Track 3
5 Feb 2022 4:00 PM - 5:00 PM

Despite your best efforts, there is a good chance your organization will be the victim of a ransomware attack. What do you do when that happens? Organizations need to plan for a ransomware attack. This talk will cover steps organizations can take to prepare for a ransomware attack and review the initial steps after an attack happens. Topics include:

1. What log sources should be collected.
2. Getting the right people involved
3. Testing your IR plan

Allan Liska
Intelligence Analyst, Recorded Future
@uuallan

With more than 20 years of experience in ransomware and information security, Allan Liska has improved countless organizations’ security posture using more effective intelligence. Liska provides ransomware-related counsel and key recommendations to major global corporations and government agencies, sitting on national ransomware task forces and speaking at global conferences. Liska has worked as both a security practitioner and an ethical hacker at Symantec, iSIGHT Partners, FireEye, and Recorded Future. Regularly cited in The Washington Post, Bloomberg, The New York Times, and NBC News, he is a leading voice in ransomware and intelligence security. Liska has authored numerous books including “The Practice of Network Security, Building an Intelligence-Led Security Program;” “Securing NTP: A Quickstart Guide;” “Ransomware: Defending Against Digital Extortion;” “DNS Security: Defending the Domain Name System;” and “Ransomware: Understand.Prevent.Recover.”

Track 1
5 Feb 2022 4:00 PM - 5:00 PM

Panel talk with real-world examples from this year's CFP (sanitized, of course, and presented without making anyone feel bad about their submission.)

Topics include:

- Making sure the talk is applicable to the conference you're submitting to
- Selling yourself and your talk
- How to NOT sound like a vendor pitch
- WRITE. AN. OUTLINE.
- Submit one or two REALLY GOOD talks - don't "spray and pray" your entire back pocket of topics into a single CFP

Track 1
5 Feb 2022 3:00 PM - 4:00 PM

Offensive forensics is the concept of using forensics technique to find secrets or other valuable data to further attack paths. Offensive security tools such as Mimikatz that employ strong forensics and reverse engineering techniques have proven invaluable in red teaming and penetration testing.

This talk will discuss finding the golden nuggets in .NET dumps using existing tools and provide scenarios in which exercising forensic skills can be a game-changer in offensive security operations. Additionally, this talk will demonstrate Turdshovel, a tool for quickly analyzing .NET dumps for objects of interest.

So go ahead, fam. Take a huge dump.

Leron Gray
Azure Red Team/Hottest Rapper @ Microsoft
@mcohmi
https://daddycocoaman.dev/

Leron Gray is on the Azure Red Team at Microsoft. He holds a Bachelors in Cyber Operations, a Masters in Cyber Defense, and is currently a PhD in Cyber Operations student at Dakota State University. Between the NSA, web application testing, and his current position at Microsoft, he has 8 years of offensive security experience and enjoys writing tools in Python to automate tedious things. He's an advocate of 100% keeping it real, will absolutely roast you, and is the dopest rapper at Microsoft.

Track 2
5 Feb 2022 3:00 PM - 4:00 PM

Ten years ago, Lockheed Martin introduced the Intrusion Kill Chain. Since then, it has morphed into the Cyber Kill Chain and remains as a widely used framework for cybersecurity and incident response strategy. However, ransomware does not fit into the traditional Cyber Kill Chain attack lifecycle, and many organizations make the mistake of simply folding ransomware attacks into existing incident response programs. What’s really needed is a new “Ransomware Kill Chain,” which can form the framework for ransomware response plans.

In this session, Nicole Hoffman, a Threat Intelligence Analyst and Kurtis Minder, CEO/Expert Ransomware Negotiator, both at GroupSense, will explain the best way to defend against ransomware is “The Ransomware Kill Chain.” They will explain the 15-step framework of the chain – from first access through encryption – by using client case studies and examples of custom-made ransomware playbooks. Discover the power and effectiveness of “The Ransomware Kill Chain” and keep your organization one step ahead during an attack.

Track 3
5 Feb 2022 3:00 PM - 4:00 PM

The speakers have an abundance of experience working with organizations across many different sectors and regions. Something they have seen be the most effective use of tactical Threat Intelligence and Purple Teaming is the concept of “Active Defense Exercises”. “Active Defense Exercises” involve the creation of realistic and timely, adversary specific, kill chain scenarios. During this talk the speakers will discuss the best approaches for scenario selection. The speakers will then pivot to discuss the nuances of liaising Purple Team testing to determine the level of effectiveness of the organization’s security controls. The speakers will also discuss strategies for engaging internal security teams and detail the most effective mechanisms for conveying the “Active Defense Exercise” lessons learned to technical and non-technical stakeholders.

Track 3
5 Feb 2022 2:00 PM - 3:00 PM

The threat of ransomware is ever-evolving, just as artificial intelligence is. It’s clear that businesses need better defense, but the answer isn’t solely AI – it’s actually human intelligence.

In this session, Bryce Webster-Jacobsen, an expert ransomware negotiator who deals with ransomware negotiations on a daily basis, will challenge the ideas of human intelligence versus artificial intelligence when it comes to ransomware attacks. Learn how expert ransomware negotiators can validate the reputation of the threat actor and why dark web monitoring and human reconnaissance is an indispensable part of the resolution process.

Bryce Webster-Jacobsen
Director of Intelligence Operations, GroupSense
@BrycexWJ

Bryce Webster-Jacobsen is the Director of Intelligence Operations at GroupSense, a digital risk protection services company. He leads a team delivering fully managed cyber intelligence and reconnaissance services to help organizations manage risk.

Track 1
5 Feb 2022 2:00 PM - 3:00 PM

As individuals and companies look for ways to save money, cloud providers incentivize choosing their service over others. Unless they are demoing a security project, security isn't a forethought until an incident happens. Free cloud tiers are the focus, as there may not be money invested by the individual/organization, especially in something like a project demo. There are two simulated threats, so we cover what artifacts are generated, and opinions on the ease and quality of the information.

Kyle Nordby
DFIR Enthusiast
@youmusec

Kyle Nordby (GCFE, GCFA, GCIH, GCIA) is an information security professional that has years of experience in a large retail Security Operations Center (SOC), and works in an Incident Response (IR) focused role. He is currently working on his Master's with an IR focus. His work ranges in threat hunting, IR, SOC operations, and endpoint triage. He is survived by his two cats, Lina and Jupiter.

Workshop
5 Feb 2022 2:00 PM - 4:00 PM

Learn Network Forensics with PacketCTF!

Have you ever wanted to learn more about network traffic and network forensics? Come play PacketCTF!

PacketCTF is a capture the flag (CTF) game using packet capture files (pcaps). Participants will download and analyze pcaps using Wireshark to answer questions on the gameboard. PacketCTF uses a jeopardy-style gameboard. Questions and collaboration are encouraged, but players will compete as individuals (no teams please).

Wireshark skills will be demonstrated throughout the workshop and prizes will be awarded for top finishers.

This event is for all skill levels. A computer running Wireshark is required to play. All required pcap files will be provided.

Jeremy Pierson
Program Architect - CompuNet Inc.

Infosec Professional, Hackercamp Founder, DC801 grey beard, Packet Janitor and Raconteur.

Track 2
5 Feb 2022 2:00 PM - 3:00 PM

I love vulnerability management as a core discipline of what makes an effective security operations program because it can help to both reduce risk and improve efficiency. However, I still find many organizations are still stuck after rolling out a scanning tool (and then stopping). I've seen the reason for this being one of three main reasons (but there are more).


1 - Conflicting information between patching processes and vulnerability scanning tools

2 - Lack of guidance or frameworks to prioritize the growing list of vulnerability

3 - Very manual process without a clear understanding how to automate activities

This talk is for anyone who is working as a security analyst or leader who directly performs vulnerability management activities (identify, assess, triage, and track). Additionally, this will be really informative for those who have process inputs (any pentesters out there?) or outputs (IT and critical process owners).

This talk will give you all the tools and processes that you'll need to level up your program TODAY, without having to go ask for more budget (again).

Andy Jordan
Owner & Founder of New Genesis Solutions

Andy Jordan (CISSP, CISM, MCSA, MCP, Security+, Network+, ITIL v3, LeanIT) is the owner/founder of New Genesis Solutions, a managed services provider that focuses on cybersecurity program development and vulnerability Management services.

Andy has built and managed multiple security programs for numerous large and small organizations throughout his 15-year career. He uses lean and agile methodologies to create demonstrable value within complex infrastructure and security programs. He is an active figure in the information security community, having presented multiple times at Cactuscon.

Track 3
5 Feb 2022 12:00 PM - 12:30 PM

SOC analysts are familiar with Wireshark and all of it's capabilities but are often at a roadblock when the pcap is relatively large. My tool, PacketSifter, and the open-source tool TShark will enable analysts to jump over that hurdle and learn to analyze pcaps on the command line!

Gone are the days of opening a large pcap in Wireshark and waiting two days for Wireshark to parse and load the pcap. PacketSifter will carve out noteworthy traffic as well as provide enrichment capabilities with GeoIP lookups via AbuseIPDB and hash lookups via VirusTotal.

This talk will demo PacketSifter as well as introduce TShark to continue on with the output files provided by PacketSifter.

Ross Burke
Mandiant - Security Consultant | University of Houston - Instructor
@packetsifter

Ross Burke is a Security Consultant at Mandiant and also an Instructor of Information Science and Technology at the University of Houston. Ross has worked across several aspects of cybersecurity including operating as a SOC analyst at an MSSP as well as staff augmentation and strategic consulting projects.

Ross has two degrees from the University of Houston including a Bachelor of Science in Computer Information Systems and Master of Science in Cybersecurity. He also holds several cybersecurity certifications including CISSP, GCIA, GCDA, GCFA, and Security+. Ross is also the developer of the open-source tool PacketSifter (https://github.com/packetsifter/packetsifterTool) which he presented at Wild West Hackin' Fest - Way West 2021.

On his free time, he enjoys kickstarting board games after having a few drinks.

Track 2
5 Feb 2022 11:00 AM - 12:00 PM

Have you struggled to get security baked into your DevOps process or have your security needs taken a back seat to "run fast and break things"? Just because we’re moving fast doesn't mean we can’t be secure. Join us for this deep dive into adding container scanning to a DevOps pipeline. We'll enumerate the security tool categories, and give you tips for adding these tools to your development workflow, build pipeline, and production monitoring setup. You can achieve a robust security posture and still release continuously.

Rob Richardson
@rob_rich

Rob Richardson is a software craftsman building web properties in ASP.NET and Node, React and Vue. He’s a Microsoft MVP, published author, frequent speaker at conferences, user groups, and community events, and a diligent teacher and student of high quality software development. You can find this and other talks at https://robrich.org/presentations and follow him on twitter at @rob_rich.

Track 3
5 Feb 2022 11:00 AM - 12:00 PM

Advanced Persistent Threat (APT) groups do not like to have the evidence of their crime into their targets, usually, they would develop or use file-less malware to not leave any fingerprints traces proof their crime and unleashed their operations. Network forensics analysis became an essential skills to uncover APTs operation and identify what has happened by utilizing Wireshark and other open-source tools to analyze network packet captures (PCAP). In this lecture, we will introduce couple of APT attack scenarios and walk-through how to analyze them.

Rami AlTalhi
Incident Response Consultant @ Cisco Talos

Rami has experience across different information security and cybersecurity fields for over 13years. Worked as Incident Response Expert in the past for four years to handle different cyber incident and events. Provided DFIR and Cyber Range training for different regions in the world (Europe, Asia, Middle East and US). Dealt with different sophisticated APT cyber incident cases that ranging from cyber espionage until data destruction.

Track 1
5 Feb 2022 11:00 AM - 12:00 PM

For some people, trying to figure out if you’re being followed is a matter of physical safety for themselves or others. In this talk we’ll discuss a methodology for using low cost, off the shelf parts and some adequate python code to help determine if you’re being followed by analyzing wireless signals nearby.

We’ll cover methodology and best practices as well as challenges encountered during development and field testing. We’ll release the code so anyone who wants to build their own easily can, likely with parts they already have laying around.

Matt Edmondson
Govt Lackey, Principal at Argelius Labs and Certified SANS Instructor
@matt0177
https://www.digitalforensicstips.com/

By day, Matt performs technical duties for the U.S. government. By night, he is a Principal at Argelius Labs and a Certified SANS instructor. Basically a much lamer version of Batman.

Track 3 (Virtual)
5 Feb 2022 10:00 AM - 11:00 AM

LockBit ransomware operators have been active since September 2019, but still there’s very limited pieces of information on their operations available in public space. The ransomware-as-a-service program and ransomware itself have updated in June 2021, so now we are dealing with LockBit 2.0. Despite the fact the updated RaaS has quite short lifecycle, their affiliates already performed at least a hundred of successful attacks. In this talk, we’ll look at the threat actor’s tactics, techniques and procedures, from gaining the initial access to impact, as well as some custom tools leveraged by them for data exfiltration (StealBit) and files encryption (LockBit).

Oleg Skulkin
Head of DFIR Team, Group-IB
@oskulkin

Oleg Skulkin is the Head of DFIR Team at Group-IB. Oleg has worked in the fields of digital forensics, incident response, and cyber threat intelligence and research for almost a decade, fueling his passion for uncovering new techniques used by hidden adversaries. Oleg has authored and co-authored multiple blog posts, papers, and books on related topics and holds GCFA and GCTI certifications.

Track 2
5 Feb 2022 10:00 AM - 11:00 PM

While APIs have clear and obvious benefits, they’re also creating a rapidly-growing attack surface that isn’t widely understood and is sometimes completely overlooked by developers and software architects. With recent reports suggesting that by 2022, API abuses will be the most responsible vector for data breaches within enterprise web applications, securing them is a top challenge and must be a bigger priority.

The first step in accomplishing this goal is generating awareness around the most critical API-related vulnerabilities and ways of protecting these programs.

This significant gap in knowledge drove me to spearhead the development of the OWASP API Security Top 10 list, which was officially published at the end of 2019, to inform organizations, developers, and security professionals about the top issues impacting API-based applications. Since deploying, it has been adopted as the de-facto standard by many organizations and security specialists.

In this talk, I'll emphasize the uniqueness of API-centric design from the security angle, highlight the risks presented by API use, and show why an increased level of awareness is required to mitigate the risks. From there, I'll dive into the top security risks presented in the OWASP API Top 10 list, and provide example attack scenarios for each. Some offensive tips and tricks will be mentioned to get you hacking APIs.
Finally, I will share what we can expect to see when it comes to API exploitation moving forward as modern software is increasingly targeted by adversaries.

Erez Yalon
Head of Security Research at Checkmarx | Co-Founder of DEF CON's AppSec Village | Co-Leader of OWASP API Security Project
@erezyalon

Erez Yalon heads the security research group at Checkmarx. With vast defender and attacker experience and as an independent security researcher, he brings invaluable knowledge and skills to the table.
Erez is also leading the OWASP API Security Project and a founder of the AppSec Village in DEF CON.

Track 1
5 Feb 2022 10:00 AM - 11:00 AM

I'll be going over how to reverse engineer dll files in the windows space. We'll cover common vulnerabilities, loading dll files, intrinsics, exported functions, loading orders, dynamic loading vs static loading.

Joe Giron
Reversing Windows DLLs
@gironsec

Computer hacker guy from Phoenix. Phoenix 2600 leader. Reverse engineer, malware dissection expert.

Workshop
5 Feb 2022 10:00 AM - 12:00 PM

Pivoting, tunneling, and redirection are essential skills that separate the junior and senior operators in the offensive security landscape. This workshop describes various techniques used to creatively route traffic through multiple network segments. Various tools and techniques will be discussed and demonstrated. Attendees will be able to practice these skills in a provided cyber range during and after the workshop. These are essential skills for every pentester, bug bounty hunter, and red team operator. But that's not all! Defenders will learn techniques for detecting this sort of suspicious traffic.

Barrett Darnell
Security Researcher and Experiential Learning Lead with Threat Simulations
@pwnEIP

Barrett Darnell is a Security Researcher and Experiential Learning Lead with Threat Simulations, and a Certified Instructor for SANS. Previously he was a Managing Senior Operator at Bishop Fox, a security firm providing professional and managed services to the Fortune 1000, global financial institutions, and high-tech startups. Prior to Bishop Fox, he served as an exploitation operator in the US Department of Defense's most elite computer network exploitation (CNE) unit. As a top-rated military officer, Barrett led an offensive operations team in the US Air Force's premier selectively-manned cyber attack squadron.

Barrett holds a B.S. in Computer Science from Washington State University and a M.S. in Software Engineering from the University of West Florida. In addition Barrett also holds various industry certifications including the CISSP, GXPN, GPEN, GREM, GWAPT, GCED, GCIH, GCIA, GCTI, GMON, GAWN, and GSEC.

Workshop
5 Feb 2022 9:30 AM - 12:30 PM

What exactly is security analytics? Quite simply, it's leveraging large data sets through queries and visualization. And in security…we have a lot of data! This lab will introduce the attendee to tips, tricks, and other magic to get the information out of data that helps a security organization specifically get the value out of log data.

Kristy Westphal is a versatile information technology professional with specific experience in providing advisory and management services in the area of information security and risk is currently employed as the Vice President, Security Operations at a financial services company. Specializing in leadership and program development, her specific expertise in security areas includes process analysis, risk assessments, security awareness programs, operating system security, network security, incident handling, vulnerability analysis, and policy development.

Track 3
5 Feb 2022 9:00 AM - 10:00 AM

Nefilim’s malware sample uses a polymorphic dropper, meaning the file it drops may be one of over 2000 different file hashes. Polymorphism is used in a dropper to make a malware sample harder to detect, and I will explain a lot of basics about reverse engineer for a diverse IT security crowd.

Mark Embrich
Malware Analyst

Mark has been a Network Admin, System Admin, SOC Analyst, Sec Eng, Forensics Analyst, Threat Detection Analyst, and Malware Analyst.

Mari DeGrazia is an Associate Managing Director at Kroll Cyber Risk, which provides cyber security services on a global scale. Throughout her career, Mari has investigated high-profile breach cases, worked civil and criminal cases and provided testimony as an expert witness. She has written and released numerous programs/scripts to the forensics community; presented her research at industry conferences; and is a published author in several magazines. She is also a SANS instructor where she loves sharing her knowledge with students. She holds several industry certifications in addition to earning a B.S. in Computer Science from Hawaii Pacific University.