Registration desk times:
Tues: 7-10 pm | Weds: 7-10 am; 3-8 pm | Thurs: 4-10 pm | Fri: 7-11 am; 12-3 pm; 5-7 pm | Sat: 8-11 am

9:00 am
9:30 am
10:00 am
10:30 am
11:00 am
11:30 am
12:00 pm
12:30 pm
1:00 pm
1:30 pm
2:00 pm
2:30 pm
3:00 pm
3:30 pm
4:00 pm
4:30 pm
5:00 pm
5:30 pm
6:00 pm
6:30 pm
7:00 pm
7:30 pm
8:00 pm
Track 1 - Break Me
Track 1 - Break Me
Jim Shaver, Mitchell Hennigan - Return From The Underworld - The Future Of Red Team Kerberos
9:00 am - 9:50 am

This talk discusses Kerberos Key derivation, cracking and the future of Kerberos, kerberoasting and NTLM. Also discusses the possibilities for increased knowledge around Kerberos in the security community.

Jim Shaver - Penetration tester at Crowe Horwath working on penetration assessments, infrastructure security reviews as well as social engineering. Jim has been working in IT, security and pen testing for 9 years. Jim is a contributor to mitmproxy and pyopenssl. Mitchell Hennigan - Penetration tester at Crowe Horwath working on penetration assessments, infrastructure security reviews as well as social engineering. Mitchell has been involved in the penetration testing field for 2 years.

Jim - @elitest
Mitchell - @mrconan312

Casey Rosini - Memory-Based Library Loading: Someone Did That Already.
10:00 am - 10:50 am

The technique of using memory-based library loading has been around for a number of years. It is available in different forms and for different operating systems. It has been popularized in the security-space with long-standing techniques perhaps even longer than some are aware. And here I thought that I found or did some new evasion. This talk discusses a library for Windows that is still maintained but has been seemingly overlooked for over a decade (or has it?), and how it can be used against the next-generation securing of the digitals.

Casey has been living a dream of the software development and security industries for just over 10 years. With an early exposure to security research and development, he has endured many sleepless nights of analyzing Microsoft Patch Tuesday releases, coding sprees, and even compliance and regulatory initiatives for commercial and government sectors. In recent years he has provided technical leadership within global security operations, developed frameworks for security awareness initiatives, and conducted large-scale application security assessments and penetration tests. His background is in security research, software development, static & dynamic software security analysis, reverse engineering all the things, and reading a lot of technical documents and source code.

11:00 am - 12:00 pm

Marcello Salvati - Building the DeathStar: getting Domain Admin with a push of a button (a.k.a. how I almost automated myself out of a job)
12:00 pm - 12:50 pm

"Ever since the advent of tools like PowerSploit, Empire, Bloodhound and CrackMapExec pentesting Active Directory has become a pretty straight forward and repetitive process for 95% of all the environments that I get dropped into. This begs the question: can the process of going from an unprivileged domain user to Domain Admin be automated? Well obviously, since this talk is a thing, the answer is yes!

Introducing the DeathStar: a Python script that leverages Empire 2.0's RESTful API to automate the entire AD pentesting process from elevating domain rights, spreading laterally and hunting down those pesky Domain Admins!

This talk will mainly focus on how DeathStar works under the hood, how to properly defend against it and the most common AD misconfigurations/vulnerabilities that I see in almost every environment which allow for this script to be so effective. It will then conclude with live demos of the tool in action (which hopefully will not fail miserably) and some final considerations from yours truly. "

Marcello Salvati (@byt3bl33d3r) is a security consultant who's really good at writing bios. He's so good at writing bios that he was awarded the 'The Best Bio Ever from *insert date when bios became a thing* to 2017" award. (Totally legit award. Don't Google it, Bing it). His boss Liz asked him about ten times to re-write his bio because "It was too good. He had to make it less good. We didn't want people to cry in shame when they read it. It was like a poem ... sniff.. *a single tear is shed*". By day a security consultant, by night a tool developer who discovered a novel technique to turn tea, sushi and dank memes into somewhat functioning code he has recently devoted his attention to the wonderful rabbit hole that is Active Directory which has become his favorite thing to 0wn.


Jason Lang - Modern Evasion Techniques
1:00 pm - 1:50 pm

As pentesters, we are often in need of working around security controls. In this talk, we will reveal ways that we bypass in-line network defenses, spam filters (in line and cloud based), as well as current endpoint solutions. Some techniques are old, some are new, but all work in helping to get a foothold established. Defenders: might want to come to this one.

Jason Lang (@curi0usJack) is a caffeine-imbued coding hermit, briefly emerging from the Wisconsin woods to congregate with other infosec & PowerShell lovers. Proficient in { }’s and trollery, Jason spends his days on the prowl for customer data and evenings in off-the-grid pursuits. #Nano4lyfe


Aaron Lafferty - FM, and Bluetooth, and Wifi... Oh My!
2:00 pm - 2:50 pm

"Our organizations utilize radio frequencies (RF) on a daily basis. These signals surround us, travel through us, and often move beyond the physical and logical boundaries that we have established to protect our organizations. What is RF saying about your organization or client? How do you find out? What tools and processes do you need to find out the radio frequencies your organization or client uses. What information can you find and where do you find it?"

Aaron Lafferty, like Zaphod Beeblebrox, is just this guy... you know? Unlike Zaphod, he only has one head. Aaron has always been interested in radio, having gone through armloads of walkie talkies as child. At the time of this bio creation, he's not entirely sure what he's doing as a job.


Ben Ten - Detect Me If You Can
3:00 pm - 3:50 pm

As long as there is a "Patch Tuesday", and software has bugs, there will always be an attack vector to which defensive controls are unable to defend. This is because most defensive strategies have focused on stopping attacks at their initial vector. In this talk, I will go over how I attack and bypass most deflection controls and go under the detection radar. I will then highlight the areas where defenders can begin to build a detection defense which will identify attacker behavior regardless of the initial vector. I will run through attacks I have used, which bypass several deflective controls, and show you how you can create detection controls to detect me; that is, if you can.

"Ben Ten is a Senior Security Consultant with TrustedSec doing penetration testing and consulting. He has spent over 15 years doing Application & Web Development; Security Implementation, Consulting, & Training; Federal Regulation and Compliance oversight in relation to Information Technology (HIPAA, HITECH, PCI); and managing a team of developers and IT professionals.

He is creator of the PoshSec Framework and works with the PoshSec development team. He has spoken at several conferences over the past 5 years including ShowMeCon, DerbyCon, BSides Chicago/Raleigh/Dallas Fort Worth, HackCon Norway, and more."


int0x80 (of Dual Core) & savant - Full-Contact Recon
4:00 pm - 4:50 pm

"Imagine starting your pentest with a shell. Better yet, a shell with privileges. Skip the web app. Forget bruteforcing. Hackers often take the path of least resistance, and so should you. Not a pentester? You can still do this, and defend your infrastructure.

Full-Contact Recon will guide the audience through practical information looting from public sources like Travis-CI, GitHub,, and popular social platforms (LinkedIn, Twitter, etc). We will also release three tools to streamline the process. Coupled with experiences from actual red team operations; we will show you several ways to make your first connection a privileged shell."

int0x80 - int0x80 is the rapper in Dual Core. savant - savant is not in the sudoers file. This incident will be reported.

int0x80 - @dualcoremusic
savant - @savant42

Matt Nelson - Not a Security Boundary: Bypassing User Account Control
5:00 pm - 5:50 pm

Microsoft's User Account Control feature, introduced in Windows Vista, has been a topic of interest to many in the security community. Since UAC was designed to force user approval for administrative actions, attackers (and red teamers) encounter UAC on nearly every engagement. As a result, bypassing this control is a task that an actor often has to overcome, despite its lack of formal designation as a security boundary. This talk highlights what UAC is, previous work by others, research methodology, and details several technical UAC bypasses developed by the author.

Matt Nelson (@enigma0x3) is a Red Teamer and Security Researcher with SpecterOps. Matt has a passion for offensive PowerShell, is an active developer on the PowerShell Empire project, and helps build offensive toolsets to facilitate red team engagements. He has published research on a number of novel UAC bypasses and holds CVE-2017-0007 for his device guard research.


Stephen Hilt & Lord Alfred Remorin - Victim Machine has joined #general: Using Third Party APIs as C&C Infrastructure.
6:00 pm - 6:50 pm

The popularity of third party chat applications is on the rise for both personal and enterprise use. They provide the ability to send brief messages similar to previously popular platforms such as ICQ, AIM, and even IRC. However, one of the main reasons they are being adopted is due to their functionality and cost. The challenge is that these same benefits are attracting cybercriminals to the services.

Cybercriminals are utilizing legitimate chat services as command and control channels to facilitate malicious activity. To achieve this, actors are using the platforms’ API services to integrate custom applications within the chat platforms. On most of these platforms, “bots” are automated scripts that are running on a remote machine to provide integrated information, including anything from a cat fact and meme creation, to running OS commands. The APIs allow for flexibility to listen for an action and then perform a task based on the information. Threat actors are taking notice of this and utilizing API functions for command and control.

This talk will delve into the API functions, and how malware and cybercriminals are utilizing these functions as command and control capabilities. Attendees will understand how to identify, mitigate and prevent such communications from happening in their own organizations.

Stephen Hilt has been in Information Security and Industrial Control Systems (ICS) Security for over 10 years. With a Bachelor’s Degree from Southern Illinois University, he started working for a large power utility in the United States. There Stephen gained an extensive background in Security Network Engineering, Incident Response, Forensics, Assessments and Penetration Testing. From there Stephen started focusing on ICS Assessments and NERC CIP Assessments. With that experience Stephen then moved to working as an ICS Security Consultant and Researcher for one of the most foremost ICS Security Consulting groups in the world. Stephen has published numerous Nmap Scripts and contributed to multiple Open Source projects. Stephen is also an author on the Hacking Exposed ICS/SCADA book.

Lord Alfred Remorin started working in cyber security industry with Trend Micro since 2009. Lord is currently a Senior Threat Researcher for Forward-Looking Threat Research Team which deals with future threat technologies, cybercrimes and targeted attacks. His primary focus areas are on cybercrime research and reverse engineering. Prior to research, Lord worked as an Anti-Malware Engineer which specializes in malware reverse engineering, forensics analysis and clean-up.


Track 2 - Fix Me
Track 2 - Fix Me
Benjamin Holland - JReFrameworker: One Year Later
9:00 am - 9:50 am

JReFrameworker is a Java bytecode manipulation tool released at DEFCON 24 that lowers the barrier to entry for developing Managed Code Rootkits in the Java Virtual Machine. Bytecode manipulations are written entirely in source code, removing the need for any pre-requisite knowledge of bytecode internals and allowing anyone with a basic working knowledge of Java to develop a sophisticated rootkit. Following the tool’s original release last year, development has continued while incorporating community feedback. Along with the improved documentation, bug fixes, and rigorous unit testing comes the ability to create multiphase manipulations, incremental compilation, an improved Metasploit post module, and integrations into the Atlas program analysis framework. By including interactive visual program analysis capabilities, JReFrameworker can automatically generate payloads for arbitrary programs at the click of a mouse (think Minority Report meets rootkit development). Finally, we explore alternate applications of the framework for reverse engineering and hardening third party applications. At the end, a special Derbycon release of the tool, which includes a little something extra, will be revealed.

Ben Holland is a PhD candidate at Iowa State University with experience working on two high profile DARPA projects. He has extensive experience writing program analyzers to detect novel and sophisticated malware in Android applications and served on the ISU team as a key analyst for DARPA’s Automated Program Analysis for Cybersecurity (APAC) program. His past work experience has been in research at Iowa State University, mission assurance at MITRE, government systems at Rockwell Collins, and systems engineering at Wabtec Railway Electronics. Ben holds a M.S. degree in Computer Engineering and Information Assurance, a B.S. in Computer Engineering, and a B.S. in Computer Science. Currently he is a member of ISU’s Knowledge-Centric Software Lab working on DARPA’s Space/Time Analysis for Cybersecurity (STAC) program.


Zac Brown - Hidden Treasure: Detecting Intrusions with ETW
10:00 am - 10:50 am

"Today, defenders consume the Windows Event Log to detect intrusions. While useful, audit logs don't capture the full range of data needed for detection and response. ETW (Event Tracing for Windows) is an additional source of events that defenders can leverage to make post-breach activity more visible in Windows.

ETW provides a rich set of data, largely intended for debugging scenarios. As a side effect, these traces also have data that is ideal for detecting potentially malicious behavior, such as raw networking data and detailed PowerShell data. Unfortunately, the ETW API is low level and primitive, making it difficult to use at scale reliably. Because our security team in Office 365 supports monitoring over 150,000 machines, we needed a reliable way to consume the events in real-time, while adhering to strict memory and CPU usage constraints. To accomplish this, our team built the open-source krabsetw library to simplify dynamically consuming ETW events. We currently use this library to collect 6.5TB of data per day, from our service.

In this talk, we’ll discuss a few ETW sources we’ve found to be high value as well as the detections they enable. We’ll also demo an example of using krabsetw as well as some considerations in using ETW in your intrusion detection pipeline at scale."

Zac Brown is a Senior Software Engineer at Microsoft on the Office 365 team, working on security for OneDrive/SharePoint Online. He started his career at Microsoft in the Windows division seven years ago working on developer experience, COM, and performance. Zac fell into security by accident and doesn’t consider himself a security professional but rather a software engineer first. He’s passionate about building efficient systems at scale and not getting breached. In his free time, he enjoys spending time with his wife and goofball dogs, making BBQ (smoking), reading, and trying in vain to learn Haskell.


11:00 am - 12:00 pm

Ryan Nolette - How to Hunt for Lateral Movement on Your Network
12:00 pm - 12:50 pm

"Once inside your network, most cyber-attacks go sideways. They progressively move deeper into the network, laterally compromising other systems as they search for key assets and data. Would you spot this lateral movement on your enterprise network?

In this training session, we review the various techniques attackers use to spread through a network, which data sets you can use to reliably find them, and how data science techniques can be used to help automate the detection of lateral movement."

Ryan is Sqrrl's primary security technologist and expert. He has previously held a variety of roles including threat research, incident response consulting, and every level of security operations. With over a decade in the infosec field, Ryan has been on the product and operations side of companies such as Carbon Black, Crossbeam Systems, SecureWorks and Fidelity. Ryan has been an active speaker and writer on threat hunting and endpoint security.

Johnny Long - Kali Linux?
1:00 pm - 1:50 pm

What is Kali Linux? People outside our industry think it's cool thanks to Elliot and Angela. Insiders have referred to it as “the new version of Backtrack” or “the ISO with all the hacking tools”. Kali Linux has been evolving for over a decade and has become a staple in our industry, but few people really know what it’s capable of. As a Kali Linux insider, I’ll give you the real scoop. We’ll dig deep into some of Kali’s little-known and powerful features and cover some potent spinoffs including the “nexmonPi" and the wicked-cool android-based NetHunter that is so much more than “Kali in your pocket”. There’s far too much cool stuff to reveal in the writeup, but I’ll share plenty of insight, free tips and training resources designed to help you "Master the Penetration Testing Distribution”. Johnny Long spent his career as a professional hacker. He is the author of numerous security books including No-Tech Hacking and Google Hacking for Penetration Testers and a contributor to Kali Linux Revealed. He is the founder of Hackers for Charity and currently works with the Offensive Security team.

Brent White, Tim Roberts - Common Assessment Mistakes Pen Testers and Clients Should Avoid
2:00 pm - 2:50 pm

"Penetration assessments can be a stressful time for those involved. It’s a moment where the network admins find out if the network they manage, or maybe even helped to build, holds up against simulated attacks. Or, it’s a moment as a pen tester where you can help the client and strengthen their security posture, or screw things up by making a mistake - potentially losing a client and giving your company a black eye. However, this shouldn’t be a stressful time. As a client, it is important to understand why the test is taking place and how this helps. As a pentester it is important that you know what you are doing, need to ask for and aren’t just going in blind or throwing the kitchen sink at the network.

This talk is to highlight common issues that we’ve either encountered or have have been vented to about from both the penetration tester’s side of the assessment as well as the client’s side. We’d like to bring these issues to light to hopefully help ensure a more smooth assessment “experience” for all parties involved."

Tim and Brent are Sr. Security Consultants within NTT Security’s Threat Services group. They have developed Red Team and Social Engineering testing methodologies and have spoken at internationally recognized security conferences including DEFCON, DerbyCon, B-Sides, ISSA International, AIDE at Marshall Univ, Techno Sec & Forensics Invest. Con, and more. Tim has held management, IT and physical security roles across multiple industries, including healthcare and government. He is a regular contributor to NTT Security’s ‘#WarStoryWednesday' series, has developed methodologies for for red team and social engineering assessments and has been featured in CSO on the subject of onsite social engineering Brent is the founding member of the Nashville Def Con group (DC615), and is a supervisor for the Def Con conference “Groups” program. He has also held several IT roles including Security Director of a global franchise company as well as Web Manager and information security positions for multiple television personalities and television shows on The Travel Channel. He has also been interviewed on the topic of social engineering on the popular web series, “Hak5” with Darren Kitchen. Both have been interviewed on the topic of “White hat hacking” for Microsoft’s “Roadtrip Nation” television series. Their experiences with traditional/non-traditional pentesting techniques include network, wireless, social engineering, application and physical testing. These techniques have led to highly successful Red Team assessments against corporate environments. By sharing their experiences, they hope to continue to contribute to the InfoSec community.

Brent White - @brentwdesign Tim Roberts - @zanshinh4x

Paul Asadoorian - Everything I Need To Know About Security I Learned From Watching Kung Fu Movies
3:00 pm - 3:50 pm

"Whether you are a fan of Kung Fu movies or not, this will be an entertaining and informative look at various aspects of computer security. We’ll discuss how to learn computer security, the student & teacher dynamics, practical security tactics for defense and offense and explore some of the political and social aspects of security. Whether you are trying to break into the field of security, trying to defend your network from attackers or just plain want to be a better security professional, this is the talk for you. More detailed topics will include:

Your teacher may be reluctant to teach you The consequences of taking shortcuts in your training There will always be adversaries more skilled than you The best defense is to have a good offense The “softer” skills will more likely than not lead to victory Heroes don’t always start out as such"

Paul Asadoorian spent time “in the trenches” implementing security programs for a lottery company and then a large university. Paul is offensive, having spent several years as a penetration tester. He is the founder of the Security Weekly podcast network, offering several freely available shows on the the topics of information security and hacking. As Product Evangelist for Tenable Network Security Paul built a library of materials on the topic of vulnerability management. In 2007 Paul co-authored a book called “WRT54G Ultimate Hacking”, and since then has been passionate about the security of IoT. When not hacking together embedded systems/IoT devices (or just plain hacking them) or coding silly projects in Python, Paul studies Kung Fu (Shaolin Long Fist) and, of course, watches Kung Fu movies.


Lee Holmes, Daniel Bohannon - Revoke-Obfuscation: PowerShell Obfuscation Detection (And Evasion) Using Science
4:00 pm - 4:50 pm

"Attackers, administrators and many legitimate products rely on PowerShell for their core functionality. However, its power has made it increasingly attractive for attackers and commodity malware authors alike. How do you separate the good from the bad?

A/V signatures applied to command line arguments work sometimes. AMSI-based (Anti-malware Scan Interface) detection performs significantly better. But obfuscation and evasion techniques like Invoke-Obfuscation can and do bypass both approaches.

Revoke-Obfuscation is a framework that transforms evasion into a treacherous deceit. By applying a suite of unique statistical analysis techniques against PowerShell scripts and their structures, what was once a cloak of invisibility is now a spotlight. It works with .evtx files, command lines, scripts, ScriptBlock logs, Module logs, and is easy to extend.

Approaches for evading these detection techniques will be discussed and demonstrated.

Revoke-Obfuscation has been used in numerous Mandiant investigations to successfully identify obfuscated and non-obfuscated malicious PowerShell scripts and commands. It also detects all obfuscation techniques in Invoke-Obfuscation, including two new techniques being released with this presentation."

Lee Holmes is the lead security architect of Microsoft's Azure Management group, covering Azure Stack, System Center, and Operations Management Suite. He is author of the Windows PowerShell Cookbook, and an original member of the PowerShell development team. Daniel Bohannon is a Senior Incident Response Consultant at MANDIANT with over seven years of operations and information security experience. He is the author of the Invoke-Obfuscation and Invoke-CradleCrafter PowerShell obfuscation frameworks

Lee - @Lee_Holmes
Daniel - @danielhbohannon

Timothy Wright - Reverse Engineering Hardware via the HRES
5:00 pm - 5:50 pm

The Hardware Reverse Engineering Stanardard or HRES has been designed to provide security engineers with a framework to reverse engineer hardware and make the process repeatable and measurable. The process follows the same high level process structure as the PTES but focuses on testing and reversing embedded systems and firmware. My presentation will present the process and all online documentation to the security community for feedback and acceptance.

Tim has over 20 years in information security with a focus on performing red team engagements. He is currently the red team lead for a major power company and works on his own time to learn more about security.


Concert Setup
6:00 pm - 6:50 pm

Track 3 - Teach Me
Track 3 - Teach Me
Tyler Hudak - To Catch a Spy
9:00 am - 9:50 am

In the first Vault 7 WikiLeaks dump, the documents discussed several different persistence and anti-RE techniques that the CIA supposedly uses to avoid detection and maintain access to systems they compromise. None of these methods are new or undetectable; in fact, all of them have been widely used by malware for years. This talk will discuss each of these techniques, how they work, and more importantly, how defenders can detect the use of these techniques in their environments or during their investigations.

Tyler has more than 15 years of extensive experience in incident handling, malware analysis, computer forensics, and information security at multiple organizations. He has also spoken and taught at a number of security conferences on these and other infosec topics. Iä! Cthulhu fhtagn!


Mick Douglas - Rapid Incident Response with PowerShell
10:00 am - 10:50 am

PowerShell shouldn’t just be used by pen testers! Attendees of this talk will learn how to conduct each phase of the IR process using PowerShell as a means to increasing the cadence and completness of their DFIR program.

11:00 am - 12:00 pm

R.J. McDown - Windows Rootkit Development: Python prototyping to kernel level C2
12:00 pm - 12:50 pm

Red teams are always looking for new ways to persist on hosts that could potentially take several days to compromise. The necessity for reliable, stealthy persistence is highlighted when the compromised target is the initial foothold into the internal target network. Common methods and tools used to persist on compromised hosts will be briefly covered before diving into developing custom software operating at the user and kernel level. A couple of opensource projects, and their APIs, will be introduced that make it possible to interact with kernel level drivers from user-mode programs. Both, Python and C APIs are available, allowing for Python prototyping before moving to C, a compiled language. This is great for testing and researching new features, as design flaws can be worked through quicker. Lastly, a demonstration will be given of evading event logs, subverting host firewall configurations, hiding active C2 network connections from the OS, spawning arbitrary sessions (PowerShell Empire, Metasploit, etc.), and harvesting credentials from network traffic.

R.J. McDown (BeetleChunks) is a security researcher, penetration tester, and red teamer with experience assessing numerous Fortune 500 companies. In his spare time, he works on developing and researching new tools and techniques to be used on client assessments and IOCs associated with them.


Winn Schwartau - How to Measure Your Security: Holding Security Vendors Accountable
12:00 pm - 12:50 pm

"How to Measure Your Security: Holding Security Vendors Accountable"

Security Guy since 1983. Cyberwar. Modelling.


Amit Serper - Peekaboo! I Own You. Owning Hundreds of Thousands Vulnerable Devices with only two HTTP packets
1:00 pm - 1:50 pm

Imagine that you've purchased your small a cheap ip security camera to feel just a little better with your own physical security. Now imagine that the people who designed that camera know nothing about secure programming, security or programming at all. Imagine that your precious camera can be hijacked into a botnet with only two HTTP packets.

This presentation details two severe zero-day vulnerabilities that we've discovered (CVE-2017-5674-5) in a commonly available, white-label IP camera sold by many vendors (we ordered 40 models of cameras from 40 different merchants). Exploiting these vulnerabilities would have allowed us to get a root shell on hundreds of thousands of devices with just two HTTP packets (per device of course). While IoT hacking isn’t new, this presentation will give you a good example of what security on embedded devices looks like in today’s Mirai botnet world and how painfully easy it is to find severely alarming vulnerabilities on such devices.

I’ll walk through all the steps in our research, from hardware hacking to firmware dumping to just plain ol’ reversing. I’ll demo the exploits and explain, step by step, where the developers went wrong, what could have been done to avoid this situation and why this problem is so severe. I will even demo how these exploits can be taken a step further to compromise the entire network. There will be root shells, there will be exploits, there will be tears.

Amit leads the security research at Cybereason's Boston HQ. He specializes in low-level, vulnerability and kernel research, malware analysis and reverse engineering. He also has extensive experience researching attacks on large scale networks and investigating undocumented OS resources and APIs. Prior to joining Cybereason, Amit spent nine years leading security research projects and teams for an Israeli intelligence agency, specifically in embedded system security. He's presented at RSA, BSides Tel Aviv, CircleCityCon, LayerOne and other conferences.


Tim "lanmaster53" Tomes - Burping for Joy and Financial Gain
2:00 pm - 2:50 pm

"If you do application security and don't use Burp Suite, then you're likely doing it wrong. If you do use Burp Suite, then you know that Burp is chock full of features that are either counterintuitive in their placement or complicated to use. In this talk, my goal is to leverage experience gained from years in the field with Burp Suite to demystify some obscure features of Burp and share unintended ways I use the tool to be a more effective and efficient application security tester.

As a PortSwigger Burp Suite Training Partner, I have the privilege of teaching students with many different levels of exposure to Burp Suite. One thing remains consistent across all of the students in my classes; Regardless of skill level, they all walk away with something that makes them more proficient with Burp Suite. I'm confident you will too."

Tim is a Managing Consultant at nVisium with extensive experience in Application Security and Software Development. Tim currently manages multiple open source software projects such as the Recon-ng Framework, the HoneyBadger Geolocation Framework, and PwnedHub, writes technical articles at, and frequently instructs and presents on Application Security topics at major Information Security conferences such as DerbyCon, ShmooCon, Black Hat and SANS.


Christopher Maddalena - POP POP RETN ; An Introduction to Writing Win32 Shellcode
3:00 pm - 3:50 pm

If you have ever worked with an exploit or Metasploit, you have probably used shellcode, but do you know how it is made? This talk has been designed to walk you through the ins and outs of basic shellcode, with a focus on Windows and the x86 architecture. There will be a review of the basic computer science behind shellcode, a look under the hood of msfvenom works and how you can recreate msfvenom's shellcode in Assembly, and then a walkthrough and a demo of how you can create a custom connectback stager using Assembly.

Chris Maddalena is a Michigan-area security consultant who specializes in red teaming. Chris is involved with penetration testing, physical security, phishing, and on-site social engineering. He is also active in tool development, specifically in the areas of recon and phishing, and has released several publicly on GitHub. Chris is heavily involved with the Michigan security group, #misec, where he manages the "misecgroup" YouTube channel to make recordings of local presentations and workshops available to the community.


Jim Nitterauer - What A Long Strange Trip It’s Been
4:00 pm - 4:50 pm

"Every day we are bombarded with news from every direction warning of impending doom for those connected to the thing we call the Internet. The InfoSec community banters about the Twitters discussing, dissecting and dissing those upon whom misfortune has fallen while forgetting that they too might one day suffer the same fate. George Santayana said “Those who cannot remember the past are condemned to repeat it.” Many in the community are far too young, have far too little history under their belts and spend little time understanding the path we all took to get to where we are today.

This talk relates the path I’ve taken from a being a degreed Biologist and Microbiologist through starting several Internet services companies to my current position. I’ll relate my failures and successes during that journey to the state of tech at that point in time examining common practices of the day that now seem ludicrous by today’s standards. The goal will be to help everyone learn some history from someone who has been there so that we might start using that knowledge as a lens to help us better understand the current state of our industry and make better decisions moving forward. After all, what we view as standard, prudent and cutting edge today might not appear that way to those who come after us. Seeing where we have once been might help us really appreciate how far we have come!

Come join me in a twenty plus year trip down memory lane. "

Currently a Senior Security Specialist at AppRiver, LLC., his team is responsible for global network deployments and manages the SecureSurf global DNS infrastructure and SecureTide global spam & virus filtering infrastructure as well as all internal applications. They also manage security operations for the entire company. He holds a CISSP certification. He is also well-versed in ethical hacking and penetration testing techniques and has been involved in technology for more than 20 years. Jim has presented at NolaCon, ITEN WIRED, BSides Las Vegas, BSides Atlanta, CircleCityCon, DEF CON (2017) and several smaller conferences. He regularly attends national security conferences and is passionate about conveying the importance of developing, implementing and maintaining security policies for organizations. His talks convey unique and practical techniques that help attendees harden their security in practical and easy-to-deploy ways. Jim is a senior staff member with BSides Las Vegas, a member of the ITEN WIRED Planning Committee and the president of the Florida Panhandle (ISC)2 Chapter. When not at the computer, Jim can be found working out, playing guitar, traveling or just relaxing with an adult beverage.


Joff Thyer, Pete Petersen - Game On! Using Red Team to Rapidly Evolve Your Defenses
5:00 pm - 5:50 pm

"This talk will be an enjoyable conversation with good beer, great bourbon, and terrific friends who are reliving the journey of infosec maturity from the perspective of both a penetration testing company and their client over a three year period. Details of various engagements will be discussed along with post-mortem analysis, lessons learned, as well as resulting mitigation tactics and defensive strategies. We will discuss the outcomes at each stage of rendered service and how both client and vendor adjusted their approach to re-engage again and again. The engagement culminates in Red Team exercises that clearly demonstrate the infosec evolution of the client. The talk will leave the defensive audience with a sense of hope, a list of achievable goals, and several tactics. The red team with get a glimpse into the maw of the blue future and the value of their tradecraft. Special brief guest appearances and commentary are expected from others in the community that assisted the client along the way as well. "

Joff has over 15 years of experience in the IT industry in roles such as enterprise network architect and network security defender. He has experience with intrusion detection and prevention systems, penetration testing, engineering network infrastructure defense, and software development. Joff’s role at Black Hills spans anything from software development, to security research and penetration testing. Joff is a SANS instructor for SEC573, and also is a co-host on the Security Weekly podcast.


Joshua Corman, Christian Dameff MD MS, Jeff Tully MD, Beau Woods - Anatomy of a Medical Device Hack- Doctors vs. Hackers in a Clinical Simulation Cage Match
6:00 pm - 6:50 pm

"In the near future, a crisis unfolds at a hospital: patients on automated drug infusion machines overdose, hacked insulin pumps lead to car crashes, and internal defibrillators flatline weakened hearts. Clinical staff are unprepared and ill equipped to treat these complications, as they are all unaware of the true culprits behind the crisis. A state of emergency is declared, the public demands answers, and policymakers scramble to preserve national trust.

This was the scenario that played out in first-of-their-kind clinical simulations carried out in June, and the results were scary yet unsurprising: health care cybersecurity is in critical condition.

It’s been a long four years since the guiding ideals and message of The Cavalry was tempered from the forge that was the first Hacker Constitutional Congress (hosted in these very halls at DerbyCon 3). The battle continues to ensure that technologies capable of impacting public safety and human life remain worthy of our trust, and no battlefield looms larger than the healthcare space.

Despite important steps toward change- from the Hippocratic Oath for Connected Medical Devices to the just-published Health Care Industry Cybersecurity Task Force Report- recent events remind us that the dual pillars of healthcare technology- patient facing medical devices and the infrastructure that supports clinical practice- remain as vulnerable and exposed as ever.

Join Josh Corman and Beau Woods of I am The Cavalry as they team up with Christian Dameff, MD, and Jeff Tully, MD- two “white coat hackers” working to save patient lives at the bedside- to share lessons learned from the world’s first ever clinical simulations of patients threatened by hacked medical devices.

By bringing the technical work done by security researchers you know and love to life and demonstrating the profound impact to patient physiology from compromised devices, these life-like simulations provide a powerful avenue to engage with stakeholder groups including clinicians and policymakers, and may represent the new standard for hackers looking to demonstrate the true impact and importance of their biomedical work."

Joshua Corman is the director of the Cyber Statecraft Initiative at the Atlantic Council’s Brent Scowcroft Center and a founder of I am The Cavalry (dot org). Corman previously served as CTO for Sonatype, director of security intelligence for Akamai, and in senior research and strategy roles for The 451 Group and IBM Internet Security Systems. He co-founded @RuggedSoftware and @IamTheCavalry to encourage new security approaches in response to the world’s increasing dependence on digital infrastructure. Josh’s unique approach to security in the context of human factors, adversary motivations, and social impact has helped position him as one of the most trusted names in security. He recently served on the 2016 HHS Cybersecurity Task Force and is a co-founder of the CyberMed Summit, a first of its kind event featuring the world’s first ever clinical simulations of patients threatened by hacked medical devices. Christian Dameff MD, MS is an emergency medicine physician, hacker, and researcher. Published works include topics such as therapeutic hypothermia after cardiac arrest, novel drug targets for myocardial infarction patients, and other Emergency Medicine related works with an emphasis on CPR optimization. Security research topics include hacking critical healthcare infrastructure and medical devices. Together with his research partner Dr. Jeff Tully, Christian developed the world’s first ever clinical simulations of patients threatened by hacked medical devices. Jeff Tully MD is an anesthesiologist, pediatrician, and researcher with an interest in understanding the ever-growing intersections between health care and technology. Prior to medical school he worked on “hacking” the genetic code of Salmonella bacteria to create anti-cancer tools, and throughout medical training has remained involved in the conversations and projects that will secure healthcare and protect patients as we face a brave new world of remote care, implantable medical devices, and biohacking. Together with his research partner Dr. Christian Dameff, Jeff developed the world’s first ever clinical simulations of patients threatened by hacked medical devices. Beau Woods is the deputy director of the Cyber Statecraft Initiative at the Atlantic Council’s Brent Scowcroft Center, as well as a key member of the I Am the Cavalry initiative. He is also a co-founder of the CyberMed Summit, a first of its kind event featuring the world’s first ever clinical simulations of patients threatened by hacked medical devices. Beau started his career working at a regional health provider, protecting patients by defending medical data and devices. His focus is on the intersection of cybersecurity and the human condition, primarily around Cyber Safety.

Joshua Corman- @joshcorman
Christian Dameff- @cdameffmd
Jeff Tully- @jefftullymd
Beau Woods- @beauwoods

Track 4 - Three Way
Track 4 - Three Way
Robert Simmons - Advanced Threat Hunting
9:00 am - 9:50 am

"Many threat intelligence teams are small and must make limited resources work in the most efficient way possible. The data these teams rely on may be quite high volume and potentially low signal to noise ratio. The tools used to collect and exploit this data have finite resources and must be leveraged at the highest utilization possible. Additionally, these tools must be applied to the most valuable data first.

This talk presents a process that your team can implement to make your threat and malware hunting more efficient. The core of this process uses YARA rules to process files from an arbitrary source in volume. From that core, it covers methods of prioritizing the output of the rules based on the team’s priority and the confidence in the quality of the rules. Using this process, files are submitted to sandboxes for automated analysis. The output of each of these systems is then parsed for certain qualities that would increase or decrease the value of the information to the team. Attendees will take away not only a solid process that they can implement in their own organizations, but also a list of gotchas and problems that they should avoid."

Robert Simmons is Director of Research Innovation at ThreatConnect, Inc. With an expertise in building automated malware analysis systems based on open source tools, he has been tracking malware and phishing attacks and picking them apart for years. Robert has spoken on malware analysis at many of the top security conferences including DEFCON, HOPE, and DerbyCon among others. Robert, also known as Utkonos, has a background in biology, linguistics, and Russian area studies. He has lived extensively in Russia and Ukraine and has been known to swear profusely and constantly in Russian.


Rod Soto, Joseph Zadeh - CHIRON - Home based ML IDS
10:00 am - 10:50 am

"CHIRON is an open source python based Machine Learning framework that applies security analytics to home network traffic and for dynamic learning of indicators of external threats and other potential malicious activity. The tool continuously monitors network traffic and applies machine learning techniques for adaptive discovery and baselining of a small user population. Initial use cases in v1.0 include:

- Identification of assets in home network (IoTs, Workstations, Laptops, Servers, routers)

- Fingerprints users, services, and protocols

- Applies analytics to users and devices (Average session length, Traffic, Visited sites) to determine standard usage behavior and service profiles

CHIRON framework will then perform dynamic analysis that will provide users with the following

-- High risk domains, assets, users

-- Usage per asset and user

-- Social media usage

-- Malicious file downloads

-- Data usage (Cloud Services)

Chiron will provide users with indicator of high risk assets, users and visited sites as well as identification of malicious sites and payloads. The goal of Chiron is to provide detection of threats using behavioral machine learning techniques. This provide users with a free lightweight open source tool that does not depend on static commercial signatures. CHIRON can run on Security Onion Linux distribution, it uses BRO IDS framework to process network traffic and does not need production hardware in order to be deployed. The more storage space allocated to underlying log data will provide with greater visibility"

Rod Soto has over 15 years of experience in information technology and security. Currently working as a Director of Security Research at JASK.AI. He has spoken at ISSA, ISC2, OWASP, DEFCON, Black Hat, RSA, Hackmiami, Bsides and also been featured in Rolling Stone Magazine, Pentest Magazine, Univision and CNN. Rod Soto was the winner of the 2012 BlackHat Las vegas CTF competition and is the founder and lead developer of the Kommand && KonTroll competitive hacking Tournament series. Joseph Zadeh studied mathematics in college and received a BS from University California, Riverside and an MS and PhD from Purdue University. While in college, he worked in a Network Operation Center focused on security and network performance baselines and during that time he spoke at DEFCON and Torcon security conferences. Most recently he joined JASK.AI as Chief Data Scientist. Previously, Joseph was part of Splunk UBA and the data science consulting team at Greenplum/Pivotal helping focused on Cyber Security analytics and also part of Kaiser Permanentes first Cyber Security R&D team.


11:00 am - 12:00 pm

Casey Smith, Keith McCammon - Blue Team Keeping Tempo with Offense
12:00 pm - 12:50 pm

"Red: Forgot about slinging binaries, and set aside Powershell. What does it take to level attacks against an enterprises that take a positive approach to endpoint telemetry and security: application whitelisting, exploit mitigation, virtualization-based security?
Blue: Forget about static indicators, and assume that even the most clever patterns of attack depend on awareness of a specific technique (albeit not a specific implementation). What does it take to build a defensive strategy that assumes as little as possible, favoring suppression of the good over alerting to the bad?"

We have ground truth on tracing adversaries and their tactics.


Matthew Verrette - Data Mining Wireless Survey Data with ELK
1:00 pm - 1:50 pm

Over the past few years the community has talked about collecting wireless signals, but there has been very little on analyzing this data. Using the ELK stack I’d like to data mine wireless survey and sensor data, to see what patterns emerge.

Matthew spent 9 years in the United States Marine Corps working as a communications operator. Since leaving the Marine Corps in 2008, he has spent his time as an Intrusion Detection and Threat Analyst, Penetration Tester and general security consultant. Most recently he has realized he can’t do and is now teaching specialized security courses.


Kevin Finisterre - How to KickStart a Drone JailBreaking Scene
2:00 pm - 2:50 pm

Jailbreaking is fairly common place in the various market verticals for modern technology. The internet of things has brought us many devices ripe for exploitation. The consumer drone market is no different. In this talk Kevin Finisterre will walk the audience through birthing a community of rooters, jailbreakers, modders and tweakers of DJI consumer drone hardware.

Kevin works as a drone mitigation subject matter expert for Department 13's MESMER counter UAS team. He prides himself in dissemination of information relating to software vulnerability, and the risks associated with vulnerable code.

Jim McMurry, Lee Neely, Chelle Clements - Web Application testing - approach and cheating to win
3:00 pm - 3:50 pm

As security professionals we are often called upon to assess the security of web delivered applications and/or services. Not all of us have either experience or a methodology for responding to this type of assessment request. Web based applications and services are the key technologies behind modern service delivery. And their security, or lack thereof, can make or break a company. We will lay out an approach to follow including tools to help with the assessment throughout each step of the process. We will discuss free and commercial products that can assist the assessment process. The user will leave with information they can take back to their home organization to serve as a foundation for either an ad-hoc or ongoing capability.

"Jim McMurry is an accomplished Technologist with an entrepreneurial mindset with over 23 years of combined experience in Security, Information Technology, Telecommunication, Networking, Management and Software development. Jim's varied experience in network security, military projects, IT and high-tech arenas, with startups through Fortune 1000 companies, provides him with a unique set of tools as he grows Milton Security. He volunteers for numerous charities, and supports Veterans through the Milton Veteran Hiring program.

Lee Neely is a senior IT and security professional at Lawrence Livermore National Laboratory with over 25 years of extensive experience with a wide variety of technology and applications from point implementations to enterprise solutions. He currently leads LLNL’s Entrust team and is the CSP lead for new technology adoption specializing in mobility. He teaches cyber security courses, and holds several security certifications including GMOB, GPEN, GWAPT, GAWN, CISSP, CISA, CISM and CRISC. He is also the Technology Director for the ISC2 Eastbay Chapter.

Chelle Clements has been associated with computer science and cyber security for over 20 years. She has an AAS in Environmental Science from Northern Virginia Community College, and a BS and an MS in Information Systems Management from University of San Francisco. She is an Army Veteran, one of the first women in the Corps of Engineers (she has some great stories!). She spent 30-years at Lawrence Livermore National Lab as a researcher in three different fields (chemistry, physics and computer science) and also as a community outreach volunteer. She currently supports several Veteran causes with pro bono web development (such as East Bay Stand Down) and serves on her city’s art commission."

Jim - @jmcmurry
Lee - @lelandneely

Mark Loveless - When IoT Research Matters
4:00 pm - 4:50 pm

Most IoT research involves low hanging fruit and kitchen appliances. But what happens when the tech you are researching is changing a niche industry, or creating one? This involves a little deeper dive. This talk illustrates some basic concepts and includes some tips on how to make that dive slightly deeper, with examples of hacking tool usage, going above and beyond with a vendor during disclosure, and creating realistic attack scenarios without coming across as mere stunt hacking.

Mark Loveless aka Simple Nomad has worked for software and hardware vendors in the security space, as well as in IT and security for large Fortune 500 companies. He has spoken at numerous security conferences worldwide including Defcon, Blackhat, Shmoocon, RSA, and has been quoted for his security and privacy views via numerous online, print, and television media outlets including Wired, Washington Post, CNN, and many others. He has seen ghosts and two UFOs, but otherwise appears normal.


Mike Saunders - I want my EIP
5:00 pm - 5:50 pm

When I started learning buffer overflows, I thought it was something everybody else already knew. But the reality is, there are lots of us, just like me, who want to know more but are either overwhelmed by the idea that buffer overflows are beyond their capabilities or just don’t know where to get started. This is a 101-level talk; we’ll talk about how a buffer overflow works, how to fuzz an app to identify an overflow opportunity, and how to create a simple overflow that will result in a compromise of a target system. If you can already smash the stack, spray the heap, and write ROP chains in your sleep, this isn’t the talk for you. If you want to learn more about how simple buffer overflows work and how to write them, this talk is for you. When you leave, you will have the information necessary to help you write your first overflow when you walk out the door.

Mike Saunders' love of IT started in the third grade when he discovered he could view the code of BASIC programs on an Apple ][e. Mike now performs penetration testing and vulnerability assessments for a multinational agribusiness corporation. He has held many information technology and IT security positions, including developer, network administrator, system administrator, security architect and security incident handler. Mike holds the OSCP, ISC2 CISSP, and GIAC GPEN, GWAPT, GMOB, and GCIH certifications. When he is not at work, he is an avid kayak fisherman and member of a local horn rock band.


Event Setup
6:00 pm - 6:50 pm

talk title and description TBD

Stable Talks
Stable Talks
Jenny Maresca - Personalities disorders in the infosec community
9:00 am - 9:25 am

Understanding the interpersonal relationships that develope in the community and how to identify traits in people to understand how a disorder affects their interactions with others

I hack none of the things and check facebook


Jason Morrow - Purple team FAIL!
9:30 am - 9:55 am

What went wrong with the introduction of a red team discipline into fortune 1 and how the teams came together to course correct. The result has been a successful purple team that has driven the security posture forward at the world’s leading retailer. This will cover some basic do's and don'ts along with new rules of engagement when integrating blue and red.

Jason Morrow is responsible for leading real time threat identification and remediation for Walmart, it’s subsidiaries’ and acquisitions’ networks. Additional responsibilities include the creation of custom cybersecurity detection mechanisms and security data analytics for those global networks. He holds PMP, GSEC, GISP, GCIH, GMON, Network+, A+, and former holder of CCNA and CCSP certifications. Jason has presented cyber defense tactics at multiple universities and National Cybersecurity Collegiate Defense Competition (NCCDC)


Ryan Elkins - Architecture at Scale – Save time. Reduce spend. Increase security.
10:00 am - 10:25 am

An effective security architecture program must establish a framework to correlate security between operations, development, and the business. It must be agile to support devops, visionary to support strategy, and reasonable to support adoption. This talk will detail the building blocks required to develop and implement an architecture program that will output artifacts for technical engineers through executive leadership. The automated framework will identify technology overlap, highlight unbalanced spend, and measure the maturity of security control domains. Upon completion of the talk, an architecture tool will be released to support and automate the correlation of the architectural components, leading to continual security program maturity.

Ryan Elkins is the director of cloud and application security architecture at Eli Lilly and has over 10 years of security experience across the financial, insurance, and pharmaceutical industries. Elkins has extensive experience with application and cloud security, penetration testing, monitoring and incident response, program leadership, and enterprise architecture. Elkins holds the CISSP and CCSP certifications and has a master’s degree in Information Security from Nova Southeastern University.


Justin Herman - Building a full size CNC for under $500
10:30 am - 10:55 am

Everyone wishes it was easier to take an idea and make it into physical form. In this talk I will go over the methods I used to create a full sized 4x8 CNC for less than $500. I will show you the locations to get parts along with steps used to construct it. Come and learn how you can DIY make a machine with the smallest footprint, a large workspace, all for under $500.

Justin Herman is an organizer of BSides Cleveland, a board member of the NorthEastern Ohio Information Security Forum (NEOISF) and a active participant of Cleveland Locksport. He lives in Akron, OH with wife Anna-Jeannine and their son.


11:00 am - 12:00 pm

Spencer J McIntyre - Python Static Analysis
12:00 pm - 12:25 pm

"Python is a popular language and that is true as well within the Security industry. This talk will outline how Python code can be statically analyzed using publicly available tools such as bandit. It will then take a more technical approach and outline how the abstract syntax tree (AST) can be processed and searched based on behavior clues to identify potential security issues. Many security tools search for vulnerabilities by analyzing the contents of static strings and examining their variable names. This alternative approach instead demonstrates how the AST can be analyzed to identify pieces of sensitive information such as encryption keys and passwords based on matching them with usage patterns.

This will be a technical talk focused on using automated techniques to find security vulnerabilities in Python projects. The audience will leave with an understanding of these techniques and how they can be applied to the projects they are either developing themselves or using in their daily routines. This talk will end with a live demonstration of a forked version of the public Bandit scanner where these techniques have been implemented."

As a member of the Research and Development team at SecureState, Spencer McIntyre works to discover vulnerabilities within organizations systems and understand the underlying risks. Mr. McIntyre balances his focus between vulnerability and in-house tool development. During his time with SecureState, Mr. McIntyre has worked with a variety of clients across multiple industries, giving him experience in how each secures their data and the threats that they encounter. Mr. McIntyre uses his background in software development to help him to understand and exploit the underlying logic in the software he encounters. He is active in the open source community, making multiple contributions to a variety of projects such as the Metasploit Framework.


Jonathan Echavarria, David E. Switzer - The Trap House
12:30 pm - 12:55 pm

Jonathan Echavarria, David E. Switzer - The Trap House: Making your house as paranoid as you are.

Home automation and IoT is all the rage, but once you have your thermostat automated, what is next? How can you leverage your automated home for active defense and gain some situational awareness, both inside and out? Much research has been done on the security of IoT devices, and this talk looks into how to use IoT (and possibly their insecurities) for your home security, while keeping costs down.

Jonathan Echavarria has over half a decade of experience in the Information security industry. His primary interests include adversary emulation, reverse engineering, and good old fashioned breaking into networks. Currently, he works as a Red Team Operator while performing security research in his spare time. He holds a number of industry certifications including OSCE, OSCP and CEH. David Switzer is a red team operator who has 20+ years of experience in systems and network security. Some alphabet Soup: GSE #136, G[cia|cih|awn|sec|stuff]), OSCE, CISSP and ITILv3 (I keep it gangsta). His obsessions/amusements include RF, wireless networks, hardware hacking, and other expensive time sinks. Jonathan and David work at ReliaQuest in Tampa, Florida, a leading co-management security provider.


Joe Desimone - Hunting for Memory-Resident Malware
1:00 pm - 1:25 pm

Once a staple of nation state level adversaries, memory-resident malware techniques have become ubiquitous even for lowly criminal activity. With their ability to evade endpoint protection products, it is critical for defenders to understand and defend against these techniques. In this talk, I will describe both common and advanced stealth malware techniques which evade today’s hunt tools and methodologies. Attendees will learn about adversary stealth and understand ways to detect some of these methods. New code for rapidly hunting for these techniques across your enterprise will be released.

Joe Desimone is a Senior Malware Researcher at Endgame. He has over 5 years of experience in the information security industry, primarily tracking and countering APTs, reverse engineering malware, and developing novel techniques and tools to empower hunt teams. Joe holds a BS and MS in Computer Security from RIT.


Justin Wilson - C2 Channels - Creative Evasion
1:30 pm - 1:55 pm

Shining light on new ways attackers are being creative with C2 channels.

I am 26 years old, 15 years unprofessional experience in cyber security and currently working as a Cyber Intelligence Analyst at United Parcel Services.

Kevin Gennuso - Reaching Across the Isle: Improving Security Through Partnership
2:00 pm - 2:25 pm

Information security has been a challenge since the dawn of computer networking. Improving the situation requires coordination and cooperation, not an adversarial stance between The Business, Security and IT. The answer isn't more endpoint agents, blinky boxes, or vendor pitches. The answer lies in partnering with all teams with a common purpose: improved security.

Kevin is an infosec greybeard who has helped secure various Pittsburgh-based companies for nearly 20 years. As someone who has learned everything from the infosec community, he strives to give back through mentoring and presenting to anyone enthused enough to listen.


Lsly - Out With the Old, In With the GNU
2:30 pm - 2:55 pm

In our field and related subsections, we typically don’t learn from scratch. Instead, we learn from those who have been around longer — through books, online resources, and person-to-person training. That said, when is “tribal knowledge” harmful? Can we improve (or remove) commands we use for a single purpose for something better? Why do people confine their use of `awk` when it can be as flush as Perl? This talk will review some simple ways we can streamline command line, by stripping down to the bare essentials. Most examples will be in Linux, however there will be other systems to explore.

Lsly is a Penetration Tester, perpetual Linux sysadmin, and multi-platform gamer. She’s part of the organizing staff at Nolacon and volunteers elsewhere — giving back to her infosec family. Lsly is hungry to learn and is now working on the OT staples of ICS/SCADA. Typically you’ll find her scoping out WAPs, wiggling ATM card readers, and hiding in a corner with music, a 3DS, and CTFs.


Matt Hastings, Dave Hull - Tracing Adversaries: Detecting Attacks with ETW
3:00 pm - 3:25 pm

Event Tracing for Windows (ETW) is a powerful debugging and system telemetry feature that's been available since Windows 2000, but greatly expanded in recent years. Modern versions of Windows offer hundreds of ETW providers that are a veritable treasure trove of forensic data. This talk will take a fresh look at operationalizing ETW to combat contemporary intrusion methodologies and tradecraft. We'll walk through real world examples, covering both common malware behaviors and stealthy attacks that "live off the land", and demonstrate how to effectively utilize key ETW providers to detect and respond to these techniques.

First inspired by David Lightman, Dave Hull has been working with computers for most of his life. Professionally, he's been chasing hackers for more than a decade. He's an engineer at Tanium, writing code to extend and enhance the IR capabilities of the platform. Prior to Tanium, he was the technical lead for IR in Microsoft's Office 365. He contributes to open source projects and has created a number of open source IR tools including Kansa, a modular framework for IR written in PowerShell. Hull has presented at a number of security conferences including SecTOR, the SANS DFIR Summit, SecKC and BSides. Matt Hastings has been the majority of his career in varies incident response roles. Currently he is a director at Tanium, responsible for their Endpoint Detection and Response products. Previously, Matt worked as a consultant doing anything people would pay money for, but mostly that included enterprise-wide incident response, financial crime investigations and penetration testing. Matt has previously presented at other industry conferences such as: Black Hat, Defcon, BSides, and BruCon.

Matt - @_mhastings_
Dave - @davehull

Sean Metcalf, Nick Carr - The Current State of Security, an Improv-spection
3:30 pm - 3:55 pm

"Think ""Whose Line is It Anyway"" meets InfoSec - don't expect to see many slides. This presentation is literally security theater (but this time in a good way).

Sean & Nick improv their way through several current challenges in securing networks and discuss ways to improve defenses. Audience participation is mandatory and suggest topics, categories, and wacky APT names from the mundane to the bizarre. From the moment the clock starts, Sean & Nick will do what many in our industry are accused of doing anyway: making things up as we go along! We know we can give some insight, hope to make it fun, and if we’re failing, we’ll revert to props!

The dynamic duo will wrap up the improv adventure with a handful of slides that highlight the best methods to defend against the current threats. These slides will summarize the useful information that Nick & Sean had subliminally been providing in between the props and ad hoc skits. Furthermore, the audience will walk away with some actionable tasks to better secure their environment.

Suggested audience: skeptics, people a few beers deep, and anyone who wants a different take on the standard infosec talk while still learning some solid methods to protect against modern attacks."

Sean Metcalf is founder and principal consultant at Trimarc Security, LLC (, which focuses on mitigating, detecting, and when possible, preventing modern attack techniques. He is one of about 100 people in the world who holds the Microsoft Certified Master Directory Services (MCM) certification, is a Microsoft MVP, and has presented on Active Directory attack and defense at BSides, Shakacon, Black Hat, DEF CON, and DerbyCon security conferences. Sean has provided Active Directory and security expertise to government, corporate, and educational entities since Active Directory was released. He currently provides security consulting services to customers and regularly posts interesting Active Directory security information on his blog, Follow him on Twitter @PyroTek3 Nick Carr is a senior manager of security consulting and incident response at Mandiant. Nick provides expertise as a technical investigative lead and crisis manager for large-scale intrusions. He is also responsible for several monitoring and detection initiatives within Mandiant and implementing attacker methodology detection at FireEye. Prior to joining Mandiant, Nick served as Chief of Technical Analysis and incident response team lead for DHS ICS-CERT, focusing on SCADA systems and critical infrastructure cyber attack readiness and response. A computer engineer and graduate from the Naval Postgraduate School’s Cyber Operations program, Nick has spent his career in computer security, network analysis, and intelligence roles in the U.S. Government and private industry.

Sean Metcalf - @PyroTek3
Nick Carr - @ItsReallyNick

Matthew Perry - I Survived Ransomware . . . TWICE
4:00 pm - 4:25 pm

"In this talk, Matt will describe what happened at the law firm where he works and the steps he took to solve the problem and prevent it from happening again. Matt will cover how to create a layered prevention plan and a disaster recovery plan, including insurance if all else fails."

Matthew Perry has spent more than thirty years providing litigation support, network administration, and investigative services inside a prominent local law firm.Though Matt refers to himself as an “old school” technologist and a “simple man,” those who encounter him learn not to underestimate his capabilities


Michael Collins - Drone Delivered Attack Platform (DDAP)
4:30 pm - 4:55 pm

"The day the chickens moved into the coop I knew there was going to be trouble. I had no idea the extent of the problem, until one day I realized that they were building a rogue network inside of the coop. This was partially my fault for providing power to the coop in the first place, but I definitely underestimated their capabilities. What kind of evil were they plotting? I could try to hack into their wireless network, but they had good physical security so getting in close proximity to their location was going to be a problem.

What I settled on was using a drone to deliver a hacking drop kit to the chicken coop. The goal is to build the complete kit with low cost, readily available parts, so that if the chickens capture the drone or it is otherwise compromised, we are not out a ton of money. It should have sufficient battery to provide flight time to and from the target location, and sufficient compute time to do a reasonable amount of wireless hacking. We would use the drone to deliver our attack kit to the roof of the chicken coop and power off the rotors to preserve battery for our return flight. We would then use a Raspberry Pi with a wireless antenna to do the wireless hacking. Our platform could be accessed remotely over the cell network using something like TAP, and things that need more compute power like cracking hashes could be shipped offsite over the cell network. "

Michael Collins has over 20 years of experience in information security, primarily as an ethical hacker. He worked in consulting for 15 years at both Ernst & Young and Deloitte where he was responsible for conducting penetration testing for a wide variety of companies including financial services, energy, manufacturing and government clients. Michael joined MasterCard in 2011 where he was responsible for performing security testing on MasterCard products and platforms. He recently worked on the security testing of MasterCard’s MDES platform, which supports mobile payment platforms such as Apple Pay and Google Wallet, as well as MasterCard's mobile wallet solution.


Michael Flossman - Mobile APTs: A look at nation-state attacks and techniques
5:00 pm - 5:25 pm

Michael Flossman - Mobile APTs: A look at nation-state attacks and techniques for gathering intelligence from military and civilian devices

As we increasingly rely on mobile devices to create, access, and modify sensitive information, sophisticated nation-state actors such as Russia, Israel, and the U.S. are being forced to expand their traditionally desktop focussed toolsets to now include a mobile surveillanceware capability. This talk will dive into mobile APTs, the nation-state actors leveraging them, and the commonalities and differentiators they share. We will specifically discuss the families ViperRAT and FrozenCell, two bespoke Android surveillanceware tools. One is being deployed against Palestinian individuals and organizations in conjunction with a desktop component, while the other has been seen in targeted attacks against Israeli Defense Forces personnel. Our unique insight into attacker infrastructure allows us to see how widely deployed these tools are and what information has been exfiltrated from compromised devices. The internals of these tools, their capabilities, command and control infrastructure, and their ability to successfully retrieve intelligence from compromised devices will be presented.

Michael is a security analyst at Lookout where he works on reverse engineering sophisticated mobile threats while tracking their evolution, the campaigns they are used in, and the actors behind them. He has hands-on experience in vulnerability research, incident response, security assessments, pen-testing, reverse engineering and the prototyping of automated analysis solutions. When not analyzing malware there’s a good chance he’s off snowboarding, diving, or looking for flaws in popular mobile apps.

Michael George - MacOS host monitoring - the open source way
5:30 pm - 5:55 pm

MacOS host monitoring - the open source way, I will talk about a example piece of malware(Handbrake/Proton) and how you can use open source tooling detection tooling to do detection and light forensics. Since I will be talking about the handbrake malware, I will also be sharing some of the TTPs the malware used if you want to find this activity in your fleet.

Dropbox - Security Engineer. I work on the Incident Response team at Dropbox. I primarily work on host-based detection systems.

Nyxgeek - Statistics on 100 million secrets: A look at recent password dumps
6:00 pm - 6:25 pm

nyxgeek - Statistics on 100 million secrets: A look at recent password dumps.

People often choose passwords assuming that nobody else will ever see them. This talk examines some of the common, odd, and interesting passwords found while examining recent password dumps. What's YOUR secret?


Patrick Coble - Hacking VDI, Recon and Attack Methods
6:30 pm - 6:55 pm

VDI Deployments are in over 90% of all the Fortune 1000 companies and are used in almost all industry verticals, but are they secure? The goal of most VDI deployments is to centrally deliver applications and/or desktops to users internally and externally, but in many cases their basic security recommendations haven’t fully deployed, allowing an attacker to gain access. This talk will review the basic design of the top two solution providers, Citrix and VMware. We will go over these solutions strengths and weaknesses and learn how to quickly identify server roles and pivot. We will also examine all the major attack points and their defensive counters. If you or if you have a client that has a VDI Deployment you don’t want to miss this talk.

Patrick Coble is an independent EUC and Security Consultant working around Nashville, TN. Patrick has worked in IT for 18 years and as a consultant for over 9 years. He is a recognized expert in Virtualization, EUC solutions and Security. He has deployed hundreds of VDI deployments using both Citrix and VMware solutions all over the southeast. Patrick is working to expose and close the gaps in VDI solutions when it comes to security. He helps with Red and Blue teams to gain access and secure VDI deployments.


Russ McRee - DFIR Redefined
7:00 pm - 7:25 pm

Those of us who operate within the constructs of digital forensics and incident response understand the nuances of the related acronym (DFIR) intimately. This presentation will offer insight on a slightly different take on DFIR using R, the open source programming language and software environment for statistical computing and graphics. Forensics and incident response both suffer from, and can benefit from, the data explosion. That said, modern DFIR programs are obligated to embrace and attempt to master security data science. Doing so effectively can lead to vastly improved visualization, and behavioral analysis. We'll discuss such opportunities and provide an overview of some basic tools, tactics and procedures to get you started. Code examples will be included and shared for practice and exploration.

Russ McRee is Group Program Manager of the Blue Team for Microsoft’s Windows & Devices Group (WDG). He writes toolsmith, a monthly column for information security practitioners, and has written for other publications including Information Security, (IN)SECURE, SysAdmin, and Linux Magazine. Russ has spoken at events such as DEFCON, Derby Con, BlueHat, Black Hat, SANSFIRE, RSA, and is a SANS Internet Storm Center handler. He serves as a joint forces operator and planner on behalf of Washington Military Department’s cyber and emergency management missions. Russ advocates for a holistic approach to the practice of information assurance as represented by


Stable Talks