Opens at 08:30

Election Campaign Security Panel

More information to come soon!

To be announced

While the main talk rooms are setup, please take the time to visit our sponsors and explore the villages and workshops.

Over the past several years, merchants worldwide have been increasingly accepting contactless payments. With this change, malicious actors have begun to adapt and exploit both contactless payment cards and mobile payment platforms. Through monitoring underground websites, iDefense observed indicators of threat actors performing this type of fraud.

Adam Bumgarner

Breaking the attack kill-chain is one of the primary objectives of every Blue Team. Time spent identifying the indicators of compromise and acting on them is time that the attacker is on your network. With that in mind, follow me on a hunting expedition. We’ll follow the attacker through the kill chain and figure out how to stop him before he gets any further. In the end, you’ll be armed with knowledge that can make your next hunting expedition a success!

David Brascome

Check out the available options within the hotel or take a quick walk next door to the mall food court.

This talk is based on a joint research I have completed along with Max Kersten regarding a Magecart infection that occurred on an Olympic Ticket Reseller site. This talk is about our adventure in contacting the site and getting to take it down. From there we go even further, finding 9 more compromised websites and eventually taking the entire domain down.

Jacob Pimental

Emergency services are crucial to any city. Yet, with advances in technology, many vulnerabilities have surfaced within the services ecosystem. Within the past five years, the industry was exposed to many attacks targeting 911 services. My talk will provide insight into the operation of a 911 call center and investigate many attack vectors targeting this aspect of critical infrastructure.

Marc Fruchtbaum

The Freedom Of Information Act was enacted in 1967, and has been used for decades to uncover information about US government activity. Two years ago, Emily began asking government agencies questions about old hacks and hackers using the FOIA process. In this talk, Emily will present the most interesting, and funny finds over the last 2 years.

Emily Crose

On October 1st, 2019, the NSA formally established the Cybersecurity Directorate to “prevent & eradicate” threats – right in our own back yard. What does it look like when an intelligence agency decides to do cybersecurity? Let’s go beyond the talking points to understand the organization, why it was created, what it does, and how it does it.

Greg Bednarski

We all put a lot of trust in the applications we use chat with other people. Have you ever wondered what your chat application is doing in the background? How is it storing the message or pictures you send? You are required to login to send and receive messages….or are you? Come see how some of the most popular chat clients send data and if anyone else could see this data.

Tobias Mccurry
5:30 - 9:00
BSidesCharm Party
Opens at 8:30
Election Campaign Security Panel
More information to come soon!
To be announced
While the main talk rooms are setup, please take the time to visit our sponsors and explore the villages and workshops.

Crypto agility refers to the ability to update crypto primitives quickly with minimum overhead. Most organizations do not practice crypto agility, exposing themselves to unnecessary risk. CARAF can be used to determine the appropriate mitigation strategy commensurate with their exposure. This talk will present key motivations for crypto agility, CARAF itself, and application to quantum computing.

Chujiao Ma

The C2 Matrix: this is information for the community and a call to action! It is an open sourced C2 evaluation framework so that teams can determine what’s the best tool for penetration testing/red teaming particular scenarios. We’ll talk through why we built the framework, the components, automatically generated defensive artifacts, and adversary emulation across multiple frameworks.

Bryson Bort
Check out the available options within the hotel or take a quick walk next door to the mall food court.

The Security Operations Center, everyone has one, but is it really more than a checkbox or a place to go where dreams die? This talk will discuss some of the core issues that SOCs face today as well as suggestions and ideas to get this pivotal role and department back on mission by trusting and empowering analysts to find badness.


Data breaches pose an enormous risk to consumers. But just how bad is it? With a focus on accessibility, the Data Breach Archives tool automatically collects & standardizes data breach notices published by state governments to determine the scope of the problem. This session will discuss uses for the tool & contemporary legal hurdles that prevent data breach victims from recovering in court.

Ahmed Eissa

Preventing cloud-native exploits requires us to rethink cloud architecture and how we use services such as IAM. We will simulate advanced cloud attacks live to demonstrate how common cloud misconfigurations are exploited to understand how we can prevent them up front with secure architecture.

Josh Stella

Container security is reliant upon an effective implementation of security best practices. Based upon open source security tools, the security concepts utilized by containers are considered mature. Implementation of secure infrastructure utilizing a Linux operating system are described and compared to the security implementation within a container runtime.

Kimberly Mentzell

Detecting domains that could be used in typosquatting attacks using your brand’s name is valuable. There are existing solutions for domain/brand monitoring, but not every organization has room in the budget for these services. Alternatively, organizations can turn to open source tools. This session examines one open source project that was adapted into a domain typosquatting monitoring tool.

Pat Heaney
5:30 - 9:00
BSidesCharm Party
11:30 - 12:00
Ransomware: Nation-States and Hostile Acts Exclusion

Traditional notions of nation-state responsibility in pre-Internet world are being challenged through on-line activities such as Russia’s alleged use of NotPetya. This creates second order effects such as denial of claims by insurers using “hostile acts exclusion”. NotPetya is a prime example and could be the beginning of more uninsurable damages.

Matt Bodman

Bolting a security solution on the side of technology just doesn’t work as well as built-in protection. This talk covers adversary use of LD_PRELOAD and how one tool used its audit system for defense. We’ll discuss considerations for whitelisting design and show how checks built into the dynamic linker would be more effective than an add-on tool.

Tony Lambert

Check out the available options within the hotel or take a quick walk next door to the mall food court.

Currently, compliance is seen as a blocker. Various different stakeholders tend to do what they want instead of what they should do based on policy, strategy and guidance. The people doing the work aren’t sure why they need to, or don’t see how it aligns with what needs to be done. Compliance is more than just a roadblock – it complements both Governance and Risk Management (GRC). There are frameworks to implement, counsel to consult, budget planning and execution to follow. Development and practice of organizational policies are cumbersome yet necessary. Where does one begin to start?

This is not the compliance talk we have been avoiding. This is about helping to identify and justify risk-based decisions to strengthen the organization. It’s about the organizational policies, the implementation, and how you can use those to generate the data needed to help your teams. It’s about working with the business and having the support needed to gain success.

Trevor Bryant

Pattern interrupt techniques have been a mainstay of hypnosis for over fifty years and a staple of con-artistry for centuries longer. These techniques can be easily learned and implemented to induce a state of confusion that leaves the target temporarily suggestible. Social engineers can exploit this to bypass the critical thinking of a human barrier.

Brandon Becker

In this session, the presenter will cover the 10 legitimate tools most often seen in use by targeted attackers. Session will include demonstration of their use as well as detection methods/forensic evidence to determine if these tools have been used maliciously in a network.

Jim Miller

YARA, an open-source pattern matching framework, has become ubiquitous for writing signatures used in intel, threat hunting, and host detection. Much like any programming or logic language, there are important best practices and efficient ways of writing and structuring the rule logic to be more efficient and modular. Even more so when used in an operational technology (OT) context for hunting and detecting threats to “”ICS””.

This talk will give techniques and tips for writing YARA rules effectively, using them in the context of OT threat detection, and present useful tools for implementing YARA on OT-related data and environments.

Wes Hurd

Walking through the challenges faced by infosec candidates in search of their next best opportunities. This guide tackles each stage in the journey with step by steps guidelines based on decades of recruiting experience and input from the community.

Kirsten Renner
Opens at 9:00

While the main talk rooms are setup, please take the time to visit our sponsors and explore the villages and Hiring Village.

Combat sports and cyber defense have a lot in common! Drawing from personal experience, Charity will discuss lessons for network defense, incident response, and offensive strategy learned from the ring of collegiate Taekwondo sparring and the ‘pit’ of the Mid-Atlantic Collegiate Cyber Defense Competition.

Charity Barker

Curious how hackers use the latest exploits to gain unauthorized access? This presentation will dissect a real world attack that included one of the first known exploits of the Window’s BlueKeep RDP vulnerability (CVE-2019-0708) in a customer’s environment; as well as other tactics the threat actor used to gather information and attempt to move laterally through the network.

Taree Reardon

Check out the available options within the hotel or take a quick walk next door to the mall food court.

Many detections are based upon known variants and detection data sources. Meanwhile, attackers invest in identifying new variants, decreasing the efficacy of a detection over time. How can we increase resilience against evasion and maximize detection shelf life? In this talk, we will establish a new methodology to build a resilient detection for InstallUtil, a commonly abused Windows utility.

Matt Graeber

The purpose of this talk is to present the basics of how an inexperienced or new analyst to a Security Operations Center would conduct an investigation. Additionally, presenting the analyst as a risk analyst and detective rather than similar to an I.T. break/fix specialist. This is part technical and part on how to format the information in such a way that management understands. The investigation is one of the core tasks that a SOC analyst conducts and is often an area that people are left to figure out how to succeed by trial and much error.

Michael Jenks

Stick around to hear the latest on how the conference went as well as win free prizes!

Opens at 9:00

While the main talk rooms are setup, please take the time to visit our sponsors and explore the villages and Hiring Village.

My Talk will Cover How to get started in the world of threat hunting with only Red Teaming experience. What are the Similarities when it comes to threat hunting and red teaming. How does having the knowledge of red teaming/penetration testing help enhance your threat hunting skill set. Discuss how the tools and techniques used by both Red Teamers and Threat hunters are done in a similar fashion.

Charles Shirer

While the Gorgon Group has managed to keep a low profile, they have quietly built a massive botnet and carried out targeted attacks. Come learn about how they perform these operations, and avoid detection using an amalgamation of open-source projects. This talk will also cover the various tools we use to track and analyze this campaign.

Danny Adamitis

Check out the available options within the hotel or take a quick walk next door to the mall food court.

Applications are modernizing. With that, the way permissions for these applications are granted are also changing. These new changes can allow an attacker to have sustained persistence in plain sight if we don’t understand how these work and where to look. What’s the difference if an application has permissions or an application has delegated permissions? Why did that admin account consent to that application, should I be worried? Is that application overprivileged? I have thousands of apps, how do I account for this? In this session we will look to demystify and bring clarity to these questions. You’ll understand these new application models and how they can be abused for sustained persistence, how these permissions work and what overprivileged looks like and finally, how to find them in your environment.

Mark Morowczynski and Oana Enache

Create a network segmentation strategy by solely utilizing the Windows Host-Based Firewall. Using Group Policy as an orchestrator for centralized management, firewall rules can be deployed to endpoint firewalls to limit the ports and protocols that are allowed to communicate between security zones. These security zones will be based upon Active Directory User and Computer Security Groups memberships.

Mike Burns
Stick around to hear the latest on how the conference went as well as win free prizes!
11:30 - 12:00
Automatic License Plate Recognition with the Raspberry Pi

Using a Raspberry Pi, camera, and battery pack, we can perform discrete, mobile ALPR (Automatic License Plate Recognition) for about $100. The data taken from this can be analyzed stored and analyzed for patterns.

Marc Muher

IoT devices are everywhere. From washing machines, to refrigerators, to web cameras and routers; many of these devices host light-weight operating systems with their own capabilities and vulnerabilities associated with them. This talk will discuss various methods of performing firmware analysis, with an emphasis on low cost techniques so that anyone can start performing their own analysis.

1:00 - 2:00
Lunch and a Movie

How about a low level break with some humor, good links and cats? With ‘Punzel our Cat (PoC) as both payload delivery and metaphor we will discuss some things anyone can do and some sources to do much more.

Steve Pote

Your employees are your first line of defense. These defenders need training. Mandatory training presentations will lose people’s attention; a punishing environment won’t encourage people to report issues. So what do you do? Learn how to develop a positive security program that teaches your defenders to be successful against common workplace threats. You don’t have to be the weakest link.

Olivia Brundage
12:00 - 4:00
Visit the Hiring Village sponsors to discuss future career opportunities!

Click the tabs above to see scheduling for resume review and career coaching.

The Hiring Village is only open for four hours so make sure you stop by to talk with all of the great companies who will be there to show what opportunities they have available.

12:00 - 2:00
Suzie Grieco

Ms. Suzie Grieco transitioned from a career in sales and marketing for a national media organization to become a top recruiter for a regional technology staffing agency supporting commercial organizations as well as defense and intelligence government agencies. After five years, she then joined Booz Allen Hamilton as a senior corporate recruiter the Organization and Strategy team supporting intelligence community agencies and transitioned to Booz Allen’s Human Capital consulting team. In 2013, Ms. Grieco co-founded SG2 Recruiting, a boutique recruiting firm headquartered in Virginia, that supports companies by designing and implementing talent acquisition initiatives that identify, engage, screen, recruit and on-board hard-to-find candidates. She currently serves on the board of recruitDC, a community organization dedicated to helping regional talent acquisition professionals in the Washington DC Metro area.



Twitter: @SG2_recruiting

Senior Technical Recruiter with Dragos and have over 20 years experience recruiting in the Metro DC and Baltimore markets. I have experience working in both Corporate and Agency environments supporting a wide array of industry with a heavy emphasis on technology.


Senior Manager for Technical Recruiting at FireEye with 10 years overall in cyber. Enjoys talking tech around red team, incident response and industrial control systems. Heavy focus on intern and new grad hiring with a desire to help guide both down the right paths in the cyber world and making sure they are highlighting themselves to employers.



Twitter: @bordle12

I’m Lisi a Technical Recruiter at Novetta focused in the advanced data analytics government space. Highly experienced with resume review for Information Technology candidates with clearances. The number one thing I care about his helping people. I can help with Interview prep, getting over nerves of technical interviews, resume review, linkedin profiles, networking, and where to apply for roles! I am a huge Nationals fan and love playing golf. Very excited to be a part of this team!



Twitter: @kaLisi_mu

12:00 - 2:00
John Stoner

Mr. Stoner has over 19 years of experience in the national security and defense sector working a variety of roles, including most recently as a Cyber Threat Analyst, Cyber Counterintelligence Analyst and Cyber Instructor. He is currently the Deputy Director of DCISE (DoD-DIB Collaborative Information Sharing Environment) at the DoD Cyber Crime Center (DC3), having previously been the DCISE Chief of Analytics. His experience includes IT, instruction and course design, cyber exercise and testing, penetration testing, threat support, SIGINT (Signals Intelligence), and Cyber Operations. He holds A+, Net+, CEH, CHFI, CEI, CISD, CASP, FITSP-Manager, and CISSP certifications. He also holds a Computer Studies degree from UMUC. He has spoken at a variety of local, national and international level of conferences including BSides DC, BSides NoVA, BSides London, BSides Pittsburgh, BSides Vegas, the Maryland Infragard Cybersecurity Conference, the Central Maryland’s ISSA chapter, and at the Federal IT Security Conference among others. He also often attends the monthly Booz Allen Hamilton Hacker Trivia event at Jailbreak in Laurel, MD! He is a huge soccer fan and coaches youth soccer. He got started in military intelligence and then government cybersecurity by secretly joining the Army when he was 19!


Amélie is a Senior Technology Advocate at Splunk, focused on helping organizations transform, grow and secure themselves in the ever evolving world of technologies and their accompanying challenges. She arrives at Splunk after nearly 25 years as a technologist, from systems administration and engineering to executive technology leadership in various industries, academia, NGOs, and the government. In the last decade, she’s supported various Federal agencies, leading various projects and initiatives, including modernization activities, cybersecurity policy, and security architecture and operations. Often seen “soapboxing” about technology workforce development, training and recruiting policies, practices and techniques, she’s mostly observed providing measured guidance to InfoSec Twitter at @webjedi and her executive take on DevSecOps at

Twitter: @webjedi

A former red-team leader turned security architect, Dan has spent the last 19 years working with various commercial and government agencies to ensure their infrastructures don’t just meet, but exceed compliance standards. Dan has over 13 years of active US Army service and 7 years reserve time, with multiple degrees and certifications. Over the last few years Dan has helped transitioning soldiers develop meaningful resumes, reflecting military skills to the civilian market.

Twitter: @motoringguy

9:00 - 1:00
AWS Hands-On Intro Workshop (Training Room 1)

Learn AWS security and ops in this hands-on workshop. Build a highly-available, secure VPC infrastructure in AWS and expand your load-balanced network to take advantage of serverless services, to elastically scale as we deliberately overload and kill parts of our environment. No prior AWS experience is required.

​Aelon Porat

Play to learn! Come see how CTFs can be used to teach and reinforce application security concepts to developers and others.


Joe Kuemerle

Do you analyze malware in a sandbox but get lost when there are limited results and you need to read the assembly to know why? This lab based class will introduce everything needed to start analyzing malware down at the code level. Don’t give up when dynamic tools fail! Learn the fundamentals of assembly to practice and move from a triage analyst all the way up to a true malware reverse engineer.

Student Requirements:
– Students should have an entry level understanding of programming in any language. A general idea of malware analysis goals will be helpful, but is not necessary.
– Students must bring a 64 bit laptop with:
* VirtualBox or VMWare Workstation installed (VMWare Workstation Player is acceptable)
* 25GB of free disk space to install a provided analysis VM
* 8GB of RAM
* 1 USB slot
* Internet Connectivity

As this is a full day of training lunch will be provided for this course to all students.

Adam Gilbert
9:00 - 4:00
PowerShell Crash Course (Training Room 2)

This course will give you the basics of PowerShell. You will learn the PowerShell syntax. Learn things like how to repeat tasks, iterate through a list of objects and the various things you can do with PowerShell object. You will also learn how to discover new cmdlets, modules, and functions. You will gain experience by practicing what the instructor is teaching, and demos of production scripts and tools. The target audience for this course are individuals who are new to scripting and individuals who are new to PowerShell. Play in the PowerShell CTF to help enforce the learning.


As this is a full day of training lunch will be provided for this course to all students.

James Honeycutt