Friday: 10:00-18:00
Location: Savoy - Flamingo

Automating DFIR: The Counter Future

Friday at 10:00-10:20
20 minutes


Automation has been at the forefront of almost every tool or talk in recent years. The DFIR industry has been moving rapidly towards automating everything! With some great work being done in the area of integrating workflows and various toolsets to make things easier for analysts, automation has really taken off. While that sounds like a worthwhile solution to help SOC analysts weed out the run-of-the-mill adware/PUPs or phishing expeditions, can we really automate a response to the more sophisticated or targeted attack on our company’s crown jewels?

The current argument being made is that -- rather than building in-house Incident Response teams -- we should utilize automation to substitute for analysts and use third-party retainers for skilled analysis. Large investments in automation technologies, rather than resource development, reflect this strategy. What does this mean for career progression for budding DFIR analysts? With security engineering taking the forefront, is analysis as a career in DFIR a dying star? Is automation moving us towards click forensics rather than intelligent analysis? I’d like to challenge groupthink, and debate where automation will lead the industry trends. Additionally, I will share some of my experiences in the changing face of DFIR.

Rainbow_Tables is an experienced incident responder and forensic investigator. She enjoys her forays in various industries - media, telecom and software. She finds that her most intriguing experiences stem from the application of DFIR to those industries. Her passion lies within automating analysis methodologies to streamline the incident response process. She believes in innovating simple and innovative solutions to the challenges posed to incident responders by the proliferation of advancing technologies.

Cloud Security Myths

Friday at 10:40-11:30
50 minutes

Xavier Ashe @XavierAshe

Cloud Security is a magical world of as-a-service miracles. Just spin up your intrusion-detection-as-a-service, SOC-as-a-service, incident-response-as-a-service, and start feeding it security-intelligence-as-a-service. Come hear from this CISO-as-a-service unwrap the onion of cloud access security brokers (CASB), cloud workload protection platforms (CWPP), microsegmentation, cloud security posture management (CSPM), software-defined perimeters (SDP), and a bunch of other cloud-related topics. What do they do? Do they really work? What do you do with all those security appliances you’ve accumulated?

Xavier Ashe
Xavier Ashe is a Georgia Institute of Technology alumnus and has 25 years of hands-on experience in information security. Working for various security vendors and consulting firms for the last 15 years, including IBM, Gartner, and Carbon Black, Xavier has been focused on helping secure companies of all sizes. Xavier was the first hire at the startup Drawbridge Networks, where he was instrumental in bringing the first microsegmentation solution for servers and workstations to market. Xavier served on the IBM Security Architecture Board and published several papers. Mr. Ashe holds many industry certifications, including CISM, CISSP, ITIL, SOA, and others. Xavier is currently running Xavier Enterprises, an information security consulting firm.

Effective Log & Events Management

Friday at 11:50-12:10
20 minutes

Russell Mosley @sm0kem

Logs, right? Do you run an expensive SIEM? If not, this talk is for you. An effective process for managing logs and security events with built-in and open-source tools will be detailed. I'll share reports and tickets from our organization and describe how we analyze them to improve IT operations, situational awareness, security posture, and pass audits.

Russell Mosley
Russell is an IT Infrastructure & Security Director for a DC-area software services company and an organizer with BSides Charm. Russell has seventeen years' experience in IT operations and Enterprise Defense and is responsible for the organization's compliance with SOC and FISMA requirements. He holds degrees from UMBC, UMUC, and Towson University as well as CISSP and several vendor certifications.

Evolving security operations to the year 2020

Friday at 12:30-13:20
50 minutes


The security operations aspect of your Information Security risk management program is where the “rubber meets the road” — the tools and people you have to implement the process and procedures you put together to find the badness and put out the fires. How has the concept of security operations evolved, and where are we headed? There is plenty of buzzword bingo: UBA, UEBA, machine learning and artificial intelligence, network abnormality detection, the marketing conversations of evolving to that SOC of 2020 — what do all these really mean to you and your operations and which can be useful in your efforts to find the badness?

IrishMASMS is an old school hacker, fighting the good fight in Computer Network Defense (CND)/blue team efforts for more than 18 years. He has been lurking about since DEFCON 10, a panel member at HOPE 5, a presenter at a couple of Notacons, and a few other conferences where it may be hard to remember what really occurred. Having progressed through the ranks from a Security Operations Center (SOC) analyst to manager and director of Information Security risk management programs, he has experienced the wide opportunities for pain in our industry — and desires to help improve rather than perpetuate, nurture rather than exclude.

Hacking Your Dev Job to Save the World - Where Programming and Hacking Meet

Friday at 13:40-14:30
50 minutes


Have you wondered whether developers can play any significant role in the security world? Come hear from a diehard programmer and hacker who loves to break and loves to build, and learn how a regular programmer can make major contributions to security from the trenches. This presentation will dive into the intersection between development and security. You will learn about the SDL -- Secure Development Lifecycle, and why in the world a hacker would care about processes and procedures. You will learn how "processes" and "lifecycles" can be useful -- and how they can be a complete waste of time. Included are real world success stories of organizational hacking -- getting other engineers to change their practices -- and real world fail stories. Attendees will come away with knowledge of how development and security intersect, and how they can use their programming day job to save the world. If you are a developer who cares deeply about security, enjoys exploits, and wants to make the world a better place, this is for you.

Joshua is a software engineer specializing in information and network security. He has worked in the critical infrastructure and cloud computing industries with employers heavily invested in software and hardware security. While he currently hunts vulnerabilities full time, his roles have evolved from programmer to hacker to organizational hacker to regular hacker again. Not only has Joshua found vulnerabilities in safety critical software, he has started long term security programs, changing the way an entire business works. Joshua has written software, hacked software, and hacked companies. In his free time, Joshua enjoys improving open source software, teaching kids to program, attending orchestral concerts with his wife, and figuring out how he can get paid to do it all... legally.

How not to suck at Vulnerability Management [at Scale]

Friday at 14:50-15:40
50 minutes

@Plug and mwguy

In the current cyber landscape several vulnerabilities are discovered every day. The volume of information and the multiple sources of this information create interesting challenges for any security team. In recent months several organizations have fallen prey to bad actors, exposing the private data of millions of users, many times through months-old vulnerabilities.

Vulnerability management is often disregarded, improperly staffed and rarely discussed in the infosec community, yet it is one of the single points of failure allowing breaches to take place. Under these circumstances, are you prepared to deal with vulnerabilities accordingly?

In this talk, we’ll share our experiences dealing with vulnerabilities at scale. What works, what does not, and why. More importantly, what actions you should consider to improve or build your vulnerability program. In the process, we’ll introduce some of the custom tools created internally to automate and enhance the program.

Unlike most vulnerability management talks, this talk is about the hands-on portion and day-to-day activities that must take place. Whether you are a seasoned infosec professional or new to the field, there is something for you to take away, especially at scale.

Plug is currently a Senior Security Analyst at Verizon Digital Media Services. He started his journey in computer security back in 1996 when he discovered a 2600 magazine that eventually led him to his first LA2600 meeting in 1998. From that point forward, he has been involved in computer security. With over 16 years of IT experience, he has worked as a Systems Administrator, Security Analyst and Security Engineer in the Finance and Telecom sectors. In his free time, he enjoys building Legos and playing with synthesizers and modular systems, and, when possible, he volunteers his time to computer security events.

Chris is currently a Senior Security Engineer at Verizon Digital Media Services (formerly EdgeCast). He started working with computers in high school and, having older, slower computers, quickly made the move to Linux and the BSDs to improve performance. From then on, he's worked with *nix systems almost exclusively, and a couple of years ago made the switch from being a Systems Administrator to working exclusively in Security. When not working, Chris enjoys crypto-currencies, his dogs, and putting wacky stuff on various Raspberry Pis.

SAEDAY: Subversion and Espionage Directed Against You

Friday at 16:00-16:40
40 minutes

Judy Towers @LadyRed_6

Industrial espionage is the practice of secretly gathering information about a competing corporation or business interest, with the objective of placing one’s own organization at a strategic or financial advantage. A common practice to achieve this advantage is to elicit information from unwitting individuals through what today is called social engineering (SE). We all hear the term SE so often that we become desensitized to it, thereby INCREASING its effectiveness against ourselves and our organizations. Thus, we will call it what it is - Human Intelligence, also known as HUMINT.

Presenting personal experiences as an Army counterintelligence agent, with examples of military and industrial espionage, we will examine tradecraft employed against individuals every day. We will apply lessons learned from the US military and the intelligence community by using two acronyms taught to Army counterintelligence agents: SAEDA (Subversion and Espionage Directed against the Army) and MICE (Money, Ideology, Coercion, Ego). Presenting different aspects of HUMINT collection efforts will enable individuals to possibly detect, deflect, and protect themselves from such actions.

Judy Towers
As an active duty US Army Counterintelligence Agent (6 yrs), Judy provided weekly SAEDA briefings for new incoming unit soldiers and for yearly awareness training requirements. Judy received an Army award for the presentation’s effectiveness in engaging the audience, thereby enhancing self-awareness of the threat. Her experiences include training in traditional espionage tradecraft, along with supervising and conducting counterintelligence investigations of individuals, organizations, installations and activities in order to detect, assess and counter threats to national security. After leaving the Army, Judy started a civilian career in information security as: domain admin for a global company, an IT manager implementing an incident response system, a Fraud department investigator investigating people stealing company services, and now a Cyber Threat Intelligence Analyst, augmented by a 2nd Master’s Degree in Cybersecurity and Computer Forensics.

Stop, Drop, and Assess your SOC

Friday at 17:10-18:00
50 minutes

Andy Applebaum

Traditionally SOCs look outward from their network perimeters, missing the adversaries already operating in their networks. As SOCs improve their capabilities by turning inwards, where should they start? What techniques should they be worried about? What tools will help them? Without knowing what your adversaries can do and what your current capabilities are, it’s hard to make improvements.

This talk will describe how to use the MITRE ATT&CK framework as a “scorecard” within the SOC to understand and tune defensive capabilities, making it easier to answer these hard questions. We’ll describe key use cases for how SOCs can use ATT&CK, covering hunting, threat intelligence, red teaming, and security engineering. To enable these use cases, we’ll present a non-invasive technique to construct a detective coverage map that highlights the SOC’s strengths and weaknesses, focusing on minimizing resource requirements while still providing usable results. To accompany this, we describe a process to create a remediation plan that provides the highest return on investment by orienting on the most relevant threats and prioritizing defensive improvements based on current coverage. Throughout the talk, we will provide real examples, making it easy for those in attendance to understand and replicate at home.

Andy Applebaum
Andy Applebaum is a Lead Cyber Security Engineer at MITRE where he works on applied and theoretical security research problems, primarily in the realms of cyber defense, security automation, and automated adversary emulation. Andy has contributed to MITRE’s ATT&CK framework and CALDERA adversary emulation platform, as well as other projects within MITRE’s internal research and development portfolio. Prior to working at MITRE, Andy received his PhD in computer science from the University of California Davis, where his dissertation topic was using argumentation logic for reasoning in cyber security. Andy’s work has been published at multiple conferences and workshops, and he has most recently spoken at Black Hat Europe. In addition to his PhD, Andy holds a BA in computer science from Grinnell College and the OSCP certification.

Open Source Endpoint Monitoring

Friday at 18:20-19:00
40 minutes

Rik van Duijn and Leandro Velasco

There is a rising trend among threat actors to find newer, more effective and stealthy ways to attack and gain persistence in a network. One way to achieve this is by abusing legitimate software such as Windows Management Instrumentation and PowerShell. This is the case for Living Off the Land and Fileless threats. By using these techniques, attackers can distribute their malicious code, bypassing software whitelisting and avoiding antivirus detection. A method to detect these threats is by monitoring endpoint activity. However, this option comes with many challenges that range from getting enough system activity information to handling hundreds of events per second.

In our research, we analyze this monitoring method and the design challenges involved in it. Furthermore, we propose a solution that aims to detect and alert when advanced threats are identified in a system. In order to provide an endpoint monitoring system free of any vendor lock-in, this solution combines the capabilities of different open source projects as well as free tools. These include Sysmon for monitoring system activity, Elastic Stack (ELK) to store and search the collected data, ElastAlert to trigger alarms and the Sigma Project to define the rules for the alarms. This highly customizable solution would enable organizations to hunt for threats inside their network or create rules that would automatically detect specific threats upfront.

Rik van Duijn
Rik van Duijn has over 5 years of experience as a penetration tester. His first job was auditing web application source code for a Dutch bank. Rik holds the OSCP and OSCE certifications, and is currently practicing for the OSEE certification. Rik has spoken at SHA2017, Tweakers Security/DEV Meetups and #whiskyleaks.

Leandro Velasco
Leandro Velasco has over 4 years of experience in IT security. After his initial introduction managing SIEM systems, Leandro completed the OS3 master. In his current role Leandro is a member of the security research team, analyzing threats and designing detection or mitigating solutions.