Upcoming Blue Team Con Online Events
New events are being scheduled – check back regularly to see upcoming BTC Online presentations.
Previous Blue Team Con Online Events
August 22, 2024 @ 10:00 AM CDT
Vulnerability Cognition: Adding Psychology to VulnMgmt Programs
Presented by Dr. Nikki Robinson
Vulnerability Management continues to be more and more complex, especially with large sprawling APIs, containers and serverless deployments, and introducing a CI/CD pipeline. With all of these factors, it is increasingly important to understand psychological concepts behind VulnMgmt programs. Without understanding mental workloads, cognition, and perception, it will continue to be a struggle to keep up with vulnerabilities. With the numerous vulnerability scoring metrics, increasing severity and exploitability, blue teams must consistently learn about new exploits and what that means to their environments. This session will cover what “Vulnerability Cognition” is, how it affects VulnMgmt programs, and how Blue Teams can use these skills to increase awareness and effectiveness in their VulnMgmt programs.
August 8, 2024 @ 10:00 AM CDT
Keep the F in DFIR: The Importance of Digital Forensics in Incident Response
Presented by Partha Alwar and Carly Battaile
In recent years, blue teamers have greatly benefited from advanced security tools such as EDRs and XDRs. While these tools provide valuable visibility and containment mechanisms during DFIR investigations, over-reliance on these tools in DFIR investigations may lead to an incomplete picture of the incident. In this presentation, we will discuss how traditional forensic analysis methods can provide a more holistic look at an incident and reduce gaps in visibility.
Our presentation will provide an overview of challenges encountered when using EDR tools, such as telemetry retention, OS compatibility, deployment scope and the lack of forensic artifacts that track interactive activity by an attacker. Next, we will introduce several forensic artifacts such as Amcache, Shellbags, Windows UAL, etc. that provide deeper, historical visibility into attacker activity. Using forensic artifacts introduced in this presentation, blue teamers will be able to piece together and timeline crucial pieces of evidence on systems that provide insight into historical process executions, file/folder access, lateral movement, etc. Finally, we will introduce real-life case studies where forensic methods have proved vital in incident response investigations.
Attendees of this presentation will gain a better understanding of forensic artifacts and how they can be utilized in incident response investigations. They will also learn about free and open-source tools available to parse these artifacts at scale.
July 25, 2024 @ 10:00 AM CDT
Non-Traditional Paths Into Cyber-Security: How recognizing and targeting complementary skillsets can ease the skills shortage
Presented by Kayla Williams
Since its inception, the Information Security industry has had a perpetual human capital and skills gap. With the advent of a variety of Massive Open Online Course (MOOC) programs such as EdX, Khan Academy and The Great Courses, the barrier to upskilling across numerous domains is lower than ever. In addition, as companies explore removing college degree requirements, job requisitions open up to more candidates. As a result, the opportunity for a growing, successful career in Information Security has never been greater. Despite this, the perception of the skills gap still exists.
As a result of these false perceptions, employers may miss out on skilled candidates with unique backgrounds and perspectives. Thus, organizations may suffer from the same issues as intelligence agencies by being stuck in old ways of thinking, much in the way Richard Heuer describes in The Psychology of Intelligence in 1999. By integrating these new and unique perspectives, employers can build in diversity of thought with different base skill-sets and come up with new perspectives and innovations.
This talk will dissect how to approach this systemic issue. It will include the presenter’s personal experiences, professional experiences with individuals transitioning into the industry, and concrete solutions for companies looking to overcome this hurdle. Solutions will focus on how to apply these new hiring paradigms from the top down, in addition to a potential avenue to resolution: building a pipeline by creating relationships with educational institutions.
July 11, 2024 @ 10:00 AM CDT
Building Yourself Into a Strong Identity Practitioner
Presented by Eric Woodruff
Whether you’re a seasoned Active Directory admin who cut your chops as a sysadmin, or coming into the identity space fresh, it can be daunting to understand how to get started within the identity space or transform yourself at the rapid pace the industry moves. And while “identity is the new security perimeter”, it is often overlooked as a skillset in most cybersecurity degree programs.
In this conversation we’ll dive into building yourself as a strong identity practitioner. For those newer to identity, we’ll take a look at the many areas available for specialization. If you’re looking to advance or change your career, we’ll explore the different types of roles available as well – from security researchers to identity program managers, the types of jobs available in identity are as deep as identity platforms themselves. Along with a look at the field, we’ll explore ways to gain the technical and non-technical skills to bring yourself and your career to the next level.
June 27, 2024 @ 10:00 AM CDT
Dude, Where’s My Domain Admins?
Presented by Joel M. Leo
*Attacker pops a workstation on your domain*
*Attacker establishes her foothold and local persistence*
*Attacker begins recon of AD, starting with Domain Admins*
ERROR: The group name could not be found.
Attacker, with a disconcerted look on her face: “Dude, where’s my Domain Admins?”
Killchains that involve AD usually involve enumeration of highly-privileged accounts: members of Domain/Enterprise/Builtin Admins, Server Operators, etc. Those groups and their members can be enumerated in AD by default, exposing members as targets of exploitation to obtain those privileges. However, there’s a way to use in-the-box AD capabilities to thwart these attempts. Using List Object mode, implicit deny, and AdminSDHolder/SDProp, AD defenders can hide these principals from unprivileged users. In this talk, I’ll walk you through the principles, process, and pitfalls, so you can raise the bar on your AD defenses without blowing things up.
May 30, 2024 @ 10:00 AM CDT
There is no ‘I’ in team, but if you look closely, there is a me: being the first dedicated security hire and growing a team
Presented by Mike Sheward
Being the first dedicated security hire at any organization is an incredible learning experience. One moment you could be hands-on deploying EDR and MDM tools, the next, you’re on a sales call with a prospect, or talking to the board. But amongst the opportunity, there is of course plenty of stress, anxiety, and burnout. When you’re doing the things that might otherwise be done by a team of folks, how do you know where to get started? How do you prioritize? In this talk we’ll answer those questions.
I’ve gone from being the first dedicated security hire, to building teams on three separate occasions now, and each time, I’ve done some things in the same way, and some things differently. The talk is a lessons-learned session, going from absolutely nothing on day one to a reasonably large security team with dedicated sub-teams.
We’ll discuss how the decisions you make early on, as the wearer of many hats, can have long-lasting impacts when you start to distribute those hats. This includes technology and process decisions, along with hiring and delegation.
A final key message in the talk will be that even though there may only be one dedicated security person at a company, that person should never be expected to carry the weight of the whole company’s security and privacy decisions, so we’ll talk about how to set that boundary as well.
After all, there is no ‘I’ in team, but if you look closely, there is a me.
May 2, 2024 @ 10:00 AM CDT
Defending Beyond Defense
Presented by Dr. Catherine J. Ullman
Assumptions burn defenders every day. Perhaps the most pernicious one is that systems and their controls will always work as designed. Best practices in security may be good guidelines, but unfortunately also suffer from these same blind spots. For example, best practice recommends the use of LAPS for local administrator account passwords of domain-joined computers, yet misconfiguration of Active Directory can turn it from a protective control into a vulnerability. But what if there was a way to challenge these assumptions up front? The best way to dismantle these types of assumptions is to experience how deeply flawed they are. There is no better way to gain first-hand experience into this perspective than immersion in the offensive security space. In this talk we’ll explore how to immerse yourself in the offensive security world to obtain this knowledge without needing to change careers or obtain additional certifications. By being more informed about offensive security, defenders are better able to recognize relevant intel, understand existing threats, and more readily discover attacker behavior. Join me as I discuss how there’s more to defending than just defense, and how you can find and engage with the amazing resources that are out there waiting to be explored.
March 21, 2024 @ 10:00 AM CDT
Your OT/ICS Security Blackhole
Presented by Huxley Barbee
The rise of Operational Technology (OT) and Industrial Control System (ICS) networks has created new challenges for security teams. Existing tools and practices for securing IT environments tend to be ineffective or even damaging when applied to OT/ICS environments. Protecting OT/ICS environments involves a different mindset, fit-for-purpose tooling, and engaging with a different organizational culture. This presentation will explore why culturally and technically securing OT environments is so different. This presentation is a primer to equip the audience with the knowledge and skills to protect their organizations’ OT/ICS networks while ensuring these systems’ safety and availability.
March 7, 2024 @ 10:00 AM CST
PCI DSS v4.0 Is Here – Now What?
Presented by Kyle Hinterberg
The Payment Card Industry Security Standards Council (PCI SSC) released v4.0 of the PCI Data Security Standard (DSS) in 2022 and the countdown is on. Organizations that need to comply with PCI DSS only have until April 2025 to implement all the new requirements. Are you ready and, more importantly, do you even know what it will take to be ready?
Many organizations need to comply with the PCI DSS and a major version change can be daunting. To make things worse, most of the information provided by the PCI SSC and other organizations can be vague and/or marketing focused. This leaves individuals confused as to what they really need to be doing to prepare themselves and their organizations. My goal is to break it down Barney-style so that no one gets stuck behind the eight ball when they run their first v4.0 assessment.
This presentation will:
- Provide brief definitions of the PCI SSC and PCI DSS
- Explain the history of the PCI DSS (how we got to where we are)
- Provide an overview of the changes in v4.0, specifically avoiding any vague marketing talk and focusing on actionable items to help prepare organizations for v4.0
- Provide a summary of the big-ticket items that organizations should be working on to ease into v4.0
July 20, 2023
Everyone Can Play! Building CTFs To Teach Non-Security Folks
Presented by Joe Kuemerle
Most security practitioners are aware of the learning and fun that comes from participating in Capture the Flag competitions. Racing against other teams, solving brain-twisting challenges and seeing new ways to compromise systems teaches and entertains.
CTFs are also a great tool to give non-security folks a hands-on understanding of how security vulnerabilities enable criminal activities, reduce user privacy and degrade system reliability.
In this session you will learn to build interesting, educational and easy-to-use Capture the Flag events targeted at developers and other technical, non-security users.
We will cover specific considerations for each audience you target, how to create interesting (yet solvable) challenges, and how to make the overall experience friction free for the participants.
You will also learn tools and techniques to create easily repeatable, consistent events with minimal work. We will cover collaborative development, external system integration techniques, tooling and a fully automated deployment pipeline to make spinning up a new CTF as easy as pushing a button.
July 6, 2023
Say Hi to the New Guy: How Diverse Backgrounds Can Mature Your Security Program
Presented by Ross Flynn
In a sea of candidates, why should you consider hiring a teacher as a SOC analyst? In what world would you hire a salesperson as a pen tester? As the need for more holistic security professionals grows, the Infosec field has a unique opportunity to address security concerns by leveraging the unprecedented number of converts from seemingly unrelated fields.
The bad guys will always continue to develop and evolve their techniques, so strategic organizations are finding success pulling from more diverse backgrounds. Fresh thinking and function-specific experience can help these diverse defenders protect data and the basic human right to security and privacy.
Let’s talk about the influx of new blood, strategic positioning, and how qualified professionals from other industries can leverage their experiences to benefit your security team.
Session attendees will leave with:
- Advice on qualities to look for when searching for non-traditional team members – what can we give HR to help them help us find the right people?
- Tips for supporting employees with non-traditional backgrounds in demonstrating their strengths
- Real world examples of diverse backgrounds uniquely benefiting security programs
June 22, 2023
Blue Team Social Impact: How to volunteer your cyberdefense skills without getting burned out
Presented by Tom Costello
Want to give back to your community by volunteering your blue team skills, but don’t want to turn into a small nonprofit’s 24/7 unpaid on-call helpdesk? We’ll explore ways you can maximize your happiness & social impact by taking your blue team talents into the volunteer space. You’ll learn how to avoid re-inventing the wheel when it comes to blue team charity work, along with many lessons learned on avoiding volunteerism burnout due to a busy day job. When done properly, volunteering your technology skillset or helping to train/mentor others interested in your occupation can have a gigantic positive impact both on your community and your mental wellbeing! When done poorly, you might burn bridges and find yourself more stressed out than necessary due to a volunteer situation gone wrong. Don’t do that to yourself; attend this talk and let’s make the world a better place one blue team volunteer opportunity at a time!
June 1, 2023
Improving Alert Recall: miss fewer attacks through customizable ML anomalies
Presented by Karishma Dixit, Sharon Xia
In the ongoing game of cat and mouse between attackers and defenders, attackers continually find new ways to evade detection. Whilst high fidelity security detections tend to have high precision, they can sometimes have low recall, therefore some new attack techniques can go undetected. Anomalies on the other hand are much noisier but can capture attacks that would otherwise be missed. Anomalies don’t necessarily indicate malicious behavior on their own. But when combined with other anomalies or alerts their cumulative effect is much stronger.
In this talk, we explore our approach at Microsoft Sentinel to provide the user with customizable anomaly rules. Our engineering methodology uses a PySpark backend to implement a variety of ML techniques including both supervised and unsupervised learning. We deep dive into the ML behind one of our customizable anomalies and then demonstrate the ease at which the rules can be configured by the user. Lastly, we demonstrate, via simulated attacks, how anomalies and alerts can be combined at various stages of the kill chain to produce high quality incidents.
Thus, we can see how customizable anomaly rules improve recall while reducing the noise of traditional anomalies via machine learning and customization.
May 18, 2023
Formulating An Intelligence-Driven Threat Hunting Methodology
Presented by Joe Slowik
Consultants and marketing departments refer to “threat hunting” as a desired position for network defenders. By adopting this mindset, defenders can take an active role pursuing intrusions. Yet precise methodologies for threat hunting are hard to come by, making the concept something amorphous. In this discussion, we will explore a methodology to standardize the threat hunting process, using an intelligence-driven, adversary-aware approach to drive investigation. This discussion will reveal a series of concrete steps or operational techniques that defenders can leverage to produce a measurable, repeatable, sustainable hunting process. To illustrate the concept, we will also look at several recent examples of malicious activity where an intelligence-driven hunting process allows defenders to defeat fundamental aspects of adversary tradecraft. Audiences will emerge with a roadmap for building a robust threat hunting program to improve the defensive posture of their organizations.
April 27, 2023
From the Ground Up: Lessons Learned from Starting a Vulnerability Management Team
Presented by Bryan Garcia
As the Cybersecurity field continues to mature and vulnerability numbers increase, there is a growing need to form specialized teams to handle dedicated areas of Cybersecurity. From the Ground Up shares the lessons learned from the creation of a dedicated Vulnerability Management team, the successes and struggles the team faced, the impact and value the team would bring to the company, and what choices could be made to help others be more effective in their decision-making to create an efficient Vulnerability Management team.
April 13, 2023
Breaking Boundaries, Securing Perimeters: A pragmatic approach to Attack Surface Management
Presented by Katie Inns
Security teams can often become overwhelmed by large lists of vulnerabilities that affect their systems and have trouble knowing which to prioritize first when it comes to remediation. This can lead to ineffective vulnerability management processes that focus on addressing issues from a top-down approach and do not reflect real-world exploitation or the risk to the organization. This becomes more problematic when organizations don’t fully understand their attack surface and their systems that may be at risk.
This talk will discuss how organizations can adopt a more pragmatic approach to attack surface management, by understanding the assets at risk, how to prioritize remediation and how to adapt based on emerging threats.
March 30, 2023
The Defender’s Guide to Budgetless Endpoint Hardening
Presented by Matt Coons
Hardening the endpoint is one of the first and most effective measures implemented by defenders to protect organizations against attackers. The EDR, XDR and antivirus space is full of vendor solutions to detect and prevent malware, but what can a budget-conscious blue team do to block malware without spending a dime?
This talk will dive into cost-free hardening tools and techniques that can be implemented to better protect endpoints from attack. Hardening techniques like leveraging Windows Firewall to block unwanted outbound network traffic, implementing Windows Attack Surface rules, disabling unneeded endpoint services and more will be discussed throughout the interactive session.
Session participants will leave with zero-cost, actionable, and easy-to-implement endpoint hardening measures that can be applied in various types of computing environments.
March 16, 2023
Building Better Security Metrics
Presented by Jake Williams
Let’s face it: most of us don’t like gathering and reporting metrics. But the boss says “that which isn’t measured isn’t managed.” Of course, there’s the problem of users gaming metrics to paint unrealistic pictures to stakeholders. Good metrics should serve as a heuristic for stakeholders to understand a situation at a high level without needing to understand all the nuance of how the sausage is made. In other words, metrics should tell a story. Since you’ll be generating security metrics anyway, shouldn’t they tell the right story?
Beyond the obvious justification of “management says you have to,” as an aspiring security leader you should be self-motivated to create and deliver better metrics. If there’s one thing leadership abhors, it’s uncertainty. Better metrics don’t eliminate uncertainty, but they do promote better understanding, leading to better evaluation of risk.
In this presentation, you’ll learn the principles of generating compelling metrics. We’ll then cover examples of easy-to-gather metrics across a range of security disciplines, including SOC, cyber threat intelligence, threat hunting, and incident response. Come learn how to level up your metrics game in this session!
March 2, 2023
Going Atomic: The Strengths and Weaknesses of a Technique-centric Purple Teaming Approach
Presented by Alfie Champion
Atomic purple teaming, i.e. testing individual permutations of offensive techniques outside of a scenario-based exercise, offers an approach that can maximise kill chain coverage and provides a means to benchmark a SOC’s detective capability.
Initially, the methodology for atomic testing will be presented, alongside example results from a typical engagement. We’ll evaluate the significant data set that such testing can produce – e.g. which test cases produce telemetry, which produce alerts, which were prevented – and consider its application in informing SOC strategy, demonstrating Return on Investment, and providing insight into general security posture.
This empirical, data-driven approach is invaluable in developing a bottom-up view of our defenses, i.e. understanding how our detection stack fares when faced with the tactics, techniques and procedures of legitimate actors, but it is not a one-stop shop for adversary emulation. As such, this talk will consider the limitations of such an approach, and how other supplementary collaborative testing can offer a more complete view of detective capability.
February 16, 2023
Preparing your IT SOC for OT Network Security Monitoring
Presented by Wesley Lee
OT and IT convergence is here. One of the biggest pushes in OT/ICS is the implementation of better visibility and increased network security monitoring. Whether you have a fully in-house or a hybrid Security Operations Center augmented with Managed Security Services, if you don’t have the funding or time to implement a separate OT Security Operations Center dedicated to monitoring your OT environment, this talk will discuss strategies, tactics, people, processes, and lessons learned in effectively integrating your OT NSM program into your IT SOC. This talk will lay out a flexible roadmap and walk you through the before, during, and after steps that should be done in order to integrate your OT NSM program into your IT SOC: how to integrate, mature, respond, and measure your OT NSM program within your IT SOC without losing focus on the critical aspects of better OT NSM monitoring within your organization.