Packet Hacking Village Workshops at DEF CON 27 Finalized

Link to register for our hands-on workshops and registration dates will be announced soon.

Workshops Schedule

Friday, August 9th

9:00-12:00 Reverse Engineering Malware 101
Amanda Rousseau
12:15-14:15 Wireshark for Incident Response & Threat Hunting
Michael Wylie
14:30-16:30 Hacking Kubernetes - Choose Your Own Adventure Style
Jay Beale
16:45-18:45 Intel-driven Hunts for Nation-state Activity Using Elastic SIEM
Sean Donnelly, Peter Hay

Saturday, August 10th

9:00-11:00 Burp Suite Workshop
Sunny Wear, Nestor Torres
11:20-13:20 Tools? We Don’t Need No Stinkin’ Tools: Hands-on Hacking with Python
Jason Nickola, Wayne Marsh
13:40-15:40 Writing Wireshark Plugins for Security Analysis
Nishant Sharma, Jeswin Mathai
16:00-18:00 Advanced APT Hunting with Splunk
John Stoner, Ryan Kovar

Sunday, August 11th

11:00-14:00 Threat Hunting with Suricata
Josh Stroschein, Jason Williams, Jack Mott, Travis Green

Workshops Abstracts and Bios

Reverse Engineering Malware 101

Amanda Rousseau, Facebook

This workshop provides the fundamentals of reverse engineering (RE) Windows malware through hands-on experience with RE tools and techniques. Attendees will be introduced to RE terms and processes, followed by basic x86 assembly and a review of RE tools and malware techniques. It will conclude with attendees performing a hands-on malware analysis consisting of triage, static, and dynamic analysis.

Prerequisites: Basic understanding of programming C/C++, Python, or Java

Amanda Rousseau (Twitter: @malwareunicorn) absolutely loves malware. She was a Senior Malware Researcher at Endgame who focused on dynamic behavior detection on both Windows and OSX platforms. She worked as a malware researcher at FireEye before joining Endgame. She previously worked as a reverse engineer and computer forensic examiner on DoD forensic investigations and commercial incident response engagements. She received her MS in Information Systems Engineering from Johns Hopkins University. Research interests include malware evasion techniques, dynamic behavior classification, and developing runtime detections.

Wireshark for Incident Response & Threat Hunting

Michael Wylie, Director of Cybersecurity Services, Richey May Technology Solutions

This workshop will take students’ Wireshark skills to the next level with a heavy emphasis on incident response, threat hunting, and malicious network traffic analysis. We will begin with a brief introduction to Wireshark and other Network Security Monitoring (NSM) tools and concepts. Sensor placement, capture techniques, and collection of network traffic will be discussed in detail. Throughout the workshop, we’ll examine what different attacks and malware look like in Wireshark. Students will then have hands-on time in the lab to search for Indicators of Compromise (IOCs) and a potential breach of the network. There will be plenty of take-home labs for additional practice.

Michael Wylie (Twitter: @TheMikeWylie) is the Director of Cybersecurity Services at Richey May Technology Solutions. In his role, Michael is responsible for delivering information assurance by means of vulnerability assessments, cloud security, penetration tests, risk management, and training. Michael has developed and taught numerous courses for the U.S. Department of Defense, Moorpark College, California State Universities, and for clients around the world. Michael is the winner of the SANS Continuous Monitoring and Security Operations challenge coin and holds the following credentials: CISSP, CCNA R&S, CCNA CyberOps, GPEN, TPN, CEH, CEI, VCP-DCV, CHPA, PenTest+, Security+, Project+, and more.

Hacking Kubernetes - Choose Your Own Adventure Style

Jay Beale, CTO of InGuardians

Kubernetes continues to gain steam, as developers build microservice-based applications and everyone moves to the software-defined data center. A small minority of our Infosec industry has experience attacking container orchestration systems like Kubernetes. We aim to address that shortage, culminating in an audience-directed Choose Your Own Adventure, "Hackers" movie-themed demo. In this demo-heavy talk, we will show you how to attack Kubernetes clusters and discuss what hardening techniques and freely available tools can break those attacks. We'll review the components of a Kubernetes cluster, then show how a threat actor can chain configuration vulnerabilities to pivot and escalate privilege, pilfer data and take over clusters and the cloud environments on which they run. To be clear, you'll see multiple attacks against real clusters from start to finish. You will also gain exposure to a new open source attack tool for Kubernetes called Peirates, available on Github. You will leave this talk with exposure to attacks against clusters that organizations have built themselves, as well as clusters provided by the major cloud providers, like AWS, Azure and GCP. You will be able to repeat specific attacks and know what defenses can break those attacks.

Jay Beale (Twitter: @jaybeale) works on Kubernetes and cloud native security, as a professional threat actor, a Kubernetes Contributor and as a member of the Kubernetes Security Audit working group. He's the architect and a developer on the Peirates attack tool for Kubernetes. In the past, Jay created two tools used by hundreds of thousands of individuals, companies and governments, Bastille Linux and the Center for Internet Security's first Linux/UNIX scoring tool. He has led training classes on Linux security and Kubernetes at the Black Hat, CanSecWest, RSA, and IDG conferences, as well as in private corporate training, since 2000. As an author, series editor and speaker, Jay has contributed to nine books and two columns and given over one hundred public talks. He is CTO of the information security consulting company InGuardians.

Intel-driven Hunts for Nation-state Activity Using Elastic SIEM

Sean Donnelly, CEO, Resolvn, Inc.
Peter Hay, Director of Strategy and Innovation, Resolvn, Inc.

Hunting for advanced threats can be a daunting task for network defenders. In this workshop we’ll demystify threat hunting by guiding attendees through the development and execution of network traffic and host analysis workflows. Using a six-stage model, attendees will leverage threat intelligence to plan and conduct 20 small hunts, configuring and tuning their defensive tool-suite along the way. The use of IOC-based, tool-based, and TTP-based detection methods will ultimately lead to the discovery of nation-state activity on a complex, near-to-spec enterprise network.

Sean Donnelly (Twitter: @resolvn) is the CEO of Resolvn. Sean is a passionate cybersecurity researcher with extensive experience in the industry. As an active-duty U.S. Navy Cryptologic Warfare Officer, Sean worked for the National Security Agency (NSA) before becoming the Technical Director of the Navy Blue Team (NBT). Sean has developed internal tools for threat detection, such as the NBT’s Blue P.E.A.R and Expanse’s ETHIR, trained countless service members on detection techniques, and led critical security operations around the world. He holds CISSP, GPEN, and OSCP certifications along with a B.S. and M.S. from the United States Naval Academy and Boston University, respectively.

Peter Hay (Twitter: @ResolvnPete) is Resolvn’s Director of Strategy and Innovation. Pete has an extensive and diverse background in technology-driven fields including Computer Network Operations (CNO), Network Forensics, and Nuclear Chemistry. From his Navy service leading a quick-response team of NSA cryptologists and developers who designed solutions to some of the agency’s most vital problems, to delivering multi-domain cyber security training to thousands of students world-wide, to applying for cyber security patents in the U.S. and Europe, Pete continues to stretch the edges of technology, its use, and application.

Burp Suite Workshop

Sunny Wear, Nestor Torres

Gain hands-on experience with Burp Suite in this four-hour workshop with the author of the Burp Suite Cookbook, Sunny Wear. You will learn how to use Burp Suite to hone your web application penetration testing skills. Each student receives a virtualized environment complete with a copy of Burp Suite and a vulnerable web application to hack. Lessons covered in the workshop include Burp configuration settings, injection attacks such as Cross-site Scripting and SQL Injection, automated attacks using Intruder, recommended BApp extensions and their uses, and finally, how to build and use Burp Macros.

Sunny Wear (Twitter: @SunnyWear) is an Application Security Architect and Web Application Penetration Tester. Her breadth of experience includes network, data, application and security architecture as well as programming across multiple languages and platforms. She is the author of several security-related books, including her most recent, Burp Suite Cookbook, which assists pentesters and programmers in more easily finding vulnerabilities within applications while using Burp Suite. She conducts security talks and classes locally and at conferences like BSides Tampa, BSides Orlando, AtlSecCon, Hackfest CA, and BSides Springfield.

Nestor Torres (Twitter: @N3S____) is a security analyst working closely with developers to pentest and fix their web applications. He is passionate about helping and teaching others who are hungry to learn cybersecurity. Some of his hobbies involve building labs for vulnerability testing and setting up small to medium enterprise networks.

Tools? We Don’t Need No Stinkin’ Tools: Hands-on Hacking with Python

Jason Nickola, Director of Technical Services, Pulsar Security
Wayne Marsh, Senior Software Engineer, Pulsar Security

The hacking world is full of fantastic tools, but the ability to write your own in order to customize and achieve new functionality is the real black magic. This workshop quickly builds from programming and Python fundamentals to manual construction of real-world attack tactics and techniques. Prior hacking and programming skills are not required (although they help), but basic technical knowledge and an ahead-of-time review of introductory topics are highly recommended. Come in with nothing and leave with experience writing your own host and port scanner, reverse shell, packet parser, and more in a controlled (legal) environment.

Jason Nickola (Twitter: @chm0dx) is the Director of Technical Services at Pulsar Security, where he also serves as Principal Security Consultant. He can frequently be found working with clients to develop creative solutions to red- (and increasingly blue-) team challenges. Passionate about both technology and the lifelong learning process, Jason enjoys enabling others via teaching and aiding in career development. Jason is a SANS instructor for SEC560: Network Penetration Testing and Ethical Hacking and holds the GIAC Security Expert, GXPN, GREM, and OSCP certifications among others.

Wayne Marsh (Twitter: @infogroke) is a Security Consultant and the Senior Software Engineer at Pulsar Security, where he spends his time programming, architecting enterprise products, and breaking into the occasional network. His varied career has involved television and satellite broadcast systems, games development, and marketing before finally focusing on the infosec industry in recent years, where he realized that the common thread in all of these areas of development is security. He loves both obsolete and new, as well as increasingly unfashionable, genres of music. Wayne’s security credentials include OSCP, GPYC, GXPN, and GCIA.

Writing Wireshark Plugins for Security Analysis

Nishant Sharma, R&D Manager, Pentester Academy
Jeswin Mathai, Security Researcher, Pentester Academy

Network traffic always proves to be a gold mine when mined with proper tools. There are various open source and paid tools to analyze traffic, but most of them either have predefined functionality, scalability issues, or one of a dozen other problems. And in some cases, when we are dealing with non-standard protocols, the analysis becomes more difficult. But what if we can extend our favourite traffic analysis tool, Wireshark, to accommodate our requirements? As most people know, Wireshark supports custom plugins written in C and Lua which can be used to analyze or dissect packets. In this workshop, we will learn the basics of Wireshark plugins and move on to create different types of plugins to dissect non-standard protocols, provide macro statistics, detect attacks, etc. We will use examples of older and newer protocols (including non-standard ones) to understand the plugin workflow and development.

Nishant Sharma (Twitter: @wifisecguy) is an R&D Manager at Pentester Academy and Attack Defense. He is also the Architect at Hacker Arsenal, where he leads the development of multiple gadgets for WiFi pentesting such as WiMonitor, WiNX and WiMini. He also handles technical content creation and moderation for Pentester Academy TV. He has 7+ years of experience in the information security field, including 5+ years in WiFi security research and development. He has presented/published his work at Blackhat USA/Asia, DEF CON China, Wireless Village, IoT Village and Demo Labs (DEF CON USA). Prior to joining Pentester Academy, he worked as a firmware developer at Mojo Networks, where he contributed to developing new features for enterprise-grade WiFi APs and maintaining the state-of-the-art WiFi Intrusion Prevention System (WIPS). He has a Master's degree in Information Security from IIIT Delhi. He has also published peer-reviewed academic research on HMAC security. His areas of interest include WiFi and IoT security, AD security, Forensics and Cryptography.

Jeswin Mathai (Twitter: @jeswinmathai) is a Researcher at Pentester Academy and Attack Defense. He has presented/published his work at DEF CON China, Blackhat Arsenal and Demo Labs (DEF CON). He has a Bachelor's degree from IIIT Bhubaneswar. He was the team lead at InfoSec Society IIIT Bhubaneswar in association with CDAC and ISEA, which performed security auditing of government portals and conducted awareness workshops for government institutions. He was also part of team Pied Piper, which won Smart India Hackathon 2017, a national-level competition organized by GoI. His areas of interest include Malware Analysis and Reverse Engineering, Cryptography, WiFi security and Web Application Security.

Advanced APT Hunting with Splunk

John Stoner, Principal Security Strategist, Splunk
Ryan Kovar, Principal Security Strategist, Splunk

You wanna learn how to hunt the APTs? This is the workshop for you. Using a real-worldish dataset, this workshop will teach you how to hunt the “fictional” APT group Taedonggang. We discuss the Diamond model, hypothesis building, the LM Kill Chain, and the Mitre ATT&CK framework and how these concepts can frame your hunting. Using the freely available version of Splunk and OSINT, we will hunt for APT activity riddling a small startup's network. During the event, you will be presented with a hypothesis and conduct your own hunts, whether it is for persistence, exfiltration, C2 or other adversary tactics. Heck, there might be some PowerShell to be found, too. We will regroup and review the specific hunt, discuss findings, and discuss what opportunities we have to operationalize these findings as well. At the end, we give you a dataset and tools to take home and try newly learned techniques yourself.

John Stoner (Twitter: @stonerpsu) is a Principal Security Strategist at Splunk where he enjoys writing, problem solving and building stuff. When not doing cyber things, you can find him reading or binge watching TV series that everyone else has already seen.

Ryan Kovar fought in the cyberwars and has been doing cybery things for almost 20 years. Now he is a Principal Security Strategist at Splunk building cool stuff, talking about security thingies, and helping other people fight their battles. He hates printers.

Threat Hunting with Suricata

Josh Stroschein, Director of Training, Open Information Security Foundation (OISF) / Suricata
Jason Williams, Jack Mott, Travis Green

Finding threats in your network traffic starts with understanding your traffic. More than just an IDS/IPS, Suricata can provide the visibility to solve incidents quickly and more accurately by enabling context before, during, and after an alert. In this workshop, you will learn how to leverage Suricata to generate alerts, produce protocol-specific logs and identify malicious or anomalous activity in your network traffic. You will get hands-on with managing alerts through EveBox and hunting through traffic with Moloch. You will also learn how to create custom Kibana visualizations and dashboards to help focus your analysis efforts. In-depth log analysis and hands-on real-world exercises will be used to reinforce the detection techniques and tactics explained throughout the workshop. This is an ideal workshop for security analysts, blue teamers and malware researchers to get hands-on diving deep into malicious traffic and see what Suricata can do.

Prerequisites: To help prepare for this workshop, we recommend that you are familiar with the basics of network security monitoring, IDS/IPS systems and Linux environments. Familiarization with IDS rules is recommended, but not required.

Josh Stroschein (Twitter: @suricata_ids) is a subject matter expert in malware analysis, reverse engineering and software exploitation. He is an Assistant Professor of Cyber Security at Dakota State University where he teaches malware analysis, reverse engineering, software exploitation and other related security topics. Josh is also an accomplished trainer, providing training in the aforementioned subject areas at Black Hat, DerbyCon, Toorcon, Hack-In-The-Box and other public and private venues. Josh is also the Director of Training for OISF/Suricata, an author on Pluralsight and a threat researcher for Bromium.

Jason Williams (Twitter: @switchingtoguns) is a security researcher with global enterprise experience in detecting, hunting and remediating threats with open source technologies. Primarily focusing on network communications, Jason has written thousands of commercial and community Suricata rules for Emerging Threats to help defenders protect their networks. Jason participates as a Signature Development and User Training instructor for the OISF.

Jack Mott (Twitter: @malwareforme) is a security researcher who focuses on open source solutions to detect, track and hunt malware and malicious activity. He has been a signature writer for the Emerging Threats team for several years, producing community/premium Suricata signatures to help protect networks worldwide. Jack is a strong believer in the open source mission as well as helping people and organizations solve security issues with open source solutions. He resides in the USA.

Travis Green (Twitter: @travisbgreen) is a passionate Cyber Security researcher and consultant with a 20-year career that includes extensive international work leading security initiatives and advising government and military clients, consulting to enterprise businesses, and mentoring teams in best practices. He is an effective communicator and self-starter able to analyze data to create security policy, develop and execute strategy, and develop tools to automate processes. He is an OISF core team member with conference presentation experience and multiple certifications.