Blue Team Con Online

Blue Team Con Online is a series of talks from past Blue Team Cons,
updated and presented live in the Blue Team Con community Discord.

Upcoming Blue Team Con Online Events

May 2, 2024 @ 10:00 AM CDT

Defending Beyond Defense

Presented by Dr. Catherine Ullman

Assumptions burn defenders every day. Perhaps the most pernicious one is that systems and their controls will always work as designed. Best practices in security may be good guidelines, but unfortunately also suffer from these same blind spots. For example, best practice recommends the use of LAPS for local administrator account passwords of domain-joined computers, yet misconfiguration of Active Directory can turn it from a protective control into a vulnerability.
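The LAPS failure mode the abstract alludes to is usually an over-broad ACL: a helpdesk or "Workstation Admins" group that has been granted All Extended Rights (or GenericAll) on an OU can read the confidential ms-Mcs-AdmPwd attribute and so recover every local administrator password under that OU. The following PowerShell is an added example, not material from the talk; it assumes the RSAT ActiveDirectory module is present and that the OU distinguished name is a placeholder you replace with your own.

```powershell
# Added example: enumerate principals allowed to read the legacy LAPS password
# attribute (ms-Mcs-AdmPwd) on an OU. Reading a confidential attribute needs the
# "All Extended Rights" control access right, so any Allow ACE granting ExtendedRight
# (unscoped, or scoped to this attribute) or GenericAll is a password reader.
# Assumes the RSAT ActiveDirectory module; the OU below is a placeholder.
Import-Module ActiveDirectory

function Get-LapsPasswordReaders {
    param([Parameter(Mandatory)][string]$OrganizationalUnit)

    # Resolve the schema GUID of ms-Mcs-AdmPwd so attribute-scoped ACEs can be matched.
    # Windows LAPS (2023+) stores passwords in msLAPS-Password / msLAPS-EncryptedPassword;
    # swap the lDAPDisplayName below to audit those instead.
    $schemaNc = (Get-ADRootDSE).schemaNamingContext
    $attr = Get-ADObject -SearchBase $schemaNc -LDAPFilter '(lDAPDisplayName=ms-Mcs-AdmPwd)' -Properties schemaIDGUID
    if (-not $attr) { throw 'ms-Mcs-AdmPwd is not in the schema; legacy LAPS is not deployed here.' }
    $attrGuid = [guid]$attr.schemaIDGUID

    $extended = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
    $all      = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll

    (Get-Acl -Path "AD:\$OrganizationalUnit").Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and (
                $_.ActiveDirectoryRights.HasFlag($all) -or
                ($_.ActiveDirectoryRights.HasFlag($extended) -and
                 ($_.ObjectType -eq [guid]::Empty -or $_.ObjectType -eq $attrGuid))
            )
        } |
        Select-Object IdentityReference, ActiveDirectoryRights, ObjectType, IsInherited
}

# Placeholder OU; expect Domain Admins, SYSTEM and Enterprise Admins. Anything else
# in the output is a group that can read every local admin password under the OU.
Get-LapsPasswordReaders -OrganizationalUnit 'OU=Workstations,DC=corp,DC=example'
```

The legacy LAPS PowerShell module (AdmPwd.PS) ships an equivalent check, Find-AdmPwdExtendedRights, which is the quickest way to compare results; the point of the hand-rolled version is that it makes visible which ACE (inherited or not, scoped or unscoped) is the one doing the damage, which is what you need in order to remove it without breaking legitimate readers.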

But what if there was a way to challenge these assumptions up front? The best way to dismantle these types of assumptions is to experience how deeply flawed they are. There is no better way to gain first hand experience into this perspective than immersion in the offensive security space.

In this talk we’ll explore how to immerse yourself in the offensive security world to obtain this knowledge without needing to change careers or obtain additional certifications. By being more informed about offensive security, defenders are better able to recognize relevant intel, understand existing threats, and more readily discover attacker behavior.

Join me as I discuss how there’s more to defending than just defense, and how you can find and engage with the amazing resources that are out there waiting to be explored.

Previous Blue Team Con Online Events

March 21, 2024 @ 10:00 AM CDT

Your OT/ICS Security Blackhole

Presented by Huxley Barbee

The rise of Operational Technology (OT) and Industrial Control System (ICS) networks has created new challenges for security teams. Existing tools and practices for securing IT environments tend to be ineffective or even damaging when applied to OT/ICS environments. Protecting OT/ICS environments involves a different mindset, fit-for-purpose tooling, and engaging with a different organizational culture. This presentation will explore why culturally and technically securing OT environments is so different. This presentation is a primer to equip the audience with the knowledge and skills to protect their organizations’ OT/ICS networks while ensuring these systems’ safety and availability.

March 7, 2024 @ 10:00 AM CST

PCI DSS v4.0 Is Here – Now What?

Presented by Kyle Hinterberg

The Payment Card Industry Security Standards Council (PCI SSC) released v4.0 of the PCI Data Security Standard (DSS) in 2022 and the countdown is on. Organizations that need to comply with PCI DSS only have until April 2025 to implement all the new requirements. Are you ready and, more importantly, do you even know what it will take to be ready?

Many organizations need to comply with the PCI DSS and a major version change can be daunting. To make things worse, most of the information provided by the PCI SSC and other organizations can be vague and/or marketing focused. This leaves individuals confused as to what they really need to be doing to prepare themselves and their organizations. My goal is to break it down Barney-style so that no one gets stuck behind the eight ball when they run their first v4.0 assessment.

This presentation will:

  • Provide brief definitions of the PCI SSC and PCI DSS
  • Explain the history of the PCI DSS (how we got to where we are)
  • Provide an overview of the changes in v4.0, specifically avoiding any vague marketing talk and focusing on actionable items to help prepare organizations for v4.0
  • Provide a summary of the big-ticket items that organizations should be working on to ease into v4.0

July 20, 2023

Everyone Can Play! Building CTFs To Teach Non-Security Folks

Presented by Joe Kuemerle

Most security practitioners are aware of the learning and fun that comes from participating in Capture the Flag competitions. Racing against other teams, solving brain-twisting challenges and seeing new ways to compromise systems teaches and entertains.

CTFs are also a great tool to give non-security folks a hands-on understanding of how security vulnerabilities enable criminal activities, reduce user privacy and degrade system reliability.

In this session you will learn to build interesting, educational and easy to use Capture the Flag events targeted at developers and other technical, non-security, users.

We will cover specific considerations for each audience you target, how to create interesting (yet solvable) challenges, and how to make the overall experience friction free for the participants.

You will also learn tools and techniques to create easily repeatable, consistent events with minimal work. We will cover collaborative development, external system integration techniques, tooling and a fully automated deployment pipeline to make spinning up a new CTF as easy as pushing a button.

July 6, 2023

Say Hi to the New Guy: How Diverse Backgrounds Can Mature Your Security Program

Presented by Ross Flynn

In a sea of candidates, why should you consider hiring a teacher as a SOC analyst? In what world would you hire a salesperson as a pen tester? As the need for more holistic security professionals grows, the Infosec field has a unique opportunity to address security concerns by leveraging the unprecedented number of converts from seemingly unrelated fields.

The bad guys will always continue to develop and evolve their techniques, so strategic organizations are finding success pulling from more diverse backgrounds. Fresh thinking and function-specific experience can help these diverse defenders protect data and the basic human right to security and privacy.

Let’s talk about the influx of new blood, strategic positioning, and how qualified professionals from other industries can leverage their experiences to benefit your security team.

Session attendees will leave with:

  1. Advice on qualities to look for when searching for non-traditional team members – what can we give HR to help them help us find the right people?
  2. Tips for supporting employees with non-traditional backgrounds in demonstrating their strengths
  3. Real world examples of diverse backgrounds uniquely benefiting security programs

June 22, 2023

Blue Team Social Impact: How to volunteer your cyberdefense skills without getting burned out

Presented by Tom Costello

Want to give back to your community by volunteering your blue team skills, but don’t want to turn into a small nonprofit’s 24/7 unpaid on-call helpdesk? We’ll explore ways you can maximize your happiness & social impact by taking your blue team talents into the volunteer space. You’ll learn how to avoid re-inventing the wheel when it comes to blue team charity work, along with many lessons learned on avoiding volunteerism burnout due to a busy day job. When done properly, volunteering your technology skillset or helping to train/mentor others interested in your occupation can have a gigantic positive impact both to your community and your mental wellbeing! When done poorly, you might burn bridges and find yourself more stressed out than necessary due to a volunteer situation gone wrong. Don’t do that to yourself; attend this talk and let’s make the world a better place one blue team volunteer opportunity at a time!

June 1, 2023

Improving Alert Recall: miss fewer attacks through customizable ML anomalies

Presented by Karishma Dixit, Sharon Xia

In the ongoing game of cat and mouse between attackers and defenders, attackers continually find new ways to evade detection. Whilst high fidelity security detections tend to have high precision, they can sometimes have low recall, therefore some new attack techniques can go undetected. Anomalies on the other hand are much noisier but can capture attacks that would otherwise be missed. Anomalies don’t necessarily indicate malicious behavior on their own. But when combined with other anomalies or alerts their cumulative effect is much stronger.

In this talk, we explore our approach at Microsoft Sentinel to provide the user with customizable anomaly rules. Our engineering methodology uses a PySpark backend to implement a variety of ML techniques including both supervised and unsupervised learning. We deep dive into the ML behind one of our customizable anomalies and then demonstrate the ease with which the rules can be configured by the user. Lastly, we demonstrate, via simulated attacks, how anomalies and alerts can be combined at various stages of the kill chain to produce high quality incidents.

Thus, we can see how customizable anomaly rules improve recall while reducing the noise of traditional anomalies via machine learning and customization.

May 18, 2023

Formulating An Intelligence-Driven Threat Hunting Methodology

Presented by Joe Slowik

Consultants and marketing departments refer to “threat hunting” as a desired position for network defenders. By adopting this mindset, defenders can take an active role pursuing intrusions. Yet precise methodologies for threat hunting are hard to come by, making the concept something amorphous. In this discussion, we will explore a methodology to standardize the threat hunting process, using an intelligence-driven, adversary-aware approach to drive investigation. This discussion will reveal a series of concrete steps or operational techniques that defenders can leverage to produce a measurable, repeatable, sustainable hunting process. To illustrate the concept, we will also look at several recent examples of malicious activity where an intelligence-driven hunting process allows defenders to defeat fundamental aspects of adversary tradecraft. Audiences will emerge with a roadmap for building a robust threat hunting program to improve the defensive posture of their organizations.

April 27, 2023

From the Ground Up: Lessons Learned from Starting a Vulnerability Management Team

Presented by Bryan Garcia

As the Cybersecurity field continues to mature and vulnerability numbers increase, there is a growing need to form specialized teams to handle dedicated areas of Cybersecurity. From the Ground Up shares the lessons learned from the creation of a dedicated Vulnerability Management team, the successes and struggles the team faced, the impact and value the team would bring to the company, and what choices could be made to help others be more effective in their decision-making to create an efficient Vulnerability Management team.

April 13, 2023

Breaking Boundaries, Securing Perimeters: A pragmatic approach to Attack Surface Management

Presented by Katie Inns

Security teams can often become overwhelmed by large lists of vulnerabilities that affect their systems and have trouble knowing which to prioritize first when it comes to remediation. This can lead to ineffective vulnerability management processes that focus on addressing issues from a top-down approach and do not reflect real-world exploitation or the risk to the organization. This becomes more problematic when organizations don’t fully understand their attack surface and their systems that may be at risk.

This talk will discuss how organizations can adopt a more pragmatic approach to attack surface management, by understanding the assets at risk, how to prioritize remediation and how to adapt based on emerging threats.

March 30, 2023

The Defender’s Guide to Budgetless Endpoint Hardening

Presented by Matt Coons

Hardening the endpoint is one of the first and most effective measures implemented by defenders to protect organizations against attackers. The EDR, XDR and antivirus space is full of vendor solutions to detect and prevent malware, but what can a budget conscious blue team do to block malware without spending a dime?

This talk will dive into cost free hardening tools and techniques that can be implemented to better protect endpoints from attack. Hardening techniques like leveraging Windows Firewall to block unwanted outbound network traffic, implementing Windows Attack Surface rules, disabling unneeded endpoint services and more will be discussed throughout the interactive session.
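As an added example, and not the speaker's material, the following PowerShell shows what a first pass at the three techniques named above looks like with nothing but built-in tooling: outbound logging and a default-block outbound firewall with explicit allows, Microsoft Defender Attack Surface Reduction (ASR) rules started in audit mode, and unneeded services disabled. Run it elevated on a test machine first; the proxy and domain controller addresses and the service list are placeholders, and the ASR rule GUIDs are Microsoft's published rule IDs that you should confirm against the current ASR reference before deploying.

```powershell
# Added example: zero-cost Windows endpoint hardening with built-in tooling only.
# Run elevated on a test machine first. Addresses and the service list are placeholders.

# 1. Log what the firewall drops BEFORE flipping the default, so the allow list is
#    built from observed traffic rather than guesses.
Set-NetFirewallProfile -Profile Domain,Private,Public `
    -LogBlocked True `
    -LogFileName '%systemroot%\system32\LogFiles\Firewall\pfirewall.log' `
    -LogMaxSizeKilobytes 32767

# 2. Explicit outbound allows for what a workstation legitimately needs ...
New-NetFirewallRule -DisplayName 'Allow DNS out' -Direction Outbound `
    -Protocol UDP -RemotePort 53 -Action Allow
New-NetFirewallRule -DisplayName 'Allow web via proxy only' -Direction Outbound `
    -Protocol TCP -RemoteAddress 10.0.0.5 -RemotePort 8080 -Action Allow        # placeholder proxy
New-NetFirewallRule -DisplayName 'Allow Kerberos/LDAP/SMB to DCs' -Direction Outbound `
    -Protocol TCP -RemoteAddress 10.0.0.10,10.0.0.11 -RemotePort 88,389,445,636 -Action Allow  # placeholder DCs

# ... then block everything else. Malware that beacons straight to the internet
# instead of through the proxy now fails, and the attempt lands in pfirewall.log.
Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultOutboundAction Block

# 3. Defender ASR rules, in audit mode first. Audit hits are Event ID 1122 and blocks
#    are 1121 in the Microsoft-Windows-Windows Defender/Operational log; review them
#    before changing 'AuditMode' to 'Enabled'.
$asrRules = @(
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A'  # Block all Office applications from creating child processes
    '9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2'  # Block credential stealing from LSASS
    'D1E49AAC-8F56-4280-B9BA-993A6D77406C'  # Block process creations originating from PsExec and WMI
    '5BEB7EFE-FD9A-4556-801D-275E5FFC04CC'  # Block execution of potentially obfuscated scripts
    'BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550'  # Block executable content from email client and webmail
)
Add-MpPreference -AttackSurfaceReductionRules_Ids $asrRules `
    -AttackSurfaceReductionRules_Actions ($asrRules | ForEach-Object { 'AuditMode' })

# 4. Disable services attackers lean on that most workstations never need.
#    Placeholder list; review per environment before rolling out.
foreach ($svc in 'RemoteRegistry', 'SSDPSRV', 'upnphost') {
    if (Get-Service -Name $svc -ErrorAction SilentlyContinue) {
        Stop-Service -Name $svc -Force -ErrorAction SilentlyContinue
        Set-Service  -Name $svc -StartupType Disabled
    }
}

# 5. Verify what actually took effect.
Get-NetFirewallProfile | Select-Object Name, DefaultOutboundAction, LogBlocked
(Get-MpPreference).AttackSurfaceReductionRules_Ids
```

The order matters: enabling the blocked-traffic log and running with the allow rules in place for a week is what tells you which updater, agent or line-of-business app talks directly to the internet and needs its own rule before the default flips to Block, and the same audit-then-enforce pattern applies to the ASR rules, several of which (the PsExec/WMI and obfuscated-script rules in particular) fire on legitimate administrative tooling.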

Session participants will leave with zero cost, actionable, and easy to implement endpoint hardening measures that can be implemented in various types of computing environments.

March 16, 2023

Building Better Security Metrics

Presented by Jake Williams

Let’s face it: most of us don’t like gathering and reporting metrics. But the boss says “that which isn’t measured isn’t managed.” Of course, there’s the problem of users gaming metrics to paint unrealistic pictures to stakeholders. Good metrics should serve as a heuristic for stakeholders to understand a situation at a high level without needing to understand all the nuance of how the sausage is made. In other words, metrics should tell a story. Since you’ll be generating security metrics anyway, shouldn’t they tell the right story?

Beyond the obvious justification of “management says you have to,” as an aspiring security leader you should be self-motivated to create and deliver better metrics. If there’s one thing leadership abhors, it’s uncertainty. Better metrics don’t eliminate uncertainty, but they do promote better understanding, leading to better evaluation of risk.

In this presentation, you’ll learn the principles of generating compelling metrics. We’ll then cover examples of easy-to-gather metrics across a range of security disciplines, including SOC, cyber threat intelligence, threat hunting, and incident response. Come learn how to level up your metrics game in this session!

March 2, 2023

Going Atomic: The Strengths and Weaknesses of a Technique-centric Purple Teaming Approach

Presented by Alfie Champion

Atomic purple teaming, i.e. testing individual permutations of offensive techniques outside of a scenario-based exercise, offers an approach that can maximise kill chain coverage and provides a means to benchmark a SOC’s detective capability.

Initially, the methodology for atomic testing will be presented, alongside example results from a typical engagement. We’ll evaluate the significant data set that such testing can produce – e.g. which test cases produce telemetry, which produce alerts, which were prevented – and consider its application in informing SOC strategy, demonstrating Return on Investment, and providing insight into general security posture.

This empirical, data-driven approach is invaluable in developing a bottom-up view of our defenses, i.e. understanding how our detection stack fares when faced with the tactics, techniques and procedures of legitimate actors, but it is not a one-stop shop for adversary emulation. As such, this talk will consider the limitations of such an approach, and how other supplementary collaborative testing can offer a more complete view of detective capability.

February 16, 2023

Preparing your IT SOC for OT Network Security Monitoring

Presented by Wesley Lee

OT and IT convergence is here. One of the biggest pushes in OT/ICS is the implementation of better visibility and increased network security monitoring. Whether you have a fully in-house Security Operations Center or a hybrid one augmented with Managed Security Services, and even if you don’t have the funding or time to implement a separate OT Security Operations Center dedicated to monitoring your OT environment, this talk will discuss strategies, tactics, people, processes, and lessons learned in effectively integrating your OT NSM program into your IT SOC. This talk will lay out a flexible roadmap and walk you through the before, during, and after steps that should be done in order to integrate your OT NSM program into your IT SOC, and how to integrate, mature, respond with, and measure your OT NSM program within your IT SOC without losing focus on the critical aspects of better OT NSM monitoring within your organization.