Registration desk times:
Tues: 7-10 pm | Weds: 7-10 am; 3-8 pm | Thurs: 4-10 pm | Fri: 7-11 am; 12-3 pm; 5-7 pm | Sat: 8-11 am

10:00 am
10:30 am
11:00 am
11:30 am
12:00 pm
12:30 pm
1:00 pm
1:30 pm
2:00 pm
2:30 pm
3:00 pm
3:30 pm
Track 1 - Break Me
Track 1 - Break Me
John Toterhi - Aiding Static Analysis: Discovering Vulnerabilities in Binary Targets through Knowledge Graph Inferences
10:00 am - 10:50 am

Static analysis is the foundation of vulnerability research (VR). Even with today's advanced genetic fuzzers, concolic analysis frameworks, emulation engines, and binary instrumentation tools, static analysis ultimately makes or breaks a successful VR program. In this talk, we will explore a method of enhancing our static analysis process using the GRAKN.AI implementation of Google's knowledge graph and explore the semantics from Binary Ninja's Medium Level static single assignment (SSA) intermediate language (IL) to perform inference queries on binary-only targets to identify vulnerabilities.

John Toterhi is a cyber-security researcher at the Battelle Memorial Institute. He specializes in reverse engineering, vulnerability research, and tool development. John's recent research includes enhancing embedded RE via live memory-overlaid emulation, developing environment-aware tools, and defeating signature-diversity in malware with large-scale correlation via deep learning. John previously worked as a civilian malware analyst for the United States Air Force where he developed a passion for offensive security.


Kyle Hanslovan, Chris Bisnett - Evading Autoruns
11:00 am - 11:50 am

When it comes to offense, maintaining access to your endpoints is a key. For defenders, it's equally important to discover these footholds within your network. During this talk, Kyle and Chris will expose several semi-public and private techniques used to evade the most common persistence enumeration tools. Their techniques will explore ways to re-invent the run key, unconventionally abuse search order, and exploit trusted applications. To complement their technical explanations, each bypass will include a live demo and recommendations for detection.

For the past 10 years, Kyle Hanslovan has supported defensive and offensive cyber operations in the U.S. Intelligence Community and currently is the CEO of Huntress Labs. He actively participates in the ethical hacking community as a Black Hat conference trainer, STEM mentor, and Def Con CTF champion. Additionally, he serves in the Maryland Air National Guard as a Cyber Warfare Operator. Chris Bisnett is a veteran information security researcher with more than a decade of experience in offensive and defensive cyber operations. While serving with the NSA RedTeam, he attacked government networks and systems to identify and remedy vulnerabilities. He is also a recognized Black Hat conference trainer for the “Fuzzing For Vulnerabilities” and ""Embedded Fuzzing"" courses.

Kyle - @KyleHanslovan
Chris - @ChrisBisnett

12:00 pm - 12:50 pm

John Dunlap - Jumping the Fence: Comparison and Improvements for Existing Jump Oriented Programming Tools
1:00 pm - 1:50 pm

Stuck on a difficult exploit payload where you simply cannot use the stack to hold your exploit payload? Jump Oriented Programming (“JOP”) may hold the key to your success, but the way forward may not be so simple. The main focus of this talk will describing existing ROP compiler support for Jump Oriented Programming techniques, and will feature proposals for improved support across several tools and architectures.

John Dunlap is a security Engineer at Gotham Digital Science specializing in static analysis and code review. Gotham Digital science is a boutique penetration testing firm specializing in testing of unusual or otherwise bespoke software systems. John’s main research interests include concolic execution, reverse engineering and advanced exploitation techniques.


Closing Ceremony Setup
2:00 pm - 2:30 pm

Closing Ceremony
2:30 pm - 3:30 pm

Track 2 - Fix Me
Track 2 - Fix Me
Maddie Stone - IDAPython: The Wonder Woman of Embedded Device Reversing
10:00 am - 10:50 am

"Ready to learn why and how to leverage IDAPython to take hundreds of hours off of the time required to statically analyze the firmware of embedded devices? Tired of only being able to find IDAPython examples for x86 and ARM? Frustrated with developing analysis tools that can only apply to one architecture? Then this talk is for you!

This talk first discusses some important differences between the analysis process of applications and firmware images. It then shows how to use IDAPython to address these differences when analyzing firmware images running on a variety of microcontroller architectures. I will then explain and demonstrate a general toolkit of IDAPython scripts I wrote to triage, analyze, and annotate a firmware image’s IDA database for more efficient static analysis. The key focus is writing the scripts to be architecture-agnostic so that you have a toolkit that can be used repeatedly on each new target firmware image. All demonstrated and discussed scripts are available open-source at "

Maddie Stone is a reverse engineer at the Johns Hopkins University Applied Physics Laboratory. She is the lead of JHU/APL’s 150-person Reverse Engineering Working Group. The majority of her career has been spent deep in the firmware of embedded devices including 8051, C166, MIPS, PowerPC, BlackFin, the many flavors from Renesas (SH2, SH4, R8C, M16C), and more. She has previously spoken at the Women in Cybersecurity Conference and REcon Montreal.


Lennart Koopmann - Love is in the Air - DFIR and IDS for WiFi Networks
11:00 am - 11:50 am

"Every company uses wireless networks in some way and asking for the WiFi password, simply expecting a wireless network to be present, is the new normal. We are constantly surrounded by dozens of devices, constantly blasting out wireless packets that are not only full of interesting information but also unencrypted.

The WiFi attack vector has been identified a long time ago and the famous Wifi Pineapple devices make it possible to exploit issues with the 802.11 WiFi standard even without strong wireless expertise. To make things worse, access point logs are rarely centralized and even if they are, they don't contain information that could let you spot an attack early.

This talk explains important parts of the 802.11 standard, how it can be exploited and how to collect wireless frames using my Open Source tool ""nzyme"". Nzyme collects important 802.11 frames and sends them into the Open Source log management tool Graylog. We will demo a Graylog filled with 802.11 frames and show IDS and DFIR use-cases like spotting rogue access points or certain attack patterns.

[DerbyCon team: I am not intending to focus this too much on Graylog. I want to avoid making this a vendor talk and will clearly mention that you can also send the data into Splunk or an Elastic Stack if you want to, but will show Graylog because that's the tool I'm obviously most familiar with. I will focus on 802.11 and how to use the data. Not what tool the data is in. Used my email address because I check that one regularly :)]"

Lennart has a software engineering and architecture background and started the Open Source Graylog project in 2009.


Joseph M Siegmann - Going Deep and Empowering Users - PCAP Utilities and Combating Phishing in a new way
12:00 pm - 12:50 pm

In this day and age IDS/IPS sensors which just are not enough to detect and stop all of the threats. We need to go all the way the the packet layer. Joseph Siegmann, CISO, is going to share one approach to enhancing the signature level alerts, and demonstrate real world solutions for malware hunting and automation through the use of full packet captures, along with sharing some custom tools, to enhance any security operation. Joe will also share a new approach to Phishing, and how we can empower the end users when it comes to handling the many phishing events that happen on a daily basis.

Joseph is the Chief Information Security Officer (CISO) for a large multi-national retailer, with more than 25 years in the industry, he has owned and successfully run his own companies, to implementing international infrastructures, to developing pioneering software that has revolutionized industries. He has been coding since he was eight, and holds over 25 professional certifications, is very passionate about anything geeky, is a devoted dad and loving husband, and gets bored easily.


Todd Sanders - We're going on a Threat Hunt, Gonna find a bad-guy.
1:00 pm - 1:50 pm

Let's do some hunting! This talk will dive into a big buzz word that vendors and providers are throwing around with golden fish hooks. No, not confefe. Threat Hunting! How new of a concept is threat hunting? What does it really mean to hunt, and how are organizations deploying their hunters? Are we going on a bear hunt? This presentation will attempt to give viewers several resources into threat hunting, help demystify the sales lingo from the vendors, and check in with reality from the words of actual threat hunters (plus the meme's, as many as possible).

Todd has been playing around with technology for 17 years (30 if you include gaming on the NES). He has had the opportunity to support a variety of small businesses with their IT needs, and then moved on to provide infrastructure and security support for a global nutritional product manufacturing company. When not drowning from work overload, Todd tries to support his wife on the near impossible task of raising two young girls. Long beach walks cause foot pain.


Closing Ceremony Setup
2:00 pm - 2:30 pm

Closing Ceremony
2:30 pm - 3:30 pm

Track 3 - Teach Me
Track 3 - Teach Me
Nate Guagenti, Adam Swan - Windows Event Logs -- Zero 2 Hero
10:00 am - 10:50 am

"In this talk you will be shown logging, consuming, and analyzing (on a small & large scale) WMI tracing logs, Windows Event Logs, PowerShell logs, Cuckoo malware sandbox Windows logs (to give yourself new ideas/hunts), and more. Everything shown is free (granted you have 1-2+ available Windows Licenses) and can be setup and deployed in less than a day (Zero 2 Hero). You will have a demonstration of immediate benefits for active/historical breach detection, sysadmin, helpdesk, and forensics for windows hosts. Demonstrations will also be shown for things, that would be a supplement to Sysmon, such as once an ""entity"" already has DomainAdmin creds ( ie: detecting ).

Slides and scripts will be released immediately after the presentation (git commit+push cronjob)."

Nate - Utility man who, in his short 4 yr career in infosec, has worked on everything from engineering a 40Gbps+ Bro solution to incident response to database/SIEM implementation+design. Adam - Bio will fit in one line... a malware reverse engineer and incident responder.

Nate - @neu5ron
Adam - @acalarch

Piotr Marszalik and Michael Wrzesniak - Gone In 59 Seconds - High Speed Backdoor Injection via Bootable USB
11:00 am - 11:50 am

Gaining physical access was trivial, but now the computer is locked (or off) and time is running out…the "SmuggleBus" allows us to take advantage of unencrypted drives to quickly collect local password hashes and implant the backdoor of our choice without modifying any system binaries - all from a bootable USB and in a matter of seconds.

Piotr Marszalik is an Information Security Consultant and Manager at Crowe Horwath. He specializes in methodology and tool development for Crowe's Penetration Testing and Red Teaming services. Piotr is also an Offensive Security Certified Expert (OSCE). His responsibility at Crowe includes planning and execution of various penetration testing and security awareness assessments. Michael Wrzesniak is a Cybersecurity Consultant at Crowe Horwath. Mike has been involved with Crowe for 2 years. His specialties include penetration testing, web application testing, and malware development.

Piotr - @addenial
Michael - @_Wrzes

R.J. McDown - Windows Rootkit Development: Python prototyping to kernel level C2
12:00 pm - 12:50 pm

Red teams are always looking for new ways to persist on hosts that could potentially take several days to compromise. The necessity for reliable, stealthy persistence is highlighted when the compromised target is the initial foothold into the internal target network. Common methods and tools used to persist on compromised hosts will be briefly covered before diving into developing custom software operating at the user and kernel level. A couple of opensource projects, and their APIs, will be introduced that make it possible to interact with kernel level drivers from user-mode programs. Both, Python and C APIs are available, allowing for Python prototyping before moving to C, a compiled language. This is great for testing and researching new features, as design flaws can be worked through quicker. Lastly, a demonstration will be given of evading event logs, subverting host firewall configurations, hiding active C2 network connections from the OS, spawning arbitrary sessions (PowerShell Empire, Metasploit, etc.), and harvesting credentials from network traffic.

R.J. McDown (BeetleChunks) is a security researcher, penetration tester, and red teamer with experience assessing numerous Fortune 500 companies. In his spare time, he works on developing and researching new tools and techniques to be used on client assessments and IOCs associated with them.


Matthew Eidelberg and Steven Darracott - SniffAir – An Open-Source Framework for Wireless Security Assessments
12:00 pm - 12:50 pm

"SniffAir is an open-source wireless security framework. Its primary purpose is to provide pentesters, systems admins, or others eager about wireless security a way to collect, manage, and analyze wireless traffic. SniffAir was born out of the hassle of managing large or multiple pcap files while thoroughly cross-examining and analyzing the traffic, looking for potential security flaws or malicious traffic.

We created SniffAir to collect all the traffic broadcasted, grouping them by Client or Access Point. SniffAir can be instructed to parse the information based on rules created by the user. These rules help define the scope. Using these rules, SniffAir moves the in-scope data to a new set of tables, allowing the framework to compare against the original table for anomalies. The user can then perform queries, which display the information required in a clear and concise manner – perfect for facilitating attacks."

Matthew Eidelberg is a husband, father, and big security fanatic. Matthew works as a Security Consultant on Optiv’s Attack and Penetration team. Matthew’s primary role is to conduct security penetration testing and red teaming assessments for Optiv’s clients, while also developing detailed remediation procedures in order to provide the best value to Optiv’s clients. Previously, Matthew worked as a Security Consultant for the Herjavec Group in Canada, providing the same type of work for clients in Canada, the United States and Asia. Matthew received his Bachelor of Technology in Informatics and Security, Seneca@York University in 2012 and was certified as an Offensive Security Certified Professional in March of 2015.


Michael Robinson and Joseph Oney - Become the Puppet Master - the battle of cognition between man and machine
1:00 pm - 1:50 pm

How do you approach an investigation? How do you deal with large amounts of data? How do you know which questions to ask and which evidence may hold the answers? As defenders, we will reflect on the strengths and success of human analysis. We will also speak to the appeal of further leveraging the strengths of computers. This talk will compare our cognitive abilities and where it intersects with the introduction of Machine Learning, AI, and neural networks. We will share our limited understanding of years working with human analysts, of time learning and working with systems related to Data Science and how we perceive a gap will remain.

Michael - Security Operations Manager at UPS, a Cyber Operations Technician in the US Army (175th Cyber Protection Team) and hold the GIAC Security Expert #116. For Joe, Lead Analyst at the UPS SOC, does Cyber things for the Air Force and is a trained weatherman. Seriously.

Michael - @chief_m1ke Joe - @joeoney

Closing Ceremony Setup
2:00 pm - 2:30 pm

Closing Ceremony
2:30 pm - 3:30 pm

Track 4 - Three Way
Track 4 - Three Way
Michael Gough - EDR, ETDR, Next Gen AV is all the rage, so why am I enraged?
10:00 am - 10:50 am

A funny thing happened when I evaluated several EDR, ETDR and Next Gen AV products, currently all the rage and latest must have security solution. Surprisingly to me the solutions kinda sucked at things we expected them to do or be better at, thus this talk so you can learn from our efforts. While testing, flaws were discovered and shared with the vendors, some of the flaws, bugs, or vulns that were discovered will be discussed. This talk takes a look at what we initially expected the solutions to provide us, the options or categories of what these solutions address, what to consider when doing an evaluation, how to go about testing these solutions, how they would fit into our process, and what we found while testing these solutions. What enraged me about these EDR solutions were how they were all over the place in how they worked, how hard or ease of use of the solutions, and the fact I found malware that did not trigger an alert on every solution I tested. And this is the next new bright and shiny blinky security savior solution? The news is not all bad, there is hope if you do some work to understand what these solutions target and provide, what to look for, and most importantly how to test them! What we never anticipated or expected is the tool we used to compare the tests and how well it worked and how it can help you.

Kyle Wilhoit - Kinetic to Digital: Terrorism in the Digital Age
11:00 am - 11:50 am

"Terrorists have found novel ways to circumvent typical security controls. Examples of these activities come in many forms and can be found everywhere—from using vulnerabilities in software, websites, and web applications as attack vectors, defacing websites to further their political or idealogical viewpoints, all the way to utilizing social networks to convey their messages. No matter what technology or service rolls out in the future, there will always be room for abuse. Terrorist organizations, while taking plays from organized cybercrime or state sponsored entities, are completely different then their counterparts in their methods, ideologies, and motivational factors.

Looking closer at terrorist ecosystems, we attempt to understand terrorist organization's abuse of technology and online platforms to benefit their cause. We will focus on their methodologies, their use of the ""darkweb"", the services they abuse, and the tools they’ve homebrewed to streamline said abuse so that their followers can facilitate their activities much more easily. We will also track financials on the ""deep web"" attempting to locate financial records of these organizations while also attempting to understand how these organizations are leveraging the ""deep web."" We will dive deeply into each of the technologies and how they are used, showing live demos of the tools in use. "

Kyle Wilhoit is a Sr. Security Researcher (or Purveyor of offensive security) at DomainTools. Kyle focuses on research DNS- related exploits, investigate current cyber threats, and exploration of attack origins and threat actors. More importantly, he causes pain to cyber criminals and state sponsored entities worldwide. Prior to joining DomainTools, he worked at Trend Micro as a Sr. Threat Researcher with a focus on original threat, malware, vulnerability discovery/analysis and criminal activity on the Internet. Previous to his work at Trend Micro, and he was at Fireeye hunting badness and puttin' the bruising on cyber criminals and state sponsored entities as a Threat Intel guy. Kyle is on the Blackhat Guest Review board, and has spoken at over 50 conferences worldwide, including Blackhat US, Blackhat EU, FIRST, SecTor, Defcon, HiTB, Derbycon, and several more. Kyle is also involved with several open source projects and actively enjoys reverse engineering things that shouldn't be. Kyle is a co-author on the book Hacking Exposed Industrial Control Systems: ICS and SCADA Security Secrets & Solutions. @lowcalspam

Aaron Hnatiw - Hacking Blockchains
12:00 pm - 12:50 pm

More than just the system behind Bitcoin, blockchain is a new technology that has the potential to change the financial industry and beyond. But what is it, really? And what should you be aware of when looking to implement blockchain technology into your organization? This talk will cover the fundamentals of how blockchains work, newer implementations and variations on the original Bitcoin specification, and finally, the security implications inherent in the technology. Both vulnerabilities and mitigations will be covered, as well as developing methods to audit the security of any blockchain implementation. Whether you are building the next blockchain technology or looking to implement blockchain into your organization, this talk will leave you with the fundamental knowledge you need to do so securely.

As a Senior Security Researcher at Security Compass, Aaron Hnatiw is constantly looking into the future to find ways to better secure the technologies of tomorrow. Whether that's blockchain technology, machine learning/artificial intelligence, or virtual reality, he's always working on something new and bleeding edge. His past lives have included such fun and exciting careers as: security consultant, system administrator, software developer, and college professor. In his spare time, Aaron enjoys writing security tools and contributing to the open source software ecosystem.


Tim MalcomVetter - Winning (and Quitting) the Privacy Game: What it REALLY takes to have True Privacy in the 21st Century; or How I learned to give in and embrace EXIF tags
1:00 pm - 1:50 pm

"The privacy vs. technology debate rages on. So many people say they want “total privacy,” but so few people are *actually* willing to put in the effort it takes to achieve it. They expect total privacy while still embracing modernity. I took the challenge and forced my wife and kids to come along, too, managing to lawfully remove all associations between my identity and my actual physical address, save for two obscure databases—still, that was enough to stifle a whole slew of invited hackers and law enforcement officers from winning a table stakes game: learning the physical address where we put our heads on our pillows every night for the past few years, despite the fact that we still used technology, social media, and paid electric bills.

The “game” is over now and we’ve called it quits. We could continue, but it’s incredibly difficult and taxing. Turns out, living life with total privacy between physical and digital requires tons of planning, discipline, money, time, and sacrifice, but it was a fun exercise and learning experience.

Come to this talk to live the private life vicariously through me. Learn how we did it, how we nearly blew it (several times), and just how amazingly difficult it really is, especially if you have friends, extended family, or … kids! Become jaded on the future of privacy or leave motivated to uproot your loved ones to try it out for yourselves. "

Tim MalcomVetter (@malcomvetter) has over fifteen years building and breaking systems: red teaming the world’s largest commercial organization, consulting with Fortune 500s, hacking everything from mobile apps to fuel pumps to proprietary “legacy” services on TCP sockets, leading e-commerce dev teams, and deploying enterprise security solutions. Tim has several degrees, held a doctoral research fellowship, and several certifications. Tim has presented on offensive security topics in several venues, including Black Hat, DerbyCon, ShowMeCon, ArchC0N, several BSides, several developer conferences, and more. Tim also volunteers time for university infosec programs, including CCDC.


Closing Ceremony Setup
2:00 pm - 2:30 pm

Closing Ceremony
2:30 pm - 3:30 pm

Stable Talks
Stable Talks
Ryan Reid - Introducing SpyDir - a BurpSuite Extension
10:00 am - 10:25 am

"The problem? Too much code, huge dynamic environments, and far too little time. The answer? Automation!

During web application assessments, testers often leverage tools like DirBuster to identify valid endpoints/pages through brute force. But what about when they have the source code sitting in front of them? Will they use it to their advantage and automate forced browsing?

Some time ago I was working on a hybrid assessment that contained ~2k Classic ASP files. As I spidered the dynamic application, I found I had only discovered ~250 endpoints. Concerned that I may have missed sections of the application simply because they weren't referenced within the immediate portion available from the landing page, I whipped up a quick script to treat all .asp files within the directory as if they were valid resources being served by the web server.

No surprise, most were accessible. This one-time Python script turned BurpSuite extension is SpyDir.

SpyDir provides an extensible platform to assist in discovery by enumerating endpoints from the source files and the code they contain. In this presentation, I'll go over the tool's aims and uses. "

Ryan Reid is a Senior Application Security Consultant with nVisium. He spends his days performing application assessments and his nights building tools to make life easier. In his spare time, Ryan can be found behind his drum set... making far too much noise.


Sarah Norris - Phishing for You and Your Grandma!
10:30 am - 10:55 am

Phishing attacks may seem like a breeze, however sometimes the hard part is getting past the series of barriers that are encountered before the target. This talk discusses some of the common limitations encountered during short term phishing campaigns and how to ensure more successes. Techniques discussed in the this talk will include how to choose an effective pretext and payload as well as how to improve the likelihood and legitimacy of delivery.

Sarah Norris is a Security Consultant for TrustedSec. She started her career in Information Security after conducting PCI audits for Trustwave. Before Trustwave, Sarah worked on Linux systems writing and debugging custom Python modules for Zenoss. Her favorite animal is horses and her favorite person is Martha Stewart.


Matt Scheurer - Regular Expressions (Regex) Overview
11:00 am - 11:25 am

Writing Regular Expressions (Regex) is a versatile skill set to have across the IT landscape. Regex has a number of information security related uses and applications. We are going to provide an overview and show examples of writing Regex for pattern matching and file content analysis using sample threat feed data in this presentation. Along with a healthy dose of motherly advice, we cover Regex syntax, character classes, capture groups, and sub-capture groups. Whether Regex is something completely new or worth brushing up on, this talk is geared toward you.

Matt Scheurer is a Systems Security Engineer working in the Financial Services industry. Matt holds CompTIA Security+, MCP, MCPS, MCTS, MCSA, and MCITP certifications. He maintains active memberships in a number of professional organizations including the Association for Computing Machinery (ACM), Cincinnati Networking Professionals Association (CiNPA), and Information Systems Security Association (ISSA). Matt is a regular attendee at monthly Information Security meetings for 2600, the CiNPA affiliated Security Special Interest Group (CiNPA Security SIG), Ohio Information Security Forum (OISF), and Cincinnati SMBA.


Jonathan Broche, Alton Johnson - Securing Your Network
11:30 am - 11:55 am

Jonathan Broche, Alton Johnson - Securing Your Network: How to Prevent Ransomware Infection

"Malware and Zero Day Exploits are a hot topic in the Information Security community as of late. With new variants of ransomware and zero day exploits being released, organizations have been on high alert. It is estimated that the recent “Wannacry” ransomware affected over 200,000 systems some of which were located in high impact environments (i.e., hospitals and police stations). Similarly, zero day exploit leaks are being released as frequent as we can remember. With black hat groups launching subscription based programs, zero days are more accessible to the public than ever.

It is important to know how to best protect yourself and an organization from these threats. Attendees at this talk will be presented with current events, real world examples, and learn best practices that can be put to use immediately to prevent such attacks. In addition, a tool will be released to help aid network administrators in the discovery and prevention of new/unauthorized services being exposed on their external environment.

The tool released and demonstrated during the talk will have the priority of securing and/or reducing external network services. The tool will perform port scans against an organization’s external-facing assets as a job (i.e., on a daily, weekly, monthly basis), save the results, and cross-reference the results at the time of the next scan. If new services have been discovered that were not previously discovered, the tool will email network administrators and alert them of the newly discovered service(s). By reducing the amount of services that are externally-facing and ensuring that there are no rogue services being made available, an organization can not only reduce their overall attack surface but also reduce their chances of being targeted by zero day exploits. "

Jonathan Broche is a computer security professional with over 10 years of hands-on experience in the Information Technology field. He specializes in penetration testing, social engineering and system security configurations.


TJ Toterhi - Diary of a Security Noob
12:00 pm - 12:25 pm

"So you’re looking to get into or have just landed your first job in security. Great! Wait, now what?

Being new to infosec can be exciting and overwhelming. With the field going through such a high demand for talent, you're not alone. I was there not too long ago myself and I'd like to share what I've learned along the way. I'll talk about the things that I wish I would have known when I was a noob. We'll discuss interviewing, mentorship, meetings and conferences, training, and more."

In his fairly new career in Information Security, TJ has had the opportunity to perform threat and vulnerability management, incident response, security engineering, and penetration testing. All of this started by accident: approaching the end of his degree, TJ wasn't enthused about one of the final courses he had to take: Network Security. After just a few classes though, what began as reluctance quickly turned into excitement and a career in one of the coolest fields. TJ knows how overwhelming it is being a noob in Information Security, so he enjoys sharing what did - and didn't - work for him during his formative years with others new to the industry.


Tom McBee, Jeff McCutchan - Spy vs. Spy - Tip from the trenches for red and blue teams
12:30 pm - 12:55 pm

"This talk outlines some common, but effective, red team tactics as well as some of the defensive countermeasures for them. Boring, right? Wrong, because it doesn't stop there! Next we will escalate the complexity and sneakiness of the attacks for the purpose of dealing with the defensive countermeasures. We go back and forth like this, through a few iterations of each attack and its defenses. We conclude with an analysis of defensive trends, and a suggestion for shifting the way defense is commonly thought of.

Attendees will leave this talk with an understanding of defensive techniques used to mitigate common attacks, offensive tricks to increase the success of the same attacks, and an idea for improving the way organizations commonly think about defense."

Tom - "Tom's background began in Systems Administration before moving over to Information Security in 2014. Since then he's focused on ways to help defend networks and systems from threats, while trying to increase his own offensive skillsets. He is currently working as a Senior Consultant at SecureState.", Jeff - "Jeff has been working in IT for about eight years with a focus on security for the past five. He enjoys performing offensive services as well as helping others learn and grow through training and mentoring. He is currently working as an Associate Principal Consultant at SecureState."

Tom - @t3phanis
Jeff - @jamcut

Zach Grace - changeme: A better tool for hunting default creds
1:00 pm - 1:25 pm

"Default credentials haunt organizations. Whether they're used to gain access or escalate privileges, default credentials lurk in the corners most organizations. To combat this attack, organizations leverage commercial vulnerability scanners. However in my research, most commercial scanners fall short and can leave your organization vulnerable to attack while giving you a false sense of security.

This presentation will cover my research into the efficacy of commercial vulnerability scanners to detect default passwords and present my open source tool, changeme (, for improving the detection of default credentials. I'll be releasing version 1.0 of changeme at DerbyCon."

Zach has worked in offensive security for the last seven years focusing on securing financial institutions. He is active in the Milwaukee security community in which he helps organize @MilSec, is an OWASP Milwaukee chapter leader and is a member of the Wisconsin Collegiate Cyber Defense Challenge (CCDC) Red Team. He’s also the creator of the open source security projects changeme and Sticky Keys Hunter.