Only) Ed Miro Workshop Porthole “Are you shy? An introvert? Join us and break out of your shell with structured, safe and gradual exposure to social interaction in our 2 hour in-person workshop. Learn and practice practical social skills, find your voice and make friends. Fully interactive, learn while having fun, and includes 1-on-1 sessions/small groups. Ed Miro is a cyber security instructor at multiple community colleges, Antisyphon InfoSec Training, and for his own company Miro Labs. He specializes in leadership, professional development and social engineering. Ed is also the Tabletop Simulator Mod Architect for Backdoors & Breaches.
Fri 10:15AM 10:30AM A Tale Of Two Strands Graham Helton Talk Pacific C/D Track 3 In early 2021 I took a training class by John Strand. In that class, John mentioned the existence of another individual also named John Strand who happened to be a male model that made some questionable decisions. I made an offhanded comment that it would be great if I could get this model to sign John’s book “Offensive Counter Measures: The Art of Active Defense”. John saw this comment and explained that one of his most prized possessions was the book “The Pursuit and Capture of Kevin Mitnick” signed by Kevin Mitnick. How hilarious would it be if I could somehow convince male model John Strand to sign the cyber security book written by John Strand of Black Hills Information Security? There was only one problem. When you google “John Strand” the only results you get are cyber security related articles; this could make your modeling career very difficult to get off the ground no matter how many shirtless photo shoots you do in abandoned train yards. This (understandably) did not make our model friend very fond of John, so getting him to actually sign a book by his more popular doppelgänger would be nearly impossible. Luckily for us, we work in an industry where doing the impossible is typically in the job description. This is the story of how I got John Strand his own book signed by male model John Strand. My name is Graham Helton, I am a penetration tester, security researcher, and an avid user of Linux and Vim. I will absolutely tell you about them if you give me the chance. I graduated in May of 2021 with a Bachelor’s in Cyber Security along with a plethora of certifications but learned more from listening to Darknet Diaries and hacking video games than I did from my degree. Ironically, I am currently pursuing my Master of Science in Information Security Engineering from SANS. During my senior year of college I began working as a penetration tester.
I have experience in penetration testing both external and internal networks, web applications, and cloud environments. I also teach practical phishing assessments for TCM-Academy which relies heavily on creating a believable pretext for socially engineering people to click a link during phishing engagements. I have been blogging about various penetration testing and security related topics on my website www.grahamhelton.com for nearly two years and spend entirely too much time on infosec twitter.
Fri 10:40AM 10:55AM Smuggling Botnet C2 Through Users’ Browser Matthew Bernath Talk Pacific C/D Track 3 Command and control (C2) infrastructure is vital to the operation of botnets, and their operators take active measures to prevent its discovery. In this presentation, I demonstrate that an attacker could leverage public advertisement services to obfuscate the source of their command and control servers by co-opting web users’ browsers to smuggle data.

My colleagues and I created a system that garners unaware users that could provide the means to proxy information on behalf of a botnet using permissive web protocols. By deploying ads on the web and collecting real-world user data, further refined by traffic simulation, we showcase the practicality and feasibility of such an attack scenario. Our work shows that a reliable, difficult to trace communication tunnel can be created with ad-based peers at a minimal cost. In doing so, we highlight some of the issues with how browsers handle protocols like WebRTC and the lack of scrutiny on ads by many advertisement networks.

Matthew Bernath is a reverse engineer and vulnerability researcher at Caesar Creek Software in Dayton, Ohio. In his work, he specializes in embedded Linux systems and has a personal interest in black-box fuzzing. He also is an avid CTF player and teaches cybersecurity to students at the University of Michigan.
Fri 11:00AM 11:50AM Cybersecurity Cannot Ignore Climate Change Chloe Messdaghi Talk Pacific A/B Track 1 X Our planet has hit a tipping point past which we can never have the planet reverse the damage that humans have caused. We can no longer use the wait-and-see strategy; it’s time our industry acknowledges the negative impact we have on the planet and starts making changes to combat climate change. In this talk, I address where we stand in climate change, how our industry is contributing to the problem, why we should care, and what every single company in our industry can do to cut down on emissions and become part of the growing community making sure that this planet has a future beyond our generations. Chloé Messdaghi is the Founder and Principal at Impactive Consulting, a management consulting firm that helps businesses unlock opportunities to enhance trust, mitigate risk, and become purpose-driven. For over ten years, she has advised and developed impactful solutions that drive growth and innovation while transforming businesses to become resilient. Chloé is a public speaker at major conferences and a trusted source for national and sector reporters and editors, and her research, op-eds, and commentary have been featured in numerous outlets, from Forbes and Business Insider to Bloomberg and TechRepublic. Her work has earned her many distinctions, including being listed as one of Business Insider’s 50 Power Players. Chloé continues to roll up her sleeves for many projects, such as co-founding We Open Tech and the Open Tech Pledge project to help increase opportunities and representation of marginalized persons in cybersecurity and tech. In addition, she provides an advice column for Ask Chloé on Security Boulevard, and hosts ITSP Magazine’s The Changemaking Podcast.
Fri 11:00AM 11:50AM When OSINT met Privacy Mishaal Khan Talk Coast Ballroom Track 2 Manage Your Online Existence and control your narrative.

Most of us want a balance: our private lives only to be known by a few people and our public image to be the best possible version of ourselves.
Are we doing anything to make that happen or are we leaving it up to internet algorithms to decide?

The balance should tip in your favor, not those who profit from it or misuse it.

I’ll walk you through my story from spreading my own data to managing my online privacy while controlling my narrative and how you can do it too.

You will learn to OSINT yourself, scrub yourself from the internet, carefully deal with the exposure of your data, and take proactive steps to control your image online.

Warning: You may see some extreme OSINT and breached data, coupled with questionable disinformation tactics.

Mishaal uses his cybersecurity background and OSINT skills to spread awareness, educate people and provide actionable next steps to help protect people and organizations from threats they may not be aware of.

He’s a virtual CISO, certified Ethical Hacker, Social Engineer, the 1st IntelTechniques Certified OSINT Professional, Privacy consultant, coder and a general problem solver.

Fri 11:00AM 11:15AM Kicking Imposter Syndrome to the Curb Elaine Harrison-Neukirch Talk Pacific C/D Track 3 “Overcoming the doubts and fears of “Imposter Syndrome” can be a challenge, but it’s not one we have to work through alone. With any challenge, there are obstacles to work through before completing successfully. By building support networks, having the faith and willingness to take those first steps, and possibly fail, Imposter Syndrome can be kicked to the curb.

What is Imposter Syndrome? How did I determine that I suffer from it? I became a victim of Imposter Syndrome as a child. It has stayed with me into my adult cybersecurity career. Once I realized I suffered from Imposter Syndrome, I identified ways to work toward “Kicking imposter syndrome” to the curb. These techniques included:
Taking advice and encouragement from my coworkers
Pushing myself out of my comfort zone
Realizing that I cannot know everything in cybersecurity and information tech
Understanding that failing does not mean I am any “less” than others in my network
Ignoring my self doubt

By working to get past my Imposter syndrome, I spoke at my first con in 2021 and have been less hesitant to submit CFPs to 2022 cons. I speak up more often at work and am more willing to put myself out there.

By sharing my journey with others, I hope that they will come to realize that they are not alone. Imposter Syndrome doesn’t have to be something that a person lives with.”

Elaine Harrison-Neukirch has over 10 years of experience in cyber security working in the healthcare and financial services industries. She currently runs the customer support program at SCYTHE. Elaine advocates for Women in Cybersecurity; she is a member of both Women in Cybersecurity and Women’s Society of Cyberjutsu. She is also Education Lead for CSNP.
Fri 11:25AM 11:40AM Should information be free? NFTs, Aaron Swartz, and Hacker Culture Kim Crawley Talk Pacific C/D Track 3 X NFTs are all the rage amongst certain groups in tech. You can’t spend long on Twitter, Instagram, or Facebook without stumbling upon one of those dreadful monkey pictures. Is it really a great way to get rich by buying digital art encoded into an Ethereum blockchain?

Kim explains the big mistake NFT inventor Anil Dash admitted to: a single blockchain record has the data capacity for a URL, but not for an actual graphic file. URLs for web-hosted graphics can easily be found through Google Images or by using View Source in your web browser. So does knowing a URL confer ownership? Absolutely not. Especially not if you don’t run the web server that hosts it.

Kim goes on to describe the secondary problems of the massive NFT scam: immense electricity consumption and related pollution through cryptomining, and why it’s so difficult and expensive to buy a PS5 or a new gaming laptop these days.

Hacker culture used to be about the free exchange of information. Hacker icon Aaron Swartz died for his cause to make knowledge freely available. Kim explains how, if Swartz were alive today to see the advent of NFTs, he’d be outraged. We should all be outraged.

Kim Crawley has been researching and writing about a variety of cybersecurity and hacker culture topics for almost fifteen years. She honed her craft through AT&T, BlackBerry, Venafi, and several other tech vendors. She appeared in 2600 Magazine twice. In the bookstore, she’s featured in the first volume of Tribe of Hackers by Marcus Carey and Jennifer Jin, she co-authored The Pentester Blueprint with Phillip Wylie, and she recently wrote 8 Steps to Better Security: A Simple Cyber Resilience Guide for Business as her first solo work. After managing Hack The Box’s blog, she now manages Synack’s blog. When Kim’s not working, she loves playing Japanese video games and being immersed in Toronto’s goth scene.
Fri 12:00PM 1:00PM Buffet Lunch for all Attendees Food Pacific Foyer Buffet style lunch provided for all in-person attendees.
Fri 12:00PM 12:30PM Vendor Brief – VMware Vendor Brief Pacific A/B Track 1
Fri 12:00PM 1:00PM Vulnerability analysis, you are (most likely) doing it wrong. John Strand and Bryson Bort Talk Pacific C/D Track 3 In this talk John and Bryson will talk about how companies fail to effectively tackle modern vulnerabilities.
Fri 12:00PM 2:00PM Intermediate Purple Team Workshop – Detection Engineering Chris Peacock & Shawn Edwards Workshop Harborside Room Chris is an Adversary Emulation – Detection Engineer at SCYTHE, specializing in Purple Team Exercises and Detection Engineering. His previous experience includes multiple roles such as Cyber Threat Intelligence Analyst, Cyber Threat Hunter, Tier 3 SOC Analyst, Incident Responder, Cyber Security Consultant, and Purple Team Lead. He previously worked at Raytheon Intelligence & Space as well as General Dynamics Ordnance and Tactical Systems. Additionally, he has experience in multiple industries, including Energy, Finance, Healthcare, Technology, and Defense. Current certifications include GCTI, GCFA, GCED, eJPT, and CSIS.
Fri 1:00PM 1:50PM Architecting for Ransomware Resilience Jake Williams Talk Pacific A/B Track 1 Ransomware continues to hit organizations of all sizes, and with the latest iterations, a more holistic approach is warranted. This session details ways to improve overall resilience, including:

* Unpacking different backup strategies (offline, immutable storage, data-only) and the advantages and drawbacks of each.
* Methods for monitoring and alerting on data theft (double extortion).
* Techniques for minimizing lateral movement.

Jake Williams, IANS Faculty and Executive Director of Cyber Threat Intelligence at SCYTHE, is a CTI professional, an incident responder, a breaker of software, and a former government hacker probably wanted by all the cool countries. Jake has spent decades in information security and many years consulting with clients in different verticals and across the globe to secure networks, investigate breaches, and ensure secure operations. Likes: threat modeling, application security, threat hunting, and reverse engineering. Dislikes: self-proclaimed thought leaders and anyone who needlessly adds blockchain to a solution that was operating perfectly well without it.
Fri 1:00PM 1:50PM Hacking Azure services for bounties and credentials Josh Magri Talk Coast Ballroom Track 2 As attackers, we often have to work with what we’re given. When we gain access to an Azure environment, we have to work with whatever services are in use. Sometimes we find ourselves with limited access to services where no public research is available. This talk will walk through real examinations of several Azure services. We will look at several evergreen techniques developed by the NetSPI team, and two privilege escalation bugs that resulted in bounties and fixes from Microsoft. Josh is a Security Consultant at NetSPI where his main focus is Azure testing, which includes contributing to the MicroBurst project, a collection of offensive security scripts for Azure. This entails researching and developing new tools and techniques for attacking Azure services. Josh got started in Azure with a course from BHIS, and has since authored several tools and blog posts about Azure penetration testing. Josh has previously worked as a penetration tester, a red teamer, and an application security consultant. He holds the GSEC, GCIH, GCFA, and OSCP certifications.
Fri 1:00PM 3:00PM Backdoors and Breaches Fun & Games Pacific C/D
Fri 1:00PM 3:30PM Résumé Writing & Mock Interviews Josh Mason and Kip Boyle Workshop Porthole
Fri 1:00PM 1:30PM Tool Demo – What a shell Dotfile can do for you! H. “Waldo” Grunenwald ToolShed Pacific C/D Track 3 In the DevOps world, much is made of automation and reducing friction. Despite this, few engineers that I’ve met take the fullest advantage of the closest point of friction: the humble terminal. For decades, terminals have been the most powerful tool in most engineers’ arsenals, and are well-automatable. It’s certainly not hard to improve your daily life, but I find that few people know about or explore the world of dotfiles. In this talk, I’ll show some ways that you can improve your daily life by reducing friction, saving time, being lazier, catching mistakes, and amusing yourself. Waldo is a Tech Evangelist for Datadog, which normally means that he gets to travel and meet people, and advocate on their behalf. He is a recovering SRE and Operations Engineer, has been active in the DevOps community for quite some time, and is keen on helping organizations stop hurting themselves. Despite being a raging introvert, he enjoys public speaking. In his spare time, he enjoys collecting hobbies that he doesn’t have the time to engage in. He hates writing about himself in the third person, and aspires to one day be a better bio writer.
Fri 1:30PM 2:00PM Tool Demo – Office 365 Federated User Enumeration Ellis Springe ToolShed Pacific C/D Track 3 A new technique for generic Office365 user enumeration for both Managed and Federated environments using correlated authentication response analysis. A response header in an authentication method leaks key information regarding the valid/invalid status of each user attempted. The issue is that each organization’s indicators seem to differ, which makes writing static indicator rules difficult. This tool will correlate known valid and invalid responses dynamically to generate a baseline, then test each unknown user against that baseline. I have been a penetration tester and red team operator for a little over two years. My primary focuses are Active Directory security and social engineering. In my spare time I develop tools and occasionally get outdoors.
Fri 2:00PM 2:50PM Nathan Sweaney Talk Pacific A/B Track 1 Nathan Sweaney is a Principal Security Consultant with Secure Ideas. He has a wide range of experience in networking, systems administration, and development spanning 18 years in IT and more than 10 in information security. Nathan has a considerable amount of experience with point-of-sale environments and managing compliance regulations such as PCI. He excels at finding practical, operationally feasible approaches for businesses to mitigate threats and minimize compliance obligations such as HIPAA and PCI.

Nathan regularly conducts security training, both publicly and privately, including secure coding techniques, network and application penetration testing, and more. He has spoken at security events such as DEFCON, BSidesLV, ShowMeCon, and the FBI’s Information Warfare Summit, as well as a wide variety of industry-specific events. He’s one of the core organizers of BSidesOK and serves on the board of directors for ISSA Oklahoma, OWASP® Tulsa, and the Hackers of Oklahoma Enterprises Syndicate.

He has held the GPEN, GWAPT, and GAWN certifications.

Fri 2:00PM 2:50PM Sustainable Phisheries: Preventing Disease in Farm Raised Phishing Ean Meyer Talk Coast Ballroom Track 2 In a follow-up to the talk Ethical Phisheries, we will discuss what can be done with data collected during an ethical phishing campaign. Ethical phishing campaigns attempt to remove fear, uncertainty, and doubt (FUD) from phishing exercise lures. FUD often leads to bad outcomes in phishing exercises, including a distrust of security teams by the people they are trying to protect. In an ethical phishing exercise the goal is testing email controls, not necessarily people. What rules can be created or improved? How do you make other teams at your company into security champions? Phishing emails delivered, opened, and links clicked are where many phishing exercises begin and end. To gain real value from a phishing operation we need to look at more than whether a target was “caught” and instead ask “how did the bait get there in the first place?” This talk will look at common phishing emails that cause issues, how to build better phishing pretexts, and how to incorporate what you learn from your ethical phishing exercise into a sustainable phishing program that continuously protects your organization. Ean Meyer is an Associate Director of Security Assurance for a multi-billion-dollar global resort company. When not working with large enterprises he can be found at Full Sail University teaching the next generation about information security and risk management as a Course Director in the IT and Cybersecurity programs. He is also the President of BSides Orlando and mentoring co-lead for The Diana Initiative.

Ean has spoken at BSides Orlando, BSides Tampa, and InfoSec World. He has been a panelist at ISC2 Congress, Department of Homeland Security – Corporate Security Symposium, and the upcoming Synapse Summit 2021. He also runs workshops such as Advanced Cubicles & Compromises, which is a tabletop incident response workshop for Wild West Hackin’ Fest. In 2019 Ean competed in the Social Engineering Capture The Flag at Defcon 27 where he took 5th place.

Ean holds a CISSP, EC-Council – CEH, and an MS in Cybersecurity and Information Assurance

You can find him at https://www.eanmeyer.com – Twitter @eanmeyer – LinkedIn @eanmeyer

Fri 2:00PM 4:00PM Advanced Passive DNS Search Techniques for Cyber Investigations Daniel Schwalbe & Kelly Molloy Workshop Harborside Room In this hands-on workshop, DomainTools CISO Daniel Schwalbe and Director of Network Development Kelly Molloy will build on the search techniques introduced in the “Threat Hunting using Active and Passive DNS” class and will expand the query complexity to include advanced regular expression patterns, globbing, and searching of “lesser known” Resource Record Types such as SOA and TXT.

Requirements to participate:
-Laptop, Internet access
-Familiarity with basic passive DNS Search concepts, or participation in the previous day’s “Threat Hunting using Active and Passive” workshop
-DNSDB API Key (will be provided day of the event)
-DNSDB Scout Web Edition: https://scout.dnsdb.info/
-dnsdbq install from https://github.com/dnsdb/dnsdbq
-dnsdbflex install from https://github.com/farsightsec/dnsdbflex

Daniel and Eric will provide free access to DNSDB, our passive DNS tool, along with command line (dnsdbq and dnsdbflex) and web (DNSDB Scout) tools for the class and for 30-days following the conference so attendees can visualize how the tool will work within their own environments.

DNSDB is a historical passive DNS database that contains Internet history data that goes back to 2010. A DNSDB API Key will be sent to registered attendees prior to the Workshop.

DomainTools, the leader in domain name and DNS-based cyber threat intelligence, has acquired Farsight Security, a leader in DNS intelligence and passive DNS cyber security data solutions. The acquisition comes as a natural extension of both companies’ long-standing partnership to deliver Farsight’s market-leading passive DNS data via the DomainTools Iris investigation platform to assess risk, map attacker infrastructure, and rapidly increase visibility and context on threats. Farsight’s market leading DNS observation data combined with DomainTools best-in-class active DNS data gives customers the earliest and most comprehensive look into threats emerging outside their network.

Fri 2:00PM 2:30PM Tool Demo – HackThisAI Joseph Lucas ToolShed Pacific C/D Track 3 HackThisAI is a series of capture the flag (CTF) challenges to educate and train adversarial machine learning techniques. CTFs are a common way information security professionals learn new skills and compete across the community. Challenges are categorized so that players can focus on specific topics. The HackThisAI challenges should be approachable for new data scientists, machine learning engineers, and traditional infosec professionals, but progress in difficulty to the point where they require combinations of advanced techniques and creative approaches. Often, you’ll see adversarial machine learning tasks classified into these buckets. It’s a useful framework for bringing an adversarial mindset to AI/ML products, but remember that these tasks are not mutually exclusive. Complex objectives may require combinations of methods that traditionally belong in these categories.

1. Evade the model. Can you evade or fool the model?
2. Influence the model. Can you change how the model operates?
3. Steal the model. Can you steal, extract, or invert the model?
4. Infer membership. Was this data point used in the model training process?

Joe Lucas likes to operate at the intersection of data science and traditional information security. With a traditional math background, he learned to hack in the military before pivoting between data science and offensive security jobs as a civilian.
Fri 2:30PM 3:00PM Tool Demo – atomic-operator Josh Rickard ToolShed Pacific C/D Track 3 atomic-operator enables security professionals to test their detection and defensive capabilities against prescribed techniques defined within atomic-red-team. By utilizing a testing framework such as atomic-operator, you can identify both your defensive capabilities as well as gaps in defensive coverage. Josh Rickard is a Security Solutions Architect at Swimlane focused on automating everyday processes in business and security. He is an expert in PowerShell and Python, and has presented at multiple conferences including DerbyCon, ShowMeCon, BlackHat Arsenal, CircleCityCon, Hacker Halted, and numerous BSides. In 2019, Josh was awarded an SC Media Reboot Leadership Award in the Influencer category and is featured in the Tribe of Hackers: Blue Team book. You can find information about open-source projects that Josh creates on GitHub at https://github.com/MSAdministrator
Fri 3:00PM 3:50PM Introduction to ATM Penetration Testing Hector Cuevas Cruz Talk Pacific A/B Track 1 ATM attacks will not stop anytime soon: ATMs are an attractive target for cyber-criminals, and financial institutions need skilled pentesters to test their ATM security. Nevertheless, not many pentesters have the experience, due to the lack of available information.

This presentation aims to be an introduction to ATM penetration testing that could guide security consultants on how to effectively perform an assessment. As attractive as it sounds, a financial institution doesn’t get much value from jackpotting their ATMs; there is a wide variety of variables that come into play and that a pentester should review.

I’ve worked as an Offensive Security Consultant, Forensic Analyst and Threat Hunter for some of the most renowned security companies in the industry, such as SpiderLabs and BishopFox, where I have specialized in Red teaming, Digital Forensics and Incident Response.

For the last 5 years I’ve focused on ATM security, responding to several ATM security incidents, doing forensic artifacts research, performing ATM offensive engagements and forensic analysis, and finding ATM malware. I have presented at security conferences such as DEFCON, Ekoparty and 8.8.

Fri 3:00PM 3:50PM Being A Better Defender By Channeling Your Worst Adversary: Lessons Learned Building Adversary Emulations John Stoner Talk Coast Ballroom Track 2 My background is on the defensive side, blue team, but I always had an interest in the red team side of things. After taking SANS Incident Handling 504 back in 2006, who wouldn’t?

Over the past five years, I have either built or assisted with building adversary emulations using techniques that adversary groups from around the world utilize. Why? To help blue teamers identify threats and use their tool sets more effectively, as well as demonstrate the value of certain data sets and techniques that can be applied everyday. I’ve been the adversary and I will share with you my experiences, lessons learned, pitfalls that I have encountered and share guidance that may help you as you contemplate if adversary emulation is something that your blue team would benefit from.

Attendees will come away with a better understanding of where scenario-based adversary emulation fits, how to focus your efforts to ensure that everyone is getting something out of it, guidance on data sets, and ideas around where to start when building your scenarios.

Finally, links to existing data sets that we have created will be provided so if you want to see what we produced and use them to improve your own hunting and detection, you can!

John Stoner is a Principal Security Strategist at Splunk. In his current role, he leverages his experience to educate and improve users’ capabilities in Security Operations, Threat Hunting, Incident Response and Threat Intelligence. He has authored multiple hands-on workshops that focus on enhancing these specific security skills. His writings can be found on Splunk blogs, most notably in the Hunting with Splunk: The Basics and Dear Buttercup: The Security Letters series. John developed and maintains a Splunk application that drives greater situational awareness and streamlines investigations and assists in steering the BOTS ship. He enjoys problem solving, writing and educating. John has presented at various industry symposia including BSides, FIRST, DefCon Packet Hacking Village and SANS and has briefed members of the US Congress and other senior government leaders on the threat landscape. When not doing cyber things, John enjoys reading or binge-watching TV series that everyone else has already seen. During the fall and winter, you can find him driving his boys to hockey rinks across the northeastern United States. John also enjoys listening to, as his teammates call it, “80s sad-timey music”.
Fri 3:00PM 3:30PM Tool Demo – Warhorse Ralph May ToolShed Pacific C/D Track 3 Warhorse is an infrastructure automation toolkit that can deploy virtual machines in different cloud providers to perform security assessments. Warhorse is a full-stack infrastructure automation toolkit. It will deploy a virtual machine, set up DNS, configure the operating system, and install and configure all the applications. In addition, Warhorse is fully modular, and adding software or features to your stack is part of the design. Warhorse uses Ansible and Terraform to accomplish this automation but abstracts these software tools from the user and allows configuration through a single YAML file. With Warhorse, you can design a deployment in a single YAML file for a type of security engagement. Initially, Warhorse includes examples for both a C2 deployment and a Phishing deployment. While these are two target use cases, the possibilities are truly endless, and more examples will be added. Lastly, Warhorse will target three cloud providers for deployments: AWS, Digital Ocean, and Azure; more will be added as the project matures. Ralph May is a penetration tester and security analyst for Black Hills Information Security. Ralph joined the BHIS team in 2020. Before joining BHIS, Ralph worked for a competing firm as a penetration tester for five years. Ralph has delivered on a diverse set of engagements, including advanced adversary simulations, physical engagements, and advanced hybrid cloud penetration tests. Ralph is extremely active in the security community, speaking at multiple conferences and contributing to numerous open-source security tools. Ralph is a US Army veteran, having worked directly under the United States Special Operations Command as a soldier and civilian on many different information security challenges and threat actor simulations.
Fri 4:00PM 4:50PM IoT Exposed Data – A Goldmine for cyber crime and nation-states. Jeremiah Fowler Talk Pacific A/B Track 1 An American security researcher living in Ukraine who has discovered millions of exposed records online discusses the risks and common causes of a data breach, with real-world examples involving well-known companies. Jeremiah Fowler is a Security Researcher and co-founder of Security Discovery. After 8 years in the software industry, Jeremiah began his career in security research in 2015 and has a mission of data protection. He has helped identify and secure the data of millions of people around the world. In 2020 he discovered 2 of the top 10 biggest data breaches of the year. His discoveries have been covered in Forbes, BBC, Gizmodo, among others.
Fri 5:00PM 5:15PM Closing & Awards John Strand Awards Pacific A/B Track 1
Fri 6:00PM 10:00PM Dinner on the USS Midway Food USS Midway For in-person attendees, your ticket includes dinner and Open Mic Night on the USS Midway. Bring your favorite instrument, singing voice and appetite! This will be an evening to relax and enjoy.
Fri 6:00PM 10:00PM Open Mic Night Fun & Games USS Midway For in-person attendees, your ticket includes dinner and Open Mic Night on the USS Midway. Bring your favorite instrument, singing voice and appetite! This will be an evening to relax and enjoy.