Name: Justin Williams

Title: Threat Hunting Event Logs w/ Powershell

Abstract: This talk will cover the basics of using the system events on Windows to perform threat hunting and tracking using Sysmon and PowerShell. It will give the attendee some introductory functions and introduce them to larger threat hunting frameworks they can take back to their networks to correlate events across their enterprises. It will allow them to better tune their existing policies if using a SIEM to make sure they’re capturing useful event data, and not just logging everything to look for the needle in the haystack.  

Bio: Justin Williams is an Information Security professional focused on defense strategies with his current organization. During his career, he has worked in systems and server administration, .NET development, database management, and help desk operations. He spends his free time learning about offensive PowerShell attack techniques, reading current malware trends, and has been a member of the OWASP Omaha leadership team since 2015.

Name: Brad Duncan

Title: Malware Distribution Trends – April 2018

Abstract: Criminals distribute malware using both wide-scale methods and targeted attacks. In this presentation, Brad discusses malware distribution trends noted during his day-to-day research as of early April 2018. He first discusses the prevalence of ransomware, then examines three distribution methods: email, social media, and the web. This presentation contains several up-to-date examples of malware distributed through email, and Brad also covers a recent rise in tech support scams through popup browser windows with phone numbers to criminals posing as Microsoft support personnel.

Bio: After 21 years of classified intelligence work for the US Air Force, Brad transitioned to cyber security in 2010, and he is currently a Threat Intelligence Analyst for Palo Alto Networks Unit 42. Brad specializes in network traffic analysis. He is also a handler for the Internet Storm Center (ISC) and has posted more than 100 diaries at Brad routinely blogs technical details and analysis of infection traffic at, where he also provides traffic analysis exercises. His efforts have provided over 1,200 malware and pcap samples during the past 4 years to a growing community of information security professionals.

Name: Brad Beltman

Title: Better Burping – Improving Efficiency with Plugins and DIY

Abstract: From time to time most pentesters get asked which Burp Suite plugins are useful and which ones they use on a regular basis. Loading Burp with too many plugins can have a significant impact on its performance, so choosing the right ones for the job is important. As a professional application penetration tester I use a slew of plugins daily to help me be more efficient, and have dumped others along the way. This talk will focus on which plugins I find especially useful, and how they can help anyone improve their testing. I will also touch briefly on how to write your own plugins using Python. Attendees will leave with ideas on how they can improve their own effectiveness and efficiency in future tests, and write their own plugins when the need arises.

Bio: Brad is a consultant with Secureworks doing full time web application penetration testing. He has a master's degree in Information Assurance from Dakota State University. Certifications include OSCP, GWAPT, GPEN, GCIH, GCED, and CISSP. He is an active member of the local information security community. When not on a computer, Brad is usually tormenting his wife, playing with his two kids, or playing guitar.

Name: Aaron Blythe

Title: Alexa and Google are listening, how much are they transmitting?

Abstract: Over the past couple of years, we have invited Alexa and Google into our homes to listen in. They are only supposed to transmit when they hear the key words “Alexa” or “OK Google”; however, are they transmitting more? Using networking tools I have been able to analyze the traffic being sent from these devices. Is it what you would expect? Come to this talk and find out.

Bio: Aaron Blythe is genuinely curious. He loves taking things apart, understanding them and making them better. He has created software for over 20 years. Aaron is the lead organizer of the Kansas City DevOps Meetup and the DevOpsDayKC conference. He has given many presentations on Development, Operations, Business, Marketing and DevOps over the past several years, most can be found here:

Name: Eric Johnson

Title: Continuous Security: Monitoring & Active Defense in the Cloud

Abstract: Monitoring and feedback loops from production are a critical tenet of DevOps for measuring performance, runtime errors, statistics, and changes. In the SecDevOps world, security teams can take advantage of DevOps monitoring tools to increase security visibility, identify anomalies, and respond swiftly to real-time attacks.

Cloud providers are offering powerful infrastructure, development, and application continuous monitoring services that generate a wealth of data. But, building continuous security monitoring on top of the data can be challenging. Where are the log files? What is the log file format? What security events are captured? How do we display meaningful metrics? Can we detect and defend in real time?

This talk will introduce attendees to a realistic AWS environment’s monitoring and active defense system and discuss real data collected during a war game exercise. Afterwards, we will walk through the postmortem, review the alerts raised during the incident, determine if there were any surprises, and identify opportunities to improve the system. Attendees will walk away with actionable techniques for building an active defense framework to help protect your organization’s cloud resources.

Bio: Eric Johnson is a Principal Security Consultant at Cypress Data Defense where he leads secure software development lifecycle consulting, web and mobile application penetration testing, secure code review assessments, static source code analysis, security research, and security tools development. He also founded the Puma Scan static analysis open source project, which allows software engineers to run security-focused .NET static analysis rules during development and in continuous integration pipelines.

As a Certified Instructor with the SANS Institute, Eric authors application security courses on DevOps, cloud security, secure coding, and defending mobile apps. He serves on the advisory board for the SANS Securing the Human Developer awareness training program, delivers security training around the world, and has presented his security research at conferences including SANS, BlackHat, OWASP, BSides, JavaOne, UberConf, and ISSA.

Eric completed a bachelor of science degree in Computer Engineering and a master of science degree in Information Assurance at Iowa State University, and currently holds the CISSP, GWAPT, GSSP-.NET, and GSSP-Java certifications.

Name: Ben Schmitt

Title: Immutable Architecture and Ruthless Automation

Abstract: What the hell is immutable architecture and why does it matter? In cloud environments, it means treating your servers like cattle, not like pets. You deploy them and you don’t touch them until it is time for new ones. You knock them over, spawn new ones and, since all of this is load balanced and your services are stateless, you get fresh servers without downtime. What’s more… if you monitor them, any interactive use is rogue. Let’s discuss this in practice and cover the benefits related to security. Of course, this is enabled through ruthless automation, and this means embracing git, python/ruby/other and APIs as the new normal. If we can automate things, software can become a force multiplier and we can monitor things differently.

Title: Threat Modeling in practice

Abstract: Threat Modeling is hard to define – is it a noun, verb or neither? For this presentation, we will discuss the creation of a threat model using the STRIDE methodology (Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Escalation of Privilege).

We will decompose an application/system and look for key elements such as: data stores, business processes, trust boundaries, external entities and everything in-between. After we build this diagram, we will look at key areas and see how STRIDE can help us design for better security.

Bio: Ben Schmitt is the VP of Information Security at Dwolla working with a team tasked with securing data and identities. Prior to Dwolla, Ben was the Global Director of Information Security and Compliance at Danfoss and a Security Architect at TDS Telecom. He doesn’t like long walks on the beach, fancy GUIs or single factor authentication but he does like big IPAs, rare steak and solving problems using perl from time to time.

Name: Dr. Matthew Miller

Title: Investigating the FBI’s use of Network Investigative Techniques (NIT)

Abstract: Network Investigative Techniques are used to investigate cyber criminal activities. These techniques have been used to unmask users of Tor who are downloading illegal content from the Tor network. This talk will discuss such techniques, discuss ethical and legal issues, and describe a methodology to test and verify such techniques.

Bio: Matt Miller is a computer science professor at the University of Nebraska at Kearney. He earned his doctorate in Computer Science at Kansas State University. He has worked for lawyers and with the ACLU to help them understand hacking techniques used by the FBI and the ramifications of those attacks. Dr. Miller co-created the new cybersecurity major at UNK, where enrollment starts in the spring.

Name: John Kennedy

Title: Finding and Exploiting Zerodays (Yes, you can do this!)

Abstract: John Kennedy (JK) of First National Bank will check in with us regarding the zero-day he reported in June 2017. He will walk through how he discovered it, developed a proof-of-concept exploit for it, and disclosed it. Topics will include fuzzing, SEH buffer overflow analysis, and exploit development in Python.

Bio: Cybersecurity Researcher / Whitehat Hacker / Bug Bounty Hunter:
Engineered, executed, and submitted numerous real-world cybersecurity exploits, receiving cash bounties and recognition from programs like Hack The Pentagon, Hackerone, and Bugcrowd.

Ranked #300 of 25,550 ethical hackers on (pentest lab)

Latest zero day discovery/exploit and disclosure:

Former Naval Officer

Name: James Beal

Title: Drug Dealing in IOC’s: a retrospective on threat intel and threat hunting in a SOC for the lulz

Abstract: As a part of building up the new SOC at work and because it seemed like a great idea at the time, I started researching readily available threat intelligence sources and threat hunting tactics. This led me to look at both open source/free options and the many vendors out there with TI offerings. These can be either a source of data or tools themselves that offered to attempt to tame the firehose of “information” coming out on a daily basis from all over the net. I also started looking into using this data as a way of doing some threat hunting in our environment and any uses from a personal research perspective. I plan to discuss what I have seen so far, what works, what REALLY does not, and attempt a discussion about where we should go into the future with these tools. At this point, after almost a year and a half, it feels like beyond a few great examples, we are still in the initial stages of this research. The overall industry is “drug dealing in Indicators Of Compromise” instead of looking at overall behaviors, tactics and techniques of the attacker community.

Bio: James Beal is one half of the SOC at Casey’s General Stores as a SOC Analyst, part of the blue team at CGS, along with the Security Engineering team and Risk teams, tasked with defending all of the company assets from cyber attack. On the side, I am an independent info sec researcher and sysadmin, last of the freelance threat hunters specializing in software-related intel.

Name: Andrew Freeborn

Title: Windows COM from the bottom up

Abstract: There has been lots of buzz surrounding Windows COM and the various attacks that take advantage of this crucial subsystem. This talk starts at the basics of Windows COM and by the end leaves the listeners with attacks they can start implementing immediately.

Bio: As an IT Internal Audit Manager at ACI Worldwide, Andrew Freeborn oversees compliance and information security for major global partners in payment processing. By anticipating the latest threats with research, he specializes in the perspective of an attacker to identify specific threats in each partner’s unique security needs. Prior to joining ACI, Andrew served in Red Team, Penetration Testing, and Quality Assurance roles for various global corporations.

Name: Antoinette Stevens

Title: Hacker for the Holidays

Abstract: During Christmas, I decided to give the SANS Holiday Hack challenge another shot. In recent years I would start, become hopelessly overwhelmed and eventually give up, defeated. This time was different. Even though I started a little late, I made it further than I imagined and I’d like to share the new tricks I’ve picked up and a few things I’ve learned about how to get through some of these CTF-like challenges as a novice. During this talk, I’ll walk the audience through an overview of the SANS Holiday Hack (its rules and general information), the different types of challenges that they had this year and how I solved a few of them, and advice for anyone who would like to give it a shot in 2018. While the SANS Holiday Hack is the focal point of this talk, it will mainly focus on specific concepts and tools. For this talk, I will recreate some of the side challenges (cranpi challenges) that were used for this year’s Holiday Hack and walk through them. Technical topics covered during this talk include Linux command line utilities, SQL basics, and basic networking. Soft skill topics include communication skills and problem solving. This is the perfect talk for beginners who are interested in diving into penetration testing and online challenges.

Bio: Antoinette moved to Des Moines from Atlanta, GA in 2015 after graduating with her degree in Computer Science from the University of Georgia. She works as a network security analyst at Principal Financial Group and serves as Executive Director of Reboot Iowa, Inc, a non-profit she founded to teach adults about coding and technology. In her spare time she is an instructor and coordinator for Iowa’s first Girls Who Code club, the chair for TAI’s Diversity and Inclusion committee, and, formerly, a dancer for the Iowa Barnstormers Arena Football Team.  

Name: John O’Keefe-Odom

Title: Evaluating Injection Attack Tools Through Quasi-Natural Experimentation to Inform Risk Assessments and Policies

Abstract: Was our solution to an attack right, and can we prove it?

How can we know if our response behavior is scientific and effective? When adjusting defenses to protect web programs in a small shop, sometimes we will be unable to immediately observe if the defensive changes we’ve made will work to protect our assets. Following the examples of Benjamin Dean and William Shadish, we can design quasi-natural experiments that will allow us to reasonably assess the effectiveness of our treatments.

In most situations, conducting a traditionally controlled scientific experiment for simulating an injection attack will require too many resources and too much time. Quasi-natural experimental designs, when chosen carefully, can help us conserve testing and experimentation. They can help us step closer to proving that a patch or treatment will work to defend against a style of attack. By tying our choices about experimental design back to a standard NIST model of risk assessments, we can support reasonable plans for evaluating injection attack tools and their defenses.

We will address using these techniques to “Respond” to attacks. We will cover:
• Understanding experimental design principles that support situationally sound testing
• Selecting an experimental design to support testing patch implementations
• Relating repairs to risk controls for NIST-based risk assessments

Injection attacks have long been at the forefront of our most frequently observed attack styles. I would suggest that the more automated an attack suite is and the less technical knowledge an operator needs to use it, the more dangerous that tool is to websites. As part of my studies, I will show a basic pattern of analyzing the effects of SQL Injection Attack tools by using quasi-natural experimentation. Using those trials, we will be able to see concrete examples of how the experimental design process can inform the practical planning of defensive tests.

In this talk we will examine the relationship of some popular attack tools, experimental design techniques, and risk assessments. We’ll also cover experimental design and risk analysis for policy change in response to attacks involving: buffer overflows, code injection, network scripting attacks, WiFi replays, LAN wiretaps, phishing campaigns, RFID cloning, and mechanical lockpicking. We’ll cover some experimental design patterns and their strengths and weaknesses. We’ll focus on how the type of quasi-natural experiment we choose, based on a NIST-style risk analysis, can help us direct our attention toward evaluating the effectiveness of solutions to attack problems.

Talk Outline

Whoami – Brief introduction. An overview of how I came to be interested in this particular type of problem. A comparison of military tactical and operational risk assessment predicates to contemporary industry standards. An example topology of criminal transactions related to prostitution and identity theft on carding sites established after exploit. A brief explanation of site discovery and mitigation attempts.

William Shadish and Benjamin Dean. An overview of concepts from two influential scientists whose publications shaped my research. Shadish’s history and work with quasi-natural experiments in Education. Dean’s relation of Shadish’s experimental constructs to testing. Key concepts and vocabulary related to validity and experimental design.

Attacks and Experimental Design Choices. Proposed situations involving different attack types and their relationship to risk controls. Relationships between NIST-based risk controls and experimental design. Cementing a relationship among risk assessments and testing risk controls to forecast defensive effectiveness in implementation. Situations include: buffer overflows, code injection, network scripting attacks, WiFi replays, LAN wiretaps, phishing campaigns, RFID cloning, and mechanical lockpicking.

Bio: John O’Keefe-Odom is a full stack developer in a growing IT department in support of a 5,000 employee chemicals company. His recent projects include development for peracetic acid pathogen control systems used in food processing facilities. His skill set includes: database programming, dynamic web page creation, automated telecommunications, network troubleshooting, packet capture, and general application programming. He has worked with a variety of technologies from punched paper tape and Bell Labs modems to single page applications in Aurelia and ASP.NET Core.

Name: Dan O’Day & Ilya Kobzar

Title: BITS and pieces: Abusing BITS for persistence and privilege escalation

Abstract: As incident responders / reverse engineers, we often learn new things about how Windows works from malware authors. We’ll share how threat actors are leveraging the Windows Background Intelligent Transfer Service (BITS) for persistence and privilege escalation. We’ll present proof-of-concept code demonstrating how this could be abused further, and we’ll show what you’d expect to see both from static and dynamic reverse engineering of this code as well as system artifacts. We’ll be sharing what we’ve learned in our experiences and research in a way that benefits both blue and red team members (insert your favorite “purple team” one-liner here).

Bio: Dan O’Day is a cyber response professional for a large global consulting firm that provides services to clients in the areas of digital forensics and incident response (DFIR) and whatever related technical challenges clients want to pay him to solve. Dan used to do cool stuff for the government, has taught in academic and corporate settings, loves reading, and likes tacos al pastor.

Ilya Kobzar works for a large multinational company and provides incident response, computer forensics, and malware reverse engineering services, in other words: he enjoys finding bad guys in your network, understanding what they’ve done, and how their tools work. Ilya likes reading books and playing video games. He was born and raised in Moscow, Russia.

Name: Nick Starke

Title: IoT Device Post Exploitation

Abstract: So you have a shell on an Internet of Things device. What do you do now? This talk will cover some of the capabilities of common IoT devices “under the hood”. The conversation will then turn to how bad guys can leverage these capabilities to attack end users in a variety of ways. There will be a live demonstration as well so we can see firsthand the impact these devices can have, then extrapolate that impact to discuss IoT attacks at scale.

Bio: Nick Starke is an Iowa based penetration tester and security researcher.

Name: Chad Smith

Title: Threat Intelligence Collection Strategy

Abstract: Basic building blocks around building collection strategies for threat intelligence. – More coming.

Bio: Senior Cyber Security Analyst at Sutter Health in Roseville, CA.

Name: Chad Brewbaker

Title: LANGSEC: Defending against iOS text bombs

Abstract: On February 15, 2018 another iOS text bomb crashed phones worldwide when they attempted to render a class of Unicode strings.

LANGSEC uses formal parsers to eliminate entire classes of security defects caused by human error in eyeballing ad-hoc parsers. In this talk we will introduce the defensive coding practices of LANGSEC, how to spot LANGSEC violations in your existing code, and give a brief introduction to the HAMMER tool for writing formally correct binary parsers.
