A Crash Course In Assembly For Malware Reverse Engineers

Do you analyze malware in a sandbox but get lost when there are limited results and you need to read the assembly to know why? This lab based class will introduce everything needed to start analyzing malware down at the code level. Don’t give up when dynamic tools fail! Learn the fundamentals of assembly to practice and move from a triage analyst all the way up to a true malware reverse engineer.

Student Requirements:
– Students should have an entry level understanding of programming in any language. A general idea of malware analysis goals will be helpful, but is not necessary.
– Students must bring a 64 bit laptop with:
* VirtualBox or VMWare Workstation installed (VMWare Workstation Player is acceptable)
* 25GB of free disk space to install a provided analysis VM
* 8GB of RAM
* 1 USB slot
* Internet Connectivity

Adam Gilbert

Adam Gilbert is an avid security researcher and founder of AGDC Services, a boutique computer security firm which provides malware analysis training and consulting services. He has 10+ years of infosec experience and a M.S. in Electrical and Computer Engineering, but his knowledge isn’t academic. It comes from digging down deep into malware to reverse engineer every aspect. Translating complex malware techniques into understandable concepts for fellow security practitioners is a truly rewarding experience that Adam is passionate about.

AWS Hands-On Intro Workshop

Learn AWS security and ops in this hands-on workshop. Build a highly-available, secure VPC infrastructure in AWS and expand your load-balanced network to take advantage of serverless services, to elastically scale as we deliberately overload and kill parts of our environment. No prior AWS experience is required.

Aelon Porat

Aelon Porat is an information security manager at Cision. He has extensive experience attacking and defending corporate environments. Aelon likes to jump inside networks and out of planes, and in his spare time, he enjoys demoing, speaking, and providing training at different events and conferences. Follow him @whereIsBiggles .

PowerShell Crash Course

Ever wanted to learn PowerShell and didn’t know where to start? Here is a great starting place. We will start off slow and ramp up quickly. I will cover everything you need to know to leave out of class and go build your own script. I will walk you through my process of creating my scripts. We will end with a PowerShell CTF to help with the learning process.

James Honeycutt

A hardworking and dedicated cybersecurity professional who enjoys scripting and participating in capture the flags.

I have served over 20 years in the military in various technical and leadership positions. In my current assignment, I am part of a Cyber Protection Team and serve as the Microsoft Windows Expert. In my past assignments, I served as the OIC (Officer in Charge) of both the battalion IT shop and brigade logistics IT shop, I was the “technology adviser to the Commander”. I have also served as a systems administrator, helpdesk manager, and classroom support tech. Some of my additional duties included being an Information Assurance Manager Alternate and Network Admin backup.

I am also working as a SANs Mentor. I am mentoring SEC505 (Securing Windows and PowerShell Automation) and SEC511 (Continuous Monitoring and Security Operations)

During my career, I have been known as the “go-to guy” for IT questions and problems by my directors, commanders, and peers. I have received numerous awards for my work and knowledge, to include several Meritorious Service Medals and Company Grade Officer of the Year for the state of Arkansas. I currently have a Bachelors of Science in Management in Information Systems. I currently hold the following certifications:

CISSP – Certified Information Systems Security Professional
VCP5-DCV – VMWare Certified Professional – Datacenter Virtualization
GWAPT – GIAC Web Application Penetration Tester
GPYC – GIAC Python
GMON – GIAC Continuous Monitoring
GCWN – GIAC Certified Windows Security Administrator
GPEN – GIAC Penetration Tester
GCIA – GIAC Certified Intrusion Analyst
GCIH – GIAC Certified Incident Handler
GCFA – GIAC Certified Forensic Analyst
GSEC – GIAC Security Essentials
GSNA – GIAC Systems and Network Auditor
SEC + – Security Plus
C|EH – Certified Ethical Hacker

911…what is your emergency

Emergency services are crucial to any city. Yet, with advances in technology, many vulnerabilities have surfaced within the services ecosystem. Within the past five years, the industry was exposed to many attacks targeting 911 services. My talk will provide insight into the operation of a 911 call center and investigate many attack vectors targeting this aspect of critical infrastructure.

Marc Fruchtbaum ​  

Marc Fruchtbaum is a Threat Hunter at IronNet Cybersecurity. Marc is also a 1LT in the Maryland Defense Force as the Hunt Team Lead, an Adjunct Professor at Capitol Technology University, UMGC & UC Irvine and a mentor to all his 30+ “children”. He enjoys giving back to the community and training the next generation via his non-profit, Argotis Foundation, and hopes to launch his inaugural CTF later this year, cyberpioneer.org. In his spare time (if he has any) he enjoys boating on the Chesapeake and complaining about Maryland weather.

A Hitchhiker’s Guide to Detection Engineering – Tracing Attack Technique Code Flow to Build Resilient Detections

Many detections are based upon known variants and detection data sources. Meanwhile, attackers invest in identifying new variants, decreasing the efficacy of a detection over time. How can we increase resilience against evasion and maximize detection shelf life? In this talk, we will establish a new methodology to build a resilient detection for InstallUtil, a commonly abused Windows utility.

Matt Graeber

Matt Graeber is an attacker at heart who fully embraces defense as a discipline to improve the state of security. He is a proud security optimist who believes that the future is bright and has the potential to benefit everyone. He embraces being a n00b and is only here to enjoy the ride that security takes us on. Matt is the Director of Threat Research at Red Canary.

A-hunting We Will Go! Adventures in Endpoint Threat Detection

Breaking the attack kill-chain is one of the primary objectives of every Blue Team. Time spent identifying the indicators of compromise and acting on them is time that the attacker is on your network. With that in mind, follow me on a hunting expedition. We’ll follow the attacker through the kill chain and figure out how to stop him before he gets any further. In the end, you’ll be armed with knowledge that can make your next hunting expedition a success!

David Branscome

David works as a security architect at Microsoft, helping Microsoft partners learn and deploy the latest Microsoft security technologies in Office 365, Windows 10 and Azure. David holds numerous certifications, including CISSP, GISP, GCED, GCWN, Google Cloud Architect, AWS Solutions Architect and several dozen Microsoft certifications.

Adversarial Emulation

The C2 Matrix: this is information for the community and a call to action! It is an open sourced C2 evaluation framework so that teams can determine what’s the best tool for penetration testing/red teaming particular scenarios. We’ll talk through why we built the framework, the components, automatically generated defensive artifacts, and adversary emulation across multiple frameworks.

Bryson Bort

Bryson is the Founder of SCYTHE, a start-up building a next generation attack emulation platform, and GRIMM, a boutique cybersecurity consultancy, and Co-Founder of the ICS Village, a non-profit advancing awareness of industrial control system security. He is an R Street Senior Fellow and an Advisor to the Army Cyber Institute. Prior, Bryson led an elite offensive capabilities development group. As a U.S. Army Officer, he served as a Battle Captain and Brigade Engineering Officer in support of Operation Iraqi Freedom before leaving the Army as a Captain.

Bryson received his Bachelor of Science in Computer Science with honors from the United States Military Academy at West Point. He holds a Master’s Degree in Telecommunications Management from the University of Maryland, a Master’s in Business Administration from the University of Florida, and completed graduate studies in Electrical Engineering and Computer Science at the University of Texas.

All Routes Lead to Threat Hunting

My Talk will Cover How to get started in the world of threat hunting with only Red Teaming experience. What are the Similarities when it comes to threat hunting and red teaming. How does having the knowledge of red teaming/penetration testing help enhance your threat hunting skillset. Discuss how the tools and techniques used by both Red Teamers and Threat hunters are done in a similar fashion.

Charles Shirer

Charles is a RedTeamer/Penetration Tester and ThreatHunter for SpiderLabs In his spare time Charles works on the SECBSD open source project which is a penetration testing distro based on the OpenBsd Operating System, Attends several Security Conferences, and works on Several Podcast IrongeekCast, GrumpyHackers and Streaming on HackthePlanet (OSCP,OWSP).

Automatic License Plate Recognition with the Raspberry Pi

Using a Raspberry Pi, camera, and battery pack, we can perform discrete, mobile ALPR (Automatic License Plate Recognition) for about $100. The data taken from this can be analyzed stored and analyzed for patterns.

Marc Muher

Marc Muher is interested in privacy, information security, and old video games

Best Practices for Infosec Candidates

From grossly impossible job descriptions to phantom ghosting recruiters, our community full of brilliant processionals still find themselves stuck as they attempt to find their next best career opportunity.

This talk walks through each stage of the journey: searching, networking, interviewing and negotiations – with some solid guidelines to increase chances for success.

Kirsten Renner

Possibly best known in the community for my role in the Car Hacking Village and volunteering across conferences, I also have a day job of running a recruiting team at an advanced analytics and full spectrum cyber security firm. After trying my hand at programming and IT (standing up and running helpdesks) I started tech recruiting in the early 2ks and stuck with it!!

Better Know an Adversary

In this session, the presenter will cover the 10 legitimate tools most often seen in use by targeted attackers. Session will include demonstration of their use as well as detection methods/forensic evidence to determine if these tools have been used maliciously in a network.

Jim Miller

Jim Miller (@rellimmij) is a Senior Consultant at CrowdStrike. He holds a BS in Information Technology from the Rochester Institute of Technology, as well as several SANS certifications and a CISSP. He has 15 years of professional experience covering systems engineering, forensics, incident response, and penetration testing. He’s primarily a blue teamer, but loves everything related to cyber security.

Bluetooth Sniffing and Spoofing with Punzel our Cat (PoC)

How about a low level break with some humor, good links and cats? With ‘Punzel our Cat (PoC) as both payload delivery and metaphor we will discuss some things anyone can do and some sources to do much more.

Steve Pote

Steve Pote (scp), is a cybersecurity researcher and self-proclaimed Chaos Muppet. He is currently experimenting with Bluetooth and WiFi signals (among many things). He has a background in programming and development (the naughty kind). He holds a CISSP certification and a MS in Information Technology Audit and Cybersecurity from the Fox School of Business, Temple University. Steve can be found on Twitter @scp15487477 and reached by email steve.pote@protonmail.com

Rapunzel (‘PoC) had a sad story with a happy ending. She was adopted off the street when tiny.
She is a very chill kitty, the kind that sits in Doll cloths for a tea party. PoC is the acronym for Proof of Concept. ‘Punzel makes a fun literal PoC, but an even better metaphor. She can can be found on Twitter #punzelourcat. She has no email…she’s a cat.

Compliance is Regulatory: Protecting The Business And Helping Yourself

Currently, compliance is seen as a blocker. Various different stakeholders tend to do what they want instead of what they should do based on policy, strategy and guidance. The people doing the work aren’t sure why they need to do it, or don’t see how it aligns with what needs to be done. Compliance is more than just a roadblock – it complements both Governance and Risk Management (GRC). There are frameworks to implement, counsel to consult, budget planning and execution to follow. Development and practice of organizational policies are cumbersome yet necessary. Where does one begin to start?

Trevor Bryant

Trevor Bryant is the Senior Information Security Architect at Epigen Technology specializing in Configuration Management, the Risk Management Framework (RMF), and all things under FISMA. Trevor has designed and championed agency CI/CD pipelines, as well as modernized and secured automated provisioning of critical mission/business systems. He translates Federal policy into technical implementations while also contributing language to those policies. Being involved in both the DevOps and infosec communities, he emphasizes the importance that security practices are usable through cost-effective risk-based actions. He has spent entire weekends re-reading FIPS and has been Knighted by NIST. Finally on the @wctf scoreboard.

Container Security Fundamentals

Container security is reliant upon an effective implementation of security best practices. Based upon open source security tools, the security concepts utilized by containers are considered mature. Implementation of secure infrastructure utilizing a Linux operating system are described and compared to the security implementation within a container runtime.

Kimberly Mentzell

Kimberly Mentzell is currently working in the cybersecurity industry as an educator at Frederick County Community College and the Frederick County Public School Career and Technology Center. She has over twenty years of experience in the technology field as a programmer, auditor, IT manager, network administrator, and technology educator. Kimberly holds the following active certifications: A+, Network+ Security+, CCAI, CCENT, CCNA- Routing and Switching, and CCNA- Cybersecurity Operations. She is pursuing her third Master’s degree in Cybersecurity at the University of Maryland Global Campus. In addition, Mrs. Mentzell is the founder and advisor of the CTC Cyber Team, competing in a variety of CTFs and other cybersecurity competitions. She is also a member of the Technology Review Committee at Frederick County Public Schools and an active member of the leadership committee at her schools. In her limited free time, she enjoys researching Linux, networking, and cybersecurity concepts, as well as staying current on new vocabulary with the assistance of her high school and college students.

Jon Mentzell

Jon Mentzell has been working in the computer industry for over 25 years, with a focus on Linux and Security. Jon switches back and forth between federal consulting and startups and has experience in both culminating in his current position at Red Hat as a Senior Architect. In the past he has primarily been on the defense side, including monitoring of APT actors for federal customers and providing defense mechanisms against those actors. Currently Jon works primarily with Federal customers as part of Red Hat’s North America Public Sector team.

cOTifying your own detection: YARA for ICS/OT

YARA, an open-source pattern matching framework, has become ubiquitous for writing signatures used in intel, threat hunting, and host detection. Much like any programming or logic language, there are important best practices and efficient ways of writing and structuring the rule logic to be more efficient and modular. Even more so when used in an operational technology (OT) context for hunting and detecting threats to “ICS”.

This talk will give techniques and tips for writing YARA rules effectively, using them in the context of OT threat detection, and present useful tools for implementing YARA on OT-related data and environments

Wes Hurd

Wes is a member of the Intelligence team at Dragos, focused on collection, analysis, and automation for Industrial and ICS specific threat intelligence. He is passionate about automating intelligence collection and analysis, building usable, effective, scalable tools for analysts. He previously was a member of the research team at ThreatConnect. When he isn’t analysing network and malware data or contributing to open source, he enjoys outdoor activities and reading, when he can find the time and place. He has a degree in Computer Science from GMU.

Crypto Agility Risk Assessment Framework (CARAF)

Crypto agility refers to the ability to update crypto primitives quickly with minimum overhead. Most organizations do not practice crypto agility, exposing themselves to unnecessary risk. CARAF can be used to determine the appropriate mitigation strategy commensurate with their exposure. This talk will present key motivations for crypto agility, CARAF itself, and application to quantum computing.

Chujiao Ma

Chujiao Ma is a security research and development engineer at Comcast. Her research includes a wide range of topics from de-identification of data, crypto agility, open source, and quantum computing to security metrics. Chujiao holds a PhD in Computer Science & Engineering from University of Connecticut and a Bachelor degree in Electrical and Computing Engineering from Franklin W. Olin College of Engineering.

Data Breaches & Consumer Lawsuits: Where’s the Harm?

Data breaches pose an enormous risk to consumers. But just how bad is it? With a focus on accessibility, the Data Breach Archives tool automatically collects & standardizes data breach notices published by state governments to determine the scope of the problem. This session will discuss uses for the tool & contemporary legal hurdles that prevent data breach victims from recovering in court.

Ahmed Eissa

By day, Ahmed Eissa is a senior intelligence analyst with the Threat Analysis and Investigations team at LookingGlass Cyber Solutions. By night, Ahmed is a second year part-time law student at the University of Maryland School of Law where he focuses on cybersecurity and crisis management law. Ahmed’s professional and academic interests lie at the intersection of technology, security, law, and policy. He specializes in open source intelligence methods and techniques to conduct third party risk assessments, person of interest investigations, and other threat evaluations. Ahmed is also a python programmer, which he used to build the Data Breach Archives project. In addition, Ahmed was previously a fellow at the Internet Law & Policy Foundry and an analyst at a dark web data intelligence startup. He is on Twitter at @Ahmed_A_Eissa.

Domain Monitoring, Fast and Cheap

Detecting domains that could be used in typosquatting attacks using your brand’s name is valuable. There are existing solutions for domain/brand monitoring, but not every organization has room in the budget for these services. Alternatively, organizations can turn to open source tools. This session examines one open source project that was adapted into a domain typosquatting monitoring tool.

Pat Heaney

Pat is a CSOC Consultant with Security Risk Advisors. He joined SRA after graduating from The Pennsylvania State University, where he earned a degree in Security & Risk Analysis. Since joining SRA, Pat has performed continuous monitoring for cybersecurity threats in multiple client environments. Pat has also worked to script and automate repeatable processes within the SOC.

Prior to joining SRA, Pat played roles in SOCs in the insurance and healthcare industries. In addition to achieving his undergraduate degree in Security & Risk Analysis, he is also CompTIA Cybersecurity Analyst (CySA+) certified and an AWS Certified Cloud Practitioner.

Hacking History: A 2 year retrospective on FOIA & Findings

The Freedom Of Information Act was enacted in 1967, and has been used for decades to uncover information about US government activity. Two years ago, Emily began asking government agencies questions about old hacks and hackers using the FOIA process. In this talk, Emily will present the most interesting, and funny finds over the last 2 years.

Emily Crose

Emily Crose is has been an information security professional for over a decade. She has been an officer for multiple government organizations including the NSA, CIA and US Army INSCOM. She currently works to secure critical industrial infrastructure worldwide. She is also an advocate for counter white nationalism, & government transparency.

Hacking the Cloud: Simulating Advanced Cloud Misconfiguration Exploits

Preventing cloud-native exploits requires us to rethink cloud architecture and how we use services such as IAM. We will simulate advanced cloud attacks live to demonstrate how common cloud misconfigurations are exploited to understand how we can prevent them up front with secure architecture.

Josh Stella

Josh Stella is co-founder and CTO of Fugue, the company delivering autonomous cloud infrastructure security and compliance. Previously, Josh was a Principal Solutions Architect at Amazon Web Services (AWS), where he supported customers in the area of national security. Prior to Fugue, Josh served as CTO for a technology startup and in numerous other IT leadership and technical roles over the past 25 years.

Hiding In The Clouds: How Attackers Can Use Applications Consent for Sustained Persistence and How To Find It

Applications are modernizing. With that, the way permissions for these applications are granted are also changing. These new changes can allow an attacker to have sustained persistence in plain sight if we don’t understand how these work and where to look. What’s the difference if an application has permissions or an application has delegated permissions? Why did that admin account consent to that application, should I be worried? Is that application overprivileged? I have thousands of apps, how do I account for this? In this session we will look to demystify and bring clarity to these questions. You’ll understand these new application models and how they can be abused for sustained persistence, how these permissions work and what overprivileged looks like and finally, how to find them in your environment.

Mark Morowczynski and Oana Enache

Mark Morowczynski (@markmorow) is a Principal Program Manager on the customer success team in the Microsoft Identity division. He spends most of his time working with customers on their deployments of Azure Active Directory. Previously he was Premier Field Engineer supporting Active Directory, Active Directory Federation Services and Windows Client performance. He was also one of the founders of the AskPFEPlat blog. He’s spoken at various industry events such as Black Hat 2019, Bsides, Microsoft Ignite, Microsoft Inspire, Microsoft Ready, Microsoft MVP Summits, The Cloud Identity Summit, SANs Security Summits and TechMentor. He can be frequently found on Twitter as @markmorow arguing about baseball and making sometimes funny gifs.

Oana has spent the past 5 years working on Identity Security and Azure Active Directory. Currently she works as Program Manager in the Azure Active Directory Get-To-Production(GTP) team. In her role, she engages with large and complex customers to help maximize the value of their investments in Azure Identity solutions. She does this by partnering closely with customers’ IT department and/or system integration partners, for the design and deployment of their cloud and hybrid identity solutions.

How Not to Make a SOC Puppet

The Security Operations Center, everyone has one, but is it really more than a checkbox or a place to go where dreams die? This talk will discuss some of the core issues that SOC’s face today as well as suggestions and ideas to get this pivotal role and department back on mission by trusting and empowering analysts to find badness.

Shawn Thomas

Understudy is an ex Incident Response consultant turned SOC manager, a Paranoid by trade and title, and has spent his career trying to find badness and protect users. Shawn has worked in or managed many SOC’s across both the government, private sector, and the MSSP space and is also a host of the Detections podcast where he regularly discusses new approaches and methodologies for both team structure and finding evil.

How your Chat application is leaking your …. sensitive pictures.

We all put a lot of trust in the applications we use chat with other people. Have you ever wondered what your chat application is doing in the background? How is it storing the message or pictures you send? You are required to login to send and receive messages….or are you? Come see how some of the most popular chat clients send data and if anyone else could see this data.

Tobias Mccurry

Tobias Mccurry is Senior Security Consultant at Synopsys. He has over 15 years of experience in different areas of IT. Tobias has a specialization in identifying vulnerabilities that have been previously missed by other teams. He has worked with client teams to evaluate critical vulnerabilities and how to mitigate them. The expertise of Tobias has helped numerous teams lower risk while ensuring that the widest coverage of testing was accomplished.

Tobias has publications in SANS Reading Room, Hacker Academy, and Infosec Institute. Finally, he holds a Bachelor in Computer Science and is pursuing Master of Science in Information Security Engineering with SANS, while maintaining multiple certifications. He streams on twitch.tv and an ambassador at NOVAHackers meetings monthly.

Hunting for Magecart

This talk is based on a joint research I have completed along with Max Kersten regarding a Magecart infection that occurred on an Olympic Ticket Reseller site. This talk is about our adventure in contacting the site and getting to take it down. From there we go even further, finding 9 more compromised websites and eventually taking the entire domain down.

Jacob Pimental

Self-taught reverse engineer. Studied at RIT before being hired by T. Rowe Price as a Sr. CyberSecurity Analyst at the BSidesCharm Hiring Village in his sophomore year. Currently working on completing his Bachelor’s Degree at UMUC. In his free time he runs the blog GoggleHeadedHacker, where he publishes malware analysis reports and Reverse Engineering tutorials.

Insights from the Criminal Underground: Contactless Payment Fraud

Over the past several years, merchants worldwide have been increasingly accepting contactless payments. With this change, malicious actors have begun to adapt and exploit both contactless payment cards and mobile payment platforms. Through monitoring underground websites, iDefense observed indicators of threat actors performing this type of fraud.

Adam Bumgarner

Adam Bumgarner currently works as an intelligence analyst with iDefense at Accenture Security and brings more than 10 years of experience in researching and analyzing financially-motivated cyber crime. Adam focuses primarily on English and Russian-language cyber crime research and analysis, including researching threat actors and groups, emerging trends and tactics, techniques and procedures (TTPs). During his time with iDefense, Adam has also conducted a great deal of research focused on hacktivism. Additionally, Adam possesses an in-depth knowledge of the evolution of criminal forums and marketplaces.

Introduction to Firmware Analysis

IoT devices are everywhere. From washing machines, to refrigerators, to web cameras and routers; many of these devices host light-weight operating systems with their own capabilities and vulnerabilities associated with them. This talk will discuss various methods of performing firmware analysis, with an emphasis on low cost techniques so that anyone can start performing their own analysis.

Rick

Rick is a Staff Cyber Security Analyst for Northrop Grumman and retired USAF/ANG veteran with over 20 years of experience in various professional roles and fields.

He has had the privilege of experiencing a broad range of roles, including performing network and endpoint analysis, adversary emulation, and conducting cyber operations as an interactive operator while part of a Red Team. Rick has been able to leverage multiple discplines during his time in InfoSec, including network analysis, intrusion detection, penetration testing, malware analysis, reverse engineering, and digital forensics.

Rick is passionate about educating and mentoring future InfoSec professionals. He has volunteered as a Red Team member for the CyberPatriot National Finals for the past 4 years, and also volunteers for the Mid-Atlantic Collegiate Cyber Defense Competition (MACCDC) Red Team. Rick was also an adjunct professor for a local community college, where he helped coach a cyber competition team and taught computer science courses. He is still active in cyber competitions, and takes the opportunity mentor and help other students grow in the field. He has also taught short workshops at Unallocated Space, and presented at BSides Boise.

Network Segmentation without a Network Engineer

Create a network segmentation strategy by solely utilizing the Windows Host-Based Firewall. Using Group Policy as an orchestrator for centralized management, firewall rules can be deployed to endpoint firewalls to limit the ports and protocols that are allowed to communicate between security zones. These security zones will be based upon Active Directory User and Computer Security Groups memberships.

Mike Burns

Mike Burns is a Senior Consultant who’s primary focus is applying remediation strategies during Incident Response events. When not responding to IRs, he is assisting organizations with applying defensive strategies to network architecture, Microsoft technologies (Active Directory, Office365), and cloud services (Amazon Web Services, Microsoft Azure) to proactively detect and prevent threats.

Pattern Interrupts in Social Engineering

Pattern interrupt techniques have been a mainstay of hypnosis for over fifty years and a staple of con-artistry for centuries longer. These techniques can be easily learned and implemented to induce a state of confusion that leaves the target temporarily suggestible. Social engineers can exploit this to bypass the critical thinking of a human barrier.

Brandon Becker

Brandon performed professionally as a mentalist and hypnotist from 2006 to 2015. He has a B.S. in Psychology and an M.A. in Forensic Psychology. Since 2011, he has worked as a forensic therapist providing individual and group counseling to sex offenders, violent offenders, sexually aggressive youth, non-offending parents, and victims of violence. He also completes forensic evaluations for the court for these types of clients. His training and practical experience in reading people and influencing their thoughts, along with his education from criminal clients about the methods of deception, theft, and instilling false confidence, combine to create a uniquely informed perspective on social engineering. His first book, “Real Mentalism,” was sold through Trick Shop from 2015 to 2017 and he is currently finishing his next book, “Mental Exploits,” containing new methods of augmented cold reading and altering someone’s experience of reality.

He has trained law enforcement, counselors, social workers, and attorneys in criminogenic factors and interventions at forensic conferences in 2016, 2017, and 2018. He has also trained nurses and other health professionals in identifying behavioral indicators of child abuse. He is now preparing a class on the psychology of social engineering for penetration testers.

Ransomware: Nation-States and Hostile Acts Exclusion

Traditional notions of nation-state responsibility in pre-Internet world are being challenged through on-line activities such as Russia’s alleged use of NotPetya. This creates second order effects such as denial of claims by insurers using “hostile acts exclusion”. NotPetya is a prime example and could be the beginning of more uninsurable damages.

Matt Bodman

Mr. Bodman is a Senior Counsel and Privacy Officer at Maryland cybersecurity company. He previously served over 22 years in government service including the U.S. Navy and the last 12 years in the Intelligence Community where he worked, managed, and advised clients on computer network operations focused mission.

Mr. Bodman received a B.A. in Economics from University of Maryland, College Park, a J.D. from the University of Baltimore School of Law, and an LL.M in National Security Law from Georgetown Law School. He also maintains status as a Certified Information Systems Security Professional (CISSP) and as a Certified Information Privacy Professional (CIPP/US).

Red vs Blue: Using Combat Sport Psychology and Strategy to Secure Networks

Combat sports and cyber defense have a lot in common! Drawing from personal experience, Charity will discuss lessons for network defense, incident response, and offensive strategy learned from the ring of collegiate Taekwondo sparring and the ‘pit’ of the Mid-Atlantic Collegiate Cyber Defense Competition.

Charity Barker

Charity Barker is a nerd from a cornfield in Iowa who fell in love with cyber defense competitions and martial arts. She has competed in three MACCDC Regional Finals competitions, serving as the team captain for two years. Charity competed in collegiate level Taekwondo sparring for two years and earned her karate black belt in 2018. While she loves cyber defense and incident response, her passion lies in designing strategies and leading teams of technical and talented people. Charity will be graduating from Liberty University with a B.S. in Computer Science in May 2020.

The Triune Threat: Tracking the MasterMana botnet and Gorgon Group Activities

While the Gorgon Group has managed to keep a low profile, they have been quietly building up a massive Botnet and performing targeted attacks across the global. Come learn about how they have been able to successfully perform operations and avoid detection using a “moderately sophisticated” amalgamation of open-source and commercially available tools.

Danny Adamitis

Danny Adamitis is currently the Director of Intelligence Analysis at Prevailion. Prior to joining Prevailion he was a research engineer at Cisco Talos. His research has been featured in a number of publications such as Forbes, Wired, and CyberWire.

To Prevent & Eradicate: NSA’s Cybersecurity Directorate Six Months Later

On October 1st, 2019, the NSA formally established the Cybersecurity Directorate to “prevent & eradicate” threats – right in our own back yard. What does it look like when an intelligence agency decides to do cybersecurity? Let’s go beyond the talking points to understand the organization, why it was created, what it does, and how it does it.

Greg Bednarski

Greg Bednarski is the head of Cyber Policy & Strategy for the National Security Agency’s Cybersecurity Directorate, where he leads the development, coordination, and execution of cyber-related policy with the National Security Council and other US Government departments and agencies on behalf of the NSA.

Over the course of the last fourteen years, Greg has been responsible for the management and execution of computer network exploitation activities, capability development, and network analysis for foreign intelligence and cybersecurity purposes, and has provided direct support to offensive cyberspace operations. He has served in several technical, operational, leadership, and advisory positions throughout his career.

Prior to public service, Greg worked for the former Motorola Semiconductors, planning high-tech integrated circuit manufacturing operations, and PricewaterhouseCoopers LLP, executing network penetration testing and information security assessment activities for a variety of organizations.

Voight-Kampff for email addresses: Quantifying email address reputation to identify spear-phishing and fraud

“”Is this email address real?”” Internet history and age can’t be faked. Legitimate email addresses have social media profiles, Github profiles and commits, LinkedIn accounts, and they’ve been in credential dumps and data breaches. Real people can be differentiated from attacker personas using these internet breadcrumbs.

EmailRep is a system of crawlers, scanners and enrichment services that collects data on email addresses, domains, and internet personas to predict the relative risk of an email address. It uses OSINT techniques, crawlers on forums, social media sites, and professional networking sites, as well as data points from credential breaches, malicious phishing kits, community reported phishing emails, spam lists, and more.

In this talk I’ll discuss why we built EmailRep, dive in to how Blue and Red teams are using this, and review some shortcomings of this approach that future attackers will seek to exploit. Finally, I’ll deep dive on the technical architecture and implementation, giving an overview of how you could build this yourself.

Joshua Kamdjou

Josh has been doing offensive security related things for the past 10 years. He’s spent most of his professional career breaking into networks and building software for both the public and private sectors. Josh is the Founder of Sublime Security, enjoys staying fit, and loves phishing.

Whitelisting LD_PRELOAD for Fun and No Profit

Bolting a security solution on the side of technology just doesn’t work as well as built-in protection. This talk covers adversary use of LD_PRELOAD and how one tool used its audit system for defense. We’ll discuss considerations for whitelisting design and show how checks built into the dynamic linker would be more effective than an add-on tool.

Tony Lambert

Tony Lambert is a professional geek who loves to jump into all things related to detection and digital forensics. After working for several years in Desktop and Systems Administration, he joined the Red Canary team to help find evil and augment detection capabilities for organizations. Tony holds a Master’s of Science in Digital Forensic Science from Champlain College and has taught numerous technology classes for a local community college.

Wild Blue Yonder: Dissecting the BlueKeep Window’s Exploit

Curious how hackers use the latest exploits to gain unauthorized access? This presentation will dissect a real world attack that included one of the first known exploits of the Window’s BlueKeep RDP vulnerability (CVE-2019-0708) in a customer’s environment; as well as other tactics the threat actor used to gather information and attempt to move laterally through the network.

Taree Reardon

As a Senior Threat Analyst Shift Lead with VMware Carbon Black’s Managed Detection Service, Taree Reardon has been fascinated with identifying and dissecting new and emerging threats. Taree particularly enjoys endpoint detection and incident response and she recently became a GIAC Certified Incident Handler. Taree is especially fond of mentoring newcomers to the security industry, and is a strong advocate for women in tech. Outside of security, Taree enjoys spending time with her husband and cat, gaming, and has an unhealthy love of karaoke.

You’re Not the Weakest Link: Practical Ways to Improve Security Culture

Your employees are your first line of defense. These defenders need training. Mandatory training presentations will lose people’s attention; a punishing environment won’t encourage people to report issues. So what do you do? Learn how to develop a positive security program that teaches your defenders to be successful against common workplace threats. You don’t have to be the weakest link.

Olivia Brundage

Olivia currently works as a Security Engineer for the DOD. She has developed security training programs from small startups as a one-person shop to larger organizations. As she creates and defends the security of the corporate environments, she makes it so that it’s intuitive for the end user. You can probably find her cuddling with her three cats as she waits for her CI build to finish.