Keynote Presenters

Jessica Payne (@jepayneMSFT)

Jessica Payne is a Security Person at Microsoft. She’s held roles as a consultant doing Incident Response and proactive security engagements and as a Security Assurance Program Manager for the Windows and Devices Group. Currently she works on the Threat Intelligence team of Windows Defender Research. She has a Twitter account @jepayneMSFT and a blog at https://aka.ms/jessica

A conversational exploration of the issues plaguing the modern security operations center and its analysts focused on brutal honesty and clever solutions to some of the industries least talked about or focused on issues.  In the spirit of community and to make sure we cover the issues that are important to all of our fellow analysts out there, please feel free to fill out the below Google form and we will try to address your questions or come up with solutions to your problems live on the panel:


Shawn Thomas (@Understudy77) 

Shawn Thomas spent many years of his career as a SOC analyst across the MSSP, Government, and Private sector spaces before moving on to be an incident response consultant helping a wide variety of customers in both proactive security and breach investigations. Recently he finds himself back in the SOC world running a SOC analyst team for a large MSSP. Feel free to hit him up on his rarely updated twitter @Understudy77 (he isn’t much of a public sharer).

Andrew Marini (@bacon89)

Andrew Marini is a Security Engineer working as a government contractor. Previously he spent the last 8 years working in multiple SOC’s throughout the range of career fields including MSSP, Private and Public sectors. Working from an entry level tier 1 analyst up to senior shift lead across multiple shifts in 24/7 operations and now a security engineer he has seen the gambit of operations center environments and cultures.

James Callahan (@jp_callahan)

James is currently the Senior Tier III Cyber Network Analyst on a network security hunt team within a DoD Security Operations Center (SOC).  He came to this position from a long and storied career holding a wide variety of positions across multiple security disciplines as well as active duty service as Senior Counterintelligence Warrant Officer with the US Army. Now known as the Professional Paranoid, James provides security consulting services, primarily to US Government clients.

Dustin Shirley (@DShirley34)

Dustin Shirley is a Senior Security Engineer and founding partner for Fractal Security Group. He brings over 15 years of experience in supporting clients across industry and DOD. Mr. Shirley has been designing and building SOCs for customers for the last 5 years. He enjoys spending time with his family and cooking some good ole Cajun food.


An Open Source Malware Classifier and Dataset
Research in machine learning for static malware detection has been stymied because of stale, biased, and otherwise limited public datasets. In this talk, I will introduce an open source dataset of labels for a diverse and representative set of Windows PE files. The dataset also includes feature vectors for machine learning model building, a high-performing pre-trained model for research, and source code to reproducibly generate the features and model. I’ll also detail the reasoning behind the features and labels and demonstrate how the machine learning model performs on samples in the wild.

Presenter: Phil Roth (@mrphilroth)
Phil Roth is a senior data scientist at Endgame, where he develops products that help security analysts find and respond to threats. This work has ranged from tuning a machine learning algorithm to best identify malware to building a data exploration platform for HTTP request data. Previously, he developed image processing algorithms for a small defense contractor. While earning a PhD in physics, Phil used a machine learning algorithm and the IceCube detector at the south pole to search for neutrinos from other galaxies.

Adding Simulated Users to Your Pentesting Lab with PowerShell
Pentesting labs tend to have isolated boxes representing specific vulnerabilities. This doesn’t do a great job of mimicking real world networks which have active users and network activity. We created a tool set to introduce simulated users to a lab environment which enables us to accurately model real world corporate networks and allows for additional attack vectors to be explored in a safe setting. During this talk we’ll go over the major functions of the tool and showcase its capabilities with a live demonstration.

Presenter: Chris Myers (@swizzlez_) and Barrett Adams (@peewpw)
Chris is an experienced penetration tester and red teamer who's led a diverse range of red team assessments: from internal networks, to spear-phishing exercises, to web and mobile applications. These assessments have given him exposure in a breadth of industries (pharma, finance, healthcare, technology, etc.) through which he's developed a unique perspective of the current information security landscape. His areas of interest include exploit development, offensive security training and education, and automation and tool development. 

Barrett is also a red teamer and security professional with experience performing a variety of red team assessments. His focus has been on assessing externally facing networks, where he has developed a number of useful automation scripts to search for, consolidate, and organize a company's internet presence. More recently, he has created red team tools such as Invoke-PSImage for stealthy payload delivery and Invoke-WCMDump for dumping Credential Manager passwords.

Basic Offensive Application of MOF Files in WMI Scripting
A basic introduction on how to use MOF files and the Windows Management Instrumentation (WMI) database to alter how programs execute and implement your own processes. Join us for a walkthrough of MOF design and an overview of the vulnerabilities presented by the WMI database. Finally, learn how the hardest part of using MOF files is making yourself known to the user.

Presenters: Devon Bordonaro, Connor Gephart, and Sam Ruthenberg
Devon Bordonaro is a Senior undergraduate student at Towson University. He is studying Computer Science with a concentration in Computer Security. He joined the Towson University Cyber Defense Team this year to learn as much as possible about offensive and defensive tactics in Cyber Operations. He hopes to gain as much knowledge about the cybersecurity world as possible with hopes to gain a career in cyber operations, incident response, or vulnerability assessment. He is currently a Student Manager at his job with Student Computing Services at Towson University. He is responsible for supervising over 20 student employees as well as troubleshooting various computer issues for students. In his free time he enjoys playing a variety of online video games and rhythm games.

Connor Gephart is a sophomore at Towson University studying Computer Science and Mathematics with a track in Cyber Security. He joined with Towson’s Collegiate Cyber Defense Competition team this year to learn more about cyber security and its applications. He is currently a co-op with UPS helping to transition the company to DevOps, working with software such as Docker, Maven, and Ansible. He enjoys playing video games and playing a variety of role-playing and board games.

Sam Ruthenberg is a senior at Towson University majoring in Computer Science with the cyber security track. At his time at University he worked with fellow students in research and growing their cyber security knowledge. He has interned with the Navy, and worked on cyber tools and testing with Avionic platforms. He has an interest in enterprise security, and how security will change in the future.

Breaking and Entering: Lessons Learned from a Federal Penetration Tester
From traditional crime to terrorist attacks, surveillance and preparation by the perpetrators often increases the likelihood of attack success. Based on this premise, DHS Federal Protective Service used penetration testing to simulate an adversary’s perspective of federal facilities’ security and test the recommended risk management processes. Gain valuable perspectives on how trusted security measures can be exploited, then explore ways to use this knowledge to improve security planning and implementation. Come away with lessons learned from real (and sometimes scary) tests, while focusing on how to improve security assessments and measures.

Presenter: Joseph Misher (@josephmisher)
J. A. Misher is currently responsible for protective cyber operations policy and planning in the Department of Homeland Security's Federal Protective Service. In this capacity, he is responsible for merging two disciplines (cyber and physical security) throughout traditional law enforcement and security services. Since 2008, Misher has served in multiple capacities across intelligence, law enforcement, investigations, risk management and assessments. J. Misher is a 12 year Veteran with the USAF. He has taught at the Federal Law Enforcement Training Center, briefed senior staff in U.S. Congress, and graduate with academic honors from numerous training programs. J. Misher also holds a Bachelor of Arts in Jurisprudence where he graduated Summa Cum Laude and is a current Juris Doctorate candidate.

Building a Predictive Pipeline to Rapidly Detect Phishing Domains
Registering a new domain, requesting an SSL certificate, and installing it on the server got much cheaper for threat actors thanks to the LetsEncrypt Certificate Authority. Detecting new phishing domains has always been a reactive process for security teams; just like malware, one cannot provide threat intelligence on phishing domains before they're registered and operationalized.

The development of CertStream adds an interesting dimension for how this process can be improved. SSL certificates, and the domains for which they are issued, can now be monitored in real-time. Security analysts have intuition on what a phishing domain looks like when they see it. Building a predictive pipeline to detect SSL certificates issued to new phishing domains can be accomplished very simply using supervised machine learning. In this talk, I'll introduce a Python-based framework for building this predictive pipeline from scratch.

Presenter: Wes Connell (@wesleyraptor)
Wes is especially motivated and passionate for dramatically improving data hunting tradecraft within the cyber security domain. He has a very broad range of technical interests - particularly in the securing hardware, software, systems, and networks. When he's not hacking the planet, he enjoys playing more golf than is healthy and painfully rooting for the Washington Capitals.

Counting Down to Skynet
The Threatcasting Lab at Arizona State University was formed to forecast the threat that emerging technologies pose ten years into the future so that we can disrupt and recover from future events. My work seeks to bridge the gap between the qualitative analysis done within the Threatcasting workshop and the quantitative analysis needed to present an objective view on the matter.

Presenter: Nolan Hedglin
Nolan is currently a cadet at the United States Military Academy in West Point, NY in his final year.  In May he will be graduating with a B.S. in Math (with honors) and Physics (with honors).  Afterwards, he will be commissioned in the United States Army as a cyber officer. Nolan has been accepted into MIT's PhD program for Electrical Engineering, where he is interested in exploring topics in quantum information science.

Effective Monitoring for Operational Security
As Infosec practitioners, how well do you really know and monitor your IT and business operations? Would you identify a data exfiltration event by a bandwidth increase without attendant malware alerts? Would you identify an employee staying late and attempting to gain physical access to a restricted area? Would you identify a successful VPN login from another country? 

We will present effective monitoring methods we utilize and the resulting outputs that teach us what normal operations look like in order to identify suspicious activity. By reviewing these types of reports or tickets on a daily basis you will know your IT and business operations well enough to identify anomalies that may evade detection by your security tools. We will show example reports and tickets from our organization covering a variety of these topics and discuss how we analyze them, as well as how we use the information to better tune our monitoring tools.

Presenters: Russell Mosley (@sm0kem) and Ryan St. Germain (@r_stgermain) 
Russell is an IT Infrastructure & Security Director for a Silver Spring software and outsourced accounting services company.  Russell has seventeen years' experience in IT operations and enterprise defense and is responsible for the organization's compliance with SOC and FISMA requirements.  He holds degrees from UMBC, UMUC, and Towson University as well as CISSP and several vendor certifications.  

Ryan is a Senior Information Security Engineer with ten years' experience, a Master's Degree, and CISSP certification.

Exercise Your SOC: How to run an effective SOC response simulation
Security Operation Centers (SOCs) are the front line for incident detection, response, and escalation for organizations.  Few security teams evaluate their SOC's tools, techniques and procedures (TTPs) are working to their expected SOC response - even fewer on live networks with their CISO's approval.

This HOWTO talk for security teams will cover a crawl/walk/run approach to build and execute live fire incidents to target your SOC's TTP abilities to detect, respond, and escalate. Techniques, lessons learned, and WAR stories will be discussed to how to select your exercises, determine expected outcomes, methods to measure results, coordinate for CISO sign off, and how to report lessons learned to improve your SOC's TTP response.

Presenter: Brian Andrzejewski (@DevSecOpsGeer)
Brian is the lead Information Security Engineer in the CyberDefense Branch at the United States Customs and Immigration Services (USCIS). He leads, engineers, and architects several of USCIS’s security efforts and represents USCIS as a hands-on SME in several working groups within DHS and Federal government on DevSecOps, Application Security, Cloud Migration & Security, Container Security, and CyberDefense operations best practices. 

Prior to USCIS, Brian brings his prior 17+ years of professional experiences in information security, risk management, IT Operations, system development & administration, & DFIR from the Department of Defense, healthcare, commercial, and academic sectors.  He was a prior DoD SME representative in U.S. cybersecurity workforce development programs and operationalized machine-speed cyber threat information sharing between the five U.S. National Cyber Centers. He remains passionate about cybersecurity workforce development and information security education with non-profits and security researchers.

FailTime:​ ​ Failing​​ towards​ ​Success
The vast majority of talks are about a person or a team's successes. What they discovered, why it matters, what the impact is… But rarely do you get to peak behind the curtain and see the challenges they encountered and the barriers to success.

The goal of this talk is to explore failure as an often necessary component in being successful. If I'm successful, it's because I fail frequently. I also constantly test new approaches and attempting to validate new ideas. I provide several case studies of my failure in security research and other IT and other less technical topics. This presentation includes anecdotes from others in the security industry have failed and how they dealt with it (with their permission). Most people we look up to have dealt with different levels of failure. How they dealt with it and what they did next is what matters. So, how do we overcome the depression and fatigue of failure? How to keep on moving forward when something just isn't working?
Come to this talk to commiserate and better understand how to learn from failure.

Bonus (for me): If this talk fails to be successful, I will learn from it and move on, thus proving my point. :)

Presenter: Sean Metcalf (@PyroTek3)
Sean Metcalf is founder and principal consultant at Trimarc Security, LLC (www.TrimarcSecurity.com), which focuses on mitigating, detecting, and when possible, preventing modern attack techniques. He is one of about 100 people in the world who holds the Microsoft Certified Master Directory Services (MCM) certification, is a Microsoft MVP, and has presented on Active Directory attack and defense at BSides, Shakacon, Black Hat, DEF CON, and DerbyCon security conferences.

Sean has provided Active Directory and security expertise to government, corporate, and educational entities since Active Directory was released. He currently provides security consulting services to customers and regularly posts interesting Active Directory security information on his blog, ADSecurity.org.

Getting Saucy with APFS! - The State of Apple’s New File System
Do you know what happens when a new file system comes out? ABSOLUTE MAYHEM! All your forensic analysis tools are broken and you are thrown into the forensic dark ages - stuck with just a hex editor and cold sweat.

Ok, I might be slightly over dramatic but seriously, new file systems don’t come around very often, how do forensic analysts deal with this? APFS was introduced on iOS devices with 10.3 and natively on macOS with 10.13, High Sierra. This talk will go through the current state of Apple’s new Apple File System (APFS). Topics discussed will include file system features, imaging, analysis methods, and current tool support.

Presenter: Sarah Edwards (@iamevltwin)
Sarah is an senior digital forensic analyst who has worked with various federal law enforcement agencies. She has performed a variety of investigations including computer intrusions, criminal, counter-intelligence, counter-narcotic, and counter-terrorism. Sarah's research and analytical interests include Mac forensics, mobile device forensics, digital profiling and malware reverse engineering. Sarah has presented at many industry conferences including; Shmoocon, Bsides*, DEF CON and the SANS DFIR Summit. Sarah is the author of the SANS Mac Forensic Analysis Course - FOR518. She has a Bachelor of Science in Information Technology from Rochester Institute of Technology and a Masters in Information Assurance from Capitol College. 

How we reverse engineered OSX/Pirrit, got legal threats and survived
What if I told you that you have a piece of software on your machine that runs with root privileges, injects data into your browser without you even knowing, makes itself impossible to remove, and it heavily impacts the performance if your machine? Join me for a session about OSX malware reverse engineering, the legal threats that we got from the malware authors, IDA screenshots and opsec fails.

Presenter: Amit Serper (@0xAmit)
Amit leads the security research at Cybereason's Boston HQ. He specializes in low-level, vulnerability and kernel research, malware analysis and reverse engineering. Whenever he is not taking apart malware and exploring the dark and undocumented corners of operating systems at the office, you could find him in his lab at home reverse engineering routers and other IoT devices and finding horrible bugs on them.

Prior to joining Cybereason, Amit spent nine years leading security research projects and teams for the Israeli government, specifically in embedded system security.

Internet Anarchy & The Global March toward Data Localization
Lacking a global institution to harmonize internet governance, countries are formulating local data governance, privacy, and security regulations. This Splinternet poses logistical challenges for corporations and has strategic implications for geopolitics, democracy, and individual freedoms. This will be demonstrated through the GDPR, Chinese, and Russian approaches to data localization.

Presenter: Andrea Little Limbago (@limbagoa)
Dr. Andrea Little Limbago is a computational social scientist, cybersecurity researcher, writer, quant analyst, national security wonk, and outdoors and sports enthusiast. She is currently the Chief Social Scientist at Endgame, where she directs the company's technical content and contributes independent research at the intersection of cyber and geopolitics, while also advocating for greater inclusivity and representation in tech and national security. Andrea's writing and research has been featured in numerous outlets, including Politico, Dark Reading, Forbes, Business Insider, VentureBeat, and the Hill. She has presented at academic, government, and infosec cons, such as SOCOM's Global Synch, DerbyCon, Enigma, O'Reilly Security, and BSidesLV. Prior to Endgame, Andrea was a technical leader at the Joint Warfare Analysis Center, where she earned the Command's top award for technical excellence for her analytic support to the Geographic Combatant Commands, Special Operations Command, Strategic Command, and the Joint Staff. Andrea is a visiting fellow at the National Security Institute at George Mason University, a data analytics industry advisory board member at George Washington, and contributes to numerous infosec cons program review committees. 

Malware Analysis and Automation using Binary Ninja
In recent years, the need for automating malware analysis and reverse engineering tasks has become of paramount importance with the increasing prevalence and sophistication of threats. Binary Ninja is a novel reverse engineering platform that helps solve this problem by making automation easier and more approachable than current solutions. However, in speaking with colleagues over the past year, I've found that many either haven't heard of Binary Ninja or have found it hard to figure out how to incorporate it as a tool in their daily work. In this talk, I hope to demystify the Binary Ninja interface by demonstrating how to perform basic analysis and utilize the API for the common automation task of dumping and decoding configuration data using a practical, real-world sample.

Presenter: Erika Noerenberg (@gutterchurl)
Erika Noerenberg is a senior malware analyst and reverse engineer in the Threat Research group of LogRhythm Labs in Boulder, CO. Previously, she worked as a forensic analyst and reverse engineer for the Defense Cyber Crime Center (DC3), performing system and malware examinations in support of intrusions investigations for the DoD and FBI.

Plight at the end of the Tunnel
DNS is one of the most ubiquitous and yet least analyzed network protocols. DNS tunnels are frequently employed to sneak traffic in and out of restricted environments, without ever making a direct connection to the attacker's remote endpoint.
This talk discusses a holistic approach to detect DNS tunnels, and provides an open source implementation of these techniques to scan network traffic.

Presenter: Anjum Ahuja (@jack8daniels2)
Anjum is a Threat Researcher at Endgame, working on problems related to network security, malware, and behavioral analysis. He has a background in computer networks, routing and IOT security, and holds multiple patents in these fields. Anjum holds a Masters in Computer science from Johns Hopkins University.

Powershell Deobfuscation: Putting the toothpaste back in the tube
In an effort to provide analysts with a clearer picture of what happened after exploitation and save them time, we've developed a tool for detecting and deobfuscating obfuscated Powershell scripts. This starts with a machine learning classifier to determine if a file is obfuscated or encoded, reversing any encoding any easy to decipher obfuscation found, and then finishing up the more difficult deobfuscation tasks using a neural network text translation framework.

Presenter: Daniel Grant
Daniel Grant is a Data Scientist at Endgame where he focuses primarily on multi-class malware identification, model validation, and system behavioral analysis. He has an MS in Operations Research from Georgia Tech.

Preparing for Incident Handling and Response within Industrial Control Networks
Most Industrial Control System (ICS) networks require Incident Response (IR) procedures. Generally, these procedures fulfill regulatory requirements and do little to actually prepare the organization for handling an incident. This lecture will concentrate on concepts that decrease required resources for IR, arm responders, and facilitate a return to operations.

Presenter: Mark Stacey (@lzeroki) 
Mark Stacey is currently a Principal Threat Analyst with Dragos Inc where he delivers incident response, threat hunting, and adversary research for Industrial Control Systems worldwide. Prior to joining Dragos, Mark was a member of RSA's Incident Response team for 5 years where he provided incident response, discovery, and forensic services globally for private industry, financial institutions, law firms, foreign and domestic governments. Mark spent 7 years with the Department of Energy (DOE) performing cyber and intelligence analysis for various government clients. He has functioned in both cybersecurity operations and research within the intelligence community and frequently provides community education through outreach programs with federal agencies.

Quantify your hunt: not your parents’ red teaming
The security marketplace is saturated with product claims of detection coverage that have been almost impossible to evaluate, all while intrusions continue to make headlines. To help organizations better understand what detections a commercial or open source technology platform provides, a framework is necessary to measure depth and breadth of coverage. This presentation builds upon the MITRE ATT&CK framework by explaining how to measure coverage and quality of ATT&CK while demonstrating open source red team tools and automation that generate artifacts of post-exploitation. The community of security professionals and the organizations for which they work will gain new or improved abilities to measure detection capabilities.

Finally, this presentation will articulate a call to action for the industry: adopt this common language that describes these detection capabilities in a tangible and quantifiable way.

Presenters: Devon Kerr (@_devonkerr_) and Roberto Rodriquez (@Cyb3rWard0g)
Devon Kerr is a principal researcher for Endgame R&D, designing and implementing detection and response capabilities for the Endgame platform. Prior to joining Endgame, Mr. Kerr spent more than 6 years responding to intrusions at Mandiant (A FireEye Company). 

Roberto Rodriquez is a Senior Threat Hunter at SpecterOps where he specializes in the development of analytics to detect advanced adversaries techniques. He is also the author of several open source projects, such as the Threat Hunter Playbook and HELK, to aid the community development of techniques and tooling for hunting campaigns.

Rise of the Miners
Over the past year, we've witnessed a shift in malware used by both the common criminal, and targeted actor alike. While ransomware was the bell of the ball in the past, it has been replaced with the up and coming cryptocurrency miner. This talk will explore the trends witnessed in the past year as they pertain to the rise in popularity of cryptocurrency miners being used and deployed by criminals. We'll talk about how and why this transition has occurred, as well as a number of interesting case studies about how this malware winds up on a victim's machine. Finally, we'll also discuss the most popular cryptocurrencies being mined today, and strategies you can take to mitigate this threat.

Presenter: Josh Grunzweig (@jgrunzweig)
Josh Grunzweig is a malware researcher on the Unit 42 team at Palo Alto Networks. He spends most of his days reversing malware, researching campaigns, scripting in Python, or working with others to take down malware threats. In the past he's looked at a wealth of malware families, including ransomware, crypto miners, targeted RATs, backdoors, and keyloggers, to name a few. He's been reversing malware for over 8 years and doesn't see it stopping anytime soon. Prior to malware analysis, Josh dabbled in a number of jobs in the past, including vulnerability research, network administration, system administration, and the coveted helpdesk position. 

Threat Activity Attribution: Differentiating the Who from the How
Typical attribution focuses on ‘whodunnit’ - with little clear benefit to network defenders. This talk will consider attribution by activity and behavior – to develop strategies, playbooks, and responses to types of attack, while leaving nation state attribution to amateurs and reporters.

Presenter: Joe Slowik (@jfslowik)
Joe Slowik currently hunts ICS adversaries for Dragos, pursuing threat activity groups through their malware, their communications, and any other observables available. Prior to his time at Dragos, Joe ran the Incident Response team at Los Alamos National Laboratory, and served as an Information Warfare Officer in the US Navy. Throughout his career in network defense, Joe has consistently worked to "take the fight to the adversary" by applying forward-looking, active defense measures to constantly keep threat actors off balance. When not hunting adversaries or playing with open source security projects, Joe loves playing ice hockey and building Legos.

To AI or Not to AI? What the US Military Needs for Fighting Cyber Wars
Can our military continue to think it can fight future wars without the help of AI? AI which promises to improve efficiencies in identifying threats to national security also affirms to solve our nation’s cybersecurity concerns. Some, however, regard such advanced technologies to be a false promise, diverting resources from human intelligence activities. This talk analyzes the best way forward.

Presenter: Lieutenant Colonel Ernest "Cozy Panda" Wong (@ArmyCyberInst)
Lieutenant Colonel Ernest Y. Wong is a Military Intelligence Officer in the U.S. Army who is serving as Research Scientist at the Army Cyber Institute and Assistant Professor with the Department of Systems Engineering at West Point. He graduated from the United States Military Academy with a B.S. in economics, and he holds a M.S. in management science and engineering from Stanford University, a M.A. in education from Stanford University, and a Master of Military Science from the Mubarak al-Abdullah Joint Command and Staff College in Kuwait. He had the opportunity to work as a NASA Summer Faculty Fellow and has served in overseas deployments to Iraq, Kuwait, and the Republic of Korea. His research interests include revolutionary innovations, cyber resiliency, and the application of systems engineering tools for resolving complex real-world problems.

Using Atomic Red Team to Test Endpoint Solutions
As organizations deploy endpoint solutions, testing them becomes imperative. Often teams don’t know how to test or choose poor testing plans. In order to conduct these tests, Red Canary's applied research team has developed a free open source framework called Atomic Red Team. The framework is designed to provide teams with small, discrete tests that are vendor agnostic and representative of actual adversary behavior. 

This talk will explore the Atomic Red Team framework and demonstrate basic tests, chaining tests, and opportunities for security teams to contribute to the framework. Our aim is to put a testing framework in the hands of large and small security teams to confirm that they have the coverage needed to face modern adversaries.

Presenter: Adam Mathis (@ch41_)
Adam is a security practitioner, beard enthusiast, and heavy metal connoisseur. For the better part of a decade he has worked across multiple security disciplines, such as architecture design and implementation, penetration testing, security engineering, and incident handling and response. As a Technical Account Manager with Red Canary, Adam provides strategic vision and practical solutions to help organizations improve their security posture.

Training Events

Binary Reverse Engineering for Beginners
Binary reverse engineering is a critical skill in the infosec world, from verifying crypto algorithms to finding and analyzing vulnerabilities and writing exploits. Our workshop will delve into the dark art of disassembly and provide participants with the tools and techniques required to practice it and develop the perceived "sixth sense" that accompanies expert reverse engineers.

This workshop will be utilizing the Binary Ninja disassembler software (Personal/Student or Commercial versions, demo version is not supported). If you have a copy of Binary Ninja, bring it! If you don’t have one, don’t fret. This year, Booz Allen Hamilton is sponsoring a 1-year Personal license for Binary Ninja, and all you need to do get a copy is register for a mailing list. Probably the best deal ever for a mailing list registration! As this is commercial software, government employees and those unable to receive gifted items must supply their own copy of Binary Ninja.

Participants must bring a laptop capable of running a Linux virtual machine via VirtualBox or VMWare (Player, Workstation, or Fusion).

Trainers: Ben Demick (@3pidemix) and Dennis Rembert III
Ben Demick is a senior reverse engineer and security researcher at Booz Allen Dark Labs with over 14 years of industry experience.  As one of the founding members of Dark Labs, he directs and performs research related to software binary analysis and embedded system vulnerability discovery, while also providing software engineering, development, test, incident response, and reverse engineering support to several government and commercial clients.  Ben is also an instructor for the Booz Allen Software Reverse Engineering courses, where he develops course material and delivers training to internal staff and external clients, as well serving as a lab instructor for undergraduate reverse engineering at the University of Maryland, College Park.  He holds a B.S. in Electrical Engineering and Physics from Clarkson University, an M.S. in Electrical and Computer Engineering from Johns Hopkins University.

Dennis Rembert III is a Senior Lead Software Engineer at Booz Allen Hamilton where he currently works as the Technical Lead of a large Enterprise development effort. He has over 9 years of experience developing and managing software projects and has worked with a variety of government clients. He has also helped lead marketing efforts and summer projects for the Booz Allen internship. Dennis is also an instructor for the internal Booz Allen Software Reverse Engineering course in addition to teaching Software Reverse Engineering at Loyola University of Maryland. He holds a B.S. in Computer Science from University of Maryland - Baltimore County (UMBC) and an M.S. in Computer Science from Johns Hopkins University. 

Cloud Busting: Understanding Cloud-Based Digital Forensics
What, exactly, is “the Cloud”? Is it a network of machines connected via the Internet scattered all over the globe? Is it a data center environment located in the United States or anywhere in the world? Is it really just “someone else’s computer”? Or, is there more to it that needs to be understood by the Information Security professional, to arm him or her with enough knowledge to answer the tough question that inevitably will be asked by their employer, “Why should we take the risk to move our most sensitive data into the cloud?” To take it one step further, should in the event of a data breach that same employer should say, “We need to investigate how this happened;” what exactly will the Information Security professional need to know to successfully conduct a digital forensic investigation, especially if he or she doesn’t have direct access to the server or hardware?

After attending this workshop, attendees should have a greater understanding of the following subjects:

*Cloud computing, including the different service models and deployment models
*Differences in Cloud governance laws between the United States and other countries
*Risks involved moving data into the cloud (and how they can be mitigated)
*How to identify the challenges of conducting a cloud-based digital forensics investigation (and how can they be overcome)
*Proper procedures of a cloud-based forensics investigation as defined by laws, regulations, and federal standards
*How to gather evidence from a cloud service provider to conduct a digital forensics investigation

Students must arrive with laptops preinstalled with TSK/Autopsy (or a valid licensed copy of FTK or EnCase). The forensic image will be made available shortly before the conference; alternatively it will be distributed on the day of the class.

Trainers: Kerry Hazelton and Tigran Terpandjian (@th3CyF0x)
Kerry Hazelton's career in Information Technology has spanned the course of twenty years, and with it he has developed considerable experience with systems and network support, data center operations, and information security. As such, he considers himself a "cybersecurity enthusiast" due to his desire and motivation to read up on the latest trends within the industry, to learn about a new exploit or tool, or his willingness to teach and share with others his experiences over the years. These traits have helped him to continue to thrive in his current position as a Security Engineer for a major healthcare data analytics provider, where he is responsible for managing their cloud security controls, incident response procedures, and security process development. He also has presented technical workshops at prior Security BSides conferences, including Charm, DC, and NoVA.

Kerry has been married to his wife Tracy for over fifteen years, and together they have one son, Benjamin.

Tigran Terpandjian (th3CyF0x) is a Senior Analyst at Accenture Federal Services. An alumnus of the Advanced Practical Social Engineering Course taught by Social-Engineer Inc, he has been fascinated with languages, cultures, social psychology, military tactics and history since his childhood. Despite receiving a B.A in international relations with a concentration in: world politics and diplomacy (University of Richmond), he stumbled across the path of Cyber Security and decided to pull the trigger and tumble down the security rabbit hole. Along the way, he was beset by the beasts of Compliance, the SOC, FISMA and FedRAMP but found his banner under Red Teaming & Social Engineering; now a cyber threat hunter, he has creatively combined his love for red teaming and social engineering. Tigran enjoys applying red teaming, digital reconnaissance and social engineering concepts to conduct cyber threat hunting and is passionate about emulating the adversary.

When not on the hunt, Tigran loves playing tennis, practicing Krav Maga, is an advocate for the inconvenient truth, writing articles on Red Team Journal and a Social Engineering novel series for Rogue Dynamics, strengthening his multilingual competency and playing/developing tactics for World of Warships. And experimenting dangerously with spices and sauces in the kitchen 

Threat Hunting with ELK
This hands-on class will walk attendees through leveraging the open source ELK stack to analyze logs to proactively identify malicious activity. The basic tools and techniques taught during this class can be used to investigate isolated security incidents or implemented at scale for continuous monitoring.

Attendees will need to bring their own Windows/Linux/macOS laptop with 8+ GB RAM, WiFi, and VirtualBox or VMware installed. A VM will be made available to attendees for download before class, as well as available on USB flash drives at the start of class. 

Trainers: Ben Hughes (@CyberPraesidium)Liana Parakesyan, and Peter Quach
Ben brings over 12 years of diverse experience in cyber security, IT, and law. He leads Polito's commercial services including vulnerability assessments, penetration testing, incident response, forensics, and threat hunting. Prior to joining Polito, Ben worked on APT hunt teams at federal and commercial clients, sharpening his skills in network security monitoring, IR, forensics, malware analysis, security configuration, and cyber threat intelligence. He holds CISSP, GCFA, GWAPT, and Splunk Power User certifications. Ben is also a member of the Maryland bar and volunteers at a pro bono legal clinic.

Liana brings to Polito a wide range of experience in cybersecurity. Liana has worked with policies from various industries, created tailored cybersecurity frameworks for companies and agencies. She has background in building cybersecurity laboratories for clients and conducting penetration testing, and threat intelligence activities. She holds Security +, CEH, and CISSP certifications. Liana also leads community workshops to educate people about cybersecurity and privacy.

Peter has a diverse background in cyber security, IT, project management, marketing, and business development. He has worked on many projects over the years for Fortune 500 companies and is currently a Project Manager at Polito, Inc. Peter believes that cyber security should enable business and works with clients to create and implement solutions that work for their unique needs. Peter double majored in both Business Administration as well as Information Systems Management and currently holds the Security+ certification.

Traffic Analysis Workshop 2018
This is a 1 day workshop that provides a foundation for investigating malicious network traffic. It begins with investigation concepts, using Wireshark, and identifying hosts in network traffic. The workshop then covers characteristics of malware infections and suspicious network traffic. Participants will learn how to determine the root cause of an infection. The workshop concludes with an evaluation in reviewing traffic and drafting an incident report.

- A laptop with some sort of connectivity to the Internet.
- Wireshark installed (the most recent version as possible).
- A basic knowledge of network traffic.

Trainers: Brad Duncan
Brad Duncan specializes in network traffic analysis and exploit kit detection.  After more than 21 years of classified intelligence work for the US Air Force, Brad transitioned to cyber security in 2010.  He is currently a Threat Intelligence Analyst for Palo Alto Networks Unit 42.  Brad is also a volunteer handler for the Internet Storm Center (ISC) and has posted more than 100 diaries at isc.sans.edu.  He routinely blogs technical details and analysis of infection traffic at www.malware-traffic-analysis.net, where he's provided over 1,300 pcaps of malicious activity to the community.

Subpages (27): View All