Training courses are available on a first-come, first-served seat assignment only to current BSidesCharm ticket holders. Information on how to register for a class will be sent via email soon to the account on your ticket.

Practical Dark Web Hunting using Automated Scripts

How can you effectively hunt data from the dark web using scripts? How can you circumvent scraping defenses on the dark web? How can you automate your scripts? If you are curious about the answers to these questions and want to learn how to effectively write automated scripts for this task, then this workshop is for you. There are many forums and marketplaces on the dark web where actors buy, sell, and trade goods and services like databases, exploits, trojans, ransomware, etc. Collecting data from the dark web can help any organization identify and detect risks that may arise due to their assets being sold on the dark web. In this workshop, you will learn why collecting data from the dark web is essential, what open-source tools you can use to collect these data, how you can create your tools & scripts, and automating your script for effective collection. The workshop’s primary focus will be on circumventing defenses put by forums & markets on the dark web against scraping.

Prerequisites:
Basic scripting in python
Knowledge of using VMs & Linux machines

Apurv Singh Gautam (@ASG_Sc0rpi0n)

Apurv Singh Gautam works as a Threat Researcher at Cyble. He commenced work in Threat Intel 3 years ago. He works on hunting threats from the surface and dark web by utilizing OSINT, SOCMINT, and HUMINT. He is passionate about giving back to the community and has already conducted several talks and seminars in conferences like SANS, Defcon, BSides, local security meetups, schools, and colleges. He loves volunteering with Station X to help students make their way in Cybersecurity. He looks forward to the end of the day to play and stream one of the AAA games Rainbow Six Siege.

PowerShell Crash Course

This course will give you the basics of PowerShell. You will learn the PowerShell syntax and what to Google if you need help. Learn things like repeating tasks, iterating through a list of objects, and the various things you can do with PowerShell objects. You will also learn to discover new cmdlets, modules, and functions. You will gain experience by practicing what the instructor is teaching and demos production scripts and tools. The target audience for this course is individuals who are new to scripting and new to PowerShell.

James Honeycutt (@P0w3rChi3f)

Mr. Honeycutt is a 26-year military veteran and has over 20 years of experience in IT/Security operations. He holds numerous SANS certifications and is currently working on his MSISE Degree (Masters of Science in Information Security Engineering). Mr. Honey enjoys giving back to the community by instructing. He has conducted a SANS Mentor Windows Security and PowerShell class, taught a three-month Security Boot Camp with Trilogy, and currently teaches Firewalls and Network Security at Howard Community College. He was also selected to peer review the SEC586: Blue Team Operations: Defensive PowerShell. When he has the time, he will produce PowerShell videos on YouTube.

Mr. Honeycutt became the Active Directory PowerShell expert as a SysAdmin. He started learning PowerShell back in PowerShell v2 and stays current with the changes. Mr. Honeycutt is currently serving as the Windows and PowerShell expert on his Cyber Protection Team, creating new ways and techniques to accomplish tasks without specialized tools. His current work includes a PowerShell Port Scanner, a PowerShell version of the bash file command. You can find his published work on GitHub.

He believes that if the adversary is living off the land, the defender should too.

Holistic AWS Cloud Security Design for Organizations New to Cloud

Ditch the kale smoothie, it’s time to go big picture. Your organization is moving to AWS, and you’re in a panic. Which of the 42 billion AWS service offerings do you really need? How do you manage user and service accounts? What about those 7 different rogue AWS accounts you just found out about? We’ll walk through select essentials of organizing and standardizing your AWS environment(s), securing AWS accounts and services, managing IAM, and implementing core services to protect your environment. We’ll talk about balancing security with usability, how your existing architecture can work for you and against you, and how to identify and protect your attack surface in (and even out of) the cloud. By the end of the training, you will have hands-on experience with many security essentials for your AWS accounts and the services within them, and an understanding of the components of high-level cloud security design.

Prerequisites
Participants will need to bring a laptop to this training with a reliable browser in order to access the AWS Web Console. Participants should expect to create 2 or more new AWS accounts. These accounts are intended to be created and configured during the training, but reuse is fine as long as the account in question does not have production or important data or infrastructure within it. Minimal experience with AWS is beneficial but not required.

Cassandra Young (@muteki_rtw)

Cassandra works full time in information security consulting, focusing on Cloud Security Architecture and Engineering, while also pursuing a master’s degree in Computer Science part time. Notable coursework includes cloud-based app development, and academic research on serverless security and privacy/anonymity technology. Additionally, as one of the directors of Blue Team Village, Cassandra works to bring free Blue Team talks, workshops and more to the broader InfoSec community.

Threats lurking beneath the subsurface: Understanding and analyzing threats to Windows Subsystem for Linux (WSL)

In April 2016, Microsoft shocked the PC world when it announced the Windows Subsystem for Linux (WSL). WSL is a supplemental feature that runs a Linux image in a near-native environment on Windows, allowing for terminal functionality without the over-head of a virtual machine. While this new functionality was welcomed by developers, it also introduced a new attack surface threat actors can – and do – target. Black Lotus Labs recently identified several malicious files that were compiled in the Linux binary format ELF which utilized native windows APIs. Over the past several months, Black Lotus Labs has identified numerous agents – i.e. lightweight scripts that load more robust agents into memory – keyloggers, and in some cases fully functional remote access trojans. The novelty of using an ELF loader designed for the WSL environment gave the technique a detection rate nearly, or in some cases a, zero for sample found on Virustotal. This talk will briefly introduce WSL, then focus on the samples Black Lotus Labs observed abusing this feature in the wild.

Danny Adamitis (@dadamitis)

Daniel Adamitis is a Principal Information Security Engineer at Lumen Technologies responsible for advanced actor tracking and threat intelligence. He previously performed threat analysis and reporting on nation-state campaigns while at Cisco Talos, before joining Lumen’s Black Lotus Labs. In his spare time, he enjoys cooking and running with his dog.

Call the Plumber: Your Documents are Leaking

For most organizations, posting brochures, contract templates, whitepapers, and various forms of marketing collateral online is a standard practice. And for most threat actors, this can surreptitiously provide a wealth of information about the organization they are targeting.

In this talk, we will examine why cyber criminals benefit from the public sharing of organizational documents, how they make use of the metadata contained in the documents, how misconfigurations and lack of user awareness can lead to data leaks, and propose practical / open source methodologies organizations can employ to protect themselves.

Nick Ascoli (@kcin418)

Nick Ascoli is the founder and CEO of Foretrace, an External Attack Surface Management (EASM) solution. Prior to starting Foretrace, Nick was a Cyber Research Scientist and Consultant with Security Risk Advisors and has published several open-source tools including pdblaster and TALR. Nick has been a speaker at Blackhat Arsenal, SANS, and B-Sides conferences on SIEM and UEBA topics.

Job Hunting Like a Hacker

Job hunting? Join Jason Blanchard for a crash course in job hunting like a hacker. Writing a resume sucks because humans don’t know how to explain their skills and abilities due to so many self-inflicted factors. Check out this fun and engaging and interactive way of explaining who you are so you can use these techniques to get the job you want.

Jason Blanchard (@BanjoCrashland)

Jason Blanchard is the Content & Community Director of Black Hills Information Security. During the pandemic he hosted a livestream on Twitch for job hunting like a hacker. 212+ viewers returned to let him know they were able to land a new job using the tactics he taught. He has worked in the comic and film industries and now gets to create content and build community within cybersecurity.

Engineering != (Admin || Analyst || Responder)

The field of Security Engineering has evolved as an essential function within the Information Security industry. Security Engineers are responsible for many aspects of protecting the enterprise; including designing of secure systems, supporting security operations, and protecting business platforms, data centers and now, the cloud. The nebulous role of Security Engineers is sometimes confused with system administrators, security analysts or even penetration testers. Yet the industry recognizes the need for Security Engineers with over 1000’s of opportunities in the DMV region alone. This talk will address questions such as “What is a security engineer?” and “Aren’t they the system administrators?” Reswob (reswob10) and Noog (nfltr8) will provide their experience as Security Engineers in Information Security (or Cyber) solving real problems for federal services and other industries. Heck, we will even throw in a framework that we created called the Security Engineering Triad. After all that fun, we want to inspire the next generation on what it takes to become security engineers in today’s world to include experience, education and certifications needed.

Craig Bowser (@reswob10)

Craig Bowser is an Infosec professional with over 20 years of experience in the field. He has worked as an Information Security Manager, Security Engineer, Security Analyst and Information System Security Officer in DoD, DOJ and Dept of Energy areas and is currently a Security Solutions Architect at GuidePoint Security. He has some letters that mean something to HR departments. He is a Christian, Father, Husband, Geek, Scout Leader who enjoys woodworking, sci-fi fantasy, home networking, tinkering with electronics, reading, and hiking. And he has a to do list that is longer than the to do slots that are open.

Lu (@nfltr8)

Underground Insights: Criminal Exploitation of Multi-Factor Authentication

As organizations increasingly deploy or modify existing multi-factor authentication (MFA) techniques, cybercriminals are increasingly exploiting MFA. Regardless of whether organizations’ use of MFA requires SMS messages, authentication applications, or hardware-based security keys, Accenture Cyber Threat Intelligence (ACTI) is observing malicious actors buying and selling MFA bypass techniques, in addition to actors sharing and seeking information on the topic. In this talk, ACTI examines the underground activity focused on bypassing MFA, as well as threat actors buying and selling services to bypass MFA, including modified versions of publicly available tools, mobile malware, credential stealers, SIM swapping, Signaling System 7 (SS7) exploits, and services for bypassing MFA to hack cryptocurrency wallets.

Adam Bumgarner 

Adam Bumgarner currently works as an intelligence analyst at Accenture Security and brings nearly 15 years of experience in researching and analyzing financially-motivated cybercrime. Adam focuses primarily on English and Russian-language cybercrime research and analysis, including researching threat actors and groups, emerging trends and tactics, techniques and procedures (TTPs). Adam has also conducted a great deal of research focused on hacktivism. Additionally, Adam possesses an in-depth knowledge of the evolution of criminal forums and markets.

The Uncensorable Stack: Malicious Applications of Blockchain Tech

Blockchain technology introduces new opportunities for adversaries to level up their tradecraft. By combining different decentralized technologies full censorship resistant user-friendly applications can be built without a single point of failure. This talk will cover known attacker instances of blockchain based capabilities, dive into each layer of an uncensorable tech stack, demo what a malicious application might look like, and provide defenders mitigation strategies.

Jesse Buonanno (@1337Bananas)

Jesse Buonnano currently works as a Security Engineer at BlockFi focusing on bringing blockchain activity into the realm of Cyber Threat Intelligence. Previously, he worked at MITRE doing Adversary Emulation for the ATT&CK Evaluations as well as building cryptocurrency & blockchain capabilities for law enforcement. Free time is consumed by Ironman 70.3 training #RedTeamFit.

Forecasting cyber-attacks – mathematical models & techniques

Wouldn’t it be fantastic if you could forecast the next cyber-attack, the number of attacks, and even how rapidly the attacks would occur? In this session, I’m going to show you how you can use the MITRE ATT&CK framework to build up your attack scenario then use the mathematical models to generate your forecasts. Don’t worry, you don’t have to be a mathematician (or even good at math) to use these models. The goal of this activity is to be proactive in developing mitigations and strategies for the next possible cyber-attack.

Charlene Deaver-Vazquez (@FISMACS_LLC)

Charlene has worked as a subject matter expert in cybersecurity for 12 years. She has worked in IT for 30 years in both private and government sectors, from supporting small networks and programming to designing global networks.

More than a decade ago, she transitioned to compliance, managing a multi-million-dollar contract, then went on to auditing installation sites, cloud, and even supporting deployable platforms.

For the past several years she has been providing enterprise-level risk analysis to C-suite stakeholders. In 2021, she created Probabilistic Risk Modeling for Cyber (P-RMOD4Cyber) a framework of methods, models, and guides for cyber-related quantitative analysis.

AD CS means “Active Directory is Cheese (Swiss)”

Active Directory is great.
Public Key Infrastructure is great.
So you’d think Microsoft’s AD-integrated PKI – AD Certificate Services – would be great too. And configured correctly, it is!

But in practice, Microsoft’s “easy” approach to PKI often creates security issues in typical deployments. Luckily, you can eliminate the most common & most dangerous misconfigurations with a few easy checks.

Jake Hildreth (@dotdotdotHorse)

Jake Hildreth is a Senior Security Consultant and member of the Identity Security Team at Trimarc Security, LLC. As a recovering sysadmin with over 20 years of wide-ranging experience in information technology, he configured, administered, or supported almost every technology used by small and medium businesses. His day-to-day work at Trimarc focuses on assessing Active Directory configurations for Fortune 500 companies to help secure their environments. He currently holds the CISSP and Security+ certifications and plans to expand into offensive research in the near-future.

Malware Wars: DarkSide Strikes Back as BlackMatter

Ransomware, and malware as a whole, does not exist in a vacuum; it is often developed to accomplish a goal, whether to further an espionage campaign or for monetary gain. Ransomware, in particular, is a fast-moving landscape driven by an intricate web of operators, tools and mystery. BlackMatter ransomware emerged in July 2021 as the successor to DarkSide ransomware, only to be shut down a few short months later…or was it? Besides amassing a large portfolio of victims, the BlackMatter operators released several versions of the ransomware. Recorded Future was the first to openly publish technical details on BlackMatter, as well as interview the ransomware operators themselves. In this session, we will take you through our discovery of the BlackMatter ransomware group and its evolution through the shutdown as well as provide a technical deep dive on the Windows, PowerShell and Linux ransomware itself. We will also address how this evolution trend shows up in the larger ransomware operator landscape, especially among sophisticated actors.

Lindsay Kaye (@TheQueenofELF)

Lindsay Kaye is the Director of Operational Outcomes for Insikt Group at Recorded Future. Her primary focus is driving the creation of actionable technical intelligence – providing endpoint, network and other detections that can be used to detect technical threats to organizational systems. Lindsay’s technical specialty and passion is malware analysis and reverse engineering. She received a BS in Engineering with a Concentration in Computing from Olin College of Engineering and an MBA from Babson College.

James Niven 

James is a Principal Threat Researcher at Recorded Future that researches Russian based ransomware.

KQL and Azure AD Workbooks for the Blue Team

As more IT resources are moved to the cloud organizations need the ability to access this log data as well as perform complex queries. KQL (Kusto Query Language) is a tool that belongs in every defenders toolkit for operations monitoring as well as threat hunting. But how do you even get started if you don’t know KQL? This session will be heavy on practical to get you up and running TODAY.

In this session we will leverage some of the built-in Azure AD workbooks to understand the basics of KQL. Then we will progress to more complex KQL concepts and show you how you can take any existing workbooks and customize them for your own use or even create your own and contribute back to community of workbooks that’s growing!

Corissa Koopmans (@Corissalea)

Corissa Koopmans (@Corissalea) is part of the “Get to Production” team in the Microsoft Identity Division, focusing on customer experience, open identity solutions, and improving the product based on customer feedback. She has a background in International Management and Data Analytics and has presented Microsoft MVP Summits, BSides Charlotte, and Tec2020.

Tosin Lufadeju 

Tosin Lufadeju (@tosinluf_PM) is a Program Manager on Microsoft’s Identity Customer Success team. As a “Get-to-Production” PM, he focuses on understanding customers’ needs and driving deployments of Azure Active Directory features across Microsoft’s top customers and partners. He has also led partner trainings and customer feedback sessions across various Azure AD features.

Let’s Get Cooking with CyberChef

CyberChef is known as the “cyber Swiss army knife” because of the myriad operations you can perform with this most excellent tool. Developed by GCHQ, this open-source web application can encode and decode, encrypt and decrypt, compress and decompress, analyze files and images, and so much more. Every professional should have CyberChef in their toolbox and in this talk I will cover some of the operations I frequently use in my role as a security researcher.

Marcelle Lee (@marcellelee)

Marcelle Lee is a Security Researcher and an adjunct professor and training consultant. She specializes in cybercrime, digital forensics, and threat research. She is involved with many industry organizations, working groups, and boards, including the Women’s Society of Cyberjutsu, Infragard Maryland, the NIST Cyber Competitions Working Group, and the Cybersecurity Association of Maryland Advisory Council. She also both builds and participates in cyber competitions.

Marcelle has earned the CISSP, GCFA, GCIA, GCIH, GPEN, GISF, GSEC, GCCC, C|HFI, C|EH, CSX-P, CCNA, PenTest+, Security+, Network+, and ACE industry certifications. She holds four degrees, including a master’s degree in cybersecurity. She has received the Chesapeake Regional Tech Council Women in Tech (WIT) Award and the Volunteer of the Year award from the Women’s Society of Cyberjutsu. Marcelle frequently presents at conferences and training events, and is an active volunteer in the cybersecurity community.

Information Literacy Makes for Better Information Security

The American Library Association defines ‘Information Literacy’ as, “a set of abilities requiring individuals to ‘recognize when information is needed and have the ability to locate, evaluate, and use effectively the needed information.” Correct and accurate information is crucial to Information Security, whether it be for Threat Intelligence gathering or monitoring an incident response. Learn tips and strategies from a former librarian on how to ascertain the validity of information before using it, or worse, passing along what may be disinformation. You will come away with this session with a better sense of data gathering and organization, in addition to being a more literate consumer of information.

Tracy Z. Maleeff (@InfoSecSherpa)

Tracy Z. Maleeff, aka @InfoSecSherpa, is a Security Researcher with the Krebs Stamos Group. She previously held the roles of Information Security Analyst at The New York Times Company and a Cyber Analyst for GlaxoSmithKline. Prior to joining the Information Security field, Tracy worked as a librarian in academic, corporate, and law firm libraries. She holds a Master of Library and Information Science degree from the University of Pittsburgh in addition to undergraduate degrees from both Temple University (magna cum laude) and the Pennsylvania State University. While a member of the Special Libraries Association, Tracy received the Dow Jones Innovate Award, the Wolters Kluwer Law & Business Innovations in Law Librarianship award, and was named a Fellow. Tracy has been featured in the Tribe of Hackers: Cybersecurity Advice and Tribe of Hackers: Leadership books. She also received the Women in Security Leadership Award from the Information Systems Security Association. Tracy publishes a daily Information Security & Data Privacy newsletter and maintains an Open Source Intelligence research blog at infosecsherpa.medium.com. She is a native of the Philadelphia area.

The tribe and the copycat – A look into Pakistani APT campaigns in recent years.

In recent years, there has been a substantial uptick in the intrusions attributed to Advanced Persistent Threat (APT) groups aligned with Pakistan. The two groups, ‘Transparent Tribe’ and ‘SideCopy’ have operated a variety of campaigns to realize the unified goal of espionage. Transparent Tribe is a well-established group, known to have operated since at least 2016. SideCopy however, is a relatively new threat actor in nascent stages of its life cycle – only disclosed recently, circa 2020.
Using a combination of compromised and attacker owned infrastructure, the APTs have deployed bespoke malware against a variety of targets in the Indian sub-continent. Typical targets for the groups include government and military entities in Afghanistan and India.
In this presentation we take a deep dive into the tactics, techniques and procedures (TTPs) used by both the groups over the course of the past two years. The presentation will start by showing the initial patterns and themes of malicious documents and lures used by the groups in 2020. The presentation will finish with an evolutionary analysis of Transparent Tribe and SideCopy’s tactics resulting in the deployment of their Windows malware implants.

Asheer Malhotra (@asheermalhotra)

Asheer is a threat researcher specializing in malware analysis, reversing, detection technologies and threat disclosures within Talos. He has been researching malware threats for about a decade at FireEye, Intel, McAfee and now at Talos. His key focus is tracking nation state attacks (APTs) across the world.

ICS/OT Cyber Threats, Vulnerabilities, and Incidents: Past and Present

Gain an in-depth look at old case studies and new research across 2021 highlighting new ICS threat groups, vulnerabilities, and insights from the field including incident response case studies of previously unreported incidents. This session will give a ground-truth reality and primer on what is really happening in our industrial environments.

Ben Miller (@electricfork)

Ben Miller is Vice President of Professional Services and R&D at the industrial cyber security company Dragos, Inc. where he leads a team of analysts responding to OT/ICS intrusions and a delivery of assessments, hunts, training, and research efforts to improve OT/ICS defenses and security.

Ben Miller leads the Dragos team of experts who are on the front lines in solving some of the toughest security challenges for the world’s most critical infrastructure.

An information security veteran with over two decades experience, Ben has focused on the unique challenges of securing and defending industrial control systems. He began his critical infrastructure journey as an electric asset owner where he was responsible for detecting and responding to threats across a Fortune 150 enterprise where he became acquainted with security challenges for transmission, generation, and nuclear environments. Ben then joined the North American Electric Reliability Corporation (NERC). In what was to become the Electricity Information Sharing and Analysis Center (E-ISAC), Ben worked closely with federal agencies and industry across a variety threats, vulnerabilities, and other matters as it relates to the North American bulk electric system. He is an accomplished speaker at conferences around the world and occasionally writes for various publications.

In his spare time, he enjoys the simple pleasures of outdoor cooking with his family in Maryland.

Extortion, Chaos and Needless Busywork AKA Vendor Risk Management

Trends in the security and compliance include increased attention to the security posture of critical vendors known as Vendor Risk Management. This has led to the proliferation of third-party risk rating vendors, unwieldy questionnaires, and processes. This talk dives into real-world issues created by this rush-to-rate frenzy and discusses rational solutions for effectively rating vendor risk.

Jim Nitterauer (@jnitterauer)

Currently Director of Information Security at Graylog, Jim and his teams are responsbile for IT Services, Security and Compliance across the organization. He holds the CISSP and CISM certifications in addition to a Bachelor of Science degree with a major in biology from Ursinus College and a Master of Science degree with a major in microbiology from the University of Alabama. He is a 2000 graduate of Leadership Santa Rosa and a 2001 graduate of Leadership Pensacola. He is well-versed in ethical hacking and penetration testing techniques and has been involved in technology for more than 25 years. Jim has presented at NolaCon, ITEN WIRED, BSides Las Vegas, BSides Atlanta, BSides San Francisco, CircleCityCon, DEF CON, DerbyCon, CypherCon, HackerHalted, Blue Team Village, Blue Team Con and several smaller conferences. He has presented training classes at CircleCity Con and BSides San Francisco. He is a regular contributor to the Tripwire Blog. He regularly attends national security conferences and is passionate about conveying the importance of developing, implementing and maintaining security policies for organizations. His talks convey unique and practical techniques that help attendees harden their security in practical and easy-to-deploy ways. Jim is a senior staff member with BSides Las Vegas, a member of the ITEN WIRED Planning Committee and the President of the Florida Panhandle (ISC)2 Chapter. He served as President and CEO of GridSouth Networks, LLC, a joint venture between Creative Data Concepts Limited Inc. and AppRiver, LLC., and founded Creative Data Concepts Limited, Inc. He stays connected with the InfoSec and ethical hacker community and is well-known by his peers. In addition to his work at Graylog, he devotes his time to advancing IT security awareness and investigating novel ways to implement affordable security controls. When not at the computer, Jim can be found working out, playing guitar, traveling or just relaxing with an adult beverage.

$how Me the Money

It’s a challenge for smaller organizations to embrace security, and it can be a downright battle to start a security program. Here’s a guide to getting the buy-in you need and starting a security program at your company.

Carlota Sage (@carlotasage)

Raised in the wilds of Alabama by angry chickens and crazy people, Wolfpack-educated in the Tar Heel/Blue Devil state, and indoctrinated into Security by Silicon Valley appliance vendors (which are either wolves or angry chickens…maybe both), Carlota has returned to the east coast, where she serves as a virtual CISO for mid-sized companies. When not picking other peoples’ brains for minutia, she strings beads, destroys cars, drinks whiskey and screams into the dark, dark void that is Twitter as @carlotasage.

Into the Breach: An Analysis of State Political Party Account Exposure

Targeted by both state-sponsored and criminal actors, political parties face an array of challenges in securing their organization’s digital footprint. State-level party offices are at a particularly heightened degree of vulnerability, owing to the inherently public nature of their organizations. A major security concern for state-level parity offices is the threat of sensitive organizational data being publicly leaked or manipulated to undermine the organization’s political objectives. The risk of this scenario is magnified by the widespread appearance of party-affiliated account data in large-scale data breaches. This session presents a novel data-mining solution that quantifies the level of exposure these organizations face due to account exposure in data breaches. Leveraging open-source web utilities to enumerate state-level party websites for provided email accounts, the tool compares the results from 195 state-level party websites with data breach detection services provided by the HaveIBeenPwned API. The results have dire implications for the security of our electoral system.

Andrew Schoka 

Andrew Schoka is a Cyber Operations Officer at the Department of Defense and has spent the last six years tending the office coffee pot in different roles across government and academia. He holds an M.S. in Cybersecurity from Georgia Tech, a B.S. in Systems Engineering from Virginia Tech, and a variety of industry security certifications.

Three Bridges & a Compass: Navigating Risk Landscapes with Intelligence

A wealth of operational security resources – detections & red team tests – are now publicly available, enabling control validation cycles. Intelligence becomes near-essential to navigate which myriad controls to validate next. We will illustrate how intelligence informs prioritized control validation & risk reduction and review a new open-source tool to quickly identify addressable defensive gaps.

Scott Small (@IntelScott)

Scott Small is an expert in open source research, investigations, and analysis. Scott is a proud member of the Intelligence Services division at Recorded Future, where he advises clients on technical implementation and strategic applications of intelligence for enterprise security programs. Scott’s prior roles focused on using technology to help organizations identify and mitigate supply chain and cyber risk. His favorite ATT&CK technique is T1027.

Log4j From The Trenches

As your company winds down for the holiday season, like clockwork, another fresh CVE with publicly available exploit code drops. The Apache Log4j exploit (CVE-2021-44832), also dubbed as Log4Shell, had widespread fallout as a result of the exploit being made publicly available, and organizations are still dealing with the associated problems even months later. This talk will discuss three unique scenarios observed as a result of Log4j being exploited on VMWare Horizon servers and include 1) exploitation for persistent access via a webshell, 2) exploitation leading to a Cobalt Strike beacon, and 3) exploitation leading to a cryptocurrency miner. The talk will demonstrate the exploit chain, artifacts of each investigation, and how you can detect the activity in your network using commercially available tools such as Microsoft Defender ATP, CrowdStrike Falcon, Carbon Black, and FireEye HX. On top of that, sources for threat intelligence pertinent to these types of attacks will also be discussed, as well as prevention mechanisms.

Max Thauer (@secformax)

Max Thauer is an incident response senior consultant at Mandiant. His job entails helping clients navigate through security incidents involving ransomware, APT investigations, employee misuse, and web exploitation. Max’s primary skillset falls within the realms of EDR technologies, host-based digital forensics, log analysis and malware analysis.

Malware Analysis for the Masses

An introduction to the tools and techniques of malware analysis by way of live investigation of real malware samples. Starting with how to set up a lab and walking through a scenario from phishing email to host execution. Analysis includes PDF’s, Documents, Powershell, executables, and sandboxing.

SOCs and Shoes

The Security Operations Center, everyone has one, but is it really more than a checkbox or a place to go where dreams die? This talk will discuss some of the core issues that SOC’s face today as well as suggestions and ideas to get this pivotal role and department back on mission by trusting and empowering analysts to find badness.

Shawn Thomas (@Understudy77)

Shawn is ex Incident Response consultant, SOC manager, and current Head of Incident Response at Yahoo!, a Paranoid by trade and title he has spent his career trying to find badness and protect users. Shawn has worked in or managed many SOC’s across both the government, private sector, and MSSP space. He loves to teach and talk DFIR/Operations, volunteer at conferences, host podcasts, including Positively Blue Team and The Paranoids Podcast, and help run the DeadPixelSec discord community which is his infosec home.