Automation has been at the forefront of almost every tool or talk in recent years. The DFIR industry has been moving rapidly towards automating everything! With some great work being done in the area of integrating workflows and various toolsets to make things easier for analysts, automation has really taken off. While that sounds like a worthwhile solution to help SOC analysts weed out the run-of-the-mill adware/PUPs or phishing expeditions, can we really automate a response to the more sophisticated or targeted attack on our company’s crown
The current argument being made is that, rather than building in-house incident response teams, we should use automation to substitute for analysts and use third-party retainers for skilled analysis. Large investments in automation technologies, rather than in resource development, reflect this strategy. What does this mean for career progression for budding DFIR analysts? With security engineering taking the forefront, is analysis as a career in DFIR a dying star? Is automation moving us towards click forensics rather than intelligent analysis? I’d like to challenge groupthink, and debate where automation will lead the industry trends. Additionally, I will share some of my experiences in the changing face of DFIR.
Rainbow_Tables is an experienced incident responder and forensic investigator. She enjoys her forays in various industries - media, telecom and software. She finds that her most intriguing experiences stem from the application of DFIR to those industries. Her passion lies within automating analysis methodologies to streamline the incident response process. She believes in devising simple and innovative solutions to the challenges posed to incident responders by the proliferation of advancing technologies.
Cloud Security Myths
Friday at 10:40-11:30
Cloud Security is a magical world of as-a-service miracles. Just spin up your intrusion-detection-as-a-service, SOC-as-a-service, incident-response-as-a-service, and start feeding it security-intelligence-as-a-service. Come hear this CISO-as-a-service unwrap the onion of cloud access security brokers (CASB), cloud workload protection platforms (CWPP), microsegmentation, cloud security posture management (CSPM), software-defined perimeters (SDP), and a bunch of other cloud-related topics. What do they do? Do they really work? What do you do with all those security appliances you’ve accumulated?
Xavier Ashe
Xavier Ashe is a Georgia Institute of Technology alumnus and has 25 years of hands-on experience in information security. Working for various security vendors and consulting firms for the last 15 years, including IBM, Gartner, and Carbon Black, Xavier has been focused on helping secure companies of all sizes. Xavier was the first hire at the startup Drawbridge Networks, where he was instrumental in bringing the first microsegmentation solution for servers and workstations to market. Xavier served on the IBM Security Architecture Board and published several papers. Mr. Ashe holds many industry certifications, including CISM, CISSP, ITIL, SOA, and others. Xavier is currently running Xavier Enterprises, an information security consulting firm.
Effective Log & Events Management
Friday at 11:50-12:10
Logs, right? Do you run an expensive SIEM? If not, this talk is for you. An effective process for
managing logs and security events with built-in and open-source tools will be detailed. I'll share
reports and tickets from our organization and describe how we analyze them to improve IT
operations, situational awareness, security posture, and pass audits.
Russell is an IT Infrastructure & Security Director for a DC-area software services company and
an organizer with BSides Charm. Russell has seventeen years' experience in IT operations and
Enterprise Defense and is responsible for the organization's compliance with SOC and FISMA
requirements. He holds degrees from UMBC, UMUC, and Towson University as well as CISSP and
several vendor certifications.
Evolving security operations to the year 2020
Friday at 12:30-13:20
The security operations aspect of your Information Security risk management program is where
the “rubber meets the road” — the tools and people you have to implement the process and
procedures you put together to find the badness and put out the fires. How has the concept of
security operations evolved, and where are we headed? There is plenty of buzzword bingo:
UBA, UEBA, machine learning and artificial intelligence, network abnormality detection, the
marketing conversations of evolving to that SOC of 2020 — what do all these really mean to you
and your operations and which can be useful in your efforts to find the badness?
IrishMASMS is an old school hacker, fighting the good fight in Computer Network Defense
(CND)/blue team efforts for more than 18 years. He has been lurking about since DEFCON 10, a
panel member at HOPE 5, a presenter at a couple of Notacons, and a few other conferences
where it may be hard to remember what really occurred. Having progressed through the ranks
from a Security Operations Center (SOC) analyst to manager and director of Information
Security risk management programs, he has experienced the wide opportunities for pain in our
industry — and desires to help improve rather than perpetuate, nurture rather than exclude.
Hacking Your Dev Job to Save the World - Where Programming and Hacking Meet
Friday at 13:40-14:30
Have you wondered whether developers can play any significant role in the security world?
Come hear from a diehard programmer and hacker who loves to break and loves to build, and
learn how a regular programmer can make major contributions to security from the trenches.
This presentation will dive into the intersection between development and security. You will
learn about the SDL -- Secure Development Lifecycle, and why in the world a hacker would care
about processes and procedures. You will learn how "processes" and "lifecycles" can be useful --
and how they can be a complete waste of time. Included are real world success stories of
organizational hacking -- getting other engineers to change their practices -- and real world fail
stories. Attendees will come away with knowledge of how development and security intersect,
and how they can use their programming day job to save the world. If you are a developer who
cares deeply about security, enjoys exploits, and wants to make the world a better place, this is
Joshua is a software engineer specializing in information and network security. He has worked in the critical infrastructure and cloud computing industries with employers heavily invested in software and hardware security. While he currently hunts vulnerabilities full time, his roles have evolved from programmer to hacker to organizational hacker to regular hacker again. Not only has Joshua found vulnerabilities in safety-critical software, he has started long-term security programs, changing the way an entire business works. Joshua has written software, hacked software, and hacked companies. In his free time, Joshua enjoys improving open source software, teaching kids to program, attending orchestral concerts with his wife, and figuring out how he can get paid to do it all...
How not to suck at Vulnerability Management [at Scale]
Friday at 14:50-15:40
@Plug and mwguy
In the current cyber landscape, several vulnerabilities are discovered every day. The volume of information and the multiple sources from which to consume it create interesting challenges for any security team. In recent months several organizations have fallen prey to bad actors, exposing the private data of millions of users, many times through month-old vulnerabilities. Vulnerability management is often disregarded, improperly staffed and rarely discussed in the infosec community, yet it is one of the single points of failure that allow breaches to take place. Under these circumstances, are you prepared to deal with vulnerabilities accordingly?
In this talk, we’ll share our experiences dealing with vulnerabilities at scale. What works, what does not, and why. More importantly, what actions you should consider to improve or build your vulnerability program. In the process, we’ll introduce some of the custom tools created internally to automate and enhance the program.
Unlike most vulnerability management talks, this talk is about the hands-on portion and the day-to-day activities that must take place. Whether you are a seasoned infosec professional or new to the field, there is something for you to take away, especially at scale.
Plug is currently a Senior Security Analyst at Verizon Digital Media Services. He started his journey in computer security back in 1996 when he discovered a 2600 magazine that eventually led him to his first LA2600 meeting in 1998. From that point forward, he has been involved in computer security. With over 16 years of IT experience, he has worked as a Systems Administrator, Security Analyst and Security Engineer in the finance and telecom sectors. In his free time, he enjoys building Legos and playing with synthesizers and modular systems, and when possible he volunteers his time to computer security events.
Chris is currently a Senior Security Engineer at Verizon Digital Media Services (formerly EdgeCast). He started working with computers in high school, and having older, slower computers, quickly made the move to Linux and the BSDs to improve performance. From then on, he's worked with *nix systems almost exclusively, and a couple of years ago made the switch from being a Systems Administrator to working exclusively in security. When not working, Chris enjoys crypto-currencies, his dogs, and putting wacky stuff on various Raspberry Pis.
SAEDAY: Subversion and Espionage Directed Against You
Friday at 16:00-16:40
Industrial espionage is the practice of secretly gathering information about a competing corporation or business interest, with the objective of placing one’s own organization at a strategic or financial advantage. A common practice to achieve this advantage is to elicit information from unwitting individuals through what today is called social engineering (SE). We all hear the term SE so often that we become desensitized to it, thereby INCREASING its effectiveness against ourselves and our organizations. Thus, we will call it what it is - Human Intelligence, also known as HUMINT.
Drawing on personal experiences as an Army counterintelligence agent, with examples of military and industrial espionage, we will examine the tradecraft employed against individuals every day. We will apply lessons learned from the US military and the intelligence community by using two acronyms taught to Army counterintelligence agents: SAEDA (Subversion and Espionage Directed against the Army) and MICE (Money, Ideology, Coercion, Ego). Presenting different aspects of HUMINT collection efforts will enable individuals to better detect, deflect, and protect themselves from such actions.
As an active duty US Army Counterintelligence Agent (6 yrs), Judy provided weekly SAEDA briefings for new incoming unit soldiers and for yearly awareness training requirements. Judy received an Army award for the presentation’s effectiveness in engaging the audience, thereby enhancing self-awareness of the threat. Her experiences include training in traditional espionage tradecraft, along with supervising and conducting counterintelligence investigations of individuals, organizations, installations and activities in order to detect, assess and counter threats to national security. After leaving the Army, Judy started a civilian career in information security as a domain admin for a global company, an IT manager implementing an incident response system, a fraud department investigator pursuing people stealing company services, and now a Cyber Threat Intelligence Analyst, augmented by a 2nd Master’s Degree in Cybersecurity and Computer Forensics.
Stop, Drop, and Assess your SOC
Friday at 17:10-18:00
Traditionally SOCs look outward from their network perimeters, missing the adversaries already
operating in their networks. As SOCs improve their capabilities by turning inwards, where
should they start? What techniques should they be worried about? What tools will help them?
Without knowing what your adversaries can do and what your current capabilities are, it’s hard
to make improvements.
This talk will describe how to use the MITRE ATT&CK framework as a “scorecard” within the SOC
to understand and tune defensive capabilities, making it easier to answer these hard questions.
We’ll describe key use cases for how SOCs can use ATT&CK, covering hunting, threat
intelligence, red teaming, and security engineering. To enable these use cases, we’ll present a
non-invasive technique to construct a detective coverage map that highlights the SOC’s
strengths and weaknesses, focusing on minimizing resource requirements while still providing
usable results. To accompany this, we describe a process to create a remediation plan that
provides the highest return on investment by orienting on the most relevant threats and
prioritizing defensive improvements based on current coverage. Throughout the talk, we will
provide real examples, making it easy for those in attendance to understand and replicate at home.
Andy Applebaum is a Lead Cyber Security Engineer at MITRE where he works on applied and theoretical security research problems, primarily in the realms of cyber defense, security automation, and automated adversary emulation. Andy has contributed to MITRE’s ATT&CK framework and CALDERA adversary emulation platform, as well as other projects within MITRE’s internal research and development portfolio. Prior to working at MITRE, Andy received his PhD in computer science from the University of California Davis, where his dissertation topic was using argumentation logic for reasoning in cyber security. Andy’s work has been published at multiple conferences and workshops, and he most recently spoke at Black Hat Europe. In addition to his PhD, Andy holds a BA in computer science from Grinnell College and the OSCP
Open Source Endpoint Monitoring
Friday at 18:20-19:00
Rik van Duijn and Leandro Velasco
There is a rising trend among threat actors to find newer, more effective and stealthy ways to attack and gain persistence in a network. One way to achieve this is by abusing legitimate software such as Windows Management Instrumentation and PowerShell. This is the case for Living Off the Land and fileless threats. By using these techniques, attackers can distribute their malicious code while bypassing software whitelisting and avoiding antivirus detection. One method to detect these threats is monitoring endpoint activity. However, this option comes with many challenges, ranging from gathering enough system activity information to handling hundreds of events per second.
In our research, we analyze this monitoring method and the design challenges involved in it. Furthermore, we propose a solution that aims to detect and alert when advanced threats are identified on a system. In order to provide an endpoint monitoring system free of any vendor lock-in, this solution combines the capabilities of different open source projects as well as free tools. These include Sysmon for monitoring system activity, Elastic Stack (ELK) to store and search the collected data, ElastAlert to trigger alarms, and the Sigma project to define the rules for the alarms. This highly customizable solution would enable organizations to hunt for threats inside their network or create rules that automatically detect specific threats up front.
Rik van Duijn
Rik van Duijn has over 5 years of experience as a penetration tester. His first job was auditing web application source code for a Dutch bank. Rik holds the OSCP and OSCE certifications, and is currently practicing for the OSEE certification. Rik has spoken at SHA2017, Tweakers Security/DEV Meetups and
Leandro Velasco has over 4 years of experience in IT security. After his initial introduction managing SIEM systems, Leandro completed the OS3 master. In his current role Leandro is a member of the security research team, analyzing threats and designing detection or mitigating