Track 1
Ham Radio 4 Hackers
10:00 am - 10:50 am

Eric Watkins, Devin Noel

An introduction to the basics of Radio Frequency (RF): why it's important to get licensed, better understand RF, and be able to legally transmit. We'll address how ham radio is relevant to hackers in the modern Software Defined Radio era. We'll have a live DEMO with audience participation; please bring your RTL-SDR and an OTG dongle so you can try out decoding an RF signal using your mobile device.

Eric Watkins: KR0VER - is a security architect who is interested in hacking all things RF. Devin Noel: N7HKR - is a security engineer who enjoys hacking and doing other cool things with technology.

Getting Control of Your Vendors Before They Take You Down
11:00 am - 11:50 am

Dan Browder

With cloud services now a normal part of business, how does your organization handle being at fault when one of your third parties is breached? Properly vetting vendors and third parties is increasingly important to minimize the likelihood of that happening. We’ll explore the current and future state of third party risk management including: how to squeeze vendors for information they might not want to give you, what to do if you are the service provider getting questions, and how to plan for a breach of your information from a third party.

Currently an InfoSec director with a focus on incident response, awareness, and vendor risk, Dan has been traversing tracts of technology for over 20 years. After dabbling in diversions from design to development, Dan settled into scrutinizing suspect security standards. Aside from alliteration, Dan enjoys spending time with his family, building & breaking things.


Cyber Intelligence: There Are No Rules, and No Certainties
12:00 pm - 12:50 pm

Coleman Kane

We've built an intelligence-driven security operations program over the years, and would like to impart our wisdom to the security community. There's a lot of formalization and "best practices" out there, but oftentimes we learn that these can be quite unwieldy. I will communicate what we've learned in building a cyber intelligence program with the backdrop of a lot of information available on the subject. At the end of the talk, hopefully you will come away thinking about cyber intelligence in terms of some simple components you can start with, and build from, to gradually evolve into a business-focused operation for your team.

Coleman Kane is the Principal Technologist for GE Aviation's security operations team in Cincinnati. He built the Cyber Intelligence program from the ground up, as well as working on teams developing sensoring and malware analysis platforms for the company. Coleman currently teaches cyber security courses as a Ph.D. candidate at the University of Cincinnati.


Getting Started in CCDC
1:00 pm - 1:50 pm

Russell Nielsen

In my talk, I will be covering how to set up a test environment, what systems you can and should use and how to run your practices. Also, I will be sharing my experiences in competing in CCDC, lessons learned and tools we used that helped us out.

I have been working in the field for about 5 years now as an IT Security Manager and also do a little consulting on the side. I have a BS in Cybersecurity and Security+, and am currently working on my CISSP. In school I was the Windows lead on our CCDC team. In CCDC I helped to set up the practice environment and run the practices. Our team competed in the Pacific-Rim region and also in Nationals.

Changing Our Mindset From Technical To Psychological Defenses
2:00 pm - 2:50 pm

Andrew Kalat

The majority of our Information Security defensive mindset is structured around technical weaknesses and issues. Yet, the adversary is increasingly turning to weaknesses in human psychology to breach our organizations and IT systems. This talk will explore the many examples of that shift in attack approach, how we in IT are not yet fully embracing this change, and recommendations on how we can start to deal with this new reality of Infosec Defense.

Andrew Kalat is a Sr. Manager of Information Security at USBank and co-host of the Defensive Security Podcast. Andrew is a 20-year veteran of the security industry, working in diverse roles such as architect, sales engineer, consultant, and management. He is also a private pilot, published author and avid photographer.


Closing Ceremony Setup
3:00 pm - 3:30 pm

Closing Ceremony
3:30 pm - 4:30 pm

Track 2
Two-Factor, Too Furious: Evading (and Protecting) Evolving MFA Schemes
10:00 am - 10:50 am

Austin Baker, Doug Bienstock

Multifactor authentication is often the first (and too often, the last) line of defense against motivated attackers trying to get access to sensitive data. While it is correctly hailed as a cornerstone of in-depth network defense, adoption rates are outpacing education about the real-world attack scenarios levied against MFA schemes every day. Here, we present an attempt at a modern threat model of MFA schemes today, with a breakdown of both classic and novel tools and techniques and what security teams responsible for enforcing MFA can do about it.

Austin Baker started his career in InfoSec learning the ways of Digital Forensics and Incident Response. Then, he learned it was way more fun learning to break things than how to put them back together. Since then, he's been a practicing Red Team member at Mandiant, helping secure organizations by pretending to be one of the bad guys. Doug Bienstock splits his time at Mandiant performing Incident Response and Red Team work. He uses lessons learned from IRs to better simulate attacker techniques and help organizations stay ahead of the bad guys.


IoT: Not Even Your Bed Is Safe
11:00 am - 11:50 am

Darby Mullen

During this talk we will discuss the tips, tools and techniques needed to identify and reverse engineer the command and control protocols required to remotely manipulate an industry leading “smart bed”. Starting with identifying the location of two rogue access points, the talk will discuss how to capture wireless frames and dissect them in Wireshark. After determining the protocol, the talk will demonstrate a custom Python tool for controlling multiple beds simultaneously. Additionally, the talk will deep dive into identifying the attack surface of the bed’s administrative interface, as well as describing privacy issues with the software.

A self-described developer, infosec nut, & Crossfit addict - Darby Mullen has worked on both the blue and the red sides of infosec, most recently running a team building a secure browsing platform.


Fingerprinting Encrypted Channels for Detection
12:00 pm - 12:50 pm

John Althouse

Last year we open sourced JA3, a method for fingerprinting client applications over TLS, and we saw that it was good. This year we tried fingerprinting the server side of the encrypted communication, and it's even better. Fingerprinting both ends of the channel creates a unique TLS communication fingerprint between client and server, making detection of TLS C2 channels exceedingly easy. I'll explain how in this talk. What about non-TLS encrypted channels? The same principle can be applied. I'll talk about fingerprinting SSH clients and servers and what we've observed in our research. Are those SSH clients what they say they are? Maybe not.

Detection Scientist, Bro NSM Enthusiast, PC Master Builder, BMW Track Instructor


How to put on a Con for Fun and (Non) Profit
1:00 pm - 1:50 pm

Benny Karnes, John Moore, Rick Hayes, Matt Perry, Bill Gardner, Justin Rogosky, Mike Fry, Steve Truax

Planning and running an InfoSec conference can be the most fun and rewarding time that you can have herding cats. The 304 Geeks have been mostly successfully running Hack3rcon for the last 9 years. In this talk we will share our perspective on how to build your organization and get started running your very own conference.

Benny Karnes is the most vocal member of the 304 Geeks (he talks a lot). As our resident CTF Geek, Benny builds and runs the servers for Hack3rcon. John Moore is a Crypto and Cypher expert; he also prints the programs for Hack3rcon. Rick Hayes is the most well-armed of the 304 Geeks, because, well yeah because. Matt Perry is the Designated Adult of the 304 Geeks and the resident Social Engineer that talks everyone else into doing his work. Professor Bill Gardner is in charge of all things Cyber. Justin Rogosky is a Gemini and likes holding hands on long walks on nude beaches (Hey that is not my hand). Mike Fry is the 304 Geeks resident web master and in charge of all the stuff the rest of us got tired of doing. Steve Truax is the newest member of the board and is in charge of bringing the donuts.

Benny - @kungfujo, John - @mournewind, Rick - @ragingotaku, Matt - @sirgurdWV, Bill - @oncee, Justin - @CptSexy, Mike - @MichaelDFry, Steve - @steventruax

Bypassing Port-Security In 2018: Defeating MacSEC and 802.1x-2010
2:00 pm - 2:50 pm

Gabriel Ryan

Existing techniques for bypassing wired port security are limited to attacking 802.1x-2004, which does not provide encryption or the ability to perform authentication on a packet-by-packet basis. The development of 802.1x-2010 mitigates these issues by using MacSEC to provide Layer 2 encryption and packet integrity checks to the protocol. Since MacSEC encrypts data on a hop-by-hop basis, it successfully protects against the bridge-based attacks pioneered by the likes of Steve Riley, Abb, and Alva Duckwall. In addition to the development of 802.1x-2010, improved 802.1x support by peripheral devices such as printers also poses a challenge to attackers. Gone are the days in which bypassing 802.1x was as simple as finding a printer and spoofing its address, as hardware manufacturers have gotten smarter. In this talk, we will introduce a novel technique for bypassing 802.1x-2010 by demonstrating how MacSEC fails when weak forms of EAP are used. Additionally, we will discuss how improved 802.1x support by peripheral devices does not necessarily translate to improved port-security due to the widespread use of weak EAP. Finally, we will consider how improvements to the Linux kernel have made bridge-based techniques easier to implement and demonstrate an alternative to using packet injection for network interaction. We have packaged each of these techniques and improvements into an open source tool called Silent Bridge, which we plan on releasing at the conference.

Gabriel Ryan is a penetration tester and researcher with a passion for wireless and infrastructure testing. He currently serves as a co-founder and principal security consultant for Digital Silence, a Denver-based consulting firm that specializes in impact driven penetration testing and red team engagements. Prior to joining Digital Silence, Gabriel worked as a penetration tester and researcher for Gotham Digital Silence, contributing heavily to their wireless security practice and regularly performing large scale infrastructure assessments and red teams for Fortune 500 companies. Some of Gabriel's most recent work includes the development of EAPHammer, an 802.11ac focused tool for breaching WPA2-EAP networks. On the side, he serves as a member of the BSides Las Vegas senior staff, coordinating wireless security for the event. In his spare time, he enjoys producing music, exploring the outdoors, and riding motorcycles.


Closing Ceremony Setup
3:00 pm - 3:30 pm

Closing Ceremony
3:30 pm - 4:30 pm

Track 3
Cloud Forensics: Putting The Bits Back Together
10:00 am - 10:50 am

Brandon Sherman

Cloud computing security response is no different to servers racked in a regular datacenter, except for a key difference: When a server is breached, and the need exists to perform a forensic evaluation of that server, the responder has no idea where, or what, that server is. The very first steps of imaging a disk need to be rethought in an environment where disks are of variable sizes and capabilities, and are only exposed via APIs. Many things which are taken for granted in the physical world are implementation details in the cloud. Recent product launches in AWS, such as the next-generation of EC2 instances which access EBS in a different manner, as well as bare-metal instances, have changed some of these implementation details, which potentially changes what an incident responder may encounter.

Brandon has been working with AWS infrastructure for four years and is a Senior Cloud Infrastructure engineer at Twilio, where the challenge of real-time cloud communications requires thinking about security in new and exciting ways. He wants to replace himself with microservices & APIs but until he manages to do that, you’ll find him teaching anyone who will listen that they can be a “security person” too.

Killsuit: The Equation Group's Swiss Army knife for persistence, evasion, and data exfil
11:00 am - 11:50 am

Francisco Donoso

Most researchers have focused on the Equation Group's brilliant exploits but very few researchers have focused on their extremely effective post exploitation capabilities. During this talk, we will dissect the KillSuit framework, the Equation Group's Swiss Army Knife for persistence, information gathering, defense evasion, and data exfiltration. KillSuit is a little-known part of the DanderSpritz post-exploitation toolkit, leaked by the Shadow Brokers in April 2017. KillSuit is a full featured and versatile framework used by a variety of the Equation Group's tools and implants. KillSuit provides the ability to stealthily establish persistence on machines, install keyloggers, packet capture tools, perform WiFi MITM, and other information gathering tools. KillSuit includes many interesting ways to silently exfiltrate data and intel - including custom written IPSEC-like protocols and misuse of "disabled" WIFI cards and near-by open networks.

Francisco currently runs a Managed Security Service Architecture team for a large multi-national computer security company. His passion and hobby is researching and understanding Nation-State hacking capabilities and tools. He has been on the forefront of research into the Equation Group’s post-exploitation tools and capabilities since their release by the Shadow Brokers and has spoken about this research at Derbycon, Thotcon, and other conferences.


Windows Rootkit Development: Python prototyping to kernel level C2
12:00 pm - 12:50 pm

R.J. McDown

Red teams are always looking for new ways to persist on hosts that could potentially take several days to compromise. The necessity for reliable, stealthy persistence is highlighted when the compromised target is the initial foothold into the internal target network. Common methods and tools used to persist on compromised hosts will be briefly covered before diving into developing custom software operating at the user and kernel level. A couple of open source projects, and their APIs, will be introduced that make it possible to interact with kernel level drivers from user-mode programs. Both Python and C APIs are available, allowing for Python prototyping before moving to C, a compiled language. This is great for testing and researching new features, as design flaws can be worked through quicker. Lastly, a demonstration will be given of evading event logs, subverting host firewall configurations, hiding active C2 network connections from the OS, spawning arbitrary sessions (PowerShell Empire, Metasploit, etc.), and harvesting credentials from network traffic.

R.J. McDown (BeetleChunks) is a security researcher, penetration tester, and red teamer with experience assessing numerous Fortune 500 companies. In his spare time, he works on developing and researching new tools and techniques to be used on client assessments and IOCs associated with them.


M&A Defense and Integration – All that Glitters is not Gold
12:00 pm - 12:50 pm

Sara Leal, Jason Morrow

So your enterprise bought a new bright and shiny – now what? I bet their InfoSec practices are fine, right? We will discuss how to plan and execute on an integration from a defense perspective; due diligence, purchasing, and integrating into enterprise security engineering and defense practices along with migrating monitoring into your own SOC (or MSSP). This talk is also applicable if you just landed an InfoSec job at a company that is just starting their security program and wonder where to start.

Jason Morrow - Jason Morrow is responsible for leading real time threat defense for Fortune 1, its subsidiaries' and acquisitions' networks. The scope of his role also includes incident management automation, orchestration, active defense, and RE. He holds the PMP, GSEC, GISP, GCIH, GMON, Network+, A+, CISSP and is a former holder of CCNA and CCSP certifications. Jason has presented cyber defense tactics at multiple universities, InfoSec cons, and the National CyberSecurity Collegiate Defense Competition (NCCDC). Sara Leal - Sara Leal is a Senior Manager in the Security Operations Center (SOC) which is responsible for protecting Walmart and acquisition networks from malicious activity. She currently has responsibility for the SIEM (Security Incident and Event Management) Engineering team and the SOC Data Analytics team. Sara currently holds the GCIA and GMON SANS certifications. In her free time, she enjoys spending time with her three children ages 22, 14, and 11 and she loves to travel.

@saraleal417, @jrmorrow43

Living off the land: enterprise post-exploitation
1:00 pm - 1:50 pm

Adam Reiser

You've compromised that initial server and gained a foothold in the target network: congratulations! But wait - the shadow file has no hashes but root, the ssh keys have strong passphrases, and all the interesting traffic is encrypted - there's nothing of value here! Or is there? In this talk, I will explore post-exploitation techniques for turning your compromised bastion hosts into active credential interceptors under a variety of blue team monitoring scenarios.

Adam Reiser is a security researcher with Cisco's Advanced Security Initiatives Group. His work includes red team engagements and hunting for zero days. He cultivated an early interest in information security as a sysadmin at the Open Computing Facility at UC Berkeley, while there completing his physics degree. His other interests include acroyoga and riparian restoration.

Hillbilly Storytime: Pentest Fails
2:00 pm - 2:50 pm

Adam Compton

Whether or not you are just starting in InfoSec, it is always important to remember that mistakes happen, even to the best and most seasoned of analysts. The key is to learn from your mistakes and keep going. So, if you have a few minutes and want to take a load off for a bit, come and join in as a hillbilly spins a yarn about a group of unfortunate pentesters and their misadventures. All stories and events are true (but the names have been changed to prevent embarrassment).

Adam Compton has been a programmer, researcher, professional pentester, father, husband, and farmer. Adam has over 18 years of programming, network security, incident response, security assessment, and penetration testing experience. Throughout Adam's career, he has worked for both federal and international government agencies as well as within various aspects of the private sector.


Closing Ceremony Setup
3:00 pm - 3:30 pm

Closing Ceremony
3:30 pm - 4:30 pm

Track 4
Breaking Into Your Building: A Hackers Guide to Unauthorized Access
10:00 am - 10:50 am

Tim Roberts

During this presentation, we’ll discuss proven methods of bypassing popular physical security controls and employees, using only publicly available tools and social engineering. You'll hear war stories from assessments that we have performed, and the frightening simplicity of gaining unauthorized physical access to many things from server rooms to Top Secret Ops rooms. These assessments will be broken down to discuss the various social engineering and physical security bypass methods and tools used, as well as remediation recommendations.

Tim is a Sr. Security Consultant within NTT Security’s Threat Services group. He has developed Red Team and Social Engineering testing methodologies and has spoken at internationally recognized security conferences including DEFCON, DerbyCon, B-Sides, ISSA International, AIDE at Marshall Univ, Techno Sec & Forensics Invest. Con, and more. Tim has held management, IT and physical security roles across multiple industries, including healthcare and government. He is a regular contributor to NTT Security’s ‘#WarStoryWednesday' series, has developed methodologies for red team and social engineering assessments and has been featured in CSO on the subject of onsite social engineering. He is the founder of DC859 (the 859 area code DEFCON group) and is a core member for the DEFCON Conference “Groups” program. His experience with traditional/non-traditional pentesting techniques includes network, wireless, social engineering, application and physical testing. These techniques have led to highly successful Red Team assessments against corporate environments. By sharing his experiences, he hopes to continue to contribute to the InfoSec community.


The making of an iOS 11 jailbreak: Kiddie to kernel hacker in 14 sleepless nights.
11:00 am - 11:50 am

Bryce "soen" Bearchell

In December 2017, Google Project 0’s Ian Beer released an exploit for two iOS kernel bugs. This is Bryce’s story of going from being an iOS kernel n00b to weaponizing the exploit into a fully functioning jailbreak for iOS 11.1.2. Each challenge along the path will be discussed including: iOS sandboxing, the terrible AMFI, the intricacies of code signing & entitlements, sleep deprivation, and more. Everyone & all skill levels are welcome—kernel hacking isn’t *that* scary!

Bryce has been an active competitive hacker for the past 13 years, is a core team member of V&, and competes regularly with Nasa Rejects and Spaceticles—previously playing with Mammon Machine and Men-In-Black-Hats, obtaining a Black Badge at DefCon 19. Alongside V&, Bryce has run OpenCTF at DefCon for several years and is deeply embedded in the CTF community, encouraging newcomers to participate and learn as well as challenging seasoned CTF players with mind bending problems. Professionally, Bryce has been a vulnerability researcher for several years and is currently a security consultant and penetration tester at Coalfire Inc. @soen_vanned

Who Watches the Watcher? Detecting Hypervisor Introspection from Unprivileged Guests
12:00 pm - 12:50 pm

Tomasz Tuzel

Over the last decade we have seen a rapid rise in virtualization-based tools in which a hypervisor is used to gain insight into the runtime execution of a system. In the earlier days, using virtualization for such "introspection" has only been thought of as a technique to develop stealthy rootkits. Today, there are a wide variety of security products using these techniques for services that include, for example, intrusion detection or malware analysis. With such rapid advances in introspection techniques, it is no longer a question of whether a hypervisor can be used to peek inside or even manipulate the VMs it executes. These advances thus beg the question: how can we trust that a hypervisor deployed by a cloud provider will respect the privacy of their customers? While there are hardware-based protection mechanisms guaranteeing data privacy even in the presence of such an introspecting hypervisor, there are no tools that can check whether the hypervisor is introspecting when it shouldn't - until now! We have developed Environmental Characterization and Response (ECR), a software package that analyzes instructions and memory accesses on an unprivileged guest system which has been deployed onto a hypervisor. The package leverages a variety of metrics to determine the potential presence (or lack) of introspection. These techniques are developed to look at micro-architectural properties of modern x86 systems, such as cache-based memory access timing and privileged instruction benchmarking to examine the behavior of the hypervisor. As hypervisors are notoriously known to manipulate time-stamps of virtualized clock-sources when standard instructions are used, we have developed timing methods that are difficult to manipulate by the hypervisor. ECR requires no special software, as the package is built to require the minimum possible amount of dependencies and relies only on standard administrator rights in the VM it runs in.

Tomasz has been a security researcher for over six years, having spent the first five at the Department of Defense, followed by Assured Information Security, Inc. He has primarily specialized in low-level security research.

Pwning in the Sandbox: OSX Macro Exploitation & Beyond
1:00 pm - 1:50 pm

Adam Gold, Danny Chrastil

While performing red team engagements against a hybrid OSX/Windows environment we were challenged with creating successful maldocs targeting OSX systems with the up-to-date Microsoft Office Suite, which is protected by the OSX sandbox. After jumping through many hurdles both with VBA version conflicts and sandbox restrictions we successfully created our payload along with a post exploitation process to gather and exfil data from within the sandbox. Adam will share his experience with working with Apple security experts to block these attacks and put protections within a corporate environment. This is a perfect love story of Purple teaming which resulted in creating a more secure environment. Also, the mitigation we will be sharing for these attacks has not been publicly released by anyone including Apple at this point in time.

With over 10 years’ experience in the information technology and cyber security fields, Adam has been recognized as an expert in these areas, strengthening the overall security posture for many organizations including NATO, Hewlett-Packard, Department of the Navy, and more recently, Walmart's Security Operations Center. Over the course of his career, Adam has specialized in development, innovation, and various defensive capabilities. Daniel Chrastil has over 10 years' experience in security ranging from red teaming for the world's largest commercial organization, hacking web and mobile applications, developing and hosting CTFs, and building secure web application environments. Daniel uses his skills from his past life as a web developer and system administrator to develop open source security tools for the security community and is a developer for the Empire Framework project.

@import_au, @DisK0nn3cT

IOCs Today, Intelligence-Led Security Tomorrow
2:00 pm - 2:50 pm

Katie Kusjanovic, Matthew Shelton

With the advent of STIX 2.x and the ever-increasing evolution of TIP technologies, TI analysts and TI data are careening at break-neck speed towards the next level, the post-IOC world of intelligence-led security.

Mrs. Kusjanovic is a Senior Solutions Consultant for the North American branch of Eclectic IQ. Her primary roles include conducting demonstrations of Threat Intelligence Platform and Intelligence Feed technologies and supporting customers with their operational and analytic needs. Her career covers incident response in the SOC/NOSC/Fusion Center and a panoply of cyber security engineering responsibilities, inclusive of SIEM, firewalls, endpoint detection solutions, intrusion detection/prevention systems to name a few. She has a bachelor’s degree from the University of Florida and is currently taking classes toward her Master’s Degree in Cyber Security/Computer Science. Matt Shelton is a member of FireEye’s internal blue team. In his role, he leads an intelligence-driven risk management program responsible for identifying technology risk at FireEye, prioritizing risk based on adversary intentions and capabilities, and then working with business partners around FireEye to ensure the correct mitigations are in place. With over 18 years of experience in multiple security disciplines, Mr. Shelton has spent his career advising commercial, government, and military clients on how to build intelligence-led security programs.


Closing Ceremony Setup
3:00 pm - 3:30 pm

Closing Ceremony
3:30 pm - 4:30 pm

Stable Talks
We are all on the spectrum: What my 10-year-old taught me about leading teams
10:00 am - 10:25 am

Carla A Raisler

Being a parent of an autistic child has taught me how to communicate with my team in a way that no book on leadership has. We all fall somewhere on the spectrum and communicating with one another is key to building effective teams.

Carla Raisler is a cybersecurity professional in the healthcare industry and the department of defense. When she isn’t harassing her coworkers with phishing tests or security audits, she’s telling war stories while enjoying her favorite bourbon.


No Place Like Home: Real Estate OSINT and OPSec Fails
10:30 am - 10:55 am

John Bullinger

Join me in discovering the large amount of OSINT data that can be obtained through the many areas of Real Estate. Along the way we will cover areas of OPSec failures in the market and things to do to prevent it.

John is currently a hands-on CSO for a small SaaS company. He has over 25 years of experience in the IT and Security industry. John has worked in multiple sectors including Retail, Manufacturing, Medical, and Technology. He has held roles ranging from Systems Administrator, DBA, Director/CIO, and CSO. John currently holds OSCP, GCIH, CISSP, and PMP certifications.


The Layer2 Nightmare
11:00 am - 11:25 am

Chris Mallz

It all started with a very simple question. Is it possible to firewall all internal traffic to help prevent or detect lateral movement?

Chris Mallz would much rather spend his time hacking or researching than writing a Bio.


Attacking Azure Environments with PowerShell
11:30 am - 11:55 am

Karl Fosaaen

For a multitude of reasons, many organizations are moving their operations to the cloud. Along with this, many organizations are introducing old vulnerabilities in new ways. As one of the top cloud providers, Microsoft Azure has had significant adoption and continues to grow in market share. As part of this increase in adoption, there has also been an increase in demand for security testing of Azure environments. Given the blended nature of hosted services, PAAS, and virtual infrastructure, it can be difficult to get a handle on how to properly secure these environments. Reviewing Azure environments can also be time consuming given the lack of automated tools for dumping configuration information. MicroBurst is a PowerShell tool that helps automate the processes of dumping and reviewing Microsoft Azure configurations. This talk will go over the ways that pen testers and defenders can use MicroBurst to dump out the configuration information for an Azure environment, and identify common configuration issues. Security testers will benefit from the speed of dumping environment credentials for pivoting, listing out publicly available services and files, and enumerating additional targets for phishing and password guessing attacks. As an added bonus, defenders can also use these tools to audit their environment for weak spots.

Karl is a Practice Director at NetSPI who specializes in network and web application penetration testing. With over ten years of consulting experience in the computer security industry, he has worked in a variety of industries and has made his way through many Active Directory domains. Karl also holds a BS in Computer Science from the University of Minnesota. This year, he has spent a fair amount of time digging into automating and assessing the Azure stack. Over the years at NetSPI, Karl has helped build out and maintain their GPU cracking boxes. Karl holds a couple of certifications, that is neat. Karl has previously spoken at THOTCON, DerbyCon 6.0, and BSidesPDX. In his spare time, you may see him trying to sell you a t-shirt as a swag goon at DEF CON.


Blue Blood Injection: Transitioning Red to Purple
12:00 pm - 12:25 pm

Lsly Ayyy

Moving from a large company with a retinue of pentesters, to a start-up with far fewer resources, can be a strain. It may be just you. While you're performing services, your new company may also need you to be flexible -- move to supporting some IR or blue team-related functionality. You won't be able to do both sides of a purple team, but you can help things meet for your clients. This talk will have my story, as well as some ideas when having to reach across a spectrum of needs with limited (or no) defense-focused personnel.

Leslie is a network-focused penetration tester (learning about OT/ICS in their downtime). Relatedly, they're a perpetual Linux sysadmin and frequent conference volunteer and attendee. Typically you’ll find them scoping out WAPs, wiggling ATM card readers, and hiding in a corner with MP3s, a 3DS (playing JRPGs), or CTFs.


Mirai, Satori, OMG, and Owari - IoT Botnets Oh My
12:30 pm - 12:55 pm

Peter Arzamendi

Mirai, seen as revolutionary for malware that targets the Internet of Things (IoT), has wrought destruction around the globe and popularized IoT-based malware. Mirai was utilized by attackers to launch multiple high-profile, high-impact DDoS attacks against various Internet properties and services in 2016. Since the release of Mirai’s source code, IoT botnet authors have used it as a framework to build new malware. Authors have expanded the original Mirai code base with new capabilities and functionality while making some improvements. This talk will cover three of the most recent variants of Mirai-based botnets and the flair added by the authors to make it their own.

Peter Arzamendi is a Security Researcher with NETSCOUT Arbor's ASERT team. He has expertise in vulnerability discovery, fuzzing, exploitation techniques, malware analysis, and protocol analysis. Areas of interest include static and dynamic analysis of binaries and hardware reverse engineering. He has over 15 years of experience in systems administration, computer engineering, and information systems security. He is active in the InfoSec community and has presented on security topics at Shmoocon, Hack in Paris, Blackhat Arsenal, and local venues. He has also contributed to several open source projects such as Metasploit, Fgdump, and Serpico.

Comparing apples to Apple
1:00 pm - 1:25 pm

Adam Mathis

Many defenders have hard-fought experience finding evil on Windows systems, but stare blankly when handed a Mac. You know all the ways PowerShell can own a box, but how about AppleScript? This practical talk will give defenders a primer in finding adversarial activity on macOS using the TTPs they know and love from other platforms as a reference point.

Adam is a security practitioner, beard enthusiast, and heavy metal connoisseur. For the better part of a decade he has worked across multiple security disciplines, such as architecture design and implementation, penetration testing, security engineering, and incident handling and response. Adam is an Incident Handler with Red Canary, helping organizations find and evict evil.


How online dating made me better at threat modeling
1:30 pm - 1:55 pm

Isaiah Sarju

Isaiah Sarju uses online dating sites such as Tinder and OkCupid. At times this seems antithetical to his stance on privacy and security. To better understand the security ramifications of online dating, and to establish safer methods of doing it, he applied threat modeling to online dating. Through this he came up with a set of best practices depending on your threat model. This talk is relevant for anyone who is trying to balance privacy/security and a desire for human connection in this modern world. Due to the real and perceived dangers of online dating, the stigma that surrounds it, and the pervasiveness of it, it is a great lens through which folks can be introduced to the core principles of threat modeling. It also makes it fun to talk about!

Isaiah Sarju is a co-owner of Revis Solutions, LLC, a boutique information security firm. He has contributed to the Microsoft Security Intelligence Report, conducted numerous white hat hacking attacks, and taught students how to become top tier defenders. He plays tabletop games, swims, and trains Brazilian Jiu-Jitsu.