October 25-28, 2017!! We’re going to have so much fun! Hopefully you can join us!

Tuesday, October 24
 

16:00

Class Registration
If you're taking a class on Wed-Thurs, this is your registration.

Tuesday October 24, 2017 16:00 - 18:00
Foyer
 
Wednesday, October 25
 

07:00

Class Registration
We'd like to try and get you all registered on Tuesday evening, but if you get in too late, no worries!

Wednesday October 25, 2017 07:00 - 08:00
Foyer

08:00

Class Day 1
If you registered for one of the training classes, they start on Wednesday.

Wednesday October 25, 2017 08:00 - 17:00
TBA
 
Thursday, October 26
 

08:00

Class Day 2
If you registered to take a class, this will be the second day.

Thursday October 26, 2017 08:00 - 17:00
TBA

16:00

Registration
Thursday October 26, 2017 16:00 - 20:30
Foyer

18:00

Speaker Dinner - Speakers only
Thursday October 26, 2017 18:00 - 20:00
TBA

19:00

Welcome Party - ALL! - sponsored by Black Hills Business Development Center
Join us post registration for a preview of the labs, hacker trivia, slide roulette, snacks and cash bar! A big thanks to the Black Hills Business Development Center for providing the snacks!

Thursday October 26, 2017 19:00 - 21:00
TBA
 
Friday, October 27
 

07:00

Registration
Friday October 27, 2017 07:00 - 08:00
Foyer

08:30

Welcome & Opening Remarks
Friday October 27, 2017 08:30 - 08:50
Pine Crest A

09:00

Morphing to Legitimate Behavior Attack Patterns

Let's face it, the industry is getting better at detection. Not everyone, but it's getting there. Companies are focusing on getting logs from their endpoints and looking for abnormal patterns of behavior. As attackers, our tactics have been shifting over time to become more compliant with standard protocols and behavior. This has implications on how we test, length of engagements, and the level of effort to attack. It’s not as easy as it once was (with many exceptions), but as defense grows, our capabilities as attackers have to grow as well.

This talk will dive into what I'm seeing out there as far as detection capabilities, and how to get around them. Let’s take a dive into multiple detection and preventive capabilities and how to circumvent them without getting detected. As the offense, we can't rely on hoping for multicast to DA every time. The times are changing, our skills need to match that appropriately.


Speakers
Dave Kennedy

Trusted Sec
David Kennedy is the founder of TrustedSec, Binary Defense Systems, and DerbyCon. TrustedSec and Binary Defense are focused on the betterment of the security industry from an offense and a defensive perspective. David also serves on the board of directors for the ISC2 organization. David was the former CSO for Diebold Incorporated where he ran the entire INFOSEC...


Friday October 27, 2017 09:00 - 09:45
Pine Crest A

09:00

Capture the Flag
Friday October 27, 2017 09:00 - 17:00
TBA

09:00

Hacking Labs
Friday October 27, 2017 09:00 - 17:00
TBA

09:50

Open Source Pentesting

How many different types of pentest / “red team assessments” / “adversarial assessments” are there? EVERYONE pitches, sells, and performs them differently. How is a company supposed to gauge effectiveness of a program of these tests? In this talk, I will not only be talking through my list of tests, but open sourcing all of the documents to support it right here at WWHF 2017. I hope that we might start to standardize penetration tests, even if it’s at a broad level. As well as give new firms and pentest 1099s a framework to start with. Want to get a sneak peek, game for providing feedback? DM me on Twitter for the link to the docs. Have a question before or during the talk? Go to slido.com and join #OSPT starting Oct 24.


Speakers
Rob Fuller

Rob has over 11 years of experience covering all facets of information security. He has been behind the lines helping to design, build, and defend the US Marine Corps, US Senate, and Pentagon networks - as well as performing penetration tests and Red Team assessments against those same networks. More recently, Rob has performed numerous successful Red Team assessments against commercial Fortune 50 companies representing some of the best defensive teams in the...


Friday October 27, 2017 09:50 - 10:35
Pinecrest B

09:50

Vapor Trail - Data Exfiltration via Faraday's Law & Ponies
As red team members and even "evil attackers", we've been finding numerous ways to exfiltrate data from networks with inexpensive hardware: ethernet, WiFi and cellular (2G, 3G, and LTE). The first two are highly detectable, while the latter is expensive and both leave a paper trail. We found a way to use a medium that is right under everybody's nose; low power, broadcast FM radio. With a Raspberry Pi and a length of wire, we can send text and raw binary data with a method nobody (until now) would think to look for. We receive the data with an RTL-SDR, putting our overall hardware budget at $20.

In this talk, we will show you how to build and use this system. We'll share tales of the custom software and transmission protocols. You want to see it in action? We've got demos. You want the software? Yep, you can have that too. We're excited to offer Vapor Trail to you, the first FM radio data exfiltration tool. Sure, HAM radio folks have had digital modes for years, but we've done better AND cheaper. We've effectively created our own RF digital mode for pwnage, HAM radio data transfer, and redundant communication methods.

Why? Because we can. We want to go undetected with current capabilities. Turns out, our approach is quite novel for pulling data right from a network via Pcaps or tool output.

Speakers
Larry Pesce

Director of Research, Senior Managing Consultant, InGuardians
Larry is a Senior Security Analyst with InGuardians after a long stint in security and disaster recovery in healthcare, performing penetration testing, wireless assessments, and hardware hacking. He also diverts a significant portion of his attention co-hosting the Paul's Securit...


Friday October 27, 2017 09:50 - 10:35
Pine Crest A

10:40

A Google Event You Won't Forget

As more businesses migrate their employee email and data into collaborative cloud platforms, default configurations, even in a secured environment, could leave them susceptible to attacks. While these platforms create a centralized way to collaborate, manage access and view the world from a single pane of glass -- they also create unique attack paths that attackers can leverage using built-in APIs.

In this presentation, we will explore an innovative approach to red teaming organizations that use Google Suite as their main cloud provider. We will walk through leveraging features to inject calendar events, phishing credentials, capturing 2-factor tokens, backdooring accounts and finally pilfering secrets. Techniques presented will also be incorporated and released as modules within MailSniper.


Speakers
Beau Bullock

Security Analyst, Black Hills Information Security
Beau Bullock is a Senior Security Analyst at Black Hills Information Security. Prior to joining BHIS, Beau's primary role has been implementing security controls to protect information and network assets. He has held information security positions in the financial and health indu...

Mike Felch

Black Hills Information Security
Michael began his career in 1997 as a Linux Administrator which eventually led to numerous offensive security roles, software development and hardware/software security research. Michael is also a lead forensics instructor for TeelTech, an Officer for OWASP Orlando (Chief Breaker...


Friday October 27, 2017 10:40 - 11:25
Pinecrest B

10:40

Certification? College?: How do you get into Cybersec really?
Doug White talks about College options, Certifications, and what you need to do to break into the Cybersec field.  How to start and move your career if you want to make a living, legally.

Speakers
Doug White

Chair of the Dept of Cybersecurity & Networking, Roger Williams University
Doug White holds a PhD in Computer Information Systems and Quantitative Analysis from the University of Arkansas and an M.B.A. from Western Kentucky University. Dr. White also holds certifications in Digital Forensics, CyberSecurity, and Cisco Networking. Dr. White has more than 30 publications in the Cybersecurity field in his career which spans 3 decades. Currently, he serves as the Chair of the Department of Cybersecurity and Networking at Roger Williams University in Bristol, RI. Dr. White has served on the Core Team of the Rhode Island Joint Cyber Task Force and the...


Friday October 27, 2017 10:40 - 11:25
Pine Crest A

11:30

0wning the network with CrackMapExec v4.0
Ever needed to pentest a network with 10 gazillion hosts with a very limited time frame? Ever wanted to Mimikatz entire subnets? How about shelling entire subnets? How about dumping SAM hashes? Share spidering? Keeping track of all the credentials you pillaged? (The list goes on!) And doing all of this in the stealthiest way possible? Look no further than CrackMapExec! CrackMapExec (a.k.a. CME) is a modular post-exploitation tool written in Python that helps automate assessing the security of *large* Active Directory networks. Built with stealth in mind, CME follows the concept of "Living off the Land": abusing built-in Active Directory features/protocols to achieve its functionality and allowing it to evade most endpoint protection, IDS and IPS solutions. Although meant to be used primarily for offensive purposes, CME can be used by blue teams as well to assess account privileges, find misconfigurations and simulate attack scenarios. In this demo-heavy talk, I will be showing off v4.0, a major update to the tool bringing more features and capabilities than ever before! Additionally, we will be taking a deep dive into the internals of the tool itself to understand what makes it 'tick', how to properly defend against it and how to customize it to your needs! If you are interested in the latest and greatest Active Directory attacks/techniques, weaponizing them at scale and general cool AD stuff, this is the talk for you!

Speakers
Marcello Salvati

Security Consultant
Marcello Salvati (@byt3bl33d3r) is a security consultant who's really good at writing bios. He's so good at writing bios that he was awarded the 'The Best Bio Ever from *insert date when bios became a thing* to 2017' award. (Totally legit award. Don't Google it, Bing it). His bos...


Friday October 27, 2017 11:30 - 12:15
Pine Crest A

11:30

Domain Password Audit Tool
Live demo and more information on the tool I wrote to generate password usage statistics in a Windows domain. This tool is useful to penetration testers and security professionals who have the ability to dump password hashes from a Windows domain controller. The Domain Password Audit Tool (DPAT) is a python script that will generate an interactive HTML report to help you understand password use in an environment and identify issues. https://github.com/clr2of8/DPAT

Speakers
Carrie Roberts

Sr Red Team Engineer, Walmart


Friday October 27, 2017 11:30 - 12:15
Pinecrest B

12:15

LUNCH - sponsored by BHIS
Provided for all attendees by Black Hills Information Security

Friday October 27, 2017 12:15 - 13:30
Foyer

13:30

Extending BloodHound for Red Teamers
BloodHound has changed how red and blue teams approach risk in Active Directory environments. The interface is slick, the install is painless enough considering the dependencies, and the pre-built analytics deliver actionable intelligence. However, BloodHound isn’t just another fire & forget tool, it’s a platform for users to build on. The foundational elements – a reliable backend, a means for ingesting, querying, and displaying data – are already taken care of. The piping is in place for users to extend the already-great features and tailor it to their specific job function or workflow.

This talk will cover how I’ve adapted BloodHound to enhance my workflow as a penetration tester. I’ll demonstrate custom extensions used to track and visualize compromised nodes, highlight privilege gains, represent password reuse between users or computers, blacklist unwanted nodes and relationships, and more. Folks who attend this talk will gain a solid understanding of BloodHound’s underlying Neo4j data structures, as well as how to write Cypher queries in order to build their own BloodHound customizations.

Speakers
Tom Porter

Sr. Security Consultant, FusionX
Tom (@porterhau5) is a red teamer by trade, however his roots are on the blue team writing netflow analytics and providing network situational awareness. Tom holds a handful of certifications from SANS, as well as degrees in Mathematics and CS. When there's not a baseball game ne...


Friday October 27, 2017 13:30 - 14:15
Pine Crest A

13:30

The Art of the Jedi Mind Trick
The hacker/security community continues to struggle with how to get our message across to others. We know what's wrong, what's insecure, and what needs to be done to fix the problems. BUT...we seem to hear more stories about failure rather than success stories. Maybe WE are part of the problem. It's easy to give a talk at a conference where you're "preaching to the choir" and everyone speaks your language, but how do you fare when you are trying to give the message to your boss, or your bosses' boss, or C-Level management? This talk explores a variety of techniques that I’ve learned over my 20+ years of consulting/advising customers about how to get the right message to the right people so real change happens. I'll explore obstacles, attitudes, and challenges that I've faced in hundreds of companies; practical methods for getting your point across; helping others to understand what you are saying; learning to speak their language; and helping them to draw the desired conclusion. This is part art, part science, and maybe a little luck - but I believe there are skills you can learn that will make you a successful communicator and get your message heard.

Speakers
Jeff Man

Respected Information Security expert, advisor, evangelist, mentor, and co-host on Paul's Security Weekly. Over 34 years of experience working in all aspects of computer, network, and information security, including risk management, vulnerability analysis, compliance assessment...


Friday October 27, 2017 13:30 - 14:15
Pinecrest B

14:20

Security Theme Parks: You Must Be This Tall to Ride the Internet
In this presentation, I'll be walking attendees through some of the primary attacks causing breaches today. I will discuss what the attacks are, how they happen and what organizations and employees can do to prevent them. This presentation is designed to discuss the breaches based on real-world examples and provide actionable solutions.

Speakers
Kevin Johnson

CEO, Secure Ideas
Kevin Johnson is the Chief Executive Officer of Secure Ideas. Kevin has a long history in the IT field including system administration, network architecture and application development. He has been involved in building incident response and forensic teams, architecting security s...


Friday October 27, 2017 14:20 - 15:05
Pine Crest A

14:20

Windows Operating System Archaeology
The modern Windows Operating System carries with it an incredible amount of legacy code. The Component Object Model (COM) has left a lasting impact on Windows. This technology is far from dead as it continues to be the foundation for many aspects of the Windows Operating System. You can find hundreds of COM Classes defined by CLSID (COM Class Identifiers). Do you know what they do? This talk seeks to expose tactics long forgotten by the modern defender. We seek to bring to light artifacts in the Windows OS that can be used for persistence and privilege escalation. We will present novel persistence techniques using only the registry and COM Objects.

Speakers
Matt Nelson

Security Researcher
Matt Nelson (@enigma0x3) is a red teamer and security researcher. After spending time as a system administrator, he brings a passion for researching and pushing new offensive and defensive techniques into the security industry. Blog: enigma0x3.net

Casey Smith

Casey Smith (@subtee) has a passion for understanding and testing the limits of defensive systems.


Friday October 27, 2017 14:20 - 15:05
Pinecrest B

15:10

I'll Let Myself In: Tactics of Physical Pen Testers
Many organizations are accustomed to being scared at the results of their network scans and digital penetration tests, but seldom do these tests yield outright "surprise" across an entire enterprise. Some servers are unpatched, some software is vulnerable, and networks are often not properly segmented. No huge shocks there. As head of a Physical Penetration team, however, my deliverable day tends to be quite different. With faces agog, executives routinely watch me describe (or show video) of their doors and cabinets popping open in seconds. This presentation will highlight some of the most exciting and shocking methods by which my team and I routinely let ourselves in on physical jobs.

Speakers
Deviant Ollam

The CORE Group
While paying the bills as a security auditor and penetration testing consultant with The CORE Group, Deviant Ollam is also a member of the Board of Directors of the US division of TOOOL, The Open Organisation Of Lockpickers. His books Practical Lock Picking and Keys to the...


Friday October 27, 2017 15:10 - 15:55
Pine Crest A

15:10

Monitoring and Incident Response on a Shoestring Budget
As pen testers, we are familiar with the techniques used to attack an environment. Knowing these techniques informs us with respect to various methods of potential detection. In fact, we are often asked by our clients what they could have done to detect the methods we used to successfully compromise their environment. There are so many great community projects out there that allow defenders to assemble their own toolkit for tactical and focused environment monitoring. If you follow the Black Hills blogs, webcasts, and tool releases you know that we tend to not neglect the network defenders in the community and cover these tools and how to implement them. That's because we know that while offense can be flashy and fun, defense wins the game. In this updated talk, we will cover a continuing evolution of how you can use free and open source tools to help detect potential attackers in your network.

Speakers
Derek Banks

Security Analyst, Black Hills Information Security
Derek Banks is a Security Analyst for Black Hills Information Security and has over 20 years of experience in the IT industry as a systems administrator for multiple operating system platforms, monitoring and defending enterprise systems from potential intruders, vulnerability an...

Joff Thyer

Security Analyst, Black Hills Information Security
Joff has over 15 years of experience in the IT industry in roles such as enterprise network architect and network security defender. He has experience with intrusion detection and prevention systems, penetration testing, engineering network infrastructure defense, and software de...


Friday October 27, 2017 15:10 - 15:55
Pinecrest B

16:00

Peakaboo - I own you: Owning hundreds of thousands of devices with a broken HTTP packet
Imagine that you've purchased a small, cheap IP security camera to feel just a little better with your own physical security. Now imagine that the people who designed that camera know nothing about secure programming, security or programming at all. Imagine that your precious camera can be hijacked into a botnet with only one broken HTTP packet. Now stop imagining. At the end of 2016, my fellow researcher Yoav Orot and I published our research paper about hundreds of thousands of white labeled IP security cameras being vulnerable to a simple attack that allows an attacker to gain complete control of the camera, including code execution as root without any ability to patch. Our research was published in dozens of websites and was even covered by security blogger Brian Krebs. We did not publish any technical details yet since we had to wait for the vendor's answer. This talk will dive deeply into the product, our research process and into the vulnerabilities themselves. I will walk through all of the steps in our research (from hardware hacking to firmware dumping and just plain old reversing) and demo the exploits and explain, step by step, where the developers went wrong, what could have been done to avoid this situation and why this problem is so severe. There will be root shells, there will be exploits, there will be tears. Attendees of this talk will leave with some insights about IoT security and embedded device hacking.

Speakers
Amit Serper

Principal Security Researcher, Cybereason
Amit leads the security research at Cybereason's Boston HQ. He specializes in low-level, vulnerability and kernel research, malware analysis and reverse engineering on Windows, Linux and macOS. He also has extensive experience researching, reverse engineering, and exploiting IoT...


Friday October 27, 2017 16:00 - 16:45
Pinecrest B

16:00

Programming with Google
An introduction to programming for those with no experience. Covers some really basic concepts then goes interactive and builds a script to help with a pen-test challenge.

Speakers
Robin Wood

Hacker, coder, climber. Co-founder of UK conference SteelCon, freelance tester, author of many tools. Always trying to learn new things.


Friday October 27, 2017 16:00 - 16:45
Pine Crest A

17:00

Dinner - early registrants only
If you got your WWHF tickets before 8/18 you are on the list for this event.

Friday October 27, 2017 17:00 - 20:00
TBA

20:30

DUAL CORE! (with open mic pre show incl John Strand, Joff Thyer, Mike Poor & Beau Bullock)
This event is open to all! Missed the dinner? Eat dinner anywhere in Deadwood, and then come on over! Location to be announced - but will be in downtown.

Friday October 27, 2017 20:30 - 23:30
TBA
 
Saturday, October 28
 

06:00

Run with Staff - ALL!
Saturday October 28, 2017 06:00 - 07:00
Foyer

09:00

Sun Tzu and the IoT of War
TLDR: “In the midst of chaos, there is also opportunity” Applying the strategies and precepts of this ancient treatise on bellicose arts to the attack and defense of Internet of Things. Using examples from recent InGuardians work, we will look at some of the most common ways to exploit IOT devices and what we suggest can be done to raise the bar in their defense.

Speakers
Mike Poor

Wartime Consiglieri, InGuardians
Mike is a founder and senior security analyst for the DC firm InGuardians, Inc. In the past he has worked for Sourcefire as a research engineer and for SANS leading their intrusion analysis team. As a consultant, Mike conducts incident response, breach analysis, penetration tests...


Saturday October 28, 2017 09:00 - 09:45
Pine Crest A

09:00

Capture the Flag
Saturday October 28, 2017 09:00 - 15:00
TBA

09:00

Hacking Labs
Saturday October 28, 2017 09:00 - 15:00
TBA

09:50

Bitcoin At The Gates: Cybersecurity & The Coming Global Financial Revolution
Fiat currencies around the world are beginning to transition to a purely digital form. Venezuela just killed the 100 bolivar note, India removed the 2000 and 4000 rupee notes, and the EU just removed the 500 euro note.  With a purely digital fiat currency, governments expect to expose black market monetary stockpiles, increase the number of participants in the banking system, and improve fiscal efficiency.  But there is also a juggernaut preparing to assault financial institutions: cryptocurrencies.  Money is flowing freely, with no capital controls, and the metadata surrounding financial transactions is more valuable than the money itself--yet often poorly secured.  It does not really matter if bitcoin is a fad or if the Hyperledger project can live up to its promise: blockchains are a disrupting technology and they will destroy established business models.  It is very likely the Bretton Woods economic system as we know it will transform before our eyes in the next few years.

This all poses a huge security risk as fintech businesses can no longer be secured in the way a traditional bank was, with locks, vaults, and stern guards.  The digitalization and outsourcing of digital processes in the financial world transforms IT companies handling these assets and processes into new forms of banks themselves.  We’ll discuss how the collision of infosec and finance is leading to a redefinition of what money itself means to governments and to you.

Speakers
Tarah Wheeler

Born in a log cabin on the prairie to a ___ and an itinerant ___, Tarah Wheeler had a humble upbringing of fighting the status quo, sticking it to the man, and shooting prairie dogs because they’re good eatin’. An emeritus member of the Order of the Orange Badge, Tarah has founded or been in the first 10 employees of many successful companies, mostly because she hates filling out job...


Saturday October 28, 2017 09:50 - 10:35
Pinecrest B

09:50

Honey, Please Don’t Burn Down Your Office: Further Adventures in IoT and Office Automation
In the last 12 months, Ed Skoudis has been on a tear adding new automation features to his office. Some are practical, others are whimsical and weird. All of them provided valuable learning opportunities that Ed would love to share. This talk will describe some of the new technologies he’s been experimenting with and the lessons he’s learned, including:

- Alexa versus Siri: Development tips for each environment and how to make them work together
- Amazon Voice Services: High-quality, real-time, cloud-based voice synthesis for free
- The Raspberry Pi Zero as a development platform
- The Intel NUC as a development platform
- Integrating animatronic toys into your ecosystem: How creepy is too creepy?
- Do’s and don’ts of home Tesla coils, Geissler tubes, and other high-voltage apparatus
- Tips for keeping your mind fresh with new dev projects
- Security implications of all of this stuff
- Where is this all headed?  When does Skynet reveal its big plan?

This lively talk will cover a lot of ground, but also include specific, practical advice for keeping your technical skills sharp while having fun.

Speakers
Ed Skoudis

Counter Hack
Ed Skoudis has taught cyber incident response and advanced penetration testing techniques to more than 12,000 cyber security professionals. He is a SANS Faculty Fellow and the lead for the SANS Penetration Testing Curriculum. His courses distil the essence of real-world, front-line...


Saturday October 28, 2017 09:50 - 10:35
Pine Crest A

10:40

492063616E207374696C6C2073656520796F7521
Everything leaves footprints on the network, whether it’s a frontal assault on an Internet-facing SMB, or a lateral move living off the land with harvested creds. The Red Team only has the advantage up until the window breaks (I heard that!). Once you are in my house, I have the advantage (I know that squeaky floorboard!). Here’s what it looks like when you think you can steal my TV. And in Montana (Deadwood too?) we are armed…

Speakers
Jonathan Ham

Principal Security Consultant, jham corp.
Jonathan is an independent consultant who specializes in large-scale enterprise security issues, and a Certified SANS Instructor and published author. He has helped his clients achieve greater success for over 20 years, advising in both the public and private sectors, from small...


Saturday October 28, 2017 10:40 - 11:25
Pinecrest B

10:40

Authenticated Code Execution by Design
The most effective way to gain and maintain access to computers on a network is by using passwords to login to existing administrative services. Logging into existing services has several clear advantages over exploitation. There is no unusual traffic on the network for those pesky IDS and next-gen firewalls to meddle with -- it looks just like normal user activity. With many administrative services, you get encryption for free as well, making it even harder for those network devices to cause you grief. There are often no new files on victim machines to draw the suspicions of nosy incident responders.

Despite these services holding the keys to the kingdom, or perhaps because they do, they are ubiquitous. Every single network of any size will have some or even many of them. As a penetration tester, you want to own these things. As an administrator, you want to lock them down and watch them like a hawk.

In this talk I will discuss some of my favorite Authenticated RCE by Design services and how to use them for nefarious purposes.

Speakers
James Lee

Black Hills Information Security
James Lee, better known as egypt is a vocal advocate for open source and strongly believes that open source security tools are vital to the future of the internet. Note that egypt is not Egypt. The two can be distinguished easily by their relative beards -- Egypt has millions...


Saturday October 28, 2017 10:40 - 11:25
Pine Crest A

11:30

Building a Successful Internal Adversarial Simulation Team
The evolution chain in security testing is fundamentally broken due to a lack of understanding, reduction of scope, and a reliance on vulnerability “whack a mole.” To help break the barriers of the common security program we are going to have to divorce ourselves from the metrics of vulnerability statistics and Pavlovian risk color charts and really get to work on how our security programs perform during a REAL event. To do so, we must create an entirely new set of metrics, tests, procedures, implementations and repeatable process. It is extremely rare that a vulnerability causes a direct risk to an environment, it is usually what the attacker DOES with the access gained that matters. In this talk, we will discuss the way that Internal and external teams have been created to simulate a REAL WORLD attack and work hand in hand with the Defensive teams to measure the environment's resistance to the attacks. We will demonstrate attacks, capabilities, TTP’s tracking, trending, positive metrics, hunt integration and most of all we will lay out a roadmap to STOP this nonsense of Red vs BLUE and realize that we are all on the same team. Sparring and training every day to be ready for the fight when it comes to us. This is an update to our 2016 Brucon talk. We plan to discuss what we have accomplished regarding the above in the last year. We plan to show how we have progressed with the automation of attacker activities and event generation using MITRE’s Cyber Analytics Repository & CAR Exploration Tool (CARET) along with pumping these results to Unfetter (https://iadgov.github.io/unfetter/) for aggregation and display in a useful format.

Speakers

Chris Gates

Sr Security Engineer, Uber
Chris joined Uber in 2016 as a Sr Security Engineer. Chris has extensive experience in network and web application penetration testing as well as other Information Operations experience working as an operator for a DoD Red Team and other Full Scope penetration testing teams (regu...

Christopher Nickerson

Lares Consulting
Certified Information Systems Security Professional (CISSP) whose main area of expertise is focused on Information security and Social Engineering in order to help companies better defend and protect their critical data and key information systems. He has created a blended method...


Saturday October 28, 2017 11:30 - 12:15
Pine Crest A

11:30

Red Team Techniques for Evading, Bypassing, and Disabling MS Advanced Threat Protection and Advanced Threat Analytics

"Windows Defender Advanced Threat Protection is now available for all Blue Teams to utilize within Windows 10 Enterprise and Server 2012/16, which includes detection of post breach tools, tactics and techniques commonly used by Red Teams, as well as behavior analytics. Combined with Microsoft Advanced Threat Analytics for user behavior analytics across the Domain, Red Teamers will soon face a significantly more challenging time maintaining stealth while performing internal recon, lateral movement, and privilege escalation in Windows 10/Active Directory environments.

 

This talk highlights challenges to red teams posed by Microsoft's new tools based on common hacking tools/techniques, and covers techniques which can be used to bypass, disable, or avoid high severity alerts within Windows Defender ATP and Microsoft ATA, as well as TTP used against mature organizations that may have additional controls in place such as Event Log Forwarding and Sysmon."


Speakers

Chris Thompson

Red Team Ops Lead, IBM X-Force Red
Chris is Red Team Operations Lead at IBM X-Force Red. He has extensive experience performing penetration testing and red teaming for clients in a wide variety of industries. He's led red teaming operations against defense contractors and some of North America’s largest banks...


Saturday October 28, 2017 11:30 - 12:15
Pinecrest B

12:15

LUNCH - sponsored by BHIS
Provided for all attendees by Black Hills Information Security

Saturday October 28, 2017 12:15 - 13:30
Foyer

12:30

Sponsored Talk: Secure Set Academy
In this talk, Ajay Menendez reveals how to remedy the CyberSecurity talent gap by overcoming hiring practice pitfalls specific to this industry. Ajay has practical advice for how companies and individuals can conquer inherent industry biases by making staffing decisions which involve both hard and soft skills. Putting his tips into practice means that companies can easily find the right cybersecurity workers to address their 21st Century needs.

Saturday October 28, 2017 12:30 - 13:00
TBA

13:30

What Is the Hacker Community?
I’ve had some interesting adventures in my twenty-or-so years as a professional hacker and INFOSEC dude, and I’ve learned quite a few things about the hacker community. In this talk, I’ll unload some of the stories of my adventures all over the globe and share the valuable insights I’ve gained about what it means to be a hacker and why this community is unique, valuable and worth fighting for.

Speakers

Johnny Long

Hackers for Charity
Johnny Long spent his career as a professional hacker. He is the author of numerous security books including No-Tech Hacking and Google Hacking for Penetration Testers. Johnny spent seven years living in Uganda, East Africa, where he focused on his work with Hackers for Charity...


Saturday October 28, 2017 13:30 - 14:15
Pine Crest A

14:20

Make Email Great Again – Lessons Learned from a Year of Malicious Emails
Email is a large threat vector for many organizations. This is an area that could allow any outside entity to communicate directly with employees. Two of the most common attacks are phishing and malicious content delivery. Phishing is an attempt to capture a victim’s credentials or information that could lead to a system compromise or data leakage. Malicious content delivery, on the other hand, is a way for an attacker to send the victim an email with a malicious email attachment or link that could potentially compromise the victim’s system. In an effort to combat this attack vector, a process was designed to annihilate emails that contained such threats. Emails that get reported are analyzed to determine which contain threats. Emails containing threats are eradicated, whereas benign emails are silently disregarded. The whole process and life cycle of the malicious emails were documented in a way to show the efficiency of the process and are detailed to get a full understanding of this attack vector. The metrics that will be mentioned are from reported malicious emails, which is a good start to understanding how defenses could be implemented or improved against the email threat vector. The talk will emphasize the whole process from emails that get reported, to the analysis, and to the remediation of threats. This talk will also mention the various techniques to prevent compromises from malicious office documents and other dangerous attachments.

Speakers

Nicholas Penning

Security Technology Engineer, BIT SD
Born and raised in Hulett, Wyoming. Dakota State University Graduate (B.S. Computer and Network Security, M.S. Information Assurance [Cyber Security Spec]). Employed at State of South Dakota Bureau of Information and Telecommunications as a Security Technology Engineer. Typical...


Saturday October 28, 2017 14:20 - 15:05
Pinecrest B

14:20

The World is Y0ur$: Geolocation-based Wordlist Generation with Wordsmith
Popular wordlists such as Rockyou and Uniq are great when used with a variety of rules and big hash sets. But what about the hashes that you aren't able to crack? And what about those users with a base word not found in a standard dictionary?

Cue Wordsmith, a tool that creates wordlists that are tailored to the target’s location. We’ve parsed and analyzed several geographic databases to find road names, cities, counties, landmarks, sports teams, and more for regions all around the world. Built using a modular framework and hosted on GitHub, Wordsmith’s database can easily be updated by anyone with a text editor and an interest in geolocation or spatial databases. With data from 249 countries and territories, Wordsmith can bolster typical dictionaries by adding the name of that unique street that a person grew up on, or by appending a region’s postal codes, all so you crack those hard-to-get hashes.

Speakers

Sanjiv Kawa

Sr. Penetration Tester, PSC/NCC Group
I enjoy searching for creative ways to break into restricted networks and applications. I also like to write tools that automate things or make life a little easier. Something I’m trying to get better at is binary analysis and exploit development. When my laptop battery dies...

Tom Porter

Sr. Security Consultant, FusionX
Tom (@porterhau5) is a red teamer by trade, however his roots are on the blue team writing netflow analytics and providing network situational awareness. Tom holds a handful of certifications from SANS, as well as degrees in Mathematics and CS. When there's not a baseball game ne...


Saturday October 28, 2017 14:20 - 15:05
Pine Crest A

15:10

Closing Ceremonies
Closing remarks, awards, and costume contest!

Saturday October 28, 2017 15:10 - 16:00
Pine Crest A