Registration for in-person attendees will occur in the Nugget foyer and will open at 4PM PT on Wednesday, 7:30AM PT on Thursday, and 9AM PT on Friday.
Please note that this conference schedule is subject to change. If you’re viewing this schedule from a desktop, you can hold shift and click on multiple columns to sort them at the same time. All times below are in Pacific Time (PT).
Virtual attendees will be able to watch Track 1, Track 2, keynote presentations, and the Toolshed as well as be able to participate in workshops, an Escape Room, the virtual Backdoors & Breaches tournament, and the MetaCTF Capture the Flag event. Don’t forget that we’ll have a private server set up for all conference attendees, but especially for virtual attendees.
|Day||Start||End||Title||Presenter(s)||Type||Location||Track||Virtual Presenter(s)||Abstract/Description||Presenter Bio(s)|
|Weds||5PM||5:50PM||Gazing Long Enough into an Abyss||Paul Vixie||Keynote||Nugget 1||Track 1||During 2020, the Internet faced significant threats not only from criminals and nation-states but also from legitimate businesses looking to consolidate their online power. The pandemic, with its severe impact on the global economy, now has accelerated both lines of threats. In this presentation, Internet Pioneer Dr. Paul Vixie will examine what’s at stake for today’s unsuspecting users and outline the steps CISOs can take to prepare and better protect their organizations.||Dr. Vixie previously served as President, Chairman and Founder of Internet Systems Consortium (ISC), as President of MAPS, PAIX and MIBH, as CTO of Abovenet/MFN, and on the board of several for-profit and non-profit companies. He served on the ARIN Board of Trustees from 2005 to 2013, and as Chairman in 2008 and 2009. Vixie was a founding member of ICANN Root Server System Advisory Committee (RSSAC, current) and ICANN Security and Stability Advisory Committee (SSAC, until 2014). He is the author or co-author of a dozen or so RFCs, mostly on DNS and related topics, and of Sendmail: Theory and Practice (Digital Press, 1994). He earned his Ph.D. from Keio University for work related to the Internet Domain Name System (DNS and DNSSEC), and was inducted into the Internet Hall of Fame in 2014.|
|Weds||6PM||6:30PM||The Ultimate Secure Coding Throwdown – Presentation||Noah Stapleton||Presentation||Nugget 1||Track 1||x||Noah Stapleton is an Enterprise Sales Executive for Secure Code Warrior. Secure Code Warrior is a global software security company with a mission to make software development more secure for our clients using an interactive, gamified training platform. After 12 years in the financial services industry, he transitioned into the technology sector where he has helped organizations diagnose complex business requirements and implement new solutions to help hit target KPIs and advance an organization’s goals.|
|Weds||6PM||3PM on Fri (6/18)||The Ultimate Secure Coding Throwdown – Continuous Tournament||Tournament||Nugget 1||Wild West Hacking Fest – Way West + Secure Coding Tournament
When: June 16th, 6:00PM PT – June 18th, 3:00PM PT
Secure Code Warrior brings you a defensive security-based tournament from a developer’s perspective. The tournament allows you to test your skill against the other participants in a series of vulnerable code challenges that ask you to identify a problem, locate insecure code, and fix a vulnerability. You don’t need extensive programming knowledge as this will be a great way to learn the foundations and intermediates of leveraging code that is not only functional but is also secure.
You can find the tournament step-by-step guide here: https://youtu.be/o8XhKK_eOOs
The tournament is run virtually so you can join through your laptop from the most convenient location and time. It should take only a few hours, drop-in as you see fit during the duration of the event to complete all the challenges and win prizes!
Instructions for playing:
1) Register for the Secure Code Warrior platform here: https://discover.securecodewarrior.com/WildWayWest-tournament.html
2) Check your email for the confirmation and access the unique link to create your profile.
3) Once logged in: click “Tournaments”
4) Join the Way West Secure Coding Tournament
The Secure Code Warrior platform will be open before and after the tournament, so feel free to practice in the “Training” tab.
|Weds||6:30PM||7:20PM||Kubernetes Attack and Defense: Real Genius Edition||Jay Beale||Talk||Nugget 1||Track 1||In this talk, we’ll demonstrate Kubernetes and public cloud attacks, attacking a multi-cluster scenario themed on the movie “Real Genius.” We’ll discuss multiple defenses available to every Kubernetes and AWS user. In part of the attack path, we’ll use the open source Peirates tool. Come learn how to attack Kubernetes and break your attacks! You will learn about how to attack and avoid several “gotcha” configurations, where the cluster maintainer’s intent doesn’t match the attacker’s view of the defenses.||Jay Beale works on Kubernetes and cloud native security, both as a professional threat actor and as a member of the Kubernetes project, where he previously co-led the Security Audit working group. He’s the architect of the Peirates attack tool for Kubernetes, as well as of the @Bustakube Kubernetes CTF cluster. He created Bastille Linux and the CIS Linux scoring tool, used by hundreds of thousands. Since 2000, he has led training classes on Linux & Kubernetes security at the Black Hat, RSA, CanSecWest and IDG conferences. An author and speaker, Beale has contributed to nine books, two columns and over 100 public talks. He is CEO and CTO of the infosec consulting company InGuardians.|
|Weds||7PM||8PM||Getting Started with Atomic Red Team||Darin Roberts, Carrie Roberts||Workshop||Redwood 6||x||Emulate adversaries with the Atomic Red Team library of scripted cyber attacks. These scripted attacks, called atomic tests, will help you better understand the attack techniques defined in the MITRE ATT&CK framework and can be used to build and validate your defenses. Join Carrie and Darin Roberts for a one-hour introduction to Atomic Red Team followed by two hours of access to hands-on labs where you will be able to execute atomic tests.
For the labs, all attendees will be provided with a virtual machine in the cloud, so you’ll just need to be able to make a remote desktop connection to an IP address on the internet.
|Carrie Roberts is a web application developer, turned pentester, turned red teamer, turned blue. She loves to learn and give back to the community. She is currently one of the primary Atomic Red Team project maintainers and developers and has developed many of her own open source tools including the Domain Password Audit Tool (DPAT) and Slack Extract. She holds Master’s degrees in both Computer Science and Information Security Engineering. She has earned 12 GIAC certifications including the prestigious “Security Expert” (GSE) certification. She has spoken at numerous security conferences including DerbyCon and Wild West Hackin’ Fest, published many blog posts on topics ranging from social engineering to bypassing anti-virus, and contributed new research on the VBA Stomping maldoc technique. Darin Roberts is a penetration tester, security analyst, and prolific blogger for Black Hills Information Security. He has completed several GIAC certifications, including GSEC, GCFE, GCIA, and GCIH. He has B.S. degrees in Computer Information Technology and Engineering and a Master’s degree in Teaching. He enjoys teaching and sharing his knowledge with others, especially through his 16-hour course on “Attack Emulation Tools: Atomic Red Team, CALDERA and More …” that he teaches on a regular basis through Wild West Hackin’ Fest Training.|
|Thurs||10AM||8:30PM||CTF||Capture the Flag||Sierra 3 & 4||The MetaCTF team is excited to run the WWHF Capture the Flag (CTF) competition for the fourth year in a row. While there will be plenty of hard problems for those looking for a challenge, the goal is for you to walk away with some new tools, techniques, and skills. The challenges will cover a variety of cybersecurity categories including web exploitation, forensics, binary exploitation, cryptography, and more. It’s a team event, so make sure to get some friends together or meet some new people at the conference! The CTF will start after the opening keynote on 6/17 and close in the afternoon on 6/18. Team size is up to four people. You will need to bring your own laptop (you may want to have a Kali virtual machine), but we will provide everything else.|
|Thurs||10AM||6:30PM||Labs||Labs||Sierra 1||Check out the labs for this conference here.|
|Thurs||8:45AM||9AM||Welcome||John Strand||Nugget 1||Track 1|
|Fri||12PM||1PM||Over-Played Hands: Detecting the Gang before the Ransom||Alissa Torres||Talk||Nugget 1||Track 1||Encryption attacks at the hands of ransomware gangs continue to skyrocket in prevalence, surging an estimated 150% in 2020. Ransomware is the budding industry of cybercrime, with RaaS (Ransomware as a Service) solutions offering affiliates various modes of extortion services to pressure victims to pay, from DDOS and data theft to print jobs and notification campaigns. An upswing for blue teams is that the more elaborate the attack, the more opportunities that security analysts (and their well-honed detection strategies) will have to intercede. Join Alissa to learn more about how defenders can get the upper hand with intense dive into commonalities of ransomware actors’ pre-encryption playbooks.||Alissa Torres is passionate about security operations and empowering analysts to thrive in SOC/IR/Hunt roles. She currently leads the Threat Intel team at Cigna and mentors individuals new to the field. Having taught as principal faculty for several pivotal cybersecurity institutions, Alissa is a frequent presenter at industry conferences. She has engaged hundreds of security professionals over the last 10 years in more than 12 countries, building a legion of artifact hunters who share a common affinity for threat response. Her advice to those looking to break into the field is “Dive with abandon into the perpetual pursuit of knowledge”.|
|Thurs||10AM||8PM||Escape Room||Fun & Games||Redwood 1||See if you can get all of the outlaws back in the saddle with this rigorous saloon training exercise! Can you crack the code before it cracks you? Will you break the bank before it breaks you? Come test your escape room expertise, in-person and virtual.|
|Fri||2PM||2:50PM||PASTA and OCTIVE and STRIDE, Oh My! Bringing Threat Modeling Out of the Woods||Alyssa Miller||Talk||Nugget 1||Track 1||Threat modeling is an extremely valuable tool in the secure software development pipeline. Some studies suggest it has greater impact on security posture than other more widely practiced security activities. There are many different frameworks, models, and methodologies that have been developed in an attempt to make threat modeling easier. Yet, despite these efforts, popular approaches to threat modeling are often still considered too cumbersome, structured, or time consuming to fit into modern development cycles. In 2020, a group of 15 security professional released the Threat Modeling Manifesto to formalize decades of combined experience into a declared vision of what threat modeling truly is and what makes it important. Learn from one of these authors about how to break with the complex models and return to the values and principles of what threat modeling should be. Discover how this often-over-looked activity can actually make development pipelines more efficient while improving overall security of software. Get real practical examples of how you can use the manifesto as a guide to define or tailor a methodology that fits your needs and avoid common pitfalls that often derail this critical activity.||Alyssa Miller is a life-long hacker, security advocate, and cyber security leader. She is the BISO for S&P Global ratings and has over 15 years experience in security roles. She is heavily involved in the cyber security community as an international speaker and author. Alyssa is a member of the WiCyS Racial Equity Committee, Chapter Leader for Women of Security (WoSEC), and board member for Blue Team Con and Circle City Con. Her views, research, and career journey have been featured in “Tribe of Hackers: Blue Team”, SC Magazine, Cybercrime Magazine, and various other media appearances.|
|Thurs||10AM||10:50AM||Huge Needles, Small Haystack: Recon Methods 101||Corey Overstreet||Talk||Nugget 2||Track 2||Ever wonder how attackers gather information on a target organization? Knowing where to look can uncover a wealth of information leading to a successful phish or first foothold. In this talk, I will cover different intelligence gathering techniques targeting an organization’s external services and staff all while leaving little to no trace of our actions.||Corey Overstreet is an experienced penetration tester and red team operator. He has been engaged with Fortune 500 organizations across a variety of industries, including financial services, government services, and healthcare. Additionally, he has over five years of systems administration and VMWare administration experience. He has participated as a member of the SECCDC Red Team from 2016 through 2019.|
|Thurs||10AM||12PM||Advanced Cubicles & Compromises||Ean Meyer||Workshop||Redwood 6||What makes a great tabletop exercise? Many organizations run a tabletop exercise to check a box for compliance standards but don’t maximize the value of the time spent. Often they don’t engage the audience or force them to think enough about the problem to find areas of improvement. Further, they assume their decisions will always work during the exercise. In this workshop, we will not only discuss how to build a tabletop exercise that addresses real risk for an organization but how to make it fun and engaging for teams at all levels of an organization. The workshop will introduce attendees to the Cubicles and Compromises format as well as add new advanced elements. You will create a company with a budget, controls, and limitations then test those controls against a current real-world issue. You’ll roll dice, things won’t go as planned, and you’ll learn to what makes for for a great tabletop exercise you can take back and use at your organization.||Ean Meyer is an Associate Director of Security Assurance for a multi-billion-dollar global resort company. When not working with large enterprises he can be found at Full Sail University teaching the next generation about information security and risk management as a Course Director in the IT and Cybersecurity programs. He is also the President of BSides Orlando and mentoring co-lead for The Diana Initiative.
Ean has spoken at BSides Orlando, BSides Tampa, and InfoSec World. He has been a panelist at ISC2 Congress, Department of Homeland Security – Corporate Security Symposium, and the upcoming Synapse Summit 2021. He also runs workshops such as Advanced Cubicles & Compromises, which is a tabletop incident response workshop for Wild West Hackin’ Fest. In 2019 Ean competed in the Social Engineering Capture The Flag at Defcon 27 where he took 5th place.
Ean holds a CISSP, EC-Council – CEH, and an MS in Cybersecurity and Information Assurance
You can find him at https://www.eanmeyer.com – Twitter @eanmeyer – LinkedIn @eanmeyer
|Thurs||11AM||11:50AM||Bouncing Off Clouds: Taking What O365 Gives You||Mike Saunders||Talk||Nugget 1||Track 1||Elevator pitch: Come learn how to (ab)use O365 for user enumeration and password spraying. The long story: Passwords are still the weakest link for most organizations. and identifying usernames is a critical component of password spraying. In this talk, Mike Saunders shares his methodology for reconnaissance techniques including user enumeration and password spraying via O365. His approach allows you to perform reconnaissance quickly and efficiently on infrastructure outside of your target’s control, leading to better results and longer evasion.||Mike Saunders has over 25 years of experience in IT and security and has worked in the ISP, financial, insurance, and agribusiness industries. He has held a variety of roles in his career including system and network administration, development, and security architect. Mike been performing penetration tests for nearly a decade. Mike is an experienced speaker, speaking at conferences such as DerbyCon, Circle City Con, regional BSides including Minneapolis , Kansas City, and Winnipeg, SANS Enterprise Summit, Wild West Hackin’ Fest, the NDSU Cyber Security Conference, and SANS and Red Siege webcasts. He has participated multiple times as a member of NCCCDC Red Team.|
|Thurs||5PM||5:50PM||Wrangling Security Events, a DIY Guide to Security Automation in the AWS Cloud||Andrew Krug||Talk||Nugget 1||Track 1||A look back at the last 5 years of cloud based incidents demonstrates a clear theme; organizations are not assuming breach in their design of cloud based architectures. Some common themes are access key compromises, overly permissive roles, and lack of attention to detections. When combined any two of these conditions create a security incident that is absolutely devastating for an organization, large or small. So, why aren’t they adopting cloud native technologies to secure their environments?
In the Palo Alto state of Cloud Native Security report from 2020, the company cited that many companies are spending as much on security tooling as they are on cloud based resources. The same report cited that the biggest gaps to close include training and inadequate tooling. Further, only “18% of companies felt as though they were adequately prepared to keep their cloud estates secure.”
Like so many problems the answer here is really socialization and integration of security with application development. Embedded security and leveling up developer security skills has been a trend over the last several years. But we’re not there yet. There is a definite need to make threat modeling a part of the software development lifecycle along with security automations to address the top threats.
|Andrew Krug is a Security Geek specializing in Cloud and Identity and Access Management. Krug brings 15 years experience at the intersection of security, education, and systems administration. As a fierce advocate for Open Source and founder of ThreatResponse tool suite, Andrew has helped inspire the landscape around forensics and incident response in the Cloud. Krug has been a presenter at a variety of conferences, publishing papers with BlackHat USA, DerbyCon, and many more.|
|Thurs||10AM||10:50AM||Designing an Offensive Strategy for Defense||David Kennedy||Talk||Nugget 1||Track 1||x||A number of organizations struggle with how to stay up-to-date with the latest attack vectors or changing tactics techniques and procedures (TTPs) from adversaries. This talk breaks down the misconceptions of offensive capabilities and how to best build a security program that can withstand the attacks we see today and for tomorrow. In this presentation, we’ll cover live demos of attack patterns and how these attacks evade commodity detections in EDR products and alike. Our goal is to look at the behavioral aspects around security, and how your organization is unique versus all others.||David Kennedy is founder of Binary Defense and TrustedSec. Both organizations focus on the betterment of the security industry. David also served as a board of director for the ISC2 organization. David was the former CSO for a Diebold Incorporated where he ran the entire INFOSEC program. David is a co-author of the book “Metasploit: The Penetration Testers Guide”, the creator of the Social-Engineer Toolkit (SET), Artillery, Unicorn, PenTesters Framework, and several popular open source tools. David has been interviewed by several news organizations including CNN, Fox News, MSNBC, CNBC, Katie Couric, and BBC World News. David is the co-host of the social-engineer podcast and on several additional podcasts. David has testified in front of Congress on two occasions on the security around government websites. David is one of the founding authors of the Penetration Testing Execution Standard (PTES); a framework designed to fix the penetration testing industry. David was the co-founder of DerbyCon, a large-scale conference started in Louisville, Kentucky. Prior to the private sector, David worked for the United States Marine Corps and deployed to Iraq twice for intelligence related missions.|
|Thurs||5PM||5:50PM||Cyber People Problems: Let’s Talk About the Lack of Diversity in InfoSec||Doug Brush||Talk||Nugget 2||Track 2||The cybersecurity industry is one of the fastest-growing industries on the planet. However, women represent only 20% of the workforce, with only 14% of women serving as CISOs at Fortune 500 companies. The numbers of people of color in our community are far fewer. Additionally, women and people of color are, on average, paid less than their white male counterparts. From entry-level analysts to CISOs, the infosec industry constantly tries to fill millions of open job requisitions. However, the problem is not a lack of candidates, but systemic issues in our recruiting, hiring, training, and retainment of talent, which disenfranchises women, people of color, the LBGTQ+ community, disabled, and neurodivergent security professionals. This talk examines the lack of diversity in the cybersecurity industry that marginalizes underrepresented groups of people at many levels and what we can do to be a more inclusive and diverse industry to fill open positions and increase infosec program success.||Douglas is an information security executive with over 27 years of entrepreneurship and professional technology experience. He is a globally recognized expert in cybersecurity, incident response, digital forensics, and information governance. In addition to serving as a CISO and leading enterprise security assessments, he has conducted hundreds of investigations involving hacking, data breaches, trade secret theft, employee misconduct, and various other legal and compliance issues. He also serves as a federally court-appointed Special Master and neutral expert in high-profile litigation matters involving privacy, security, and eDiscovery.
He is the founder and host of Cyber Security Interviews, a popular information security podcast.
Douglas is also committed to raising awareness about mental health, self-care, neurodiversity, and diversity, equity and inclusion, in the information security industry.
|Thurs||11AM||11:50AM||Offensive Azure Security||Sergey Chubarov||Talk||Nugget 2||Track 2||x||These days, working with a cloud platform is already commonplace. Companies choose Microsoft Azure for a number of benefits, including security. But there are some responsibility on the customer side and that’s may become weakest link in the chain. A demo-based session shows attacks on the weakest link in 3 scenarios: Hybrid Active Directory, Legacy VM-based application and Modern Application. The session includes: – Pentesting Azure AD Connect – Bypassing authentication & MFA – Getting control over Compute – Extracting secrets from Key Vault – Getting Access to App Service and Azure SQL Database – Exploring Azure Web App Firewall||Sergey Chubarov is a Security and Cloud Expert, Instructor with 15+ years’ experience on Microsoft technologies. His day-to-day job is to help companies securely embrace cloud technologies. He has certifications and recognitions such as Microsoft MVP: Microsoft Azure, Offensive Security Certified Professional (OSCP), Microsoft Certified Trainer, MCT Regional Lead, EC Council Instructor (CEI) and more. Frequent speaker on local and international conferences. Prefers live demos and cyberattacks simulations.|
|Thurs||1PM||3PM||Backdoors & Breaches Tourney||Fun & Games||Sierra 2|
|Thurs||1PM||2:30PM||How to Sell Security to C-Levels||Chris Brenton||Workshop||Redwood 6||Given that “security” is such a vital component to an organization’s success, why do so many security leaders have trouble getting upper management to properly fund security projects? I find this tends to be a translation issue. You are trying to speak Dothraki to a bunch of Klingons. In this talk, I’ll discuss how to position security within your organization so that it’s perceived as business enablement rather than cost overhead.||Chris has been a leader in the IT and security industry for over 20 years. He’s a published author of multiple security books and the primary author of the Cloud Security Alliance’s online training material. As a Fellow Instructor, Chris developed and delivered multiple courses for the SANS Institute. As an alumni of Y-Combinator, Chris has assisted multiple startups, helping them to improve their product security through continuous development, and identifying their product-market fit.|
|Thurs||1PM||1:50PM||Seeing the Forest Through the Trees – Foundations of Event Log Analysis||Jacob Williams||Talk||Nugget 2||Track 2||During an incident, everyone knows you need to review the logs – but what are they actually telling you? There’s a wealth of information to be had in your logs event logs, but most analysts miss the forest because they don’t understand the trees. In this talk, Jake will walk you through some of the most impactful event logs to focus on in your analysis. We’ll target some old favorites covering login events, service creation, and process execution. We’ll also examine task scheduler logs, useful in uncovering lateral movement and privilege escalation. Finally, we’ll discuss some of the new event logs available in Windows 10 (if only you enable them first). If you don’t want to be barking up the wrong tree during your next insider investigation or getting axed because you failed to identify the lateral movement attempts, make sure to attend this session. After all, you wooden want to be disappointed you missed out on puns about log analysis!||Jake Williams is an incident responder, red teamer, occasional vCISO, and prolific infosec shitposter. He has traveled the world, but isn’t welcome in China or Russia (and avoids most countries they have extradition treaties with). When not speaking at a conference like this one, it’s a good bet that Jake is engaged in hand to hand combat with an adversary rooted deep in a network or engineering ways to keep them out. Jake’s career in infosec started in the intelligence community, but has taken around the world securing networks of all shapes and sizes, from utilities to hospitals to manufacturing plants.|
|Thurs||2PM||2:50PM||Action is Eloquence – Bridging the True Cybersecurity Skills Gap||Kris Rides||Talk||Nugget 2||Track 2||We’ve been talking about a skills gap for years now. A global pandemic has had little if any effect on closing it and is going to make it tougher in the future this gap to be bridged. We need action, not social media posts. In this presentation you will leave with a list of things you can personally action to make a difference.||Kris is the CEO & Founder of Tiro Security a Cybersecurity staffing and professional services company. He is one of a handful of true subject matter experts in the US Cybersecurity recruiting market and is a regular speaker at events such as RSA, DEFCON, (ISC)2 Security Congress, Wild West hacking Fest, ShellCon and many more. Kris has spoken on all things Cybersecurity staffing for many of the cornerstones of our industry including ISACA, ISSA, Cloud Security Alliance, OWASP and (ISC)2.|
|Thurs||2:30PM||4:30PM||Using DNS Search for Cyberinvestigations||Paul Vixie||Workshop||Redwood 6||Every online interaction begins with a lookup in the Domain Name System (DNS), the backbone of the Internet. As a result, digital footprints are left behind in the DNS. During this hands-on workshop, Dr. Paul Vixie will show you how to search historical passive DNS, from searching simple keywords and substrings as small as several characters to using regular expression and globbing techniques, to more easily—and quickly—uncover previously unknown IP addresses and domain names and map related online infrastructure.
-Farsight DNSDB API Key
-DNSDB Scout Web Edition: https://scout.dnsdb.info/
-dnsdbq install from https://github.com/dnsdb/dnsdbq
-dnsdbflex install from https://github.com/farsightsec/dnsdbflex
Farsight will provide free access to its passive DNS tool, Farsight DNSDB, and its command line (dnsdbq and dnsdbflex) and web (DNSDB Scout) tools for the class as well as for 60-days following the conference so that attendees can use the tool in their own work environments. DNSDB is a historical passive DNS database that contains Internet history data that goes back to 2010. A DNSDB API Key will be sent to registered attendees prior to the workshop.
Basic knowledge of the Domain Name System (DNS) is helpful but not required.
|Dr. Vixie previously served as President, Chairman and Founder of Internet Systems Consortium (ISC), as President of MAPS, PAIX and MIBH, as CTO of Abovenet/MFN, and on the board of several for-profit and non-profit companies. He served on the ARIN Board of Trustees from 2005 to 2013, and as Chairman in 2008 and 2009. Vixie was a founding member of ICANN Root Server System Advisory Committee (RSSAC, current) and ICANN Security and Stability Advisory Committee (SSAC, until 2014). He is the author or co-author of a dozen or so RFCs, mostly on DNS and related topics, and of Sendmail: Theory and Practice (Digital Press, 1994). He earned his Ph.D. from Keio University for work related to the Internet Domain Name System (DNS and DNSSEC), and was inducted into the Internet Hall of Fame in 2014.|
|Fri||11AM||11:50AM||Why Developers Don’t Care about Security||Jamie Dicken||Talk||Nugget 1||Track 1||x||Security conversations with development teams don’t have to be an uphill battle. In this compelling session, we will discover the underlying challenges app teams face that cause them to seemingly dismiss security concerns, and we will collaboratively find solutions to those problems. To us as Information Security professionals, it can certainly feel like app teams don’t care about security. That seems clear in those moments when they proceed with a production deployment despite poor static code analysis results or when they hesitate to add a high-priority security remediation to the product roadmap. However, as a former software engineering manager, I have a different perspective. While I did sometimes postpone security endeavors or push for policy exceptions, I did care about security. The reality was that I faced extreme challenges that my InfoSec team did not see or understand. Now as an InfoSec leader myself, I realize there is a better way. We must understand the realities in which our app teams live so we can address their core concerns that cause them to push back on us. In this session, we will learn from my experiences on both sides of the table. There are ways we can partner effectively with application teams to achieve the business’s goals and keep the company safe, and together we will learn how.||Jamie Dicken is the Director of Security Assurance at Resilience. Formerly a software engineer and technical manager at two Fortune 15 healthcare companies, Jamie focused on designing, building, and delivering new features to the market. She now focuses on protecting systems like the ones she used to build.
Her professional passions include leading high-performing teams, executing on high-profile strategic initiatives, championing employee growth and development, and mentoring women in technology. Jamie has repeatedly served on internal Diversity, Equity, and Inclusion steering committees and leadership development programs for underrepresented minorities. Additionally, she has become a frequent speaker on security control validation, application security, and security culture.
Outside of work, Jamie has lots of adventures with her two mischievous little boys and amazingly supportive husband Chris. She enjoys spending time outdoors and experimenting with her hobbies of cooking and sewing.
|Thurs||3PM||3:50PM||Telecommuting Security Open Networks, Remote Workers, VPN, Oh My!||Lee Neely, Chelle Clements||Talk||Nugget 2||Track 2||With the increased use of remote work, and connecting to services from non-traditional locations, the security of those connections cannot be overlooked. We’ll be talking about the security of working from anytime anyplace, including security mitigations, such as a VPN, making sure devices are updated, accessing sensitive information from non-private locations, personal hotspot versus offered Wi-Fi and use of multi-factor authentication. All these factors increase the security of the actions performed; we will discuss avoiding a false sense of security. These precautions apply to both business and personal computing activities. This idea came about because we spend so much time online now, especially with telecommute, and as we started researching VPNs and whether or not to purchase one. VPNs advertise an extra layer of privacy / security. Is that true or is it a false sense of security? Are all VPNs created equal or are some better than others? What should we look for when purchasing a VPN? Besides regularly changing passwords, what are some other things that we can do to proactively protect our digital privacy and security? ||Lee Neely is a senior IT and security professional at LLNL with over 30 years of extensive experience with a wide variety of technology and applications from point implementations to enterprise solutions. He currently leads LLNL’s Entrust team and is the CSP lead for new technology adoption specializing in mobility. He teaches cyber security courses, and holds several security certifications including GMOB, GPEN, GWAPT, GAWN, GPYC, GEVA, CISSP, CISA, CISM and CRISC. He is also the past President for the ISC2 Eastbay Chapter, Treasurer of the Boise CSA Chapter, Member of the SANS NewsBites Editorial Board and SANS Analyst. You can keep up with Lee @lelandneely http://www.linkedin.com/in/leeneely/
Chelle touched her first computer in 1972 and has been fascinated with them ever since. She is an Army Veteran, one of the first women in the Corps of Engineers, and she has some great stories! She has an AAS in Envr Sci from NVCC (Northern VA), and a BS and an MS in Comp Sci from University of San Francisco. She spent 30-years at Lawrence Livermore Nat’l Lab as a researcher in three different fields (chemistry, physics and computer science). She currently supports several Veteran organizations with pro bono web development and until she relocated to Idaho served on the Livermore, CA art commission. Chelle’s ‘life-stretch’ since retirement is presenting and conducting cyber security workshops with her husband.
|Fri||3PM||3:50PM||Threat Hunting, Quick and Dirty:
S0/E1: Eewww! Zeek Ate a Worm Again! [recidivised]
|Jonathan Ham||Talk||Nugget 2||Track 2||Segmented worms (phylum Annelida, with tens of thousands of species) are truly ancient creatures, dating back to at least the early Cambrian Period — more than 500 million years ago! They continue to proliferate today, during the modern Internet Period, with new species emerging regularly.
In this recidivised episode, we explore the use of Zeek and other tools to rapidly facilitate our interest in “helminthology”: the study of parasitic worms. Our focus will be on foundational techniques that have stood the test of time, regardless of species.
[Note: This is Episode 4 of a series of Threat Hunts. The previous three are:
|Jonathan Ham is a network forensics and defensive cyber operations expert with more than two decades in the field. Jonathan literally wrote the book on network forensics (as well as the first mainstream instruction on the topic), based on his experience advising in both the public and private sectors, from small startups to the Fortune 50, the U.S. DoD across multiple forces, and several other U.S. federal agencies. As a Principal Instructor with the SANS Institute, he has instructed hundreds of students annually on network intrusion detection, security operations, and perimeter defense.|
|Thurs||4PM||4:50PM||Six Things No One [email protected]#$ing Told Me About Pentesting||Jason Downey||Talk||Nugget 2||Track 2||My first six months of pentesting was an absolute whirlwind. While I was fairly prepared for a lot of aspects of the job, there were several things that I wish someone had looked me in the face and told me before I signed up. This talk is geared to those that are looking to become a pentester or for those who are just starting and growing along with me.||Jason Downey has over ten years of IT professional experience, mostly in the healthcare industry. Jason has primarily served in network and network security roles with additional experience in systems administration. Jason actively attends all major cons and is an avid CTF player for many years.|
|Thurs||4:30PM||6:30PM||DDTTX – Playbook Perfection||Amanda Berlin, Jeremy Mio||Workshop||Redwood 6||DDTTX Playbook Perfection is an introductory playbook workshop. Playbooks are an important part of any information security program. They offer structure and realistic, flexible procedures to assist in almost any situation.
As a group we will review playbooks taken from other situations and cover best practices, do’s and do not’s, structure, and maintenance. We will also cover ways to successfully test playbooks by using different methods that can work in a variety of organizations and situations.
Participants are welcome to bring their own playbooks or example playbooks to the workshop as long as they do not contain any confidential information that may put them or their organization at risk.
|Amanda Berlin – (@infosystir) Amanda Berlin is a Lead Incident Detection Engineer for Blumira and the CEO and owner of the nonprofit corporation Mental Health Hackers. She is the author for a Blue Team best practices book called Defensive Security Handbook: Best Practices for Securing Infrastructure with Lee Brotherston through O’Reilly Media. She is a co-host on the Brakeing Down Security podcast and writes for several blogs. She has spent over a decade in different areas of technology and sectors providing infrastructure support, triage, and design. She now spends her time creating as many meaningful alerts as possible.
Jeremy Mio – (@cyborg00101) – Jeremy has focused expertise within the evolution of security convergence, the merger of physical and information security, and cyber-warfare. He is an Information Security Officer within local government and Principal within CodeRed LLC. Previously, he worked within Fortune 500 in enterprise information security as well as physical security through training/contracting. Jeremy researches and tests small UAVs [drones] for their use in defense applications in cyber warfare and intelligence, relying on Open Source technology and OSINT.
|Thurs||2PM||2:50PM||Operationalizing Purple Team||Jorge Orchilles||Talk||Nugget 1||Track 1||x||This talk picks up after your first successful Purple Team Exercise is complete and teaches you how to continue maturing and improving your security program by operationalizing the collaboration between your security teams (Cyber Threat Intelligence, Red Team, and Blue Team). From testing new TTPs to Detection Engineering and showing value.||Jorge Orchilles is the Chief Technology Officer of SCYTHE and co-creator of the C2 Matrix project and author of the Purple Team Exercise Framework. He is a SANS Certified Instructor and the author of Security 564: Red Team Exercises and Adversary Emulation. He was a founding member of MITRE Engenuity Center of Threat-Informed Defense. He is a Fellow at the Information Systems Security Association (ISSA) and National Security Institute. Prior, Jorge led the offensive security team at Citi for over 10 years.|
|Thurs||9AM||9:50AM||A Picture is Worth A Thousand Hacks||Josh Wright||Keynote||Nugget 1||Track 1||Five years ago I started studying photography in earnest. It taught me more about information security than I would have ever predicted. Join me to hear the lessons I learned, and how you can leverage them to become a better information security professional.||Joshua Wright is an author and faculty fellow for the SANS Institute, and the senior technical director at Counter Hack, a company devoted to security consulting services and the development of information security challenges for education, evaluation, and competition. His most rewarding work is helping people succeed at their personal information security learning goals (that, and shells — shells too.)|
|Thurs||6PM||6:15PM||Next Level OSINT||Mishaal Khan||Talk||Nugget 1||Track 1||To really dig deep into reconnaissance and information gathering, you need to think like a hacker and dissect the problem. Get an “aha” moment as I show you live, some of the advanced methodologies used to find anything about a network, person, business or resource using a combination of pentesting tools, scripts and some basic knowledge of OSINT.||Mishaal likes to entertain people with hacks and shortcuts while conveying a much bigger message. His hands-on nature tests the limits of technology by breaking things in order to learn how to secure them. A strong passion in OSINT, Privacy, Social Engineering and Pentesting drives him to help others.|
|Thurs||6PM||6:15PM||Gamify Your Risk Prioritization||Adam Mashinchi||Talk||Nugget 2||Track 2||x||This talk will present a new and simple mechanism for groups to determine and refine the prioritization of their cyber offense or defense initiatives. The audience will get insights into why the tool was created, a variety of its use cases, and how to get started with using it in their organizations. Designed to help simplify the priorities for Red, Blue, and Purple teams, the tool presented combines “gamification,” MITRE ATT&CK, and group collaboration to present a team with a joint perspective on how they view their organization’s cyber initiatives. As a simple and fun quiz, every member of the team can quickly create a “priority map,” which is then merged together with your teammate’s maps into a unified “priority roadmap” of adversary techniques to tackle. These priority roadmaps allow teams to trivially identify where there is (dis)agreement on the risk or urgency behind various MITRE ATT&CK techniques, enabling the creation of action items, technical tasks, and detailed discussions.||Adam Mashinchi is the Director of Open Source Programs at Red Canary, where he manages the open source strategy and portfolio, including the teams, resources, and initiatives. Before Red Canary, Adam defined and managed the development of enterprise security and privacy solutions with an emphasis on adversary emulation and usable encryption at a global scale, leading numerous technical integration projects with a variety of partners and services. Adam brings with him a diverse technical background in enterprise systems administration, web and application development, mobile operating systems, and computer security. He holds a Master of Science in Applied Computer Science from Southern Oregon University with a focus on computer security and encryption. Adam is a regular attendee and participant at cybersecurity conferences such as at DEFCON’s Red Team Village, Wild West Hackin’ Fest, and Grayhat, speaking on topics ranging from insider threats in modern enterprises to the basics of Red Teaming.|
|Thurs||6PM||10:00PM||The Mechanical Bull||Fun & Games||Nugget Foyer|
|Thurs||6:30PM||8:30PM||Steak Dinner||Food||Nugget 1|
|Fri||8AM||10AM||Catch Me If You Can—Seeing the Red through the Blue||Will Hunt, Owen Shearing||Workshop||Redwood 6||x||This two-hour workshop will help improve both red and blue skillsets through a series of hacks, where you as an attendee will have to identify malicious activities on various targets. During the workshop, the trainer (Red Team) will highlight a series of attacks that have occurred on the hosts in the In.security lab. You (the Blue Team) will then need to use Azure Sentinel to identify the malicious activities and raise the alarm! This will upskill both attackers in understanding the various attack flows that could compromise their cover and defenders in understanding how to detect them. “The best defence is a good offense” applies as much in cyber as it does in sport. You’ll get sneak peeks of the attacks the trainer has carried out before you’re set off to hunt down the evidence…. Read more about this workshop here.||Will (@Stealthsploit) co-founded In.security in 2018. Will’s been in infosec for over a decade and has helped secure many organisations through technical security services and training. Will’s delivered hacking courses globally at several conferences including Black Hat and has spoken at various conferences and events. Will also assists the UK government in various technical, educational and advisory capacities. Before Will was a security consultant he was an experienced digital forensics consultant and trainer.
Owen (@rebootuser) is a co-founder of In.security, a specialist cyber security consultancy offering technical and training services based in the UK. He has a strong background in networking and IT infrastructure, with well over a decade of experience in technical security roles. Owen has provided technical training to a variety of audiences at bespoke events as well as Black Hat, Wild West Hackin’ Fest, NolaCon, 44CON and BruCON. He keeps projects at https://github.com/rebootuser.
|Thurs||4PM||4:50PM||Measuring Risk Using Open, Community Risk Models||Kelli K. Tarala||Talk||Nugget 1||Track 1||In this presentation, Kelli Tarala, of Enclave Security and AuditScripts.com, will teach participants a practical methodology for governing and managing risk using free and community driven risk models. After years of frustration, a large group of community volunteers banded together to create a model for managing risk that would be accessible to cyber security practitioners at all levels. This includes a common library of defensive cyber security controls mapped against guidance from the Center for Internet Security, NIST, ISO, PCI, and many other standards bodies. In addition, this library of defenses has been prioritized and tagged to make it easier for cyber security professionals to immediately use these free resources. The cyber security community should be working together to make the world’s data more secure and trustworthy. In this presentation, attendees will see the results of the community banding together to create a common set of tools that anyone can use to better defend their organization. Attendees will walk away with a better understanding of a model that can be used and specific tools that can put into practice immediately after the presentation to help their organization defend their information systems, prioritize their cyber security activities and resources, and better present risk to leadership and key business stakeholders.||Kelli K. Tarala is a Principal and Founder of Enclave Security, an IANS Faculty member, and Principal and Founder of Auditscripts.com. With 25 years of experience in information technology as a security architect and project manager, she specializes in IT audit, governance, and information assurance strategies. She is a courseware author for the SANS Institute as well as one of the former technical editors for the Center for Internet Security’s Critical Security Controls. She is also the lead author for many of the governance resources and creator of tools and policies at AuditScripts.com. She has also spent a large amount of time consulting with organizations to assist them in their security management, regulatory compliance issues, and creating information security policy libraries. She enjoys the Florida lifestyle including kayaking, paddle boarding, and snorkeling. She also likes to run and read mysteries and science fiction.|
|Fri||9AM||3PM||CTF||Capture the Flag||Sierra 3 & 4||The MetaCTF team is excited to run the WWHF Capture the Flag (CTF) competition for the fourth year in a row. While there will be plenty of hard problems for those looking for a challenge, the goal is for you to walk away with some new tools, techniques, and skills. The challenges will cover a variety of cybersecurity categories including web exploitation, forensics, binary exploitation, cryptography, and more. It’s a team event, so make sure to get some friends together or meet some new people at the conference! The CTF will start after the opening keynote on 6/17 and close in the afternoon on 6/18. Team size is up to four people. You will need to bring your own laptop (you may want to have a Kali virtual machine), but we will provide everything else.|
|Fri||9AM||3PM||Escape Room||Fun & Games||Redwood 1||See if you can get all of the outlaws back in the saddle with this rigorous saloon training exercise! Can you crack the code before it cracks you? Will you break the bank before it breaks you? Come test your escape room expertise, in-person and virtual.|
|Fri||9AM||5PM||Labs||Labs||Sierra 1||Check out the labs for this conference here.|
|Thurs||1PM||1:50PM||The Konami Code: The Secret Code to Power Up your SDLC Security||Kevin Johnson||Talk||Nugget 1||Track 1||As with the Konami Code, Kevin Johnson of Secure Ideas will explore how we can “power up” the integrations and interactions between security and development. How do we “shift left” and ensure that we are detecting and remediating security issues as early as possible within our SDLC. In this presentation, Kevin will provide the five main items that you should be doing to increase the power of your security programs working within your development teams.||Kevin Johnson is the Chief Executive Officer of Secure Ideas. Kevin has a long history in the IT field including system administration, network architecture and application development. He has been involved in building incident response and forensic teams, architecting security solutions for large enterprises, and penetration testing everything from government agencies to Fortune 100 companies. In addition, Kevin is a faculty member at IANS and was an instructor and author for the SANS Institute.|
|Fri||10AM||10:50AM||If I see one more damned TLS finding…||Tim Medin||Talk||Nugget 2||Track 2||Vuln scanners and (some) auditors love check-box findings. Unfortunately, thes are often garbage findings. Findings that teams spend months or years planning to fix with only minor security improvements. In this talk we’ll talk about trash findings, the ones that matter, and how to tell the difference.||Tim is CEO at Red Siege, a company focused on penetration testing and offensive services. Tim is also a Senior Instructor and course author (SEC560 at SANS. Through the course of his career, Tim has gained information security experience in a variety of industries including previous positions in control systems, higher education, financial services, and manufacturing. Tim is the creator of the Kerberoasting, a widely utilized Red Team penetration test technique to extract kerberos tickets in order to offline attack the password of enterprise service accounts.|
|Fri||10AM||12PM||How to Give Technical Talks||William Stearns||Workshop||Redwood 6||So much of your success in a technical field is tied to one question: Can you effectively share information?
You have so many ways to do it–Twitter, blogs, articles, giving tech support online, writing documentation, etc. There’s one more in the corner that we don’t naturally go to: public speaking. That’s a real shame. So many of us avoid that at all costs when it’s a very positive way to teach and share enthusiasm about a topic.
At WWHF Way West, we hope to turn that around so you feel empowered to speak in front of an audience.
This two-hour presentation is full of all the things you need to know to speak comfortably, share enthusiasm, set up effective presentations and labs, and avoid common mistakes.
We’ll cover the mindset you need, the way to relate to your audience, how to handle questions, and how to prepare for common talk problems.
Bill Stearns, your speaker, will have lots of stories from his own speaking career. You’ll get to learn from his mistakes! ?
If you’re not yet comfortable speaking in front of a crowd, this talk is written for you!
|Bill provides Customer Support, Development, and Training for Active Countermeasures. He has authored numerous articles and tools for client use. Bill was the chief architect of one commercial and two open-source firewalls and is an active contributor to multiple projects in the Linux development effort. His spare time is spent coordinating and feeding a major anti-spam blacklist. Bill’s articles and tools can be found in online journals at http://github.com/activecm/ and http://www.stearns.org.|
|Fri||11AM||11:50AM||Find, Hire, and Keep InfoSec Rockstars||Kip Boyle||Talk||Nugget 2||Track 2||Is your HR department unclear about the requirements for your InfoSec roles? Do you spend a ton of time screening out candidates who are one-trick ponies (“I know how to use Burp”)? Or who seem to have memorized a bunch of factoids related to security, but who don’t have the ability to reason through technical problems? Or who simply don’t know how computers and networks actually work? Should you use a “contract-to-hire” approach see what that new person is really capable of before you commit? Why are people with the latest tech skills hard to find? How can you keep great people from leaving? In this session, I’ll share solutions to these and the other top pain points of InfoSec hiring managers.||Kip Boyle is a husband, dad, small business owner, and experienced cyber risk manager. He founded Cyber Risk Opportunities LLC in 2015 after 7 years as the CISO of PEMCO Insurance in Seattle. As a captain on active duty in the US Air Force, he served in the Combat Archer and F-22 Stealth Fighter programs, where he was the director of enterprise network security. These days, he serves as virtual chief information security officer for many customers, including a professional sports team and fast-growing FinTech and AdTech companies. Over the years, Kip has built InfoSec teams in a variety of settings by learning (often though failure) and following (sometimes poorly) several key insights he’ll share with you.|
|Fri||9AM||9:50AM||I Got Fired: Lessons from My First Cybersecurity Leadership Role||Naomi Buckwalter||Keynote||Nugget 1||Track 1||x||I got fired on September 12, 2018. My first ever cybersecurity leadership job, and I had failed. “We’re going to let you go”, my boss said, and honestly, I wasn’t surprised at all. I was having a tough time being effective in my role. I was unable to influence and persuade. My ability to inspire confidence and win hearts and minds for security was nonexistent. I was too scared to make any decisions, and my company was hurting for it. I agreed. It was time for me to go. Since then, I’ve often reflected, “What could I have done better? What went wrong? How can I make myself a better cybersecurity leader?” I’m here today to share what I’ve learned – about myself, about being a cybersecurity leader, and why, in my opinion, many other cybersecurity leaders are failing in their own jobs as well. And most importantly, I’ll share how we can improve as a cybersecurity community so that we can help our own businesses thrive. Because good security is a service for the business. Good security enables the business. And it’s helpful to remember that from time to time.||Naomi Buckwalter, CISSP CISM is the Director of Information Security & IT at Beam Technologies. She has over 20 years’ experience in IT and Security and has held roles in Software Engineering, Security Architecture, Security Engineering, and Security Leadership. As a cybersecurity career adviser and mentor for people around the world, her passion is helping people, particularly women, get into cybersecurity. Naomi volunteers with Philly Tech Sistas, a Philadelphia-based nonprofit helping women of color prepare for a career in IT and tech. Naomi has two Masters degrees from Villanova University and a Bachelors of Engineering from Stevens Institute of Technology. In her spare time, Naomi plays volleyball and stays active as the mother of two boys.|
|Thurs||12PM||1PM||Top Network Attacks and How to Fix Them||Jeff McJunkin||Talk||Nugget 1||Track 1||Do you know what attackers target in their first hours and days when they inevitably get internal access to your organization? This talk will show the most common, over-powered attacks that attackers are using now, and how to lock it down. Defense is a race between attackers (trying to deploy ransomware / steal data / accomplish their goal) and defenders (detecting and kicking out the attacker). Every time an attacker gets initial access, it starts another race. It’s practically impossible to “win,” as a defender, if attackers can win in minutes, hours, or a few days. Claim your home court advantage, lower the number of incidents through preventive controls, and detect those attacker actions. This talk is applicable to every organization with on-prem Active Directory and internal networks.||Jeff McJunkin is the founder of Rogue Valley Information Security, a consulting firm specializing in penetration testing and red team engagements. Jeff has a long background in systems and network administration that he leveraged into web and network penetration testing, especially involving Active Directory. He has taught dozens of classes in network penetration testing for the SANS Institute, and is the author of the “Metasploit Kung Fu for Enterprise Pen Testing” course. He specializes in not only finding end-to-end realistic attack scenarios for clients, but also in helping technical staff as well as senior leadership in understanding the attack, its ramifications, detective controls, and assisting in safe remediation.|
|Fri||1PM||1:50PM||The Industrial Cyber Threat Landscape||Robert Lee||Talk||Nugget 1||Track 1||x||This presentation will walk through the industrial (ICS/OT) cyber threat landscape by starting off explaining what’s different about OT than IT networks and systems, move into a discussion on the known threat groups, vulnerabilities, and lessons learned from the field, and present case studies from incidents analyzed over the last year. The focus of the talk is educational about what makes ICS/OT different, what you can do about it, and how to get engaged to join the community.||Robert M. Lee is the CEO and Founder of the industrial (ICS/OT) cyber security company Dragos, Inc. He is considered a pioneer in the ICS threat intelligence and incident response community. He serves currently on the Department of Energy’s Electricity Advisory Committee, on the World Economic Forum’s subcommittees on Cyber Resilience for the Oil and Gas and Electricity communities, and has testified to the U.S. Senate Energy and Natural Resources Committee to advise on policy issues with relation to ICS cyber threats.
A passionate educator, Robert is the course author of SANS ICS515 – “ICS Active Defense and Incident Response” with its accompanying GIAC certification GRID and the lead-author of SANS FOR578 – “Cyber Threat Intelligence” with its accompanying GIAC GCTI certification.
|Fri||1PM||1:50PM||Rules of Engagement: Social Media Hacking for Hackers||Maril Vernon||Talk||Nugget 2||Track 2||Hackers: Ever wonder why your Tweets don’t take off or someone else’s post on LinkedIn does better than yours? Want-to-be-Hackers: Trying to break in to the industry and have no idea how to promote yourself and what you know on social media? Come learn personal branding and social media hacks from the girl who used hers to go from “not knowing what an IP address was” to working on the Red Team for Zoom Communications in less than 18 months.||Maril Vernon, @SheWhoHacks, is a Red Team Operator for Zoom Communications and PluralSight author, specializing in Red Teaming tools, Purple Team methodology, MITRE, and Cloud Security strategies. Maril’s expertise on VPN exploits was featured on the Cyber Security Forum Initiative, and she is a contributing editor of the latest CIS AWS Foundation Benchmark for cloud security. She broke in to information security a year and a half ago and is an example of what you can achieve in a short time.|
|Fri||1PM||3PM||Toolshed||Tools||Nugget Foyer||The Way West 2021 Toolshed is a place for individuals to share open-source tools / projects with other infosec professionals attending the conference.|
|Fri||1PM||3PM||Backdoors & Breaches Tourney||Fun & Games||Sierra 2|
|Fri||1PM||3PM||Intro to Git for Security Professionals||Ian Lee||Workshop||Redwood 6||x||This workshop is to provide an overview and introduction to the version control system Git.
Git has grown tremendously in popularity over the past 15 years since it was released, helped along especially due to code hosting services including GitHub.com, GitLab.com, and Bitbucket.org. These sites are where open-source projects most commonly live. Any time that you hear about a new open-source security tool being released, it is mostly likely to be found on one of these sites.
This workshop will help provide an introduction to security professionals that may have no background in software development, that would like to start using their favorite open-source tool, or even more, to find ways to contribute back.
No development experience is required, and participants will finish the workshop with the tools needed to make their first contribution the same day if they choose to.
|Ian Lee is a Computer Engineer and Cyber Assessment Coordinator in the High-Performance Computing (HPC) facility at Lawrence Livermore National Laboratory (LLNL), home to some of the largest supercomputers on the planet, including Sierra, currently the #2 in the world with a performance of 94.6 Pflop/s. At LLNL, Ian has created a role performing cyber assessment, penetration testing, and purple teaming duties for the facility. Ian also has a strong background as a software developer, with a passion for the use and development of open-source software and practices. He leads sustainment and outreach efforts of open-source software produced by the laboratory. His personal mission is to always “leave things better than you found them.”|
|Thurs||3PM||3:50PM||What It Takes To Be a Successful Chief Information Security Officer||Russell Eubanks||Talk||Nugget 1||Track 1||A lot of people want to be a CISO. Many have put together plans on what it will look like actually to be the CISO. But what does it take to be a successful CISO? Gain insight into this often elusive role. Russell shares what it is like to move from being an individual contributor to having the privilege to lead people who lead people who deliver cybersecurity to many different companies. Russell will share three keys he learned on his journey to becoming a very successful CISO. Three keys that prepare you to be successful as a CISO.||From factory worker to owner of Security Ever After and consultant with Enclave Security, Russell Eubanks’ career trajectory has been anything but traditional. Years ago, while working a factory job, Russell realized he wanted more and started investigating options. He learned about his company’s tuition reimbursement program and promptly signed up for computer classes at his local community college. Russell worked in the factory until early morning, then attended classes during the day.
Russell holds a bachelor’s degree in computer science from the University of Tennessee at Chattanooga. In his free time, Russell studies leadership, keeps up with his wife and teenage son, and daughter, and loves to smoke pork on his Big Green Egg. “Only recently, I learned about the importance of disconnecting from technology regularly,” he says. “I have my best ideas when I am away from the screen.” Russell also stays busy with his recently discovered passion for running and recently ran his third marathon.
|Fri||2PM||2:50PM||Offensive Deception | Breaking the Defender||Matthew Toussain||Talk||Nugget 2||Track 2||One of the hottest trends in Information Security today is cyber deception. This should not be limited to the defenders alone, spread the love! What does it look like when the red team sells the blue team a lemon of a story? In this talk we will be looking into several Overt Operations strategies and evaluating what the blue team is looking for and visualizing in their SOC. We’ll observe their sight picture in tools like ELK and RITA and more. Then we’ll use that knowledge to feed them a lie. If the attacker appears to be everywhere with the apparent TTP of every intrusion set, how do you respond to the real attack? Advanced red teamers don’t simply attack enterprises; they craft techniques to attack the enterprise defenses, weaponizing them against the organization itself. It’s time to hack the planet!||Since graduating from the US Air Force Academy in 2012, Matthew Toussain has served as the Senior Cyber Tactics Development Lead for the US Air Force and worked as a red teamer for Black Hills Information Security and CounterHack Challenges. In 2014, he started Open Security to focus on a more holistic approach to cybersecurity from incident response through red teaming. He is the author of SEC460: Enterprise and Cloud | Threat and Vulnerability Assessment and has created numerous popular penetration testing tools. Matt is also a Grand Champion of NetWars Tournament of Champions. An avid runner and #RedTeamFit influence peddler, Matthew is a passionate supporter of cyber competitions such as the Collegiate Cyber Defense Competition and SANS Institute’s NetWars.|
|Fri||3PM||3:50PM||Automate your Redteam||Ralph May||Talk||Nugget 1||Track 1||Red team operations are not what they used to be. While there will always be soft targets more clients today have taken recommendations to heart. Clients continue to look at professionals in information security to identify new threats even as security controls increase. In our effort to deliver results, red teams continue to gain sophistication while engagement times stay the same. With the increases in sophistication, red teams must evolve to more than manual setup and simple attacks. As you conduct advanced engagements the need for infrastructure as code and group think becomes a requirement not a luxury. In this talk I will discuss the fundamentals of a modern red team attack chain and how we can code our TTP’s to increase success and lower are time to compromise.||Ralph May is a security analyst and penetration tester at Black Hills Information Security. Before joining BHIS, Ralph spent the last five years delivering penetration tests on a wide range of security assessments. These assessments include physical, wireless, network, social engineering, and full simulation red teams. Before focusing on security, Ralph worked as a system administrator and as a network engineer for both civilian and government employers. Ralph is a US Army veteran previously working with the United States Special Operations Command (USSOC) on information security challenges and threat actor simulations.|
|Fri||10AM||10:50AM||Protecting OAuth 2.0 and OIDC||Wolfgang Goerlich||Talk||Nugget 1||Track 1||We’ve reached a tipping point with more apps being delivered from cloud services than from on-premises. OAuth 2.0 and OpenID Connect (OIDC) have become essential in federating access and handling strong authentication. But these are frameworks not standards, and these frameworks are based on dozens of RFCs. This has resulted in numerous approaches, confusing developers and security teams alike. In this presentation, participants will learn how to secure implementations.||J. Wolfgang Goerlich is an Advisory CISO for Duo Security. He has been responsible for IT and IT security in the healthcare and financial services verticals. Wolfgang has led advisory and assessment practices in cybersecurity consulting firms.|
|Fri||4PM||4:50PM||CyberForce2020: Leading an Army of 380+ APT Hackers against Innocent Windmills||Kandy Phan||Talk||Nugget 1||Track 1||This is the diary of the National Red team lead of the DOE CyberForce Competition (CFC), a cyber defense competition where ICS (e.g. windmill farms) plays a pivotal role and we strive for realism. Unfortunately, due to the artificiality of the environment, defenders end up gaming the system by using tactics (e.g. killing all new processes) that will score a lot of points for the event but would get them fired in the real world. Even worse, that led to the red teams also using tactics that are only applicable for these competitions, the very antithesis of realism. We fixed this gapping problem by introducing novel scoring mechanics that made the blue team “Learn to Stop Worrying and Love the Red team”. We also wanted to increase the challenge level of what was typically needed to win. While patching, password, and firewall management are important blue team basics, we want our competition to go beyond that and include forensics, hunting, fixing code, service hardening, protecting ICS, recovering from zero days, and tuning tools to improve detection gaps. Instead of a stressful panicking state, defenders experienced intense fried brains because of all the learnin’ they were required to do during the competition. We received the feedback that we were the “most wholesome red team”. I will also be going over custom tools and infrastructure needed for advanced red teaming at scale (2000+ beacons), our focus on collecting metrics, and lessons learned on the logistics of herding a large group of hackers.||Kandy Phan is a principal cybersecurity researcher and red team lead with over 16 years of experience in the industry, where he has done assessment of enterprise networks, industrial control systems, research prototypes, and cloud environments. His interests include exploring methods to improve red team performance and automation for virtualization/cloud security. He has a passion for emphasizing deep fundamental understanding of the principles of infosec and tries to share it with newcomers to the field. He runs a youtube channel to help cybersecurity beginners learn the basics and promote a positive infosec culture.|
|Fri||4PM||4:50PM||Red Team Engagements: How to Train Your Blue Team to Hunt Adversaries||Madhav Bhatt, Brad Richardson||Talk||Nugget 2||Track 2||This talk focuses on how the Internal Red Team can pragmatically train blue teams to hunt threat actors in the environment. It incorporates the philosophy of “train like you would fight”. During this presentation we will discuss how to build visual detection charts using threat intelligence incorporating MITRE ATT&CK. Then we will demonstrate how to leverage the visual detection charts to plan and execute purple team exercises. We will also demonstrate an example of how to effectively work with SOC and other stakeholders to build high fidelity detections. Next, we will discuss how to effectively build an adversary detection pipeline using enterprise issue & project tracking software. We will show examples of cataloging, elements of minimum detection criteria, as well as, feeding priority detections into the pipeline. Finally, we will focus on how internal red teams can conduct adversary simulation and emulation to train the Blue side to be better threat hunters. We will show how to plan and execute these engagements, as well as, develop actionable reports to bolster prevention, detection, and response measures. [Target Audience] This talk is meant for organizations whether they are in the process of building a new red team program or have a red team program in place and would like to mature it further. This talk is also for defenders as it demonstrates how to continuously improve detection & response capabilities.||Madhav has completed his Master’s degree in Computer Engineering with specialization in Cyber Security. He worked as an intern while in college wearing multiple hats such as systems administrator , network architect, penetration tester as well as worked on research projects to design and develop IDS for OSPF route poisoning attacks. After graduation, he has been working in the field of Information Security where he has planned and executed different adversary simulations and emulations, purple team exercises, social engineering campaigns, network as well as application penetration tests. Brad Richardson’s security practitioner career spans 15 years in the areas of vulnerability management, security audit, pentest, and red team. Brad began his technology path in system engineering and quickly became interested in how cyber attackers find cracks in the best laid security plans and hardened networks. He continues to study how attackers find ways in and takes a special interest in the psychology of social engineering, security metrics, and adversary emulation.|
|Fri||5PM||Closing Session (Awards)||Nugget 1||Track 1|