HACKER DOUBLE SUMMER 2022 GUIDES — Part Fourteen: Blue Team Con

DCG 201
27 min read, Aug 27, 2022

Welcome to the DCG 201 guide to Hacker Double Summer! This is part of a series where we are going to cover all the various hacker conventions and shenanigans from the start of July to the end of August, both In Person & Digital! 2022 is a GIGANTIC year for hacker hysteria, with so many events that this will be the most guides we have ever written, with the lucky number 13 as the goal. As more blog posts are uploaded, you will be able to jump through the guide via these links:

HACKER DOUBLE SUMMER — Part One: Surviving Las Vegas, New York & Virtually Anywhere

HACKER DOUBLE SUMMER — Part Two: Capture The Flags & MLH INIT Hackathon

HACKER DOUBLE SUMMER — Part Three: SummerC0n




HACKER DOUBLE SUMMER — Part Seven: Back2Vegas by RingZero

HACKER DOUBLE SUMMER — Part Eight: BSides Las Vegas


HACKER DOUBLE SUMMER — Part Ten: The Diana Initiative



HACKER DOUBLE SUMMER — Part Thirteen: Wiki World’s Fair

HACKER DOUBLE SUMMER — Part Fourteen: Blue Team Con


Blue Team Con 2022

Date & Time: Friday, August 27th (6:00PM) — Sunday, August 28th (4:30 PM)

Location: Fairmont Chicago (200 N Columbus Dr, Chicago, IL 60601)

Website: https://blueteamcon.com/

Tickets: https://blueteamcon.eventbrite.com/

Virtual Platform(s): NONE (In-Person Only)

Schedule: https://btcon.link/Program

Live Streams:


Virtual Chat: NONE

Affordability: Blue Team Con is In-Person only with $200 tickets for normal hackers. There is a $60 discount option for Students but you MUST USE A .EDU ADDRESS OR YOU WILL BE REFUNDED. Children under 18 can get in for FREE with an accompanying adult, and there is a $5 charge for the Child Care area and Hak4Kidz area. (DETAILS BELOW)

Code Of Conduct: https://blueteamcon.com/about/code-of-conduct/

While traveling around the country to various conferences, through a mix of observation, participation, and attendance of many talks it became quite clear a gap within the information security industry currently exists. When it comes to these industry standard conferences and gatherings, the information sharing network for red team and offense research and activities was very mature while those for blue team and defense are lacking.

There are a multitude of industry standard offerings ranging from small regional meetups to the much larger well-known conferences held at summer camp in Las Vegas. These information-sharing networks benefit all teams encompassed within information security but are limited in how much they can benefit defenders of the enterprise. This realization made evident a strong need for a conference specific to blue teams and defense to kickstart the maturation process of information-sharing on this side of the house. Enter Blue Team Con.

The goal of Blue Team Con is to have talks that are almost exclusively focused on sharing information amongst defenders and protectors of organizations. This can span from SOC Analysts through CISOs and across the aisle to auditors and compliance personnel and application developers focusing on security. There are many professionals hard at work struggling to keep up with the vast amount of information in the cybersecurity space. Our goal is to help organize that information in a fun and collaborative way while offering a platform for those that have figured it out to share their knowledge.

The conference audience will include students, professionals, executives, and sales personnel from all over the United States and potentially beyond. We limit the amount of each of these categories of attendees to ensure this conference contains actual information security practitioners that need to benefit from the knowledge-transfer contained within.

We look forward to seeing you at Blue Team Con!

Blue Team Con is an annual cybersecurity conference for individuals interested in cyber security defense. It is a SIG (Special Interest Group) focused convention reminiscent of single-topic gatherings such as Fuzzcon (canceled this year) and PasswordCon (before it was absorbed into BSidesLV); if you love the Blue Team Village at DEF CON 30 you will love this one! We also wanted to highlight this convention as we feel that defense is something that is overlooked in modern digital security, which is creating an entire generation of glass cannons. We feel this is a great way to end Hacker Summer Camp for Double Summer and an end to our guide series!



COVID-19 Safety

Blue Team Con 2022 will require:

– Full vaccination as per CDC guidelines for any authorized ages; and

– Masks will be required to be worn throughout the entire conference at all times, except while eating and drinking or if you are a speaker and are currently presenting.

Last Minute CTF

The Last Minute Capture the Flag [CTF] event is back for another year during Blue Team Con. We’re looking to bring another beginner-friendly CTF competition. As we were happy to announce last time around, this was originally a very last minute thing. This time, not quite so late, but still pretty last minute. However, we aim to continue to provide a fun game via a unique learning experience. As this is being run at Blue Team Con, all of the puzzles and challenges will be related as best we can to defensive cybersecurity topics.

Our goal is to create a somewhat friendly introduction to CTF-style challenges and to be very accessible to users of all skill levels. We have reworked and rebuilt how we want to start the competition in an effort to help show newer CTF players a bit of what we have going on. To this end, the competition requires you to complete two introductory challenges that walk you through some important information and will hopefully help get you into the spirit of the competition. Remember, we want you to learn, we just might not make everything too easy…

However, a big difference that we can impart on this competition compared to other competitions, as we did last year, is that the Last Minute CTF wants to see you document your work and provide write-ups for each of the challenges. This is totally not because we’re doing this at the last minute and don’t want to do it ourselves… However, half of the available points will come directly from these write-ups. While documentation is not something for everyone, it is a highly desirable skill to have and use in any day-to-day operation and who knows, we may even feature your write-up and tell everyone how awesome you did the thing.

CTF Hours:

The competition homepage will go live for player signups (and to allow people early access to complete the introduction) when registration opens on Friday, August 26th, at 6:00pm CDT.

The rest of the challenges and the competition will begin Saturday, August 27th, at 10:30am CDT until Sunday, August 28th, at 1:00pm CDT.

Help and Assistance:

  • Join the Blue Team Con Discord and then the #ctf channel
  • Stop by the CTF Room during Admin Availability Hours* for Assistance
    • Saturday, August 27th: 10:30am to 5:00pm
    • Sunday, August 28th: 10:00am to 1:00pm
  • *These hours are subject to change.


Villages

Villages are individual rooms throughout the conference that provide unique experiences. The villages will run through the entire conference, and most are free to walk in and out of as you like. Ones that are restricted will be listed as such.

Career Village

Saturday from 10:30am to 6:00pm CDT.
Sunday from 10:00am to 12:00pm CDT.

A Career Village that involves hiring managers and business professionals.

Are you starting a new career in cybersecurity? Or maybe you’re looking for a change in scenery or direction? This village is your opportunity to schedule one-on-one insider advice and tips from real recruiters and hiring managers. Seek guidance about what could be your (next) career in cybersecurity. Learn how to effectively highlight your knowledge, experiences, and abilities on your resume. Learn how to prepare for interview settings that employers are utilizing today. Practice your interview skills and get direct feedback so you can feel more confident in your job search.

The signup sheet will be announced at a later date.

Hands-On Village

Saturday from 10:30am to 6:00pm CDT.
Sunday from 10:00am to 3:00pm CDT.

Black Hills Information Security: BHIS will be playing Backdoors & Breaches, an Incident Response Card Game with conference attendees. Backdoors & Breaches contains 52 unique cards to help you conduct incident response tabletop exercises and learn attack tactics, tools, and methods. TRAIN YOUR TEAM OR YOUR STUDENTS… WHILE HAVING FUN! Feel free to read How to Play ahead of time.

CompTIA: CompTIA will have representatives from different internal groups (Community/ISAO, Tech Academy (CTCA), Certifications, etc.) to converse with attendees and show what our industry association can do around cybersecurity for you and your organization. We will also be running games of Jenga themed ‘Cybersecurity is a Team Sport’.

Trimarc: Darryl Baker (@dfirdeferred) is proudly presenting Trimarc’s all new Identity Security Village along with other members of the Trimarc team. We hope AD admins, security professionals, and all interested in AD security will walk away from the village with a deeper understanding of the modern Tactics, Techniques, and Procedures used by attackers, as well as modern defense techniques and configurations to combat these attacks.

Last Minute CTF Room

Open during the entire time (even through the night) of the conference.

Note: CTF Room Admin Availability Hours are* Saturday from 10:30am to 5:00pm and Sunday from 10:00am to 1:00pm.
*These hours are subject to change.

A space dedicated to all things Capture the Flag [CTF]. The Last Minute CTF admins will be available, during competition hours, to assist as appropriate. Some challenges may require a physical presence to obtain flags; this would be a good place to start. Devices will not be provided; you will need to source your own. And no, this is not a flag.

Childcare Village

Village Restricted to Children and Parents Only

Saturday: 7:30am CST to 7:30pm CDT
Sunday: 9:00am CST to 5:30pm CDT

The Childcare Village is a free childcare offering to parents on a first come, first served basis. Seats are limited. The Childcare Village is set up to help watch all children from the ages of 3 through 12 while the parents enjoy the conference or go network with peers.

The vendor College Nannies will be providing this service through Blue Team Con. College Nannies is a registered and insured company. All sitters go through a thorough vetting process including reference checks, a background check, and several in-person interviews. Many of their sitters have extensive experience with group settings, such as camp, daycare, and in the classroom.

NOTE: Any child who is eligible to receive a COVID-19 vaccination is required to have their full vaccination as per CDC guidelines.

NOTE: Childcare Village ticket sales will end in early August to properly account for and plan with College Nannies. Children’s names, ages, and the parent’s email will be shared with College Nannies so that they can provide information in advance. More information will be provided to all ticket holders once Childcare Village ticket sales end.

Hak4Kidz Village

Village Restricted to Children and Parents with a Hak4Kidz’s Ticket Only.

Saturday: 10:00am to 5:00pm CDT

Hak4Kidz operates as a public charity registered with the IRS under 501(c)(3) regulations.

Ethical hackers, information security professionals, and educators will bring the benefits of white hat hacking to the children and young adults at the conference. Hak4Kidz plans to accomplish this mission by putting their collective expertise and passion on display for the attendees to interact with at their will. An open area of stations will enable the attendees to expand and enlighten their technical interests. For innovation to perpetuate, it’s imperative that today’s young users are exposed to the bigger picture of how we got here and to help realize their potential.

Activities for kids will include SpyMath, SnapCircuits, Heal’s Ask Me Anything, and more. If participating, please have kids bring a laptop with Wireshark installed and tested.

Their website can be found at https://www.hak4kidz.com/.


Unconference

Open during the entire time (even through the night) of the conference.

No talks are selected or scheduled before the start of the conference. Once the conference opens, you can sign up for a slot to present. If your amazing talk didn’t get selected by the Blue Team Con CFP committee, this is your chance to present on your topic in a creative way. If you didn’t submit but wished you would have — here you go! If you want to do a fish bowl about knitting — have at it! It’s an Unconference!

Wellness Village

Saturday from 10:30am to 6:00pm CDT.

Sunday from 10:00am to 3:00pm CDT.

The Wellness Village will be run by Mental Health Hackers, a 501(c)(3) organization.

The Mental Health Hackers (MHH) mission is to educate tech professionals about the unique mental health risks faced by those in our field — and often by the people who we share our lives with — and to provide guidance on reducing their effects and better managing the triggering causes. This will be done through numerous talks and speakers conducted within the village during the conference. There will also be fun activities, crafts, coloring, and more to help you reduce stress and take a mental break from the conference activities and attendees.

MHH also aims at providing support services to those who may be susceptible to related mental health issues such as anxiety, depression, social isolation, eating disorders, etc.

Please understand that MHH does not provide counseling or therapy services.

Their website can be found at https://www.mentalhealthhackers.org/.

The following events are taking place at this village:

Saturday: 7:30am to 8:30am CDT
Sunday: 9:00am to 10:00am CDT

The following talks are taking place at this village:

Saturday, August 27th

12:00pm to 1:00pm CDT
“You’re Not Broken…Just Different: Don’t Let Undiagnosed Neurodivergence Ruin Your Life” — Chris Culling

Warnings: Topic includes Substance Abuse, depression, anxiety, ADHD

Have you ever felt that there’s something different as to how your brain works, but you can’t quite put a finger on it? That you excel in some parts of life, but fall behind in others? The type of person drawn to InfoSec seems to include a lot of folks from the neurodivergent side of the tracks. Autism, ADHD, anxiety, depression, dyslexia, Tourette’s, bipolar disorder, and OCD are some of the more common types of neurodivergence. However, many folks are unaware of their own neurodiversity and how to live with it. If left undiagnosed and untreated, it can cause untold harm to them, their families, and their careers. I was undiagnosed…and I fell into addictive behaviors and substance abuse to self-medicate away the pain of not knowing what was different about me. But I found help. And after finding the right medication, along with therapy, I can mostly function these days…and without the substance abuse. This short presentation will explain neurodiversity and show some of the issues that undiagnosed neurodivergents face and how they can be overcome…using my own life as a case study.

1:30pm to 2:30pm CDT
“12-Step Programs — Not Just for Addicts” — Gary Rimar

12-step programs such as Alcoholics Anonymous and Al-Anon have existed for many years. While participation in a 12-step program doesn’t guarantee successful addiction management, many people benefit from these programs and improve their quality of life.

As hackers, we find alternate ways to use tools and methods others create to accomplish our goals. This talk will explain the essence of how 12-step program principles can be applied to the lives of non-addicts for a positive effect, regardless of any belief or disbelief in religion and/or spirituality.

3:00pm to 3:45pm CDT
“Gaslighting and Cognitive Dissonance” — Priscilla Aubrey

Warning: Topic can trigger individuals that have experienced abusive relationships.

Gaslighting is probably one of the most overlooked forms of emotional abuse. It is easy to wave away as an overreaction or misunderstanding. Individuals that rely on gaslighting to control their loved ones count on that reaction. How do you recognize gaslighting and what is it? Does gaslighting have long-term effects? Physical? Mental? Gaslighting is much more than a few harshly placed words in the heat of the moment. Gaslighting is one of the cruelest forms of abuse because the person experiencing the abuse is not even sure if it’s happening. Let’s shed some light on how to detect it and options for countering it.

4:15pm to 5:15pm CDT
“Rebalance every 10,000 miles” — Wolfgang Goerlich

Careers are long. Jobs are short. One day, things are going well and in balance. The next day, there’s twenty hours of work to do. Pull back some and it is more of the same. The first half of the year, things were great. Then change came and chaos reigned and burnout followed. Pull back even further, and the demands of work and life over decades come into sharp relief. This session presents strategies to maintain your mental health over the long haul. Handle imposter syndrome and stress. Know when to stick it out but recognize the signs when it is just not worth it. Fail and recover gracefully. Pulling on personal lessons and anecdotes from mentoring others, the presentation provides a career owner’s manual.


Talk Highlights

This is the section where we comb through the entire list of talks on both days and list our highlights for the talks that stand out to us. Note that this does not invalidate any talks we didn’t list; in fact, we highly recommend you take a look at the full convention schedule beforehand and make up your own talk highlights lists. These are just the talks that for us had something stand out, either by being informative, unique or bizarre. (Sometimes, all three!)

Saturday, August 27th

Blue Team Con 2022 Keynote

The Best Offense is Defense: How Blue Teamers are at the heart of the security movement

Tazin Khan

In order to make change and inspire behavior, we must build movements. And whether we like to believe it or not, what we’re doing in the security industry is building micro movements to influence a better world. The work of a Blue Teamer is very similar to that of someone looking to motivate and inspire change. As a Blue Teamer you must analyze existing systems, ensure security across sectors, conduct forensic investigations and most importantly — communicate to stakeholders on why they should not only care but fund and support the work that the Blue Team does.

This talk will cover:

  • What it takes to inspire change and build movements
  • How Blue Teamers sit at the heart of the cybersecurity industry
  • How to leverage radical candor, compassion and communication skills to get buy in from key stakeholders on defense strategy

Tazin Khan

Founder and CEO, Cyber Collective

As a cybersecurity specialist of 10+ years with a focus on program compliance, third party risk management, and product mapping for Fortune 500 companies, Tazin has an acute understanding of transforming problems into product solutions and translating product benefits into the customer’s environment. This skill-set, paired with firsthand experiences of poverty, racial bias, gaslighting, and the all-too-common formalities that immigrant-American women in tech face, is what inspired her to educate people on the impact of their data and its effect on their real lives.

In 2019, Tazin mobilized her community and founded Cyber Collective in an effort to increase awareness of the importance of digital protection. Today, Cyber Collective is recognized by Forbes as “the only women of color owned and operated community-centered research organization that focuses on data ethics, privacy, and cybersecurity research.” Tazin and her team at Cyber Collective are dedicated to creating approachable and interactive content, workshops, and resource guides for people to educate themselves and learn freely about these topics.

Going Atomic: The Strengths and Weaknesses of a Technique-centric Purple Teaming Approach

Alfie Champion

11:20am to 11:50am

Atomic purple teaming, i.e. testing individual permutations of offensive techniques outside of a scenario-based exercise, offers an approach that can maximise kill chain coverage and provides a means to benchmark a SOC’s detective capability.

Initially, the methodology for atomic testing will be presented, alongside example results from a typical engagement. We’ll evaluate the significant data set that such testing can produce — e.g. which test cases produce telemetry, which produce alerts, which were prevented — and consider its application in informing SOC strategy, demonstrating Return on Investment, and providing insight into general security posture.

This empirical, data-driven approach is invaluable in developing a bottom-up view of our defenses, i.e. understanding how our detection stack fares when faced with the tactics, techniques and procedures of legitimate actors, but it is not a one-stop shop for adversary emulation. As such, this talk will consider the limitations of such an approach, and how other supplementary collaborative testing can offer a more complete view of detective capability.

Hacking (and Defending!) APIs

Robert Wagner

12:30pm to 1:20pm

APIs are a leading attack vector that often get pushed into production without proper security testing. In this presentation we will provide an overview of the OWASP API Security Top 10 vulnerabilities from an adversarial perspective. Then we will discuss how vulnerability management programs often use the wrong tools to test APIs and how to build an effective API security stack.

A VEXing Question: Am I Affected or Not?

Justin Murphy, Dr. Allan Friedman

12:50pm to 1:20pm

With recent events like Log4Shell, more attention is being paid to software security and the underlying components used in developing software. SBOMs (Software Bill of Materials) are a great tool in uncovering vulnerabilities in software components, and aid software providers in becoming fully transparent about the components that comprise their software products. As SBOMs become more widespread, many security advisories released by organizations could contain “false positives,” when the underlying component contains a vulnerability, but that vulnerability is not exploitable. A key idea at the intersection of security advisories and SBOM is the “Vulnerability Exploitability eXchange” (VEX). A VEX allows software providers to explicitly communicate that they are NOT affected by a vulnerability, and software users (e.g., network defenders, developers, and services providers) to reduce effort and resources spent in investigating non-exploitable vulnerabilities that do not affect a product. VEX provides a machine-readable approach to support automation to help software users understand, am I affected or not?

This talk will give a brief overview of the SBOM concept and review the challenge of understanding when a vulnerability actually affects a product. We’ll discuss the implementation of VEX in current standards, highlight future directions, and conclude with a call for participants to get involved.
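The question the abstract poses, “am I affected or not?”, worked through as an added example that is not from the talk or from any SBOM/VEX tool: a Python script joins a constructed SBOM against a constructed vulnerability feed, then applies constructed VEX statements so that findings the supplier marks not_affected with a justification are closed, while under_investigation findings, findings with no statement, and unjustified not_affected claims stay in the analyst queue. The JSON shapes, product, components and CVE-EXAMPLE identifiers are all made up; only the four status values and the not_affected justification labels come from the VEX vocabulary.

```python
import json

# Constructed sample SBOM (a made-up product): what the product ships.
SBOM_JSON = """
{
  "product": {"name": "acme-portal", "version": "2.3.1"},
  "components": [
    {"name": "log4j-core", "version": "2.14.1"},
    {"name": "jackson-databind", "version": "2.12.3"},
    {"name": "openssl", "version": "1.1.1k"}
  ]
}
"""

# Constructed vulnerability feed; the identifiers are placeholders, not real CVE numbers.
VULN_FEED_JSON = """
[
  {"id": "CVE-EXAMPLE-0001", "component": "log4j-core", "versions": ["2.14.0", "2.14.1"]},
  {"id": "CVE-EXAMPLE-0002", "component": "jackson-databind", "versions": ["2.12.3"]},
  {"id": "CVE-EXAMPLE-0003", "component": "openssl", "versions": ["1.1.1k"]},
  {"id": "CVE-EXAMPLE-0004", "component": "openssl", "versions": ["1.0.2"]}
]
"""

# Constructed VEX statements from the supplier. The status values and the not_affected
# justification labels are the VEX vocabulary; the JSON shape around them is simplified.
VEX_JSON = """
[
  {"product": "acme-portal@2.3.1", "vulnerability": "CVE-EXAMPLE-0001",
   "status": "not_affected", "justification": "vulnerable_code_not_in_execute_path"},
  {"product": "acme-portal@2.3.1", "vulnerability": "CVE-EXAMPLE-0002",
   "status": "under_investigation"},
  {"product": "acme-portal@9.9.9", "vulnerability": "CVE-EXAMPLE-0003",
   "status": "not_affected", "justification": "component_not_present"}
]
"""

SBOM = json.loads(SBOM_JSON)
FEED = json.loads(VULN_FEED_JSON)
VEX = json.loads(VEX_JSON)

VEX_STATUSES = {"not_affected", "affected", "fixed", "under_investigation"}
CLOSED_STATUSES = {"not_affected", "fixed"}  # findings a defender can drop from the queue


def product_key(sbom):
    p = sbom["product"]
    return f"{p['name']}@{p['version']}"


def match_vulnerabilities(sbom, feed):
    """Step 1, the SBOM join: {vuln_id: component} for every feed entry whose component
    name and version is shipped. This is the raw finding list, before VEX is applied."""
    shipped = {(c["name"], c["version"]) for c in sbom["components"]}
    return {v["id"]: v["component"] for v in feed
            if any((v["component"], ver) in shipped for ver in v["versions"])}


def index_vex(vex_statements, product):
    """Step 2: keep only statements about this exact product version. A statement about
    another version of the same product says nothing about the one we run."""
    by_vuln = {}
    for s in vex_statements:
        if s["product"] != product:
            continue
        if s["status"] not in VEX_STATUSES:
            raise ValueError(f"unknown VEX status {s['status']!r}")
        by_vuln[s["vulnerability"]] = s
    return by_vuln


def assess(sbom, feed, vex_statements):
    """Step 3: answer "am I affected?" per finding. Each entry gets an action of
    'close' or 'investigate'. A not_affected claim with no justification is not trusted
    and stays in the queue rather than silently closing the finding."""
    findings = match_vulnerabilities(sbom, feed)
    vex = index_vex(vex_statements, product_key(sbom))
    result = {}
    for vuln_id, component in sorted(findings.items()):
        stmt = vex.get(vuln_id)
        if stmt is None:
            status, reason = "no_vex_statement", "supplier has issued no statement"
        elif stmt["status"] == "not_affected" and not stmt.get("justification"):
            status, reason = "not_affected_unjustified", "not_affected lacks a justification"
        else:
            status, reason = stmt["status"], stmt.get("justification", "")
        result[vuln_id] = {"component": component, "status": status, "reason": reason,
                           "action": "close" if status in CLOSED_STATUSES else "investigate"}
    return result


def triage_queue(assessment):
    """Vulnerability ids that still need analyst time after VEX has been applied."""
    return sorted(v for v, r in assessment.items() if r["action"] == "investigate")


if __name__ == "__main__":
    for vuln_id, r in assess(SBOM, FEED, VEX).items():
        print(f"{vuln_id:17} {r['component']:17} {r['status']:24} -> {r['action']}")
```

Note that the statement about acme-portal@9.9.9 is ignored on purpose: a VEX statement only speaks for the product version it names, so CVE-EXAMPLE-0003 stays open for 2.3.1.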

Improving the security posture of MacOS and Linux with Azure AD

Mark Morowczynski

1:30pm to 2:20pm

The majority of organizations have Windows, MacOS and Linux in their environment. Typically many of the security controls that are applied to Windows are not applied to MacOS or Linux, due to the size of the footprint and the difficulty of implementation. This can lead to holes in an organization’s overall security posture as well as a poor end user experience.

Recently, Azure AD has released some new functionality to help improve the overall environment security posture for MacOS and Linux, both servers and clients. We’ll discuss how these pieces work deep down and some best practices on deploying them.

In this session you’ll learn how to reduce authentication prompts, further lockdown your Conditional Access policies, and leverage modern credentials like Passwordless on these platforms.

How to Win Over Executives and Influence the Board

Alyssa Miller

2:30pm to 3:20pm


Stop me if you’ve heard these before (or maybe you’ve said them yourself), “Management just doesn’t listen”, “The executives don’t care”, “The board just doesn’t understand”. These exasperations can be very common for blue teamers. We know what needs to be done but we just can’t seem to get the support of our organizational leadership. Even when CISOs or high-level security leaders break through and get time with the board, it’s not uncommon to see them with their heads down looking at their phones. Well, this session is your master class in turning that around and making these conversations work for you.

Come learn from an experienced cyber security executive about what works and what doesn’t when you’re engaging with your leadership teams. Learn actual techniques you can employ tomorrow for effectively planning and delivering a presentation, recovering engagement from an audience that’s tuned out, and overcoming some of the skepticism and animosity that can derail your efforts. You’ll see real-world examples from presentations that succeeded as well as from those that failed. Whether you’re in an individual technical role or in the executive suite, this is a chance to up your game and start gaining the support you need.

Hunting down rogue Managed Identities

Ram Pliskin

2:10pm to 2:40pm

Usage of Cloud managed identities is on the rise in all cloud providers. But are they really as secure as we assume them to be?
Recently, more and more attacks have been leveraging legitimate usage of managed identities to advance the attack and pivot across multiple resources. Managed identities are the latest phase in the evolution of protecting secrets, but without being properly protected, they themselves can serve as double-edged swords introducing new risks and vulnerabilities. Powered by OAuth 2.0, Cloud managed identities blur the distinction between Identity protection and Endpoint solutions, leaving crucial terrain unclaimed.

OAuth 2.0 introduces an authorization layer and separates the role of the client from that of the resource owner. In this session I will dive into delegation flows and together we will understand how they are related to ghost managed identities which pop up on a compromised network. Together, we will extract Cloud-unique aspects out of known attacks, isolating managed identities as overlooked soft spots.
We will wrap up with several high-fidelity detections, giving every blue-side attendee practical tools to implement in their own environment.

Building Better Security Metrics

Jake Williams

3:40pm to 4:30pm

Let’s face it: most of us don’t like gathering and reporting metrics. But the boss says “that which isn’t measured isn’t managed.” Of course there’s the problem of users gaming metrics to paint unrealistic pictures to stakeholders. Good metrics should serve as a heuristic for stakeholders to understand a situation at a high level without needing to understand all the nuance of how the sausage is made. In other words, metrics should tell a story. Since you’ll be generating security metrics anyway, shouldn’t they tell the right story?

Beyond the obvious justification of “management says you have to,” as an aspiring security leader you should be self-motivated to create and deliver better metrics. If there’s one thing leadership abhors, it’s uncertainty. Better metrics don’t eliminate uncertainty, but they do promote better understanding, leading to better evaluation of risk.

In this presentation, you’ll learn the principles of generating compelling metrics. We’ll then cover examples of easy-to-gather metrics across a range of security disciplines, including SOC, cyber threat intelligence, threat hunting, and incident response. Come learn how to level up your metrics game in this session!

Hey! Your database got pwned

Sarit Yerushalmi

4:10pm to 4:40pm

A data breach is an organization’s worst nightmare.

Your databases can be used as a pivot to infiltrate the organization or may be the target to exfiltrate sensitive data.

In this talk we will explore different exploitation techniques used by attackers to attack databases.

We will dive into practical real life examples captured by our honeypots around the world and present an advanced detection approach to identify attacks such as: ransom and crypto mining campaigns, malware deployment, distributed brute-force attacks, evasion techniques and slow & low exfiltration.

Everyone Can Play! Building CTFs To Teach Non-Security Folks

Joe Kuemerle

4:40pm to 5:30pm

Most security practitioners are aware of the learning and fun that comes from participating in Capture the Flag competitions. Racing against other teams, solving brain-twisting challenges and seeing new ways to compromise systems teaches and entertains.
CTFs are also a great tool to give non-security folks a hands-on understanding of how security vulnerabilities enable criminal activities, reduce user privacy and degrade system reliability.

In this session you will learn to build interesting, educational and easy to use Capture the Flag events targeted at developers and other technical, non-security, users.
We will cover specific considerations for each audience you target, how to create interesting (yet solvable) challenges, and how to make the overall experience friction free for the participants.

You will also learn tools and techniques to create easily repeatable, consistent events with minimal work. We will cover collaborative development, external system integration techniques, tooling and a fully automated deployment pipeline to make spinning up a new CTF as easy as pushing a button.

Say Hi to the New Guy: How Diverse Backgrounds Can Mature Your Security Program

Ross Flynn

5:30pm to 6:00pm

In a sea of candidates, why should you consider hiring a teacher as a SOC analyst? In what world would you hire a salesperson as a pen tester? As the need for more holistic security professionals grows, the Infosec field has a unique opportunity to address security concerns by leveraging the unprecedented number of converts from seemingly unrelated fields.

The bad guys will always continue to develop and evolve their techniques, so strategic organizations are finding success pulling from more diverse backgrounds. Fresh thinking and function-specific experience can help these diverse defenders protect data and the basic human right to security and privacy.

Let’s talk about the influx of new blood, strategic positioning, and how qualified professionals from other industries can leverage their experiences to benefit your security team.

Session attendees will leave with:
1. Advice on qualities to look for when searching for non-traditional team members — what can we give HR to help them help us find the right people?
2. Tips for supporting employees with non-traditional backgrounds in demonstrating their strengths
3. Real world examples of diverse backgrounds uniquely benefiting security programs

Life beyond the SIEM — Take control of your SOC with Jupyter

Pete Bryan, Ian Hellen

5:40pm to 6:30pm

The SIEM is the center-point for most SOC activity: providing tools for handling threat detection, incident investigation, threat hunting, and more. Even the best SIEM though, is only as capable as the features it includes. Analysts often have to develop processes and scripts to fit alongside it. What if it didn’t need to be this way? What if there was a tech stack that allowed you to take control?

Jupyter is the solution that allows analysts to investigate threats, conduct hunts, and manage processes in a flexible, agile manner. Use visualizations, analysis techniques, data sources and workflows that your SIEM doesn’t possess.

In this talk, we will look at the Jupyter ecosystem and how it can empower SOC analysts (from tier 1 to specialized hunters) in a wide range of tasks: from creating custom visualizations to automating triage and enrichment tasks.

We’ll cover some Jupyter basics, then dive deeper on how to use standard Python libraries and techniques to customize your analysis flow. Then we’ll look at using MSTICPy (a Python InfoSec library) and how its data, enrichment and visualization features can speed up your workflow by generating elegant, low-code notebooks.

We will also show how you can deploy notebooks in your organization in a consistent, secure and reliable manner using tools like Docker and Git.

Finally, we will demonstrate how to use Jupyter to automate investigation and hunting, to drive great efficiency and consistency benefits for the SOC.

Sunday, August 28th

Protecting Application and Service Principal Permissions in Azure AD

Eric Hall

10:00am to 10:50am

Do you know what your service principals are doing? Service principals represent non-human accounts in Azure AD. They’re a big improvement over the on-premises service account model, but the permissions they are granted can introduce new risks. In this talk we’ll explain the threats to the permission consent model posed by app sprawl and malicious actors. We’ll show you how to discover what apps are in your environment and how to understand the risk associated with those apps.

Key topics we’ll cover include:
• Understanding the service principal and application directory objects
• Evaluating the impact and blast radius of permissions
• Delegated (on behalf of a user) and application (without a user) permissions
• Identifying threats to your applications and service principals
• Managing requests from app developers

Based on our experience implementing an application permission security assessment model across Microsoft’s internal IT environment, we’ll share lessons learned, gotchas, and product features that can help you manage the security of service principals and applications in your Azure AD tenant.

Becoming the Threat, The Making of A World Class Security Team

Aaron Rosenmund

11:00am to 11:50am

Are you cleverer than a malware author? Do you feel like you are just waiting on someone, or groups of someones, to make their next move and hoping that your defenses can manage? Of course, they don’t always, do they? And that is because waiting for the threat to happen means you are forever behind the power curve. I have created malware that can consistently morph to blow past defenses, but in this case it is tamed: it doesn’t actually cause harm, and it stays within your control. Why would I do that? To test the defenses, I wanted to become the malware author so the threat I am working to beat is me! And I want to teach you to do the same. I will walk you through simulated ransomware with various techniques that can be launched in a test environment to test your defenses. Then I am going to show you where common security products fail, where humans fail, and where you can iterate to teach yourself to be different.

Breaking Boundaries, Securing Perimeters: A pragmatic approach to Attack Surface Management

Katie Inns

11:20am to 11:50am

Security teams can often become overwhelmed by large lists of vulnerabilities that affect their systems and have trouble knowing which to prioritise first when it comes to remediation. This can lead to ineffective vulnerability management processes that focus on addressing issues from a top-down approach and do not reflect real-world exploitation or the risk to the organisation. This becomes more problematic when organisations don’t fully understand their attack surface and their systems that may be at risk.

This talk will discuss how organisations can adopt a more pragmatic approach to attack surface management, by understanding the assets at risk, how to prioritise remediation and how to adapt based on emerging threats.

Holistic AWS Cloud Security Design for Organizations

Cassandra Young

1:00pm to 1:50pm

Ditch the kale smoothie, it’s time to go big picture. Your organization is moving to AWS, and you’re in a panic. Which of the 42 billion AWS service offerings do you really need? How do you manage user and service accounts? What about those 7 different rogue AWS accounts you just found out about? We’ll talk about securing, organizing and standardizing your AWS environment(s), managing authentication, protecting your applications, and we’ll walk through a few key guardrails you can plan today. Throughout the presentation, we’ll talk about balancing security with usability, how your existing architecture can work for you and against you, and how to identify and protect your attack surface in (and even out of) the cloud.

Easy Defender Playbooks to Make Ransomware Criminals Cry

Drew Hjelm

1:00pm to 1:30pm

The last few years of continuous assault by ransomware gangs against businesses and organizations have left a large mess in their wake. The onslaught makes it seem like the adage “the attackers only have to be right once” holds some truth, even if it is wildly inaccurate.

Let’s talk about what we can do as defenders to flip the script and give the bad guys a hard time. These are architecture patterns and tactics you should bake into your policies, procedures, and runbooks that would have stopped literally hundreds of ransomware attacks. And best of all, most are free and/or easy to implement.

Why I Keep Building My Security On Open Source Year After Year

Joe Gresham

1:40pm to 2:10pm

After 15 years of developing a network sensor, log analyzer, and SIEM, based primarily on open-source tools, the future still points to open source. Something is inherently different about open source that makes it more viable for security analysis. Too many analysis processes need to run narrowly and in parallel, or sometimes serially. These require rich interconnections and openness between each specialized tool. The open source community has provided these with thousands of developers working on the projects they are passionate about and fulfilling a function, narrowly, and extremely well. This is what’s lacking in the closed source world, where vendors keep out the competition in an attempt to provide a “complete security stack”, which has ruined more than a few initially powerful open source tools.

In this talk the presenter recalls his 15-year journey to build and continuously improve his company’s detection platform. His experience with integrating software tools like Bro/Zeek, Snort, and ELK, and with low-level performance tuning of multi-core CPUs and network interfaces, provides insight into the powerful advantage of open source. Using the specific example of modifying open-source full packet capture systems to add indexing, Joe demonstrates how just having a decent API is not enough. Open source gives you the total flexibility needed to build a rich cybersecurity SOC platform. Besides, you can’t afford to “test” the non-free stuff.
