DEF CON 27

The Packet Hacking Village will be located at The Tower of Doom, 26th Floor at Bally's.

Talks Schedule

Friday, August 9th

10:00  4 years and 10,000+ Hours Later: Lessons Learned from Running a National Penetration Testing Competition (Tom Kopchak and Dan Borges)
11:00  Hacking Kubernetes: Choose Your Own Adventure Style (Jay Beale)
12:00  StegoAugmented Malware (Mike Raggo and Chet Hosmer)
13:00  The Art of Detection (Jay Dimartino)
14:00  Bestsellers in the Underground Economy: Measuring Malware Popularity by Forum (Winnona DeSombre)
14:30  Hunting Certificates and Servers (Sam Erb)
15:00  Old Tech vs New Adversaries. Round 1... Fight! (Joseph Muniz and Aamir Lakhani)
16:00  Patching: It's Complicated (Cheryl Biswas)
17:00  Your Phone is Using Tor and Leaking Your PII (Milind Bhargava and Adam Podgorski)
18:00  Beyond Sandboxes. How to Execute IoT Malware and Analyze Its Evolution (María José Erquiaga, Sebastian Garcia)
19:00  The Cyberlous Mrs. Maisel: A Comedic (and slightly terrifying) Introduction to Information Warfare (Jessica "Zhanna" Malekos Smith)

Saturday, August 10th

10:00  Hacking Corporate Org Socialization: One Day You Are Out and the Next Day You Pwn the Org! (D9)
11:00  Solving Crimes with Wireless GeoFencing and Multi-Zone Correlation Analytics (Gleb Esman)
12:00  "First-Try" DNS Cache Poisoning with IPv4 and IPv6 Fragmentation (Travis Palmer and Brian Somers)
13:00  Phishing Freakonomics (Russell Butturini)
14:30  Security to Make the CFO Happy (Adam)
15:00  Generating Personalized Wordlists With NLP by Analyzing Tweets (Utku Sen)
15:30  Sandbox Creative Usage For Fun and Pro...Blems (Cesare Pizzi)
16:00  (Re)Thinking Security Given the Spectre of a Meltdown (hold my beer) (Jeff Man)
17:00  State Sponsored Hacking: How to Intercept/Decrypt TLS Traffic and How to Prevent TLS Interception Attacks (Chris Hanlon)
18:00  Leveraging Passive Network Mapping with Raspberry Pi and Python (Chet Hosmer)

Sunday, August 11th

10:00  Wi-Fi Threat Modeling and Monitoring (Besim Altinok and Can Kurnaz)
11:00  Head in the Clouds (Matt Nash)
12:00  CIRCO: [Cisco Implant Raspberry Controlled Operations] (Emilio Couto)
13:00  Augmenting the (Security) Onion: Facilitating Enhanced Detection and Response with Open Source Tools (Wes Lambert)
14:00  CLOSED

Talks Abstracts and Bios

4 years and 10,000+ Hours Later: Lessons Learned from Running a National Penetration Testing Competition

Tom Kopchak, Competition Director of National CPTC / Director of Technical Operations, Hurricane Labs
Dan Borges, World Team Captain of National CPTC

The National Collegiate Penetration Testing Competition (CPTC) provides students with realistic challenges that prepare for a career in the security assessment field. The architecture of the competition is designed to mimic a real-world organization, while requiring participants to excel in both technical and communication skills. The ultimate goal is to use a unique environment to prepare young professionals to navigate the technical and administrative challenges they are likely to face in their careers. Join National CPTC directors Dan Borges and Tom Kopchak in a deep-dive discussion on what goes into building the competition scenario created for each year's event.

Tom Kopchak (Twitter: @tomkopchak) is the Director of Technical Operations at Hurricane Labs, where he pretends to manage a team of Splunk engineers, but is still an engineer and technology geek at heart. Tom's speaking experience includes a previous talk at DC24 (Sentient Storage - Do SSDs Have a Mind of Their Own?) as well as many talks at other conferences around the country (and BSides LV in 2013). He holds a Master's degree in Computing Security from the Rochester Institute of Technology, and volunteers as the white team captain for the National Collegiate Penetration Testing Competition (CPTC). When he is not working with computers, Tom enjoys composing, music improvisation (Acts of Music), and playing both the piano and organ.

Dan Borges is an information security professional with over 15 years in computer science. Dan participates in a number of cyber security competitions each year, from being on the National CCDC Red Team to helping with the black team for the Collegiate Penetration Testing Competition (CPTC). He is an experienced red teamer who enjoys developing new tools in his free time. He has taught workshops on advanced red teaming at both DEF CON and WOPR Summit. He has been publishing a blog on infosec education for more than 10 years at lockboxx.blogspot.com.

The Art of Detection

Jay Dimartino, Head of Detections and Countermeasures at Fidelis Cybersecurity

Ever inherited a security rule you were afraid to modify? Ever imported a Yara rule only to have the alerts blow up in your face? Does your SIEM or security appliance keep you up at night with email alerts? The Art of Detection focuses on the methodology of writing and sharing accurate detections to make you a better detection author. Gain confidence in managing false positives, learn rule sharing best practices, tackle large monolithic detections, and write detections that feed other detections. Learn the importance of your intelligence test data, and whether your intelligence streams could be causing bias.

Jay Dimartino is a Threat Researcher for Fidelis Cybersecurity and Head of Detections & Countermeasures. He has been doing Malware Reverse Engineering for over nine years and also has several industry certifications including the GREM and GCFA.

Augmenting the (Security) Onion: Facilitating Enhanced Detection and Response with Open Source Tools

Wes Lambert, Senior Engineer at Security Onion Solutions

As network defenders, we face evolving threats every day. We need to truly understand our computer networks, and gain greater context around events occurring within them. To do this, we can use completely free and open source tools, augmenting a platform like Security Onion, to assist in threat hunting, responding to alerts, tracking events, automating analysis of files extracted from network data streams, and even performing remote host-based forensics. This presentation discusses how freely available tools can be integrated to empower teams to effectively monitor, track, and investigate events to help lower risk and increase security posture within their organizations.

Wes Lambert (Twitter: @therealwlambert) is a Senior Engineer at Security Onion Solutions, where he helps companies to implement enterprise security monitoring solutions and better understand their computer networks. He is a huge fan of open source software projects, and loves to solve problems and enhance organizational security using completely free and easily deployable tools.

Bestsellers in the Underground Economy: Measuring Malware Popularity by Forum

Winnona DeSombre, Threat Intelligence Researcher at Recorded Future

While you can patch against malware infecting your tech stack or targeting your competitors, what about malware that hasn't been in the news? This presentation will cover what malware and tools are popular among underground forum members based on prevalence in forum ads, how malware presence differs between forums, and why understanding that difference matters.

Winnona DeSombre (Twitter: @__winn) is an Asia Pacific threat intelligence researcher at Recorded Future, focusing on Chinese underground hacking communities and East Asian cyber espionage campaigns. She was recently featured in Threatcare's "Tribe of Hackers" book, containing career advice from some of the world's best information security professionals.

Beyond Sandboxes. How to Execute IoT Malware and Analyze Its Evolution

María José Erquiaga
Sebastian Garcia

Hacking is curiosity, discovering, and learning. This talk shares our experience executing malware and capturing its traffic for more than 4 years. We will show how we designed and deployed a Windows and IoT malware execution laboratory in our University to run malware for months, and how we analyzed it to find novel attacks. Executing malware is sometimes clouded in mystery. We will show how to build and set up a Windows execution environment and an IoT environment. The talk shows how to monitor in real time, store data, the legal implications, the network protections, and how to find good malware samples.

María José Erquiaga (Twitter: @MaryJo_E) is a malware researcher from Argentina. She is a researcher and teacher at the University of Cuyo, Mendoza, Argentina. She has been a collaborator with the Stratosphere laboratory since 2015. She is a member of the Aposemat project, a joint project between the Stratosphere laboratory and Avast. This project aims to execute malware and capture it from honeypots. Maria's work has been focused on executing and analyzing malware for IoT devices. She has spoken at CACIC, ArgenCon, SIGCOMM, BotConf and Ekoparty.

Sebastian Garcia is a malware researcher and security teacher who has extensive experience in machine learning applied to network traffic. He created the Stratosphere IPS project, a machine learning-based, free software IPS to protect civil society. He likes to analyze network patterns and attacks with machine learning. As a researcher in the AIC group of Czech Technical University in Prague, he believes that free software and machine learning tools can help better protect users from abuse of their digital rights. He has been teaching in several countries and universities and working on penetration testing for both corporations and governments. He was lucky enough to talk at Ekoparty, DeepSec, Hacktivity, Botconf, Hacklu, InBot, Security Sessions, ECAI, CitizenLab, ArgenCon, Free Software Foundation Europe, Virus Bulletin, BSides Vienna, HITB Singapore, CACIC, etc. As a co-founder of the MatesLab hackspace he is a free software advocate who has worked on honeypots, malware detection, distributed scanning (dnmap), keystroke dynamics, Bluetooth analysis, privacy protection, intruder detection, robotics, microphone detection with SDR (Salamandra) and biohacking.

CIRCO: [Cisco Implant Raspberry Controlled Operations]

Emilio Couto, eKio Security

Designed around the Raspberry Pi and aimed at Red Team Ops, we take advantage of "Sec/Net/Dev/Ops" enterprise tools to capture network credentials in stealth mode, using low-profile hardware and electronics camouflaged as a simple network outlet box that sits under or over a desk. CIRCO includes different techniques for network data exfiltration to avoid detection. The tool gathers information and uses a combination of honeypots to trick automation systems into giving up their network credentials!

Emilio Couto (Twitter: @ekio_jp) is a Security Consultant with more than 20 years of experience in the network and security field. Born and raised in Argentina, he is currently located in Japan, where multitasking between language, culture and technologies is a must. Over the last decade he has focused mainly on Finance IT. In his spare time he enjoys playing with RFID, computers and home made IoT devices. Over the last 5 years he has presented tools at conferences (Black Hat Asia, HITB, AV Tokyo and SECCON).

The Cyberlous Mrs. Maisel: A Comedic (and slightly terrifying) Introduction to Information Warfare

J. Zhanna Malekos Smith, Duke Law School

Like a dear family relative who won't stop talking at Thanksgiving dinner, a backdoor exploit also talks to anyone who'll listen. Come listen to the Cyberlous Mrs. Maisel! She'll offer a satirical reflection on how we engage with technology in the Information Age and explain the basic historical principles that animate Russia's approach to information warfare. Topics covered include maskirovka (i.e., cover, concealment and deception), reflexive control, disinformation, and imitation, among others. Although a strategic objective of information warfare is to induce complacency with falsehoods, this presentation's unique style can help jolt the public's consciousness awake through its originality and bite.

J. Zhanna Malekos Smith is the Reuben Everett Cyber Scholar at Duke University Law School. Previously, she served as a Captain in the U.S. Air Force Judge Advocate General's Corps. Prior to military service, she was a post-doctoral fellow at the Belfer Center's Cyber Security Project at the Harvard Kennedy School. She holds a J.D. from the University of California, Davis; a B.A. from Wellesley College, where she was a Fellow of the Madeleine Korbel Albright Institute for Global Affairs; and is finishing her M.A. with the Department of War Studies at King's College London. She has presented her research at DEF CON, RSA, and ShmooCon, among others.

"First-Try" DNS Cache Poisoning with IPv4 and IPv6 Fragmentation

Travis Palmer, Security Research Engineer at Cisco
Brian Somers, Site Reliability Engineer at Cisco

DNS fragmentation attacks are a more recent series of cache poisoning attacks on resolvers. Even if DNSSEC is fully implemented, an attacker can still poison various unsigned records in the response. These types of attacks are difficult, but have been considered feasible over IPv4 and impossible over IPv6. Unfortunately, changes to the Linux kernel have made the entropy limiting this attack inferable off-path, so poisoning on the first iteration is now possible. This talk will cover how this attack is carried out, and the mitigations that operators of DNS servers can put in place to limit its effectiveness.

Travis (Travco) Palmer is a Security Research Engineer at Cisco. Travis is a certified OSCP and OSCE who has been getting paid to either fix or break something for over seven years. He is a fan (and sometimes-contributor) of a number of simulator/sandbox video games, and keeper of too many unfinished hardware projects.

Brian Somers is a Site Reliability Engineer for Cisco Umbrella (formerly OpenDNS). He specializes in large scale development on Unix-like platforms, software design & architecture, low level C development, and FreeBSD development.

Generating Personalized Wordlists With NLP by Analyzing Tweets

Utku Sen, R&D Lead at Tear Security

Adversaries need to have a wordlist or combination-generation tool while conducting password guessing attacks. To narrow the combination pool, researchers developed a method named "mask attack", where the attacker needs to assume a password's structure. Even if it narrows the combination pool significantly, it can still be too large to use for online attacks or for offline attacks with low hardware resources. The Rhodiola tool was developed to narrow the combination pool by creating a personalized wordlist for target people. It finds the interest areas of a given user by analyzing his/her tweets, and builds a personalized wordlist.

Utku Sen (Twitter: @utkusen) is a security researcher who is mostly focused on application security, network security and tool development. He has presented his tools and research at Black Hat USA Arsenal, DEF CON Demo Labs and the Packet Hacking Village in recent years. He was also nominated for the Pwnie Awards in the "Best Backdoor" category in 2016. He is currently working for Tear Security.

Hacking Corporate Org Socialization: One Day You Are Out and the Next Day You Pwn the Org!

D9, Independent Researcher

There is a growing community of hackers who refer to themselves as "Chameleon Hackers" and practice an organizational socialization technique they call "code switching." Code switching is a "tradecraft" practice used by chameleon hackers to consciously change their mannerisms, outward appearance, dress, thinking, physical characteristics, and language in order to achieve socialization in either a virtual or live setting. The briefer will draw on his December 2018 doctoral dissertation to describe a framework for how these chameleon hackers go about their code switching tradecraft, and then discuss examples of how they "hacked" the hacker community and the Corporate C-suite.

D9 (Twitter: @D9_Pilot) is a member of the Senior Executive Service and is currently serving as the Deputy Director for Expeditionary Warfare for the U.S. Navy. He spent twenty-six years as a U.S. Air Force officer, serving as a B-52H navigator and then as an F-15A and A-37B pilot, and held Command, Director, and staff positions across the Air Force in training operations, policy, and advanced training technologies. He completed three operational deployments, the last in Pakistan in support of Operation Enduring Freedom (Afghanistan). He served in the Office of the Secretary of Defense for eleven years as the DoD Senior Executive responsible for the programming and execution of the nearly $900M/year the Department of Defense invests in worldwide joint training and training technologies. Cyber experience includes: Co-Lead with the DoD CIO to develop the strategy and implement the Secretary of Defense's DoD Cyber Strategy to "Build and Maintain Ready Forces to Conduct Cyberspace Operations." Built from scratch a six-month Cyber Operations training course that yielded a 78% cohort pass rate (average is 16%) on the Offensive Security Certified Professional certification. Worked with DEF CON officials to repurpose DEF CON's CTF and CTP technical architecture to support DoD's cyber operations training. He received a 2018 Doctorate in Education from The University of Pennsylvania's Graduate School of Education. His dissertation advanced organizational socialization theory by improving our understanding of the plasticity of human socialization; the study population consisted of "chameleon" hackers who practiced a socialization tradecraft technique they called "Code Switching."

Hacking Kubernetes: Choose Your Own Adventure Style

Jay Beale, CTO of InGuardians

Many companies have deployed Kubernetes, but few infosec folks have experience attacking it. We aim to address that shortage, culminating in an audience-directed Choose Your Own Adventure, movie-themed demo against an intentionally-vulnerable cluster named Bust-a-Kube. You'll see how to attack Kubernetes clusters and learn what hardening techniques and freely available tools can break those attacks. We'll review the components of a Kubernetes cluster, then show how a threat actor can chain configuration vulnerabilities to pivot and escalate privilege, pilfer data and take over clusters. You will also gain exposure to a new open source Kubernetes attack tool called Peirates.

Jay Beale (Twitter: @jaybeale) works on Kubernetes and cloud native security, as a professional threat actor, a Kubernetes Contributor and a member of the Kubernetes Security Audit working group. He's the architect and a developer on the Peirates attack tool for Kubernetes. In the past, Jay created two tools used by hundreds of thousands of individuals, companies and governments: Bastille Linux and the Center for Internet Security's first Linux/UNIX scoring tool. He has led training classes on Linux security and Kubernetes at the Black Hat, CanSecWest, RSA, and IDG conferences, as well as in private corporate training, since 2000. As an author, series editor and speaker, Jay has contributed to nine books and two columns and given over one hundred public talks. He is CTO of the information security consulting company InGuardians.

Head in the Clouds

Matt Nash, Security Consultant at NCC Group

Availability, scalability, agility, and automation - "The Cloud" brings all of these to your fingertips. Improperly configured, it can also be a security incident waiting to happen. In this talk, we'll cover open source tools to help paint a current, accurate picture of your cloud security posture, share some insight from first-hand experience, and show examples of how you can use this approach within your organization.

Matt Nash works in a variety of realms, including internal/external network infrastructure, cloud architecture, web applications, automated teller machines (ATMs), physical security, social engineering, digital forensics and incident response, and wireless. As well, these assessments span a number of industries: oil and gas energy, utility, manufacturing, software development, financial, and retail. With more infrastructure and resources moving into "the cloud", at a staggering pace, building a skillset in large-scale cloud review was an obvious choice. Matt holds a B.S. in Food and Resource Economics, and is totally qualified to speak on this topic.

Hunting Certificates and Servers

Sam Erb

From Shodan to Certificate Transparency, it is easier than ever to use TLS certificates for DNS hostname reconnaissance. However, these sources of data are either not free, infrequently updated or are not linked to a server IP address. This talk will survey existing resources & release a new, free service for finding TLS certificates in the IPv4 space!

Sam Erb (Twitter: @erbbysam) is a 2x black badge winner with Co9 in the Badge Challenge and is working to make the Internet a safer place.

Leveraging Passive Network Mapping with Raspberry Pi and Python

Chet Hosmer, Owner of Python Forensics

Mapping network assets and their behaviors is a vital step in the prevention of and response to cyber-attacks. Today, active tools like NMAP are used to discover network assets; however, these methods take only a momentary snapshot of network devices. By passively monitoring network activity, the discovery of rogue devices, aberrant behavior, and emerging threats is possible. This talk and demonstration will utilize a Raspberry Pi and a custom Python solution to map network assets and their behaviors, and will demonstrate the identification of rogue devices and unauthorized behaviors.

Chet Hosmer (Twitter: @chethosmer) is an international author, educator & researcher, and founder of Python Forensics, Inc., a non-profit research institute focused on the collaborative development of open source investigative technologies using the Python programming language. Chet is also a Visiting Professor at Utica College in the Cybersecurity Graduate Program, where his research and teaching is focused on data hiding, active cyber defense and security of industrial control systems. Additionally, Chet is an Adjunct Professor at Champlain College in the Digital Forensics Graduate Program, where his research and teaching is focused on solving hard digital investigation problems using the Python programming language.

Old Tech vs New Adversaries. Round 1... Fight!

Joseph Muniz, Security Architect at Cisco
Aamir Lakhani, Lead Researcher at Fortinet

Security vendors are struggling to keep up with the tactics used by adversaries. What happens when you use really old technology as a security strategy rather than bleeding edge tech? Can ransomware infect a Commodore 64 or Windows 3.0? What happens when malware attempts to compromise a Sega Genesis? Could an adversary successfully pivot and exfiltrate data from a network running CatOS? This talk will answer these and other questions regarding how modern threats react to really old technology. Research includes running various forms of modern malware on old technologies as well as permitting cybercriminals access to really old networks to see how they handle the situation. The speakers are authors of a handful of books, including a recent title on digital forensics.

Joseph Muniz (Twitter: @SecureBlogger) and Aamir Lakhani (Twitter: @aamirlakhani) together have spoken at various conferences including the infamous Social Media Deception RSA talk quoted by many sources found by searching "Emily Williams Social Engineering". Both speakers have written books together including a recent title "Digital Forensics for Network Engineers" released on Cisco Press late February 2018. They have been friends for years and continue to collaborate on research and other projects.

Patching: It's Complicated

Cheryl Biswas

Patching – it's complicated. Organizations at every level struggle with security updates in a fundamental process that seems more like a necessary evil than a best practice. The fact is, one size does not fit all when security patches get issued and things can go very wrong. What actually determines enterprise patching cycles? How should we prepare for the pernicious spread of unpatched BYOD that gets connected? We need to go beyond just finding the sweet spot between mitigating business risk with vulnerability exposure. Because the cure isn't supposed to be worse than the disease.

Cheryl Biswas (Twitter: @3ncr1pt3d) is a Strategic Threat Intel Analyst with a major bank in Toronto, Canada. Previously, she was a Cyber Security Consultant with KPMG and worked on security audits and assessment, privacy, breaches, and DRP. Her experience includes project management, vendor management and change management. Cheryl holds an ITIL certification and a degree in Political Science. Her areas of interest include APTs, mainframes, ransomware, ICS SCADA, and building threat intel. She actively shares her passion for security online, as a speaker and a volunteer at conferences, and by encouraging women and diversity in Infosec as a founder and member of the "The Diana Initiative".

Phishing Freakonomics

Russell Butturini

This presentation is the story of the success and failures of building a security awareness program at a Top 20 CPA firm, and finding "the hidden side" of why users fail phishing exercises (both simulated and not!). The presentation will cover how Elasticsearch was used to correlate awareness training, phishing test, and HR data together, examine real results from this work, and the improvements that were made to improve user awareness and reduce phishing related security incidents.

Russell Butturini (Twitter: @tcstoolhax0r) is head of information security for a top 20 CPA and financial services firm. He has authored tools for both red and blue teams with his C and Python coding skills. His most popular tool, NoSQLMap, was featured in The Hacker Playbook 2.

(Re)Thinking Security Given the Spectre of a Meltdown (hold my beer)

Jeff Man, InfoSec Curmudgeon

Have you ever noticed that much of the mission of cyber- and information security professionals seems to be focused on vulnerabilities? Have you ever heard of the risk equation? Perhaps you are familiar with one or more versions that help you derive the risk to your organization (sometimes referred to as residual risk). I have been wondering for a while how to suggest to our industry that there is perhaps TOO much focus on vulnerabilities and not enough attention or focus on the other elements that make up the standard risk equation. The recent disclosure of Meltdown/Spectre introduced a "perfect storm" scenario where the vulnerability wasn't easy to patch or fix, and the solution seemed to break things. This created a situation where the "security solution" wasn't simply to apply the patch - and that left many organizations scrambling to figure out how to deal with this example of a persistent vulnerability. This is a great example of what I've wanted to discuss for a while - what else should we focus on in terms of security if/when the vulnerabilities still remain. Interested? Intrigued? Come join the discussion!

Jeff Man (Twitter: @MrJeffMan) is an infosec curmudgeon.

Sandbox Creative Usage For Fun and Pro...Blems

Cesare Pizzi, Sorint.lab

Malware analysis sandboxes are pervading our IT environments and the internet as well. So, a lot of systems are available to be used, and may be abused. Let's have a look at what we can get there, and get your own tools ready to express yourself in this field.

Cesare Pizzi (Twitter: @red5heep) is a computer and technology enthusiast from the early '80s. Computers and programming were his hobbies and then also became a real job. On the professional side, he has worked for more than 20 years in the IT field, covering a lot of different roles over the years: programmer, system admin, DBA and, in the last years, network and security engineer and analyst.

Security to Make the CFO Happy

Adam, Engineer

As a security professional you're hungry to learn everything you can but training isn't quite free. Meanwhile, your boss, and the bosses in a bunch of other business units are fretting all they can about DoD 8570, just one more "unfunded mandate". How does anyone justify the cost of these nonfunctional requirements? This talk will draw some indirect lines in the org chart and cite documentation in various parts of a company to show how training can be a win for the entire organization.

Adam is an engineer. Several years ago, Adam's program got whacked with the compliance stick. If Adam wanted to fly he had to comply. In an odd turn of events, Adam found that all this security compliance made him level-up his systems engineering game. After satisfying a number of security "one-offs", Adam started to realize where non-engineers had strengths and willingness to bolster his program's overall security. As a lonely security engineer in a feature-driven world he credits the infosec community for providing so much "professional development". He is happy to show engineers how fun (less painful?) security can be. Tragically, he has yet to meet anyone who can wrestle failed vuln scanners as well as he can - but he knows that special someone is out there.

Solving Crimes with Wireless GeoFencing and Multi-Zone Correlation Analytics

Gleb Esman, Senior Project Manager, Fraud Analytics and Research at Splunk Inc.

The presentation will introduce the viewer to geofencing - the technique successfully used by law enforcement agencies to pinpoint suspects in an array of anonymous metadata coming from wireless devices. The presentation will teach the viewer how to build such a system from scratch using freely downloadable analytical tools. Different ways to visually define GeoFencing zones and investigation constraints will be explained. Samples of working scripts, search queries, data formats and working dashboard layouts will be provided.

Gleb Esman (Twitter: @gesman) helps to guide research, product planning and development efforts in the areas of fraud detection, data security analytics and investigations at Splunk Inc. Currently Gleb manages a number of security projects in the healthcare space, such as a drugs and opioids diversion platform and a healthcare privacy monitoring platform. Before Splunk, Gleb was engaged at Morgan Stanley overseeing a fraud detection platform and enterprise-wide data analytics systems within the retail banking space. During his career, Gleb worked in various positions at a number of enterprises involved in research and development of solutions against advanced malware and computer viruses, as well as solutions for secure payments and data protection in the e-commerce space. Gleb is an author of several patents in Deep Learning, Security, Behavior Biometrics and Healthcare Data Analytics.

State Sponsored Hacking: How to Intercept/Decrypt TLS Traffic and How to Prevent TLS Interception Attacks

Chris Hanlon, Agile Data Security Ltd.

Recent reports of the Global DNS Hijacking Campaign show state sponsored attackers using Man In The Middle attacks to generate fraudulent TLS certificates and intercept web traffic. In this presentation, we show the audience how they can perform similar attacks and use the certificates to intercept web traffic, emails or their coworker's VPN credentials. After demonstrating ways to trick 3 different certificate authorities into generating fraudulent TLS certificates, we explain simple ways to prevent these attacks.

Chris Hanlon (Twitter: @ChrisHanlonCA) runs an Information Security Consulting Business where he monitors and protects Endpoints, Routers, Servers, and Cloud Systems. In addition to protecting infrastructure, Chris also coaches software companies on ways to minimize vulnerabilities in their code and reduce their exposure to social engineering attacks. During his "free time", Chris finds/reports security vulnerabilities, hosts hack-a-thons, uses real world exploits to help developers understand security vulnerabilities, lectures at colleges, presents at conferences, organizes security conferences, and volunteers on the presentation review board for a BSides Conference.

StegoAugmented Malware

Mike Raggo, CSO at 802 Secure
Chet Hosmer, Owner of Python Forensics

As adversaries look for new methods of delivering malware, steganography has seen a resurgence. In this session, we'll review this black art and uncover recent steganographic malware weaponizing techniques. We'll cover file and image embedding techniques invisible to anti-malware and intrusion detection systems, methods of exploiting weak networking protocols for covert communications, mischievous IoT devices, and cloud data hiding methods. But we don't stop there: our original research has uncovered numerous other ways in which malware could be embedded, and we present them to give threat researchers the knowledge to improve their tools and fortify their networks.
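The image-embedding technique the abstract refers to is, in its simplest form, least-significant-bit (LSB) substitution: each payload bit overwrites the lowest bit of one pixel sample, so the carrier stays a valid, visually unchanged image and a signature scanner sees only image data. The following Python is an added illustration of that mechanism, not the speakers' code. It models the carrier as a constructed list of 8-bit grayscale samples so it runs without an image library; on a real file the same loops would run over the decoded pixel bytes.

```python
"""LSB steganography in an 8-bit grayscale carrier: embed, extract, measure distortion.

Added illustration of the technique class discussed in the talk; not the speakers' code.
The carrier below is constructed (make_cover) so the example runs offline.
"""
import struct
from typing import Iterator, List


def _bit_stream(data: bytes) -> Iterator[int]:
    """Yield the bits of data, most significant bit of each byte first."""
    for byte in data:
        for shift in range(7, -1, -1):
            yield (byte >> shift) & 1


def embed(cover: List[int], payload: bytes) -> List[int]:
    """Return a copy of cover whose LSBs carry a 4-byte length prefix plus payload."""
    framed = struct.pack(">I", len(payload)) + payload
    if len(framed) * 8 > len(cover):
        raise ValueError("carrier too small: need %d samples" % (len(framed) * 8))
    stego = list(cover)
    for index, bit in enumerate(_bit_stream(framed)):
        stego[index] = (stego[index] & 0xFE) | bit  # overwrite only the lowest bit
    return stego


def extract(stego: List[int]) -> bytes:
    """Read the length prefix, then that many bytes, back out of the LSBs."""
    def read(count: int, start: int) -> bytes:
        out = bytearray()
        for b in range(count):
            value = 0
            for i in range(8):
                value = (value << 1) | (stego[start + b * 8 + i] & 1)
            out.append(value)
        return bytes(out)

    if len(stego) < 32:
        raise ValueError("carrier too small to hold a length prefix")
    (length,) = struct.unpack(">I", read(4, 0))
    if 32 + length * 8 > len(stego):
        raise ValueError("length prefix exceeds carrier: not a payload written by embed()")
    return read(length, 32)


def max_sample_delta(cover: List[int], stego: List[int]) -> int:
    """Largest per-sample change; LSB embedding never exceeds 1, so the picture looks identical."""
    return max(abs(a - b) for a, b in zip(cover, stego))


def changed_fraction(cover: List[int], stego: List[int]) -> float:
    """Share of samples that actually changed; about half of the embedded bits already match."""
    changed = sum(1 for a, b in zip(cover, stego) if a != b)
    return changed / len(cover)


def make_cover(n: int = 4096) -> List[int]:
    """Constructed smooth gradient with a little texture, standing in for real pixel data."""
    return [(i // 16 + (i * 37) % 5) % 256 for i in range(n)]


if __name__ == "__main__":
    cover = make_cover()
    secret = b"stage-two payload bytes"  # stand-in for whatever the dropper needs
    stego = embed(cover, secret)
    print("recovered:", extract(stego))
    print("max per-sample change:", max_sample_delta(cover, stego))
    print("fraction of samples touched: %.3f" % changed_fraction(cover, stego))
```

The two measurement helpers make the detection problem concrete: no sample moves by more than one level and only a fraction of them move at all, so file-hash, signature and visual inspection all pass. Detecting this class of hiding requires statistical tests on the LSB plane (or on the carrier's expected noise) rather than content matching, which is the gap the talk's research aims at.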

Mike Raggo (Twitter: @DataHiding) is Chief Security Officer at 802 Secure and has over 20 years of security research experience. His current focus is wireless IoT threats impacting the enterprise. Michael is the author of "Mobile Data Loss: Threats & Countermeasures" and "Data Hiding" for Syngress Books, and contributing author for "Information Security the Complete Reference 2nd Edition". A former security trainer, Michael has briefed international defense agencies including the FBI and Pentagon, and is a frequent presenter at security conferences, including Black Hat, DEF CON, Gartner, DoD Cyber Crime, OWASP, HackCon, and SANS.

Chet Hosmer (Twitter: @chethosmer) is an international author, educator & researcher, and founder of Python Forensics, Inc., a non-profit research institute focused on the collaborative development of open source investigative technologies using the Python programming language. Chet is also a Visiting Professor at Utica College in the Cybersecurity Graduate Program, where his research and teaching is focused on data hiding, active cyber defense and security of industrial control systems. Additionally, Chet is an Adjunct Professor at Champlain College in the Digital Forensics Graduate Program, where his research and teaching is focused on solving hard digital investigation problems using the Python programming language.

Wi-Fi Threat Modelling and Monitoring (WiNT)

Besim Altinok, Barikat Internet Security
Can Kurnaz, Senior Cybersecurity Consultant at KPMG Netherlands

With the widespread use of wireless Internet access, the use of portable devices is increasing rapidly. The growing number of public networks, and the ease of connecting to them, has attracted the attention of attackers. Because mature Wi-Fi honeypot (rogue access point) creation tools are readily available, these attacks are a slam dunk for even the most novice Wi-Fi attacker. Enterprise security products have tried, and failed, to solve this problem with rule-based and lockdown-based approaches. In this talk we tell a story drawn from our experience with Wi-Fi network attackers, and practically demonstrate how new detection and deception techniques can secure Wi-Fi clients and their environment.

Besim Altinok (Twitter: @AltnokBesim) has been researching Wi-Fi security for over a decade. He created the WiPi-Hunter project to counter Wi-Fi attackers and is the author of a book on Wi-Fi security. Besim's work on wireless security has been published in ArkaKapi Magazine and elsewhere, and he has spoken at top conferences including Black Hat Europe, Black Hat Asia, DEF CON, and others. Besim currently works at Barikat Internet Security in Turkey. He also founded the Pentester Training project.

Can Kurnaz (Twitter: @0x43414e) conducts penetration tests, from the internet and from internal networks, against web applications, network infrastructure, wireless devices, IoT devices, and operational technology infrastructure such as ICS/SCADA systems and components.

Your Phone is Using Tor and Leaking Your PII

Milind Bhargava, Manager at Deloitte Canada
Adam Podgorski, Manager at Deloitte Canada

Do you have a cellphone? Do you run apps on it? Your personal information is most probably traversing Tor without your knowledge or consent. As part of our research, we identified a surprising amount of unencrypted, sensitive and confidential user data originating from mobile devices and traversing the Tor network, including GPS coordinates, Wi-Fi BSSIDs, and keys typed by the user. In some cases we were able to build a complete user profile, from physical movements to purchasing habits. At the end of the day, how comfortable are you knowing that anyone can track you?

Milind Bhargava is a Manager with Deloitte's Risk Advisory team, where he performs security audits and assessments and leads the incident response team. He also runs his own security consulting company, which is known for darknet threat intelligence research.

Adam Podgorski is a Manager at Deloitte Canada. He has managed and led the delivery of a broad range of IT strategies and multiple technical advisory engagements. He presented at Black Hat in 2017.

Workshops Schedule

Friday, August 9th

9:00-12:00 Reverse Engineering Malware 101
Amanda Rousseau
12:15-14:15 Wireshark for Incident Response & Threat Hunting
Michael Wylie
14:30-16:30 Hacking Kubernetes - Choose Your Own Adventure Style
Jay Beale
16:45-18:45 Intel-driven Hunts for Nation-state Activity Using Elastic SIEM
Sean Donnelly, Peter Hay

Saturday, August 10th

9:00-11:00 Burp Suite Workshop
Sunny Wear, Nestor Torres
11:20-13:20 Tools? We Don’t Need No Stinkin’ Tools: Hands-on Hacking with Python
Jason Nickola, Wayne Marsh
13:40-15:40 Writing Wireshark Plugins for Security Analysis
Nishant Sharma, Jeswin Mathai
16:00-18:00 Advanced APT Hunting with Splunk
John Stoner, Ryan Kovar

Sunday, August 11th

11:00-14:00 Threat Hunting with Suricata
Josh Stroschein, Jason Williams, Jack Mott, Travis Green

Workshops Abstracts and Bios

Reverse Engineering Malware 101

Amanda Rousseau, Facebook

This workshop provides the fundamentals of reverse engineering (RE) Windows malware through hands-on experience with RE tools and techniques. Attendees will be introduced to RE terms and processes, followed by basic x86 assembly and a review of RE tools and malware techniques. It concludes with attendees performing a hands-on malware analysis consisting of triage, static, and dynamic analysis.

Prerequisites: Basic understanding of programming C/C++, Python, or Java

Amanda Rousseau (Twitter: @malwareunicorn) absolutely loves malware. She was a Senior Malware Researcher at Endgame, focused on dynamic behavior detection on both Windows and OS X platforms, and worked as a malware researcher at FireEye before joining Endgame. She previously worked as a reverse engineer and computer forensic examiner on DoD forensic investigations and commercial incident response engagements. She received her MS in Information Systems Engineering from Johns Hopkins University. Her research interests include malware evasion techniques, dynamic behavior classification, and developing runtime detections.

Wireshark for Incident Response & Threat Hunting

Michael Wylie, Director of Cybersecurity Services, Richey May Technology Solution

This workshop will take students' Wireshark skills to the next level, with a heavy emphasis on incident response, threat hunting, and malicious network traffic analysis. We will begin with a brief introduction to Wireshark and other Network Security Monitoring (NSM) tools and concepts. Sensor placement, capture techniques, and collection of network traffic will be discussed in detail. Throughout the workshop, we'll examine what different attacks and malware look like in Wireshark. Students will then have hands-on time in the lab to search for Indicators of Compromise (IOCs) and a potential breach of the network. There will be plenty of take-home labs for additional practice.

Michael Wylie (Twitter: @TheMikeWylie) is the Director of Cybersecurity Services at Richey May Technology Solutions. In his role, Michael is responsible for delivering information assurance by means of vulnerability assessments, cloud security, penetration tests, risk management, and training. Michael has developed and taught numerous courses for the U.S. Department of Defense, Moorpark College, California State Universities, and for clients around the world. Michael is the winner of the SANS Continuous Monitoring and Security Operations challenge coin and holds the following credentials: CISSP, CCNA R&S, CCNA CyberOps, GPEN, TPN, CEH, CEI, VCP-DCV, CHPA, PenTest+, Security+, Project+, and more.

Hacking Kubernetes - Choose Your Own Adventure Style

Jay Beale, CTO of InGuardians

Kubernetes continues to gain steam as developers build microservice-based applications and everyone moves to the software-defined data center. Only a small minority of our infosec industry has experience attacking container orchestration systems like Kubernetes. We aim to address that shortage, culminating in an audience-directed, "Hackers"-movie-themed Choose Your Own Adventure demo. In this demo-heavy talk, we will show you how to attack Kubernetes clusters and discuss which hardening techniques and freely available tools can break those attacks. We'll review the components of a Kubernetes cluster, then show how a threat actor can chain configuration vulnerabilities to pivot and escalate privilege, pilfer data, and take over clusters and the cloud environments on which they run. To be clear, you'll see multiple attacks against real clusters from start to finish. You will also gain exposure to a new open source attack tool for Kubernetes called Peirates, available on GitHub. You will leave this talk having seen attacks against clusters that organizations have built themselves, as well as clusters provided by the major cloud providers such as AWS, Azure and GCP. You will be able to repeat specific attacks and know which defenses break them.

Jay Beale (Twitter: @jaybeale) works on Kubernetes and cloud native security as a professional threat actor, a Kubernetes contributor, and a member of the Kubernetes Security Audit working group. He's the architect of and a developer on the Peirates attack tool for Kubernetes. In the past, Jay created two tools used by hundreds of thousands of individuals, companies and governments: Bastille Linux and the Center for Internet Security's first Linux/UNIX scoring tool. He has led training classes on Linux security and Kubernetes at the Black Hat, CanSecWest, RSA, and IDG conferences, as well as in private corporate training, since 2000. As an author, series editor and speaker, Jay has contributed to nine books and two columns and given over one hundred public talks. He is CTO of the information security consulting company InGuardians.

Intel-driven Hunts for Nation-state Activity Using Elastic SIEM

Sean Donnelly, CEO, Resolvn, Inc.
Peter Hay, Director of Strategy and Innovation, Resolvn, Inc.

Hunting for advanced threats can be a daunting task for network defenders. In this workshop we’ll demystify threat hunting by guiding attendees through the development and execution of network traffic and host analysis workflows. Using a six-stage model, attendees will leverage threat intelligence to plan and conduct 20 small hunts, configuring and tuning their defensive tool-suite along the way. The use of IOC-based, tool-based, and TTP-based detection methods will ultimately lead to the discovery of nation-state activity on a complex, near-to-spec enterprise network.

Sean Donnelly (Twitter: @resolvn) is the CEO of Resolvn and a passionate cybersecurity researcher with extensive experience in the industry. As an active-duty U.S. Navy Cryptologic Warfare Officer, Sean worked for the National Security Agency (NSA) before becoming the Technical Director of the Navy Blue Team (NBT). Sean has developed internal tools for threat detection, such as the NBT's Blue P.E.A.R and Expanse's ETHIR, trained countless service members on detection techniques, and led critical security operations around the world. He holds CISSP, GPEN, and OSCP certifications along with a B.S. and M.S. from the United States Naval Academy and Boston University, respectively.

Peter Hay (Twitter: @ResolvnPete) is Resolvn's Director of Strategy and Innovation. Pete has an extensive and diverse background in technology-driven fields including Computer Network Operations (CNO), network forensics, and nuclear chemistry. From his Navy service leading a quick-response team of NSA cryptologists and developers who designed solutions to some of the agency's most vital problems, to delivering multi-domain cybersecurity training to thousands of students worldwide, to applying for cybersecurity patents in the U.S. and Europe, Pete continues to stretch the edges of technology, its use, and its application.

Burp Suite Workshop

Sunny Wear, Nestor Torres

Gain hands-on experience with Burp Suite in this workshop with the author of the Burp Suite Cookbook, Sunny Wear. You will learn how to use Burp Suite to hone your web application penetration testing skills. Each student receives a virtualized environment complete with a copy of Burp Suite and a vulnerable web application to hack. Lessons covered in the workshop include Burp configuration settings, injection attacks such as Cross-site Scripting and SQL Injection, automated attacks using Intruder, recommended BApp extensions and their uses, and finally, how to build and use Burp Macros.

Sunny Wear (Twitter: @SunnyWear) is an Application Security Architect and Web Application Penetration Tester. Her breadth of experience includes network, data, application and security architecture, as well as programming across multiple languages and platforms. She is the author of several security-related books, including her most recent, the Burp Suite Cookbook, which helps pentesters and programmers more easily find vulnerabilities within applications using Burp Suite. She conducts security talks and classes locally and at conferences such as BSides Tampa, BSides Orlando, AtlSecCon, Hackfest CA, and BSides Springfield.

Nestor Torres (Twitter: @N3S____) is a security analyst who works closely with developers to pentest and fix their web applications. He is passionate about helping and teaching others who are hungry to learn cybersecurity. His hobbies include building labs for vulnerability testing and setting up small-to-medium enterprise networks.

Tools? We Don’t Need No Stinkin’ Tools: Hands-on Hacking with Python

Jason Nickola, Director of Technical Services, Pulsar Security
Wayne Marsh, Senior Software Engineer, Pulsar Security

The hacking world is full of fantastic tools, but the ability to write your own in order to customize them and achieve new functionality is the real black magic. This workshop builds quickly from programming and Python fundamentals to manual construction of real-world attack tactics and techniques. Prior hacking and programming skills are not required (although they help), but basic technical knowledge and an ahead-of-time review of introductory topics are highly recommended. Come in with nothing and leave with experience writing your own host and port scanner, reverse shell, packet parser, and more in a controlled (legal) environment.
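The "packet parser" in that list is worth seeing in full, because it is where people usually discover that headers have variable length and that trusting the length fields without checking them is how parsers get exploited. The following Python is an added example of a hand-rolled IPv4/TCP header parser; it is not the workshop's own material. The packet it consumes is constructed inline with struct.pack so nothing needs to be captured, the IPv4 header checksum is verified, and the TCP checksum (which needs a pseudo-header) is deliberately left unchecked.

```python
"""Hand-rolled IPv4/TCP header parser with bounds and checksum checks.

Added example, not the workshop's code. build_sample_packet() constructs the input
so the parser can be run offline; swap in bytes from a raw socket or pcap payload.
"""
import struct
from dataclasses import dataclass
from typing import List

# Bit positions of the flags byte at TCP header offset 13.
TCP_FLAG_NAMES = ["FIN", "SYN", "RST", "PSH", "ACK", "URG", "ECE", "CWR"]


def ipv4_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words.
    Over a header whose checksum field is already filled in, a valid header yields 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


@dataclass
class TcpSegment:
    src: str
    dst: str
    ttl: int
    sport: int
    dport: int
    seq: int
    ack: int
    flags: int
    window: int
    payload: bytes

    def flag_names(self) -> List[str]:
        return [name for i, name in enumerate(TCP_FLAG_NAMES) if self.flags & (1 << i)]


def parse_ipv4_tcp(packet: bytes) -> TcpSegment:
    """Parse an IPv4 packet carrying TCP; raise ValueError on anything malformed."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, _tos, total_len, _ident, _frag, ttl, proto, _hcs, src, dst) = struct.unpack(
        "!BBHHHBBH4s4s", packet[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (ver_ihl & 0x0F) * 4            # header length including options
    if ihl < 20 or len(packet) < ihl:
        raise ValueError("bad IHL")
    if ipv4_checksum(packet[:ihl]) != 0:
        raise ValueError("IPv4 header checksum mismatch")
    if total_len < ihl or len(packet) < total_len:
        raise ValueError("truncated packet")
    if proto != 6:
        raise ValueError("not TCP (protocol %d)" % proto)
    segment = packet[ihl:total_len]       # drop any link-layer padding after total_len
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    (sport, dport, seq, ack, off_res, flags, window, _tcs, _urg) = struct.unpack(
        "!HHIIBBHHH", segment[:20])
    doff = (off_res >> 4) * 4             # TCP header length including options
    if doff < 20 or len(segment) < doff:
        raise ValueError("bad TCP data offset")
    return TcpSegment(
        src=".".join(str(b) for b in src), dst=".".join(str(b) for b in dst),
        ttl=ttl, sport=sport, dport=dport, seq=seq, ack=ack, flags=flags,
        window=window, payload=segment[doff:],
    )


def build_sample_packet() -> bytes:
    """Constructed SYN from 10.0.0.5:40000 to 10.0.0.9:443 carrying a 4-byte payload."""
    payload = b"ping"
    tcp = struct.pack("!HHIIBBHHH", 40000, 443, 0x11223344, 0, 5 << 4, 0x02, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0xBEEF, 0x4000, 64, 6, 0,
                     bytes([10, 0, 0, 5]), bytes([10, 0, 0, 9]))
    ip = ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:]   # fill in header checksum
    return ip + tcp


if __name__ == "__main__":
    seg = parse_ipv4_tcp(build_sample_packet())
    print(seg.src, seg.sport, "->", seg.dst, seg.dport, seg.flag_names(), seg.payload)
```

Every length the parser reads from the wire (IHL, total length, TCP data offset) is checked against the bytes actually present before it is used as a slice index; a parser that skips those checks will either crash on crafted input or quietly misattribute payload bytes to the wrong layer.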

Jason Nickola (Twitter: @chm0dx) is the Director of Technical Services at Pulsar Security, where he also serves as Principal Security Consultant. He can frequently be found working with clients to develop creative solutions to red- (and increasingly blue-) team challenges. Passionate about both technology and the lifelong learning process, Jason enjoys enabling others through teaching and career development. Jason is a SANS instructor for SEC560: Network Penetration Testing and Ethical Hacking and holds the GIAC Security Expert, GXPN, GREM, and OSCP certifications, among others.

Wayne Marsh (Twitter: @infogroke) is a Security Consultant and the Senior Software Engineer at Pulsar Security where he spends his time programming, architecting enterprise products, and breaking into the occasional network. His varied career has involved television and satellite broadcast systems, games development, and marketing before finally focusing on the infosec industry in recent years, where he realized that the common thread in all of these areas of development is security. He loves both obsolete and new, as well as increasingly unfashionable genres of music. Wayne’s security credentials include OSCP, GPYC, GXPN, and GCIA.

Writing Wireshark Plugins for Security Analysis

Nishant Sharma, R&D Manager, Pentester Academy
Jeswin Mathai, Security Researcher, Pentester Academy

Network traffic is a gold mine when mined with the proper tools. There are various open source and paid tools for analyzing traffic, but most of them either have predefined functionality, scalability issues, or one of a dozen other problems, and when we are dealing with non-standard protocols the analysis becomes harder still. But what if we could extend our favourite traffic analysis tool, Wireshark, to accommodate our requirements? As most people know, Wireshark supports custom plugins written in C and Lua which can be used to analyze or dissect packets. In this workshop, we will learn the basics of Wireshark plugins and move on to create different types of plugins that dissect non-standard protocols, provide aggregate statistics, detect attacks, and more. We will use examples of older and newer protocols (including non-standard ones) to understand the plugin workflow and development.

Nishant Sharma (Twitter: @wifisecguy) is an R&D Manager at Pentester Academy and Attack Defense. He is also the Architect at Hacker Arsenal, where he leads the development of multiple gadgets for Wi-Fi pentesting such as WiMonitor, WiNX and WiMini. He also handles technical content creation and moderation for Pentester Academy TV. He has 7+ years of experience in the information security field, including 5+ years in Wi-Fi security research and development. He has presented and published his work at Black Hat USA/Asia, DEF CON China, the Wireless Village, the IoT Village and Demo Labs (DEF CON USA). Prior to joining Pentester Academy, he worked as a firmware developer at Mojo Networks, where he contributed to developing new features for enterprise-grade Wi-Fi APs and maintaining a state-of-the-art Wi-Fi Intrusion Prevention System (WIPS). He has a Master's degree in Information Security from IIIT Delhi and has published peer-reviewed academic research on HMAC security. His areas of interest include Wi-Fi and IoT security, AD security, forensics and cryptography.

Jeswin Mathai (Twitter: @jeswinmathai) is a Researcher at Pentester Academy and Attack Defense. He has presented and published his work at DEF CON China, Black Hat Arsenal and Demo Labs (DEF CON). He has a Bachelor's degree from IIIT Bhubaneswar. He was the team lead at the InfoSec Society of IIIT Bhubaneswar which, in association with CDAC and ISEA, performed security audits of government portals and conducted awareness workshops for government institutions. He was also part of team Pied Piper, which won Smart India Hackathon 2017, a national-level competition organized by the Government of India. His areas of interest include malware analysis and reverse engineering, cryptography, Wi-Fi security and web application security.

Advanced APT Hunting with Splunk

John Stoner, Principal Security Strategist, Splunk
Ryan Kovar, Principal Security Strategist, Splunk

You wanna learn how to hunt the APTs? This is the workshop for you. Using a real-worldish dataset, this workshop will teach you how to hunt the "fictional" APT group Taedonggang. We discuss the Diamond Model, hypothesis building, the Lockheed Martin Kill Chain, and the MITRE ATT&CK framework, and how these concepts can frame your hunting. Using the freely available version of Splunk and OSINT, we will hunt for APT activity riddling a small startup's network. During the event, you will be presented with a hypothesis and conduct your own hunts, whether for persistence, exfiltration, C2 or other adversary tactics. Heck, there might be some PowerShell to be found, too. We will regroup to review each specific hunt, discuss findings, and look at what opportunities we have to operationalize them. At the end, we give you a dataset and tools to take home and try the newly learned techniques yourself.

John Stoner (Twitter: @stonerpsu) is a Principal Security Strategist at Splunk where he enjoys writing, problem solving and building stuff. When not doing cyber things, you can find him reading or binge watching TV series that everyone else has already seen.

Ryan Kovar fought in the cyberwars and has been doing cybery things for almost 20 years. Now he is a Principal Security Strategist at Splunk building cool stuff, talking about security thingies, and helping other people fight their battles. He hates printers.

Threat Hunting with Suricata

Josh Stroschein, Director of Training, Open Information Security Foundation (OISF) / Suricata
Jason Williams, Jack Mott, Travis Green

Finding threats in your network traffic starts with understanding your traffic. More than just an IDS/IPS, Suricata can provide the visibility to solve incidents quickly and more accurately by enabling context before, during, and after an alert. In this workshop, you will learn how to leverage Suricata to generate alerts, produce protocol-specific logs and identify malicious or anomalous activity in your network traffic. You will get hands-on with managing alerts through EveBox and hunting through traffic with Moloch. You will also learn how to create custom Kibana visualizations and dashboards to help focus your analysis efforts. In-depth log analysis and hands-on real-world exercises will be used to reinforce the detection techniques and tactics explained throughout the workshop. This is an ideal workshop for security analysts, blue teamers and malware researchers to get hands-on diving deep into malicious traffic and see what Suricata can do.

Prerequisites: To help prepare for this workshop, we recommend that you are familiar with the basics of network security monitoring, IDS/IPS systems and Linux environments. Familiarization with IDS rules is recommended, but not required.

Josh Stroschein (Twitter: @suricata_ids) is a subject matter expert in malware analysis, reverse engineering and software exploitation. He is an Assistant Professor of Cyber Security at Dakota State University where he teaches malware analysis, reverse engineering, software exploitation and other related security topics. Josh is also an accomplished trainer, providing training in the aforementioned subject areas at Black Hat, DerbyCon, Toorcon, Hack-In-The-Box and other public and private venues. Josh is also the Director of Training for OISF/Suricata, an author on Pluralsight and a threat researcher for Bromium.

Jason Williams (Twitter: @switchingtoguns) is a security researcher with global enterprise experience in detecting, hunting and remediating threats with open source technologies. Primarily focusing on network communications, Jason has written thousands of commercial and community Suricata rules for Emerging Threats to help defenders protect their networks. Jason participates as a Signature Development and User Training instructor for the OISF.

Jack Mott (Twitter: @malwareforme) is a security researcher who focuses on open source solutions to detect, track and hunt malware and malicious activity. He has been a signature writer for the Emerging Threats team for several years, producing community/premium Suricata signatures to help protect networks worldwide. Jack is a strong believer in the open source mission as well as helping people and organizations solve security issues with open source solutions. He resides in the USA.

Travis Green (Twitter: @travisbgreen) is a passionate cybersecurity researcher and consultant with a 20-year career that includes extensive international work leading security initiatives and advising government and military clients, consulting to enterprise businesses, and mentoring teams in best practices. He is an effective communicator and self-starter who analyzes data to create security policy, develops and executes strategy, and builds tools to automate processes. He is an OISF core team member with conference presentation experience and multiple certifications.

DJ Schedule

Friday, August 9th Saturday, August 10th Sunday, August 11th
10:00 some people playing music probably TBD CLOSED
11:00 phreakocious kampf
12:00 Percent27 phreakocious
13:00 TBD Tineh Nimjeh TBD
14:00 Yesterday & Tomorrow Closed for teardown.
15:00 tense future
16:00 Percent27
17:00 Icetre Normal Icetre Normal
18:00 Yurk Terrestrial Access Network

DJ Bios

phreakocious (@phreakocious, https://mixcloud.com/phreakocious)

phreakocious is just this guy, you know?

Yurk (@yurkmeister, https://soundcloud.com/yurkmeister)

DJ / Producer from San Juan, Puerto Rico. Now resides in Brooklyn, New York.

tense future (@tensefutur3, https://soundcloud.com/tensefuture)

Los Angeles, CA. The soundtrack to autonomous vehicle gridlock.

kampf (@nerd_show, https://www.mixcloud.com/NerdShow/)

Resident Chillout DJ with SomaFM on Fluid and DEF CON Radio. Vinyl hangover cure.

DJ %27 (@djpercent27, https://www.mixcloud.com/djpercent27)

DJing since the 80s. Performed at the chill out and pool at DEF CON XX, XXI and XXIII.

Tineh Nimjeh (@tinehnimjeh, https://soundcloud.com/tinehnimjeh)

With 20+ years of DJing, including residencies at various nightclubs, Tineh Nimjeh's live sets will always get your body moving. Tineh is an active member of DC562 and works in vulnerability management.

Icetre Normal (https://www.facebook.com/icetre.normal/, https://soundcloud.com/icetre-normal)

Icetre has been DJing since DEF CON 13. One of Icetre's superpowers is rearranging space and time in the process of epic party creation. He isn't always available to chat, as he may be being smuggled past hotel security for his own safety. When not digging in the crate to field a request for Freebird, Icetre is usually being asked to turn down the volume on his house and electro beats.

Yesterday & Tomorrow (@wompapmow, https://soundcloud.com/tomorrow-yesterday)

A DJ duo inspired by the masters, they seek to bring listeners on a journey ranging from the depths of techno to the expansive sounds of progressive house.

Terrestrial Access Network (https://soundcloud.com/collinsullivan, https://soundcloud.com/shockedatmusic)

Classic Electro - "If network packets were to dance, they would surely dance to this..."