Final list of accepted 2017 talks and training!

BSidesCharm 2017 Schedule
Schedule on KhanFu

Keynote Presenters

Rob M Lee
Robert M. Lee is the CEO founder of the industrial cyber security company Dragos, Inc. He is an internationally recognized subject matter expert on industrial control system (ICS) cyber security and cyber threat intelligence. Robert gained his start in the U.S. Intelligence Community where he founded a first of its kind ICS/SCADA cyber threat intelligence and intrusion analysis mission. He may be found on Twitter at @RobertMLee

Each year the #1 attack vector into ICS networks as documented by the ICS-CERT is: "Unknown". The #2 attack vector is: "Phishing". The problem is we don't have email servers in SCADA environments. The reality is when threats are detected in the ICS people often do not know how they got there, and when they do it's because they saw it come in through the business networks.

His keynote will detail research done by Ben Miller and Robert Lee into the ICS threat landscape, identify why exactly it's so hard to fully understand, and reveal new samples of ICS themed malware and infection vectors as well as information for audience members to defend their environments against similar infections.

Jim Christy
Jim Christy will join us to present from his long career and deep insight into the history of cyber crime investigations and digital forensics: where we've been and where we're headed.

Jim Christy is is a retired Special Agent that has specialized in cyber crime investigations and digital forensics for over 29 years with the Air Force Office of Special Investigation, the Department of Defense Cyber Crime Center (DC3) and now the private sector as the Vice President for Investigations and Digital Forensics for Cymmetria. Jim left the government in July 2013 after 42 years of public service and has started his own consulting firm, The Christy Group, LLC. He has also co-founded The Digital Forensics Consortium, a 501 3(c) non-profit organization to promote STEM and specifically cyber investigations and digital forensics to students. The Digital Forensics Consortium has received a grant from the US Department of Homeland Security to resurrect both the Digital Forensics Challenge and the Digital Crime Scene Challenge he created for DC3.

In 1986, Jim obtained notoriety as the original case agent for the “Hanover Hacker” case. This case involved a group of German hackers who electronically penetrated DOD computer systems all over the world and sold the information to the Soviet KGB. The case was detailed in the best seller, “The Cuckoo’s Egg”, by Dr. Cliff Stoll.

In 2006, Christy created the DC3 Digital Forensics Challenge an international competition that in 2013 had 1,800 participants spanning 49 states and 53 countries. The exercises were designed to develop, hone, and engage participants in the fields of cyber investigation, digital forensics, and cyber security. 

Jim has been asked by Mr. Jeff Moss and the Black Hat & Defcon organizers to create and moderate the “Meet the Fed” panel for approximately 12 years. Jim brought together the current and former senior cyber government leaders for multiple panel discussions before one of the world’s largest hacker conventions.


Arming Small Security Programs: Network Baseline Generation and Alerts with Bropy
Anomaly based IDS tools are expensive. Signature based IDS tools only work if a signature exists. Using a simple Bro script, organizations without large security budgets can generate alerts for anomalous packets IF they have a complete baseline of the ports and protocols their devices use. I wrote Bropy to simplify the process of generating a network baseline to be used with Bro. With this tool, small security teams can generate network baselines for systems in a matter of minutes, rather than hours or days. Armed with the data generated by Bropy, organizations have the option to either continue to receive alerts on anomalous communication, or use the data to generate firewall configurations to enhance network security. Written in Python, Powered by Bro
Presenter: Matt Domko
Matt Domko is an Information Security Instructor for Chiron Technology Services. His experience as an enterprise administrator and cyber network defender for the US Army are what drive his passion for network defense and "Blue Teaming". Pro Tip: If you're trying to social engineer him: motorcycles, moustaches, and karaoke are great icebreakers.
Automating Bulk Intelligence Collection
Every SOC is deluged by massive amounts of logs, suspect files, alerts and data that make it impossible to respond to everything. It is essential to find the signal in the noise to be able to best protect an organization.
This talk will cover techniques to automate the processing of data mining malware to derive key indicators to find active threats against an enterprise. Techniques will be discussed covering how to tune the automation to avoid false positives and the many struggles we have had in creating appropriate whitelists. We’ll also discuss techniques for organizations to find and process intelligence for attacks targeting them specifically that no vendor can sell or provide them.
Presenter: Gita Ziabari
Gita Ziabari is working at Fidelis Cybersecurity as a Senior Threat Research Engineer. She has more than 13 years of experience in threat research, networking, testing and building automated frameworks.
Clean up on Aisle APT
This presentation will discuss findings from running multiple sinkholes over the past year. I have purchased multiple domains associated with 'APT' activity after the domains have expired. I will discuss initial expectations before beginning this journey and then discuss actual results and findings. To assist other researchers, suggestions and lessons learned from this experiment will be shared.
Presenter: Mark Parsons
Mark Parsons is a developer and threat analyst for King and Union. Previously, he has worked at a civilian federal agency doing incident response and threat intelligence. He has spent the past several years working on creating solutions that allow threat analysts and net defenders to spend more time looking at data rather than collecting it. Mark has previously spoken at BSIDES Charm, ArchC0n and the Sans CTI Summit.
Current State of Virtualizing Network Monitoring
This presentation will look at the viability of virtualizing and containerizing network security monitoring devices such as IDS/IPS systems, full packet capture, netflow, etc. There are a number of challenges in a virtual environment with managing system load. We have been looking at how to best virtualize open-source network monitoring solutions in both large and small environments and will detail some of the information we have learned during this adventure. We will detail a project on a single inexpensive host providing network monitoring and event collection built entirely on Open Source software. Finally, we will discuss and demo high-speed (10G+) virtualized monitoring solutions with newer technologies such as SR-IOV and DPDK-enabled OpenVSwitch.
Presenters: Ed Sealing and Daniel Lohin 
Ed Sealing and Daniel Lohin both work at Sealing Technologies. Their focus is primarily security engineering and figuring out how to securely build enterprise scale systems in a manner that is functional and secure. Ed is the CEO of Sealing Technologies and has over 15 years in IT and Security within the Federal Govt. Daniel Lohin holds a Masters from George Mason University and also teaches part time at a local community college.
Detecting the Elusive: Active Directory Threat Hunting
Attacks are rarely detected even after months of activity. What are defenders missing and how could an attack by detected?
This talk covers effective methods to detect attacker activity using the features built into Windows and how to optimize a detection strategy. The primary focus is on what knobs can be turned and what buttons can be pushed to better detect attacks.
One of the latest tools in the offensive toolkit is ""Kerberoast"" which involves cracking service account passwords offline without admin rights. This attack technique is covered at length including the latest methods to extract and crack the passwords. Furthermore, this talk describes a new detection method the presenter developed.
The attacker's playbook evolves quickly, defenders need to stay up to speed on the latest attack methods and ways to detect them. This presentation will help you better understand what events really matter and how to better leverage Windows features to track, limit, and detect attacks.
Presenter: Sean Metcalf
Sean Metcalf is founder and principal consultant at Trimarc Security (www.TrimarcSecurity.com), an information security consulting firm focused on improving enterprise security. He is one of about 100 people in the world who holds the Microsoft Certified Master Directory Services (MCM) certification, is a Microsoft MVP, and has presented on Active Directory attack and defense at BSides, Shakacon, Black Hat, DEF CON, and DerbyCon security conferences.
Sean has provided Active Directory and security expertise to government, corporate, and educational entities since Active Directory was released. He currently provides security consulting services to customers and regularly posts interesting Active Directory security information on his blog, ADSecurity.org. Follow him on Twitter @PyroTek3
Frony Fronius - Exploring Zigbee signals from Solar City
Solar equipment is becoming more readily used in homes and businesses due to cost savings, eco-friendly conservationism and current tax incentives. Companies like SolarCity use Power Inverters/Meters from 3rd parties in order to provide it's services while making the solution affordable for customers. This research will focus on understanding the communication between the Inverter, Internet Gateway and web portal used to view electrical consumption of subscriber.
Presenter: Jose Fernandez
Jose Fernandez is an InfoSec researcher with over 18 years of experience in the IT field. Jose specializes in InfoSec research by applying offensive methodologies towards practical defensive measures. Jose’s background in CNO, CND and engineering has allowed him to work in some of the most technically demanding environments throughout his career in both private and public sector. Mr. Fernandez is also a Veteran and PhD student pursuing his dissertation in application whitelisting.

I Went Phishing and Caught a Charge – Maryland Law for Pentesters
A full penetration test can involve social and physical aspects as well as the expected digital ones. This talk introduces the basics of Maryland law with an eye toward keeping you (and your employees) out of jail. Are lockpicks legal? Can social-engineering your way past security be considered a crime? What limits are there on phishing an employee’s personal (BYOD) device? 
And if the police DO get called, some suggestions are given with regard to how to present your get-out-of-jail letter (B&E permission slip) to the officer.
While this talk uses Maryland law as an example, many other states operate off of similar principles. Free-State peculiarities will be noted.
Presenter: Joshua Rosenblatt
Josh is an attorney, law-enforcement-officer, and all-around nerd. He is the law-instructor for the Baltimore Police Department and as a prosecutor previously served as the Division Chief responsible for founding the Baltimore State’s Attorney’s Crime-Strategies Unit. Josh also serves as adjunct professor in the University of Baltimore’s Forensic Science – High Technology Crime program teaching criminal and civil liability in the digital world. He thanks the DMCA for YouTube (though that’s about it), wonders if the Supreme Court will ever give up waiting for Congress to reform the CFAA, and holds CompTIA Net+ and Sec+ certs. But most of all, Samy is his hero.
The opinions and musings expressed in his talks are not a reflection on the Baltimore Police Department, the Mayor and City Council of Baltimore, or anyone else (including, at times, himself).

Imposter Syndrome: I Don't Feel Like Who You Think I Am.
Several years ago I was walking back to my hotel after a day's worth of DerbyCon talks and it hit me all at once. ""I'm an infosec fraud. I'm not finding 0-day exploits. I'm not hacking cars or Internets of Things and I don't know PowerShell. I don't belong in infosec."" It was a hard revelation to grasp because I loved infosec and the people in it. But that was my ""truth"" back then and I went home and looked for jobs outside of the computer industry. [SPOILER ALERT] I didn't leave our industry. Instead, I threw myself into the community and tried to conquer those feelings of inadequacy and self-doubt.
Does this sound like someone you know? If so, come join me and learn not only about ""Imposter Syndrome"" but how I am dealing with it and how you and your colleagues can too.
Presenter: Micah Hoffman
Micah is an active member in the NoVAHackers community, a certified SANS instructor and runs a number of open source projects. When not working, teaching, or learning, Micah can be found hiking or backpacking on the Appalachian Trail or on the many park trails in Maryland.
IoT Pressure Cooker What Could Go Wrong
This talk will dive into vulnerabilities discovered in an IoT pressure cooker. Demonstration of how an attacker can modify data in transmit and in storage on a mobile app with can modify the temp, timing and pressure of the device, which is a potential safety concern.

Presenter: Ben Actis
Ben Actis spent five years at MITRE in the areas of mobile reverse engineering and network analytics. He taught intro to x86 and intro to flow analysis which are available on opensecuritytraining.info. He spent one year at Lookout's research and response team in San Francisco. He was the primary researcherresponsible for shedun/humming bad and xcode ghost. He is currently at Synack where he is a research and development engineer. When not reversing he is busy catching pokemon, taking Krav Maga, and trolling on twitter.
Microsoft Patch Analysis for Exploitation
Since the early 2000's Microsoft has distributed patches on the second Tuesday of each month. Bad guys, good guys, and many in-between compare the newly released patches to the unpatched version of the files to identify the security fixes. Many organizations take weeks to patch and the faster someone can reverse engineer the patches and get a working exploit written, the more valuable it is as an attack vector. Analysis also allows a researcher to identify common ways that Microsoft fixes bugs which can be used to find 0-days. Microsoft has recently moved to mandatory cumulative patches which introduces complexity in extracting patches for analysis. Join me in this presentation while I demonstrate the analysis of various patches and exploits, as well as the best-known method for modern patch extraction.
Presenter: Stephen Sims
Stephen Sims is an industry expert with over 15 years of experience in information technology and security. Stephen currently works out of San Francisco as a consultant performing reverse engineering, exploit development, threat modeling, and penetration testing. Stephen has a MS in information assurance from Norwich University and is a course author and senior instructor for the SANS Institute. He is the author of SANS' only 700-level course, SEC760: Advanced Exploit Development for Penetration Testers, which concentrates on complex heap overflows, patch diffing, and client-side exploits. Stephen is also the lead author on SEC660: Advanced Penetration Testing, Exploits, and Ethical Hacking. He holds the GIAC Security Expert (GSE) certification as well as the CISA, Immunity NOP, and many other certifications. In his spare time Stephen enjoys snowboarding and writing music.
OPSEC for the Security Practictioner
In our industry we provide security advice to industry. But what about our attack surface? Here are some steps you can take to lower your profile.
Presenter: Michael Clayberg
Michael is a husband, father, musician, and inveterate computer geek. He's worked in the computer industry since the days of the mainframe and remembers when the IBM PC debuted. Back then he played punk rock. Now he plays bluegrass. He currently assists the government is securing web applications and cloud environments.
Red Teaming the Board
Red teaming as an infosec practice has centered lately around showy exploits, social engineering, and ski-mask style hacking. This is just the tip of the iceberg, to better align security teams with what business leaders need, we need to get back to our adversarial roots by focusing on a broader spectrum of threats, how businesses can be harmed, and how to uncover them from a process perspective. This talk will focus on how and where we as security practitioners can apply red teaming techniques in the corporate environment, going beyond the same old live fire hacking exercises with war games, business process reviews, and competitor/market analysis. The goal of this talk is to empower security teams to better align themselves with not only IT and engineering departments, but the core business objectives and directives in place at their respective organizations.
Presenter: Robert Wood
Robert Wood runs the security team at Nuna, whose core directive is to protect one of the nation's largest collective healthcare data sets. Previously, Robert was a Principal Consultant at Cigital where he founded and led the red team assessment practice and worked with strategic clients across the United States in an advisory capacity. Throughout his career, Robert has approached problems from the red teaming perspective, identifying how and why things might fail when instigated from an adversary.

Teaching Evil
Users don't pay attention to your security guidance and they tune out during those training programs you bought because it's all just so boring. But learning "how to be a hack" is interesting, so I've turned cyber security education into an exercise in doing evil. This presentation will discuss why and how I've designed training classes that teach average users how to do some very bad things. I teach people ranging from software engineers to accountants how to carry out specific attacks, crack passwords, social engineer their way to fame and fortune, and so on. Furthermore, the talk discuss how you too can raise general security awareness in so doing. It will comprise a discussion of my general philosophy on teaching evil, instructional design, classes I teach regularly, and topics for classes that are still on the drawing board.
Presenter: Chris Niemira
Chris Niemira is AOL veteran who once spent over seven years running the front door to one of the world’s largest email systems just so he could kick spammers in their digital pants. He's done time in the banking and pharmaceutical industries, as well as some bubble-era dot-coms that we won’t talk about. Today he survives in the Northern Virginia Underground as an SRE and security enthusiast who spends his days hands-on helping product owners make their code faster, more stable, and safer. Either that or sitting in meetings. Depends on the day, really. He's been designing and teaching security training classes for the past year, so he probably thinks he knows more than he does about it. He also speaks at conferences from time to time, has directed off-Broadway theater, and enjoys retro video games.

The AVATAR Project and You
This isn't about bald children who can control elements or Blue cat aliens. Over the past few months, I've been writing a guide on building your own lab environment to suit your needs I've been calling Project:AVATAR
If you're looking for advice on how to build a flexible lab environment that can accommodate red or blue team practice activities this is the talk for you.
Please be aware that this talk is NOT a training.
Presenter: da_667
da_667 has been described as "Twitter Infamous" by his peers. Has a fondness for malware hunting, threat intel, NSM, and helping security newbies to get their bearings. Also enjoys shiny challenge coins.

The Battle for OSINT – Are you Team GUI or Team Command Line?
There’s more than one way to hack open-source intelligence. In this session, the presenters will demonstrate different ways to acquire information online. Tips and tricks to getting information through point and click will be compared and contrasted with the results of API scraping and coding Python scripts. After all that data is obtained, what do you do with it? The presenters will then discuss the multitude of applications for the data gained as well as the optimal ways to analyze and interpret it. You’ll come away from this session with a better understanding of how to get data from a variety of sources and utilizing different methods of retrieval.
Presenters: Tracy Z. Maleeff and Joe Gray
Tracy Z. Maleeff, @InfoSecSherpa, is an independent information professional providing research and social media consulting, with a focus on information security. She is a frequent presenter about best practices of data mining from social media, professional networking, and introduction to information security topics. Tracy has 15 years of experience as a librarian in academia, corporate, and law firm industries and earned a Master of Library and Information Science from the University of Pittsburgh. She is the Principal of Sherpa Intelligence LLC – your guide up a mountain of information.
Joe Gray (@C_3PJoe ) joined the U.S. Navy directly out of High School and served for 7 years as a Submarine Navigation Electronics Technician. Joe is an Enterprise Security Consultant at Sword and Shield Enterprise Security in Knoxville, TN. Joe also maintains his own blog and podcast called Advanced Persistent Security. He is also in the SANS Instructor Development pipeline, teaching SANS Security 504: Hacker Tools, Techniques, Exploits, and Incident Handling. In his spare time, Joe enjoys reading news relevant to information security, blogging, bass fishing, and flying his drone.
The Cryptography of Edgar Allan Poe
Baltimore resident Edgar Allan Poe had a keen interest in cryptography. Cryptography figured prominently in some of his literature. He also wrote a white paper about cryptography and ran a crypto challenge for a magazine. We'll review the historical context of Poe's interest in cryptography and examine a number of the cryptograms he published and solved.
Presenter: Robert Weiss (pwcrack)
Senior Information Security Engineer and Penetration Tester/Red Teamer
Def Con Speaker Goon
Member of NoVaHackers, Unallocated Space and NoVa Labs.
The Not So Same-Origin Policy
The same-origin policy remains one of the most important security mechanisms of the web, protecting servers from malicious pages interacting with their APIs through cross-site requests. However, the subtle details of the policy can be overlooked, so our talk aims to show how limitations in the application of the same-origin policy can undermine security. We explain in depth how the same-origin policy works and how it can be bypassed to exploit cross-site vulnerabilities, including examples of Java, Flash, Silverlight, and Cross-Origin Resource Sharing (CORS) misconfigurations.
As the same-origin policy and cross-site request forgery (CSRF) are inherently connected, we will also show both simple and complex cross-site request forgery attacks and how CSRF functions within the context of the same-origin policy. This will include classic CSRF attacks that work within the confines of the same-origin policy and more complicated attacks that utilize server misconfigurations to bypass the same-origin restrictions altogether.
Presenter: David Petty
David is an Associate Security Analyst at Independent Security Evaluators (ISE), a security consulting company in Baltimore, MD. He has recently graduated from Northwestern University with a B.S. in Computer Science, and discovered his interest in security while working for ISE during college. He specializes in breaking web and mobile applications, reverse engineering, and digital forensics, and uses these skills to conduct custom security assessments of software products.
Threat Hunting - Thinking About Tomorrow
The presentation addresses a gap in industry regarding strategic threat intelligence and tactical intelligence in the digital realm. Today the threat intelligence that is vehemently demanded and produced address only the battle, not the war. Terms such as 0-day and Actionable Intel have driven threat hunters into a world where our intel consumer has developed a dangerous case of near-sightedness, only concerned about the 50m threat unable to fathom one existing beyond the 300m target. A lack of experience and diversity among analysts in the intelligence community has created both a knowledge and experience gap that threatens our ability to truly understand our enemy. There is a breed of analyst needed on the Threat Hunter team to fight the fight on the digital battle fronts and win. That analyst is one who embodies more than just technical skills to hunt malware, but one who can think like a criminal anticipate the next target and beat the bad guy to it. This presentation will discuss the differences between tactical and strategic intelligence, the skills a successful strategic analyst should hold, and examples of how real world events translate into attacks/threats in the digital world.
Presenter: Tazz
Tazz is a security veteran whose technology interests began with Atari and she was amazed when a word processor had enough memory to hold multiple lines. She’s been involved with technology since 1997 starting her career in communications, after which she completed her degree. She’s had various IT roles and responsibilities over the years to include Field Software (Breaker/Fixer) Engineer, System Administrator of Chaos, IA Hoodlum, Compliance Sorceress, Information Security Cat Herder, & Security Architect. She enjoys fitness, horseback riding, weather above 70F, and anything full of laughs and weird people.
Understanding the Cybersecurity Act of 2015
The Cybersecurity Act of 2015 attracted national attention because it provided limited immunity for companies that share information about cybersecurity threats with the federal government. A lesser-noticed provision of the law, however, could have more impact on corporate cybersecurity activities. The statute significantly broadens the ability of companies to monitor networks for cybersecurity threats and employ defensive measures. This presentation provides a roadmap to the new law and explains how it expands the abilities of companies to engage in monitoring and defensive measures without running afoul of existing laws such as the Stored Communications Act and Wiretap Act. The presentation also examines privacy advocates' concerns with the new law.
Presenters: Jeff Kosseff and Dennis Devey
Jeff Kosseff is an Assistant Professor of Cybersecurity Law at the United States Naval Academy. He practiced cybersecurity and privacy law at Covington & Burling, and clerked for Judge Milan D. Smith, Jr. of the U.S. Court of Appeals for the Ninth Circuit and for Judge Leonie M. Brinkema of the U.S. District Court for the Eastern District of Virginia. Kosseff is a graduate of Georgetown University Law Center and the University of Michigan. Before becoming a lawyer, he was a journalist for The Oregonian and was a finalist for the Pulitzer Prize for national reporting.
Dennis Devey is a Midshipman First Class at the U.S. Naval Academy.
Weaponizing Splunk: Using Blue Teams for Evil
Splunk is a log aggregation and correlation tool that is normally used for defensive analysis and infrastructure management. What if Attackers could use this same tool against the blue team? During this presentation, I will discuss creative uses that penetration testers and Red Teamers can use to gain more access and move laterally within an organization.

Presenter: Ryan Hays
Ryan is the Director of Security Engineering at TBG Security. With 15 years of experience in the IT field, he has worked in a variety of capacities, currently specializing in offensive security and threat emulation techniques. During his career, he has worked with a multitude of Fortune 500 and 1000 companies, along with various U.S. Government Intelligence agencies. Ryan takes pride in giving back to the infosec community by presenting at multiple conferences as well as providing training and mentorship to people across the globe. 

Training Sessions
BSidesCharm is excited to host free training for attendees again for 2017. This year we've been able to increase to five trainings sessions in total across Saturday and Sunday!

Binary Reverse Engineering for Beginners
Binary reverse engineering is a critical skill in the infosec world, from verifying crypto algorithms to finding and analyzing vulnerabilities and writing exploits. This often requires a balance of experience and intuition that only comes from practice. Our workshop will delve into the dark art of disassembly and provide participants with the tools and techniques required to practice it and develop the perceived "sixth sense" that accompanies expert reverse engineers.

All examples in the workshop will be implemented in 32-bit x86 assembly, and some experience programming in a high-level language is assumed (preferably C/C++). Examples will be performed on the Linux operating system, although many techniques will convey to any platform. It is also assumed that participants understand the legal risks associated with reverse engineering.

Participants must bring a laptop capable of running a Linux virtual machine via VirtualBox or VMWare (Player, Workstation, or Fusion). Having a basic understanding of programming and C/C++ will be greatly beneficial in taking this class.
Presenters: Ben Demick, Allen Hazelton, Michael Schroeder
Ben Demick is a Senior Security Researcher at Booz Allen Hamilton with 7 years of experience reversing embedded systems and doing embedded development. He holds a B.S. in Electrical Engineering and Physics from Clarkson University, an M.S. in Electrical and Computer Engineering from Johns Hopkins University, and has been an instructor with Booz Allen's internal software reverse engineering program for the last 3 years.

Allen Hazelton is a Chief Engineer at Booz Allen Hamilton and has 11 years of experience reverse engineering. Since 2008, Mr. Hazelton has led Booz Allen’s internal reverse engineering training program and has taught over 250 of his colleagues. Since 2009, Mr. Hazelton has lectured at the A. James Clark School of Engineering at the University of Maryland College Park where he teaches a 3 credit undergraduate course in software reverse engineering for computer engineering and computer science majors. Mr. Hazelton holds a B.S. in Computer Engineering from the University of Maryland College Park and is CEH and CREA certified.

Michael Schroeder is a Senior Lead Engineer with Booz Allen Hamilton and has 8 years of experience reverse engineering embedded systems. He holds a B.S. in Computer Engineering from the University of Maryland in College Park, an M.S. in Electrical Engineering from Johns Hopkins University, and is an instructor with Booz Allen's internal reverse engineering training program.

Bro Crash Course
In the last three years the Bro Platform has taken the network monitoring scene by storm: integrated into dozens of products, included in NSM live CDs and deployed into environments of all sizes. In this fast paced crash course attendees will get hands on training with the latest 2.4 release of Bro. We'll cover the default log model, handling intelligence, dynamically extract files on the fly and examine common attacks such as SQL injection and webshells.

Participants must bring a laptop and will receive necessary materials upon the start of the class.
Presenter: Liam Randall
Liam Randall is the CEO of Critical Stack, Inc. Originally, from Louisville, KY, he worked his way through school as a sysadmin while getting his Bachelors in Computer Science at Xavier University. He first got his start in security writing device drivers and XFS based software for Automated Teller Machines.

Presently he consults on high volume security solutions for the Fortune 50, Research and Education Networks, various branches of the armed service, and other security focused groups. He has spoken at Shmoocon, Derbycon, MIRcon and regularly teaches Bro training classes at security events.

A father and a husband, Liam spends his weekends fermenting wine, working in his garden, restoring gadgets, or making cheese. With a love of the outdoors he and his wife enjoy competing in triathlons, long distance swimming, and enjoying their community.

Dead Box...not Dead Body
Digital forensics involves more than just examining hard drives! (We'll leave the bodies to the other type of forensics.) In this hands-on workshop, we will start with an overview of the discipline of digital forensics and then dive into analysis: examining drive images, memory captures, and network traffic. The "evidence" we will discover will be part of a fictitious incident and will tie it all together. Participants will try to figure out who did it! 

Samples and detailed preparation instructions will be provided prior to class.
Presenters: Marcelle Lee, Dina Haines, and Raymond "GP" Garay-Paravisini
Marcelle and Dina are both digital forensics instructors. They both also placed in the 2011 and 2012 Defense Cyber Crime Center Digital Forensics Challenges.

Marcelle is currently working as a malware analyst and is co-founder of a security consulting company, Fractal Security Group. She holds several degrees and certifications. She is a cybersecurity competition enthusiast and an active volunteer in outreach to students and the community.

Dina is a cyber intelligence and forensic analyst and within days of completing her Master's in Cybersecurity. She is passionate about teaching security topics to anyone who will listen. In addition to her degrees, she also maintains many (although not as many as Marcelle!) industry certifications, volunteers with several charitable organizations, and knows way more about ice hockey than she ever dreamed.

Raymond Garay-Paravisini is currently a forensic analyst. He has a bachelor's degree in Criminal Justice and a second one in Computer Science. He is passionate about all things forensics with emphasis on always discovering something you did not know. He is also a military and is always excited to help teach all things forensic.

Note to students: Material for this class can be found at: https://drive.google.com/drive/folders/0B7YjVe4mne7XMndLMldHSHpjbHc

Effective YARA
Identifying, classifying and categorizing files is a vital skill, especially if you are a information security professional, researcher, analyst or engineer. This workshop delves into the science and art of employing Yet Another Regex Analyzer (YARA), the pattern matching knife of choice and provides participants with the tools and techniques required to develop and deploy effective rules.
This workshop will include sections on constructing quality rules and learning advanced dectection tactics, including the use of combining string and hex values with boolean logic. Students will learn how to integrate YARA libraries and modules into their projects to extend rule capabilities as well as how methodologies on developing targeted vs generic rules. 

The goal of this workshop is to instill skill and proficiency with YARA.  The workshop is heavy with hands on work and seeks to build comprehension on what YARA should be used against, where YARA can play a crucial role, when YARA should be used (and when not); why YARA should be used by everyone in our field, and how YARA can make a difference in your work.

Participants must bring a laptop and will receive necessary materials upon the start of the class.
Presenter: Monty St. John
Monty St John is a partner at CyberDefenses and equally husband, father, and game enthusiast. It's a close tie between what occupies his mind more -- gaming or security.
Having been involved in security, software development and forensics for a couple of decades, Monty chose to narrow his scope in 2008 to focus on digital forensics, incident response, and threat intelligence. He has a B.S. in Computer Science from Grantham University, enough certifications to paper a wall in his office, and has been an instructor on various digital forensics and threat intelligence topics for the last 3 years.

OSINT For Pen Testers: Maximizing Your Efficiency
Have you ever spent too much time in the reconnaissance phase of a pen test because you needed better intelligence? Do you make the most efficient use of OSINT? This course aims to help you find more efficient ways to collect the information about your targets so that you can get to the fun stuff: exploitation and maximum pwnage. Here, you’ll see the correlation between OSINT and Social engineering and how to better apply it to your engagements. You'll see techniques for phishing, vishing, pretexting, impersonation, and more. Tool demonstrations will include how to make the best use of OSINT Websites and standalone tools such as Datasploit, recon-ng, Social Engineer Toolkit (SET), and Browser Exploitation Framework (BeEF).

Participants must bring a laptop and will receive necessary materials upon the start of the class.
Presenter: Joe Gray
Joe Gray joined the U.S. Navy directly out of High School and served for 7 years as a Submarine Navigation Electronics Technician. Joe is an Enterprise Security Consultant at Sword and Shield Enterprise Security in Knoxville, TN. Joe also maintains his own blog and podcast called Advanced Persistent Security. He is also in the SANS Instructor Development pipeline, teaching SANS Security 504: Hacker Tools, Techniques, Exploits, and Incident Handling. In his spare time, Joe enjoys reading news relevant to information security, attending information security conferences, contributing blogs to various outlets, bass fishing, and flying his drone.