Initial release of talks below, more to come

Jayson E Street

Thursday Keynote


Johnny Xmas

Friday Keynote


Gabriel Ryan (solstice)

The Black Art of Wireless Post-Exploitation
Wireless is an inherently insecure protocol. Most companies recognize this, and focus their resources on minimizing the impact of wireless breaches rather than preventing them outright. During red team engagements, the wireless perimeter is cracked within the opening days of the assessment, or it isn’t cracked at all. From an attacker’s perspective, the real challenge lies in moving laterally out of the isolated sandbox in which network administrators typically place their wireless networks. Enterprise network teams are typically aware of this fact, and many will attempt to justify weak wireless perimeter security by pointing out how difficult it is to pivot from the WLAN into production.

However, preventing an attacker from doing so is only easy when the network in question is used exclusively for basic functions such as providing Internet connectivity to employees. When wireless networks are used to provide access to sensitive internal infrastructure, the issue of access control gets significantly messier. A door must be provided through which authorized entities can freely traverse. As with cryptographic backdoors, a door that requires a key is a door no less.

In this presentation, we will focus on methods through which red team operators can extend their reach further into the network after gaining their initial wireless foothold. We’ll begin with a quick recap on how to use rogue access point attacks to breach all but the most secure implementations of WPA2-EAP. We’ll then demonstrate methods of evading the most commonly used methods of WLAN access control, and explore whether segmentation of a wireless network is truly possible. Finally, we will demonstrate how contemporary network attacks can be combined with wireless man-in-the-middle techniques to create brutal killchains that would be impossible to achieve over a wired medium.


Arron ‘Finux’ Finnon

3rd Party Data Burns
Data-Loss via 3rd party data-breaches is a subject that most have a little time for, yet the impact of what has been lost in recent years is yet to be fully understood. From work related emails, to corporate passwords, it’s all out there. Billions and billions of individual pieces of data are floating around the internet, none of them really have any value individually but when put together and indexed they can become very costly. This talk looks at the journey one can take to build a data-dump search-engine, that is fast, efficient and plentiful in results, and of course all the bumps along the way. It is so much more than just passwords, it’s a peek behind the curtain of what is really waiting for us in the next few years. You’ll walk away from this talk knowing what to expect from data-driven hacking attacks, and get an understanding for how dangerous this passive OSINT enumeration can actually be.


Chris Roberts

Subject matter to be determined by the number of federal agents present in the audience.

David Kennedy

More info to be announced shortly


J Wolfgang Goerlich

We got it wrong
This session is on all the things we all say all the time, about all the things we all know. Security through obscurity is bad. Defense in depth is good. Stop clicking things. Next generation is bad, or maybe, next generation is good. The list goes on and on. The resulting rules of thumb are sometimes contradictory and often misleading. With war stories and anecdotes, we’ll explore what happens when teams run security by tribal knowledge instead of research and reason. Spoiler alert: they get pwned. Turns out, we were wrong.


Duncan Manuts

Duncan Vs the Internet!
Enjoy the show as Duncan debates the internet on a variety of topics. With some special guest appearances.
Guaranteed to delight and offend


Joel Cardella

The Shuttle Columbia Disaster: Lessons That Were Not Learned
When the shuttle Challenger was destroyed in 1986, poor NASA culture was significant in the events that led to the disaster. NASA made serious changes to their space program to ensure human life was at the least risk possible. But in 2003, the shuttle Columbia suffered a disaster and all hands were lost upon re-entry. The ensuing investigation specified that “NASA organizational culture had as much to do with this accident as the foam.”

This talk will look at how culture affects risk in organizations, using both the Challenger and Columbia as examples, and talk about the difficulties of risk management, and give guidance on how to deal with and overcome difficult risk decisions, such as the final decision by NASA not to inform the astronauts they were doomed.
Takeaways will be how to understand how culture impacts risk, what you can do about it, and how to make better risk decisions.


Kevin Johnson

Thursday Opening Keynote

More info to be announced shortly



Cyber, Cyber, Cyber – Using the killchain to accomplish something
Everyone talks about the cyberkill chain(tm). I want to show you how to map some of the common threats to the different steps along with how to defend against and monitor for each along the way. Threats like ransomware, data exfiltration, and application vulnerabilities will be broken down for a better understanding of how to improve the standard of defense.


Dr. Jared DeMott

Embedding Security in Embedded Systems
If security were easy, we’d have solved it 20 years ago. Unfortunately for complex systems, we need all-hands-on-deck: developer training, correct implementation, proper deployment, monitoring, secure updates, and response planning. Come be encouraged by Dr. DeMott to apply security best practices to the embedded specific domains.


Brett “GOllumfun” Johnson

Shadowcrew: A history and future of cybercrime
Presenter will detail a representative history of cybercrime, concentrating on Shadowcrew, Carderplanet, and its members (Brett Johnson, Albert Gonzalez, Max Butler, Roman Vega, Dmitry Golubov, and others). Presentation will center on how those groups are the precursors of darkweb marketplaces and online criminal communities. Issues of Group Structure, Trust, Anonymity, networking among criminals, etc. will be examined. Further discussed will be the current state of cybercrime, specific crimes and intrusion techniques, future implications, and ways to prevent.


atlas 0f d00m

More info to be announced shortly


Dr. Phil Polstra

I’ve got a (Pocket) Bone to pick with you
This session is on all the things we all say all the time, about all the things we all know. Security through obscurity is bad. Defense in depth is good. Stop clicking things. Next generation is bad, or maybe, next generation is good. The list goes on and on. The resulting rules of thumb are sometimes contradictory and often misleading. With war stories and anecdotes, we’ll explore what happens when teams run security by tribal knowledge instead of research and reason.

Spoiler alert: they get pwned. Turns out, we were wrong.


Aaron Shanas & Joe Petroske

The Need for Speed – Benefits of Speed Driven Incident Response
Threat actors, like your IR team, need time to complete their mission. By short-circuiting the IR process, we will show you how to recover from attacker footholds and prevent what you really care about — Attacker mission completion. We propose and demonstrate the benefits of a new approach, focusing on rapid identification and containment of threats using sniper forensics and live response techniques in place of classical investigative methods.


David “HealWHans” Schwartzberg

Building a Usable Mobile Data Protection Strategy
Mobile smart devices from the consumer perspective are easy to activate for an enriched user experience. Enable smart devices in the enterprise, after the basics, the user experience they know drops while users and InfoSec demand more with competing agendas. This presentation will provide you with a blueprint of the various mobile data protection technologies. We will review what is provided natively, as well as third party options to help you decide what will fit best in your environment and corporate culture.


Charles Parker, II

Oops! Was that your pacemaker?
Medical devices have become more prevalent as the population has aged. The earlier applications included the exterior utilized devices. As time passed the technology improved markedly. Technology has improved these devices by, among other modifications, connecting these (IoT). Over more than the last two decades, a portion of these have been implanted in the human body. Although these have proven to be significantly useful, there have also been the issues that have been shown to be problematic and others that could prove to have issues (proof of concept). This connective-ness has created its own vulnerabilities and allowed these to be attacked and potentially breached, as a POC. This is a direct result of the engineering primarily being focused with the equipment operating and not addressing the security aspect. The presentation shall address the historical aspect of the equipment, manufacturers, communication channels, and how these are attacked.


Zee Abdelnabi

Importance of Cloud Framework and Strategy so you don’t get PWNED
Data transfers grow increasingly both internally and externally across companies. It’s the responsibility to protect your data as well as your customer’s data. So, why do companies barely scratch the surface when it comes to their data in the cloud? This framework was designed to focus on how we protect our data in the cloud.


Justin ‘Buckaroo’ Whitehead & Jim Allee

vAp0r and the Blooming Onion
vAp0r is a Linux distro that brings together a specific set of tools to allow for secure Tor use on the Raspberry Pi 3. Due to the standard Tor Browser bundle’s inability to support the ARMHF architecture. Included in the distro is Mozilla Firefox set up as a Tor browser with custom privacy settings to harden it and privacy add-ons which allow for extra layers of security.

Bloomin’ Onion is a Red Team inspired leave-behind device, based on RPi3, which opens your target’s network up like an Onion blossom. Deploy a rogue hotspot remotely and tunnel traffic back to your vAp0r and funnel through Burp proxy for MitM. Do remote ARP spoofing, collect Windows authentication information, packet capture and more!


Hilary Louise

#PartitionLikeAJournalist: A Look at Open Source Intelligence
Governmental and private agencies provide a vast amount of publicly-available information on individuals and companies for those driven or savvy enough to find it. This talk aims to ease the digital and bureaucratic guesswork from the perspective of an investigative reporter. We’ll go through where and how to find certain types of data, and talk search tips to make the best of any future digital intelligence-gathering efforts.


Brent White & Tim Roberts

Skills For A Red-Teamer
Want to incorporate hybrid security assessments into your testing methodology? What does going above and beyond look like for these types of assessments? How do you provide the best value with the resources and scope provided? What do some of these toolkits encompass?
If you’re interested in what skills are needed for a Red-Teamer, or taking your red teaming assessments to the next level, here’s the basic info to get you started. We’ll discuss items of importance, methodology, gear, stories and even some tactics used to help give you an edge.


Rhett Greenhagen

How to hide from the FBI
This talk will be somewhat humorous, taking real world examples from my work that are unclassified with mug shots of them on their way to prison. Each example will start with what I had at the time I was given the target’s name and personals, and ending each example with how I came across their information or lured them to a specific location for extraction by federal agents. Some of the examples include creating a phishing website based off of the target’s resume, finding an IP address through Xbox Live, using cell phone information as well as Facebook metadata to track the user, etc.


Tom Mead

PCI Compliance: A Crash Course for Beginners
You’ve heard of the mythical beast, and now it’s staring you in the face. The mandate has come: “We need PCI, and we need it now!” You’re the security guy, so now it’s your “opportunity” to make it happen. This presentation will help. We’ll discuss the PCI-DSS, PCI-SSC, Merchant VS Service Provider compliance, SAQs, ASVs, and more alphabet soup.



Pen Test War Stories – Why my job is so easy, and how you can make it harder
As a Pen Tester and security professional, I get it. You are faced with a behemoth of a network, constrained by budget, and every day seems to bring a new zero-day to patch. However, there are some basic steps you can take to secure your network without having to plead for budget. This talk will take attendees on a magical journey through the pillaging and looting that occurs during penetration tests, and the wonderful war stories that come with it. Once the dust settles, we will break down fixing most common vulnerabilities and misconfigurations, so that on your next penetration test, your domain will withstand the siege.

So sit back, laugh or cry, and learn easy ways to make my job harder.


Richard Thieme/neuralcowboy

Staring into the Abyss: The Dark Side of Security and Professional Intelligence
Nothing is harder to see than things we believe so deeply we don’t even see them. This is certainly true in the “security space,” in which our narratives are self-referential, bounded by mutual self-interest, and characterized by a heavy dose of group-think. We become assimilated by the conversation and cease to see the bigger picture.

An analysis of deeper political and economic structures reveals that narrative and therefore our core beliefs in a new context which illuminates mixed motivations, some of the reasons we chose to do this work, and the interpenetration of overworlds and underworlds in our global society and profession. This analysis will make you hesitate before uncritically using the buzzwords and jargon of the profession – words like “security,” “defense,” and “cyberwar,” and thinking in a binary fashion of good guys and bad. By the end of this presentation, simplistic distinctions between foreign and domestic, natural and artificial, and us and them will have gone liquid while the complexities of information security will remain … and continue to challenge us personally and professionally.


Derek Milroy

Learning from InfoSec Fails
This presentation will highlight some of the reasons why InfoSec either fails or is perceived to fail. People, Process, and Technology issues will be presented with examples. The goal of this talk is to allow people to pick up some pointers for doing things better by analyzing real world failures. This talk makes use of jaded and cynical humor to get some of the lessons learned across.


Adam Hogan

Eye on the Prize – a Proposal for Legalizing Hacking Back
The myriad objections to legalizing hacking back all agree that an undisciplined horde of skids responding aggressively to every threat presents significant risks we would all like to avoid. Unfortunately the debate has advanced little from this well established point. I propose we continue the discussion by exploring ways in which hacking back can be legalized responsibly. To this end I argue that stopping piracy in the age of sail shared a number of the same problems we face stopping cyber attackers. This also presents a framework with which to allow responsible hacking back: that of the Admiralty Prize Courts. Prize Courts served as adjudicators to the legitimacy of capturing pirates, and held illegitimate attackers responsible for their misdeeds. This system limited who was legally allowed to attack pirates, held control over the viable targets, and controlled the incentives for pirate hunting. I will argue this is a system we can emulate to regulate hacking back.


Kyle Shattuck & Kyle Eaton

The Credentials in the High Castle
Account takeover (ATO) incidents can be obfuscated from an analyst in a magnitude of ways. Analysts will learn a number of ways to detect and respond to these ATO events. The analysts will be taken through reactive and proactive ATO activity, as well as developing and validating patterns to detect this traffic. Blocking methods are also important considerations we will cover. We will go through three simulated ATO attack scenarios to express this process. It is important to have knowledge of what legitimate traffic should look like, for an analyst to respond appropriately. This will not cover the setup of appropriate logs or focus on a particular tool.


Keith Wilson

Defending The De-funded
There is a cyber poverty mark that plagues the Cyber Security Industry. The global 2000 have budgets that allow them to build strong defenses, hire large teams, and perform full and complete investigations. In this talk, we discuss what can be done if your cyber security budget has been cut, or is extremely limited. We will discuss solutions, metrics, and questions to ask your vendors to make sure you are getting the most out of every dollar your department has been allocated.


Swaroop Yermalkar

Practical Exploitation of IoT Devices over Software Defined Radio and ZigBee
With the arrival of new smart devices every day, the Internet of Things is one of the most upcoming trends in technology. Most of these devices have a component to communicate over wireless. This paper will start with implementations of ZigBee (802.15.4), SDR (Software Defined Radio) and then will cover a practical approach for identifying attack surface and exploiting IoT Devices over SDR and ZigBee. This paper will cover ZigBee Sniffing Hardware, SDR Hardware – RTL SDR, HackRF, Radio Frequencies Basic, ZigBee Profiles, ZigBee Security with IoT devices Practical Exploitation and also a walkthrough of Audacity, GNU Radio.


Andrew Brandt

You Got Your SQL Attacks In My Honeypot
Among the many automated attacks that target the honeypots hosted on my lab network, one of the most interesting in recent memory is also, now, among the most frequent: An automated, Mirai-like attempt to worm malware onto what the attackers clearly think is a Microsoft SQL server, using SQL commands in the tabular data stream (TDS) format. The attacks employ easily-readable commands, some of which have been encoded into base64 to be used as stored procedures for, one might presume, more efficient attack delivery.

In this session, attendees will get a detailed walkthrough of the attack methods in use by the operator(s) of this campaign, including but not limited to analysis of malware the attacker attempts to deliver to a victim server. The attacker(s) appear to be using this method to infect server-grade hardware with a variety of malware including RATs and ransomware. The attackers also employ a number of dead-drop servers of their own, used for hosting malware payloads, and appear to validate connections to ensure the requests for the malware originate from a server and not from an analyst — but we’ve managed to get around that, too. Attendees will also learn what we’re able to determine about the network addresses from which the attacks appear to originate, using Symantec+Blue Coat’s network reputation data.


Zac Brown

Hidden Treasure: Detecting Intrusions with ETW
Today, defenders consume the Windows Event Log to detect intrusions. While useful, audit logs don’t capture the full range of data needed for detection and response. ETW (Event Tracing for Windows) is an additional source of events that defenders can leverage to make post-breach activity more visible in Windows.

ETW provides a rich set of data, largely intended for debugging scenarios. As a side effect, these traces also have data that is ideal for detecting potentially malicious behavior, such as raw networking data and detailed PowerShell data. Unfortunately, the ETW API is low level and primitive, making it difficult to use at scale reliably. Because our security team in Office 365 supports monitoring over 150,000 machines, we needed a reliable way to consume the events in real-time, while adhering to strict memory and CPU usage constraints. To accomplish this, our team built the open-source krabsetw library to simplify dynamically consuming ETW events. We currently use this library to collect 6.5TB of data per day, from our service.

In this talk, we’ll discuss a few ETW sources we’ve found to be high value as well as the detections they enable. We’ll also demo a few examples of using krabsetw to consume them as well as share some strategies for scaling ETW monitoring.


Ernest “Cozy Panda” Wong

A GRReat New Way of Thinking about Innovating for Cyber Defense (and even Cyber Offense)
Since the origins of the Republic, the American people have shown a strong speculative knack that lead to novel ideas for tackling tough problems. From the first American colonists who made do with limited resources, to NASA astronauts who boldly explored space with minimal supplies in order to break free of gravity, Americans have a proud history of advancing new and effective ways of getting the job done. However, the Internet’s rapid growth has meant that the tools for operating in cyberspace are constantly changing. In such a fluid environment, does America still have the capacity to gain the advantages necessary to out-hack those who attack us in the cyber domain? This talk analyzes what innovation really means and highlights differences between disruptive, breakthrough, sustaining, and incremental innovations. Through this straight-forward yet impactful framework, we gain tremendous insights that help to progress how our nation can develop more effective cyber tools for the defense (as well as the offense, but you didn’t officially hear that from me).


Jerod Brennen

Stealing Domain Admin (or How I Learned to Stop Worrying and Love the CSSF)
With global information security spending rapidly approaching $100 billion, you’d think we’d have a pretty good handle on preventing data breaches by now. However, considering that nearly 1 billion records have been exposed in the 5000+ data breaches publicly disclosed since 2005, you’re probably asking yourself the same question as security and risk management professionals all over the world: How does this keep happening? This presentation will walk you through a penetration tester’s process, step-by-step, as the tester goes from unauthorized outsider to domain admin (without being detected). More importantly, we’ll discuss the fundamental security controls that will shut down attackers time and again.


Shannon Fritz

An Employee, their Laptop and a Hacker walk into a Bar
If one of your company laptops were lost, what might an attacker be able to do with it? In this string of live hacking demos, we begin as an attacker who has no user account credentials and demonstrate how to hack into the warm juicy center of the corporate domain and then STEAL ALL THE THINGS. Learn some easy parlor trick hacks that really work, and more than a dozen ways to protect your organization from them.


Chris J

Threat Intelligence: Zero to Basics in presentation
This is an audience participation talk, on going from having DFIR with no Threat Intelligence to building a basic threat intelligence program. The majority of the data needed to start a Threat Intelligence program is probably already being captured by the DFIR program, and this talk is about taking that data, putting context around it to make it information, and then make that into something actionable (intelligence).

Attendees of this talk should be able to go back to the office after the conference and enhance their IR programs with Threat Intelligence. The presentation will show what Threat Intelligence is and how to collect the data from their own networks. The talk will cover why the majority of Threat Intelligence shouldn’t be paid for until later in the program, while discussing the few things that should be paid for at the start.

In parts of the talk Attendees will help pick the data points to capture, and work through the Alternative Competing Hypotheses to figure out the most likely reason for the event / incident.


Ray Davidson

National Guard for Cyber? How about a Volunteer Cyber Department?
Increased public awareness of “hacking” activities has led to an increase in calls for organized response, some of which have better intentions than understanding. The devil is always in the details. For the past 3 years, the State of Michigan has been cultivating a community of information security professionals and developing a team of volunteers to respond in the event of a cyber emergency.

We have identified and addressed (sometimes multiple times, with varying degrees of success) issues including sponsorship, leadership, authorization, legislative and budgetary support, the makeup of stakeholder and customer groups, and other bedevilments.
Other state governments are now reaching out to learn from Michigan’s experience. Some will undoubtedly create similar efforts in their own regions, potentially led by those who understand the importance of cyberdefense, without understanding cyberdefense itself. This presentation is an attempt to share our experience with practitioners and subject matter experts, so that when the organizers come calling, the practitioners will be equipped to contribute to the effort in the most effective way possible.

Attendees will leave with detailed awareness of some of the pain points of a formal cyber volunteer organization, and some specific knowledge to bring to the table, when it is set.

*Speakers are subject to change with little or no notice