In 1986, Jim obtained notoriety as the original case agent for the “Hanover Hacker” case. This case involved a group of German hackers who electronically penetrated DOD computer systems all over the world and sold the information to the Soviet KGB. The case was detailed in the best seller, “The Cuckoo’s Egg”, by Dr. Cliff Stoll.

In 2006, Christy created the DC3 Digital Forensics Challenge an international competition that in 2013 had 1,800 participants spanning 49 states and 53 countries. The exercises were designed to develop, hone, and engage participants in the fields of cyber investigation, digital forensics, and cyber security. 

Jim has been asked by Mr. Jeff Moss and the Black Hat & Defcon organizers to create and moderate the “Meet the Fed” panel for approximately 12 years. Jim brought together the current and former senior cyber government leaders for multiple panel discussions before one of the world’s largest hacker conventions.

Arming Small Security Programs: Network Baseline Generation and Alerts with Bropy

Anomaly based IDS tools are expensive. Signature based IDS tools only work if a signature exists. Using a simple Bro script, organizations without large security budgets can generate alerts for anomalous packets IF they have a complete baseline of the ports and protocols their devices use. I wrote Bropy to simplify the process of generating a network baseline to be used with Bro. With this tool, small security teams can generate network baselines for systems in a matter of minutes, rather than hours or days. Armed with the data generated by Bropy, organizations have the option to either continue to receive alerts on anomalous communication, or use the data to generate firewall configurations to enhance network security. Written in Python, Powered by Bro

 

Presenter: Matt Domko

Matt Domko is an Information Security Instructor for Chiron Technology Services. His experience as an enterprise administrator and cyber network defender for the US Army are what drive his passion for network defense and "Blue Teaming". Pro Tip: If you're trying to social engineer him: motorcycles, moustaches, and karaoke are great icebreakers.

 

 

Automating Bulk Intelligence Collection

Every SOC is deluged by massive amounts of logs, suspect files, alerts and data that make it impossible to respond to everything. It is essential to find the signal in the noise to be able to best protect an organization.

 

This talk will cover techniques to automate the processing of data mining malware to derive key indicators to find active threats against an enterprise. Techniques will be discussed covering how to tune the automation to avoid false positives and the many struggles we have had in creating appropriate whitelists. We’ll also discuss techniques for organizations to find and process intelligence for attacks targeting them specifically that no vendor can sell or provide them.

 

Presenter: Gita Ziabari

Gita Ziabari is working at Fidelis Cybersecurity as a Senior Threat Research Engineer. She has more than 13 years of experience in threat research, networking, testing and building automated frameworks.

 

 

Clean up on Aisle APT

This presentation will discuss findings from running multiple sinkholes over the past year. I have purchased multiple domains associated with 'APT' activity after the domains have expired. I will discuss initial expectations before beginning this journey and then discuss actual results and findings. To assist other researchers, suggestions and lessons learned from this experiment will be shared.

 

Presenter: Mark Parsons

Mark Parsons is a developer and threat analyst for King and Union. Previously, he has worked at a civilian federal agency doing incident response and threat intelligence. He has spent the past several years working on creating solutions that allow threat analysts and net defenders to spend more time looking at data rather than collecting it. Mark has previously spoken at BSIDES Charm, ArchC0n and the Sans CTI Summit.

 

 

Current State of Virtualizing Network Monitoring

This presentation will look at the viability of virtualizing and containerizing network security monitoring devices such as IDS/IPS systems, full packet capture, netflow, etc. There are a number of challenges in a virtual environment with managing system load. We have been looking at how to best virtualize open-source network monitoring solutions in both large and small environments and will detail some of the information we have learned during this adventure. We will detail a project on a single inexpensive host providing network monitoring and event collection built entirely on Open Source software. Finally, we will discuss and demo high-speed (10G+) virtualized monitoring solutions with newer technologies such as SR-IOV and DPDK-enabled OpenVSwitch.

 

Presenters: Ed Sealing and Daniel Lohin 

Ed Sealing and Daniel Lohin both work at Sealing Technologies. Their focus is primarily security engineering and figuring out how to securely build enterprise scale systems in a manner that is functional and secure. Ed is the CEO of Sealing Technologies and has over 15 years in IT and Security within the Federal Govt. Daniel Lohin holds a Masters from George Mason University and also teaches part time at a local community college.

 

 

Detecting the Elusive: Active Directory Threat Hunting

Attacks are rarely detected even after months of activity. What are defenders missing and how could an attack by detected?

 

This talk covers effective methods to detect attacker activity using the features built into Windows and how to optimize a detection strategy. The primary focus is on what knobs can be turned and what buttons can be pushed to better detect attacks.

 

One of the latest tools in the offensive toolkit is ""Kerberoast"" which involves cracking service account passwords offline without admin rights. This attack technique is covered at length including the latest methods to extract and crack the passwords. Furthermore, this talk describes a new detection method the presenter developed.

 

The attacker's playbook evolves quickly, defenders need to stay up to speed on the latest attack methods and ways to detect them. This presentation will help you better understand what events really matter and how to better leverage Windows features to track, limit, and detect attacks.

 

Presenter: Sean Metcalf

Sean Metcalf is founder and principal consultant at Trimarc Security (www.TrimarcSecurity.com), an information security consulting firm focused on improving enterprise security. He is one of about 100 people in the world who holds the Microsoft Certified Master Directory Services (MCM) certification, is a Microsoft MVP, and has presented on Active Directory attack and defense at BSides, Shakacon, Black Hat, DEF CON, and DerbyCon security conferences.

 

Sean has provided Active Directory and security expertise to government, corporate, and educational entities since Active Directory was released. He currently provides security consulting services to customers and regularly posts interesting Active Directory security information on his blog, ADSecurity.org. Follow him on Twitter @PyroTek3

 

 

Imposter Syndrome: I Don't Feel Like Who You Think I Am.

Several years ago I was walking back to my hotel after a day's worth of DerbyCon talks and it hit me all at once. ""I'm an infosec fraud. I'm not finding 0-day exploits. I'm not hacking cars or Internets of Things and I don't know PowerShell. I don't belong in infosec."" It was a hard revelation to grasp because I loved infosec and the people in it. But that was my ""truth"" back then and I went home and looked for jobs outside of the computer industry. [SPOILER ALERT] I didn't leave our industry. Instead, I threw myself into the community and tried to conquer those feelings of inadequacy and self-doubt.

 

Does this sound like someone you know? If so, come join me and learn not only about ""Imposter Syndrome"" but how I am dealing with it and how you and your colleagues can too.

 

Presenter: Micah Hoffman

Micah is an active member in the NoVAHackers community, a certified SANS instructor and runs a number of open source projects. When not working, teaching, or learning, Micah can be found hiking or backpacking on the Appalachian Trail or on the many park trails in Maryland.

 

 

IoT Pressure Cooker What Could Go Wrong

This talk will dive into vulnerabilities discovered in an IoT pressure cooker. Demonstration of how an attacker can modify data in transmit and in storage on a mobile app with can modify the temp, timing and pressure of the device, which is a potential safety concern.

Presenter: Ben Actis

Ben Actis spent five years at MITRE in the areas of mobile reverse engineering and network analytics. He taught intro to x86 and intro to flow analysis which are available on opensecuritytraining.info. He spent one year at Lookout's research and response team in San Francisco. He was the primary researcherresponsible for shedun/humming bad and xcode ghost. He is currently at Synack where he is a research and development engineer. When not reversing he is busy catching pokemon, taking Krav Maga, and trolling on twitter.

 

 

Microsoft Patch Analysis for Exploitation

Since the early 2000's Microsoft has distributed patches on the second Tuesday of each month. Bad guys, good guys, and many in-between compare the newly released patches to the unpatched version of the files to identify the security fixes. Many organizations take weeks to patch and the faster someone can reverse engineer the patches and get a working exploit written, the more valuable it is as an attack vector. Analysis also allows a researcher to identify common ways that Microsoft fixes bugs which can be used to find 0-days. Microsoft has recently moved to mandatory cumulative patches which introduces complexity in extracting patches for analysis. Join me in this presentation while I demonstrate the analysis of various patches and exploits, as well as the best-known method for modern patch extraction.

 

Presenter: Stephen Sims

Stephen Sims is an industry expert with over 15 years of experience in information technology and security. Stephen currently works out of San Francisco as a consultant performing reverse engineering, exploit development, threat modeling, and penetration testing. Stephen has a MS in information assurance from Norwich University and is a course author and senior instructor for the SANS Institute. He is the author of SANS' only 700-level course, SEC760: Advanced Exploit Development for Penetration Testers, which concentrates on complex heap overflows, patch diffing, and client-side exploits. Stephen is also the lead author on SEC660: Advanced Penetration Testing, Exploits, and Ethical Hacking. He holds the GIAC Security Expert (GSE) certification as well as the CISA, Immunity NOP, and many other certifications. In his spare time Stephen enjoys snowboarding and writing music.

 

 

OPSEC for the Security Practictioner

In our industry we provide security advice to industry. But what about our attack surface? Here are some steps you can take to lower your profile.

 

Presenter: Michael Clayberg

Michael is a husband, father, musician, and inveterate computer geek. He's worked in the computer industry since the days of the mainframe and remembers when the IBM PC debuted. Back then he played punk rock. Now he plays bluegrass. He currently assists the government is securing web applications and cloud environments.

 

 

Red Teaming the Board

Red teaming as an infosec practice has centered lately around showy exploits, social engineering, and ski-mask style hacking. This is just the tip of the iceberg, to better align security teams with what business leaders need, we need to get back to our adversarial roots by focusing on a broader spectrum of threats, how businesses can be harmed, and how to uncover them from a process perspective. This talk will focus on how and where we as security practitioners can apply red teaming techniques in the corporate environment, going beyond the same old live fire hacking exercises with war games, business process reviews, and competitor/market analysis. The goal of this talk is to empower security teams to better align themselves with not only IT and engineering departments, but the core business objectives and directives in place at their respective organizations.

 

Presenter: Robert Wood

Robert Wood runs the security team at Nuna, whose core directive is to protect one of the nation's largest collective healthcare data sets. Previously, Robert was a Principal Consultant at Cigital where he founded and led the red team assessment practice and worked with strategic clients across the United States in an advisory capacity. Throughout his career, Robert has approached problems from the red teaming perspective, identifying how and why things might fail when instigated from an adversary.

 

Users don't pay attention to your security guidance and they tune out during those training programs you bought because it's all just so boring. But learning "how to be a hack" is interesting, so I've turned cyber security education into an exercise in doing evil. This presentation will discuss why and how I've designed training classes that teach average users how to do some very bad things. I teach people ranging from software engineers to accountants how to carry out specific attacks, crack passwords, social engineer their way to fame and fortune, and so on. Furthermore, the talk discuss how you too can raise general security awareness in so doing. It will comprise a discussion of my general philosophy on teaching evil, instructional design, classes I teach regularly, and topics for classes that are still on the drawing board.

 

Presenter: Chris Niemira

Chris Niemira is AOL veteran who once spent over seven years running the front door to one of the world’s largest email systems just so he could kick spammers in their digital pants. He's done time in the banking and pharmaceutical industries, as well as some bubble-era dot-coms that we won’t talk about. Today he survives in the Northern Virginia Underground as an SRE and security enthusiast who spends his days hands-on helping product owners make their code faster, more stable, and safer. Either that or sitting in meetings. Depends on the day, really. He's been designing and teaching security training classes for the past year, so he probably thinks he knows more than he does about it. He also speaks at conferences from time to time, has directed off-Broadway theater, and enjoys retro video games.

 

The AVATAR Project and You

This isn't about bald children who can control elements or Blue cat aliens. Over the past few months, I've been writing a guide on building your own lab environment to suit your needs I've been calling Project:AVATAR

If you're looking for advice on how to build a flexible lab environment that can accommodate red or blue team practice activities this is the talk for you.

Please be aware that this talk is NOT a training.

 

Presenter: da_667

da_667 has been described as "Twitter Infamous" by his peers. Has a fondness for malware hunting, threat intel, NSM, and helping security newbies to get their bearings. Also enjoys shiny challenge coins.

 

The Battle for OSINT – Are you Team GUI or Team Command Line?

There’s more than one way to hack open-source intelligence. In this session, the presenters will demonstrate different ways to acquire information online. Tips and tricks to getting information through point and click will be compared and contrasted with the results of API scraping and coding Python scripts. After all that data is obtained, what do you do with it? The presenters will then discuss the multitude of applications for the data gained as well as the optimal ways to analyze and interpret it. You’ll come away from this session with a better understanding of how to get data from a variety of sources and utilizing different methods of retrieval.

 

Presenters: Tracy Z. Maleeff and Joe Gray

Tracy Z. Maleeff, @InfoSecSherpa, is an independent information professional providing research and social media consulting, with a focus on information security. She is a frequent presenter about best practices of data mining from social media, professional networking, and introduction to information security topics. Tracy has 15 years of experience as a librarian in academia, corporate, and law firm industries and earned a Master of Library and Information Science from the University of Pittsburgh. She is the Principal of Sherpa Intelligence LLC – your guide up a mountain of information.

 

Joe Gray (@C_3PJoe ) joined the U.S. Navy directly out of High School and served for 7 years as a Submarine Navigation Electronics Technician. Joe is an Enterprise Security Consultant at Sword and Shield Enterprise Security in Knoxville, TN. Joe also maintains his own blog and podcast called Advanced Persistent Security. He is also in the SANS Instructor Development pipeline, teaching SANS Security 504: Hacker Tools, Techniques, Exploits, and Incident Handling. In his spare time, Joe enjoys reading news relevant to information security, blogging, bass fishing, and flying his drone.

 

 

The Cryptography of Edgar Allan Poe

Baltimore resident Edgar Allan Poe had a keen interest in cryptography. Cryptography figured prominently in some of his literature. He also wrote a white paper about cryptography and ran a crypto challenge for a magazine. We'll review the historical context of Poe's interest in cryptography and examine a number of the cryptograms he published and solved.

 

Presenter: Robert Weiss (pwcrack)

Senior Information Security Engineer and Penetration Tester/Red Teamer
Def Con Speaker Goon
Member of NoVaHackers, Unallocated Space and NoVa Labs.

 

The Not So Same-Origin Policy

The same-origin policy remains one of the most important security mechanisms of the web, protecting servers from malicious pages interacting with their APIs through cross-site requests. However, the subtle details of the policy can be overlooked, so our talk aims to show how limitations in the application of the same-origin policy can undermine security. We explain in depth how the same-origin policy works and how it can be bypassed to exploit cross-site vulnerabilities, including examples of Java, Flash, Silverlight, and Cross-Origin Resource Sharing (CORS) misconfigurations.

 

As the same-origin policy and cross-site request forgery (CSRF) are inherently connected, we will also show both simple and complex cross-site request forgery attacks and how CSRF functions within the context of the same-origin policy. This will include classic CSRF attacks that work within the confines of the same-origin policy and more complicated attacks that utilize server misconfigurations to bypass the same-origin restrictions altogether.

 

Presenter: David Petty

David is an Associate Security Analyst at Independent Security Evaluators (ISE), a security consulting company in Baltimore, MD. He has recently graduated from Northwestern University with a B.S. in Computer Science, and discovered his interest in security while working for ISE during college. He specializes in breaking web and mobile applications, reverse engineering, and digital forensics, and uses these skills to conduct custom security assessments of software products.

 

 

Threat Hunting - Thinking About Tomorrow

The presentation addresses a gap in industry regarding strategic threat intelligence and tactical intelligence in the digital realm. Today the threat intelligence that is vehemently demanded and produced address only the battle, not the war. Terms such as 0-day and Actionable Intel have driven threat hunters into a world where our intel consumer has developed a dangerous case of near-sightedness, only concerned about the 50m threat unable to fathom one existing beyond the 300m target. A lack of experience and diversity among analysts in the intelligence community has created both a knowledge and experience gap that threatens our ability to truly understand our enemy. There is a breed of analyst needed on the Threat Hunter team to fight the fight on the digital battle fronts and win. That analyst is one who embodies more than just technical skills to hunt malware, but one who can think like a criminal anticipate the next target and beat the bad guy to it. This presentation will discuss the differences between tactical and strategic intelligence, the skills a successful strategic analyst should hold, and examples of how real world events translate into attacks/threats in the digital world.

 

Presenter: Tazz

Tazz is a security veteran whose technology interests began with Atari and she was amazed when a word processor had enough memory to hold multiple lines. She’s been involved with technology since 1997 starting her career in communications, after which she completed her degree. She’s had various IT roles and responsibilities over the years to include Field Software (Breaker/Fixer) Engineer, System Administrator of Chaos, IA Hoodlum, Compliance Sorceress, Information Security Cat Herder, & Security Architect. She enjoys fitness, horseback riding, weather above 70F, and anything full of laughs and weird people.

 

 

Understanding the Cybersecurity Act of 2015

The Cybersecurity Act of 2015 attracted national attention because it provided limited immunity for companies that share information about cybersecurity threats with the federal government. A lesser-noticed provision of the law, however, could have more impact on corporate cybersecurity activities. The statute significantly broadens the ability of companies to monitor networks for cybersecurity threats and employ defensive measures. This presentation provides a roadmap to the new law and explains how it expands the abilities of companies to engage in monitoring and defensive measures without running afoul of existing laws such as the Stored Communications Act and Wiretap Act. The presentation also examines privacy advocates' concerns with the new law.

 

Presenters: Jeff Kosseff and Dennis Devey

Jeff Kosseff is an Assistant Professor of Cybersecurity Law at the United States Naval Academy. He practiced cybersecurity and privacy law at Covington & Burling, and clerked for Judge Milan D. Smith, Jr. of the U.S. Court of Appeals for the Ninth Circuit and for Judge Leonie M. Brinkema of the U.S. District Court for the Eastern District of Virginia. Kosseff is a graduate of Georgetown University Law Center and the University of Michigan. Before becoming a lawyer, he was a journalist for The Oregonian and was a finalist for the Pulitzer Prize for national reporting.

 

Dennis Devey is a Midshipman First Class at the U.S. Naval Academy.

 

 

Weaponizing Splunk: Using Blue Teams for Evil

Splunk is a log aggregation and correlation tool that is normally used for defensive analysis and infrastructure management. What if Attackers could use this same tool against the blue team? During this presentation, I will discuss creative uses that penetration testers and Red Teamers can use to gain more access and move laterally within an organization.

BSidesCharm is excited to host free training for attendees again for 2017. This year we've been able to increase to five trainings sessions in total across Saturday and Sunday!