#BSidesPGH 10!
Friday June 26th at Rivers Casino!

BSidesPGH is a volunteer-run information security conference held in Pittsburgh. Security BSides is a global series of community-driven conferences presenting a wide range of information security topics.


BSidesPGH 2019

Conference Friday June 28th at Rivers Casino.

Training Thursday June 27th at CoLab18.

Time Black Track Gold Track
8:00 AM
8:45 AM
9:00 AM Open Source Adversary Simulation Toolset Review
Ryan Voloch
Data Breach Countermeasures: Actionable Actions from Actual Cases
John Grim
10:00 AM Honeypots and the Truth about Deception Tech!
Kat Fitzgerald
Picking Up the Pieces: Incident Response for 3rd Party Compromise
Adam Rauf & Conor Osthoff
11:00 AM Death by Thumb Drive: File System Fuzzing with CERT BFF
Will Dormann
BEC: The Rest of the Story
[Talk Not Recorded]

Eric Huber
12:30 PM Threat Modeling for Security Professionals
Matt Trevors
0day to HeroDay: Bringing a Company from Scorched Earth to a Modern Security Organization
Ryan Wisniewski
1:00 PM
The Overlooked Cyber-Security Risk: 3rd Party Risk Management
Rose Songer
2:00 PM GHOSTS in the Machine: Orchestrating a Realistic Cybersecurity Exercise Battlefield
Dustin Updyke
Threat Hunting: Out of the Gate with Windows Logs
Greg Longo & Brian Gardiner
3:00 PM Dead Folks Tell No Tales
Kevin Cody
How to Get Started in Cybersecurity
John Stoner
4:00 PM How to Frustrate a Penetration Tester
Justin Forbes
Crypter Miners vs ML
John Callahan
5:00 PM Transforming Government Compliance
Fen Labalme
Battling Magecart: The Risks of Third-Party Scripts
Kevin Gennuso


Open Source Adversary Simulation Toolset Review - Ryan Voloch

Goals of Presentation are to help the audience:
- Understand the practical benefits of using Adversary Simulation Toolsets such as gap/maturity assessment, threat hunt validation, and operations testing.
- Compare and contrast 4 free Adversary Simulation Toolsets to help select which one(s) are best:
Caldera -
Metta -
EndGame RTA -
Atomic Red Team -
Be encouraged to use and participate in community development of these free toolsets.

Ryan Voloch has 16 years of experience in leading and maturing Cyber Security programs for large national enterprises.  With executing major enhancements of two Security Operations programs under his belt, he has considerable experience with improving defenses via maturity assessments, incident response, and red-teaming.  As a Pittsburgh native, Ryan started his career in retail and in higher education. He is currently working with one of the largest healthcare insurers and providers in the United States.  Among many, some of Ryan’s passions include blue teaming, maturing processes, and developing people.

Data Breach Countermeasures: Actionable Actions from Actual Cases - John Grim

Many data breach victims believe they're in isolation when dealing with sophisticated tactics and zero-day malware never seen before. Our Data Breach Investigations Report (DBIR) findings indicate few breaches are unique: consistently nine (9) cybersecurity incident patterns can be seen, six (6) of these are data breach related.

The Data Breach Digest consists of scenario-driven case studies of these DBIR incident patterns. John will cover some of the more lethal and some of the more common scenarios to illustrate five of the incident patterns: Cyber-Espionage, Crimeware, Web App Attacks, PoS Intrusion, and Insider and Privilege Misuse. For each of these, John will roll through initial detection, response (and investigation), and then cover the countermeasures from an incident response and cybersecurity perspective.

John Grim, the primary author of the Verizon Insider Threat Report, has over 16 years of experience investigating data breaches and cybersecurity incidents within the government and civilian security sectors. John manages a highly technical investigative response team who investigates data breaches and advises on containment / eradication / remediation measures for customers worldwide.

Honeypots and the truth about Deception Tech! - Kat Fitzgerald

<This talk was not recorded.>

Gathering Threat Intelligence is an art. Using it to your advantage is magic. Do you even know what your real security profile is and who/what is attacking you? Vulnerability scans are great, but are you really vulnerable?

Using OSS across honeypots and even Raspberry Pis, none of which requires rocket-science technical skills to deploy, allow you to see the profile of those who might be attacking you. Gathering real Threat Intel, in a live environment, directed at your systems and using the data to be more secure!

This session will demonstrate the use of worldwide honeypots to show how “deception technology" can be gathered and analyzed to more thoroughly understand your environment and the threats facing you.

This talk focuses on Honeypots, threat intel, deception tech and using all the concepts to truly understand the bad actors attacking our servers and appliances. Honeypots and the tech behind them can make a huge difference in real threat intel.

Kat Fitzgerald’s background goes back 30+ years, mostly under the radar, but let’s just say I am a “Purple” Kat. I took my parents stereo apart at the age of 7 to find out where the music came from. I was based in Chicago but now Pittsburgh and a natural creature of winter, you can typically find me sipping Grand Mayan Anejo whilst simultaneously defending my systems using OSS, magic spells and Dancing Flamingos against a barrage of attackers. And I have honeypots all over the world.

Picking up the pieces: Incident Response for 3rd party compromise - Adam Rauf, Conor Osthoff

As individuals, our data is floating around all over the web through social media sites, gaming sites, healthcare, and more. What do we do when our data is compromised by one of those partners, and how does that change when it's our company's data at risk?

We will walk through example de-identified breach cases that have been resolved by us in the past. Through this, we hope to make your incident response more prepared for the challenges these cases encompass and help mature your SOC.

We are hoping to make this more of an interactive discussion so that we can show our methodologies for Incident Response (derived from the PICERL model from SANS) and the checklists we've built from years of experience for handling these types of incidents. These types of incidents leave us handcuffed because we can't be the analysts with our hands on the keyboard. It's important to emphasize what types of data to request and to expect the stewards of our information to provide to us.

Join us for a discussion on lessons learned from dealing with third parties who safeguard our data and how we can prevent them from making those critical mistakes with our data in the future.

Adam Rauf is a team manager working in Incident Response and Forensics at a large regional healthcare company. Previously, he worked at the Managed Security Services Provider (MSSP) Solutionary (now known as NTT), and CERT. Adam holds a Masters of Science in Information Security & Assurance from Carnegie Mellon University, and a Bachelor's in Communications and a minor in Music from the University of Pittsburgh. He holds a Security+ from CompTIA and a GCIH certification from SANS, and is working to obtain his CISSP this spring. In his spare time, Adam enjoys playing music in odd time signatures, obsessively discussing the nuances of flavors in food and craft beer/whiskey, and spending too much money on Steam sales.

Conor Osthoff is a Senior Incident Response Analyst with a strong background in Healthcare and Finance. He possesses a proven track record of responding to compromises of all shapes and sizes. He is an avid hiker and automobile enthusiast that finds enjoyment in difficult challenges both inside the office and out. Conor currently holds a GIAC Certified Forensic Analyst certification and a GIAC Mobile Device Analyst certification.

Death By Thumb Drive: File System Fuzzing with CERT BFF - Will Dormann

CERT BFF is a file mutation fuzzer. Recent changes to BFF enable the ability to extend the operations that are performed by the fuzzer. In this talk I will discuss how I used CERT BFF to fuzz filesystems, and also how I analyzed kernel-level crashes.

As the result of a brief amount of fuzzing, I was able to create a single USB thumb drive that will crash Windows, macOS, Linux, and other operating systems. I will also discuss impacts beyond OS crashes, and attack vectors that do not require physical access to a machine.

Will Dormann has been a software vulnerability analyst with the CERT
Coordination Center (CERT/CC) since 2004. His focus areas include web
browser technologies, ActiveX, mobile applications, and fuzzing. Will has discovered thousands of vulnerabilities using a variety of tools and techniques.

BEC: The Rest of the Story - Eric Huber

<This talk was not recorded.>

Most BEC presentations range from awful to adequate. The better ones nail the information security and incident response portion, but then either neglect to cover what happens after the payment has been initiated by the victim or provides abject erroneous content such as saying that recovery of funds is impossible after a certain amount of time. This presentation will, of course, cover the history of business email compromise attacks starting with how organized crime rings used malware such as Dyre and active social engineering methods to steal banking credentials including 2FA information to initiate fraudulent payments using primary wire transfers. We'll then dive into what happened with fraudsters figured out that just asking for money was lower cost by using social engineering, open source intelligence, and email account takeovers. I'll discuss the different types of fraud rings that are engaging in this activity and also illustrate how organized crime rings engage in poly-fraud methods where they intertwine different types of fraud such as BEC, romance scams, and other fraud methods into a comprehensive flow of funds back into their criminal organizations.

The second portion of the presentation will be what distinguishes this presentation from most other ubiquitous BEC presentations which will cover what happens once the payment has been sent. The key portions of this part of the presentation is educating students on how law enforcement investigates these crimes and how the recovery process works and can be maximized by the student to greatly increase the chances of recovering funds. This part of the presentation will educate the student on correspondent banking and provide the them with an overview of the international wire payment system with an emphasis on how the recovery options work and how the student can look like a rock star in their organization by maximizing the chances of recovering the stolen funds such as leveraging the FBI's financial fraud kill chain process.

Eric Huber is the VP of International and Strategic Initiatives at NW3C. He is a former law enforcement officer with broad experience in digital forensics, incident response, fraud, and cyber crime gained through years of experience in the finance and defense sectors. Eric is a sought-after speaker and educator who writes about cyber crime and digital forensics at his award winning AFoD blog. He holds many professional degrees and certifications including an MBA from the University of Florida

Threat Modeling for Security Professionals - Matt Trevors

As security researchers, penetration testers, and other security professionals look to provide value-added services to their customers, they often find that customers are overwhelmed with the myriad of ways to look at the relationship between threats and the strategies they can employ to mitigate those threats. Enter a tabletop exercise known as STRIDE threat modeling. STRIDE threat modeling outlines a process that gives you the ability to identify threats in system architecture related to spoofing, tampering, repudiation, information disclosure, denial of service, and elevation of privilege. Furthermore, the process can be used to focus on specific risks such as those introduced by the OWASP Top 10. This talk discusses the benefits of using a threat modeling exercise as part of your workflow as well as how you can introduce the exercise to your customers.

Matt Trevors is a Technical Manager for Carnegie Mellon's Software Engineering Institute. Matt has more than 15 years of experience in information technology, information security, and secure software development strategies. Matt obtained him Master's in Computer Information Systems from Boston University and his Bachelor's in Computer Science from the University of New Brunswick. Matt also holds the CISM, CISSP, CCSP professional credentials.

0Day to HeroDay: Bringing a company from scorched earth to a modern security organization - Ryan Wisniewski

Have you ever wondered if your company could run without technology? What would you do if all of your systems were to mysteriously disappeared? Join us as Ryan takes you through a thrilling adventure of multiple breaches that resulted in company wide outages, system destruction, and all out chaos. Ryan will take you through how to build an incident response plan, create new system architecture, run a disaster recovery on the fly while the business was down. He will take you through the challenges of bringing the company back online with the large risk of reinfection. Finally, he will discuss how he started security organizations from scratch to ensure this will won’t happen again. Whatever role you play in your organization, if you touch a computer to perform your job - you will definitely want to check this talk out!

Ryan Wisniewski has been fighting evil for more than a decade. With expertise in driving security transformations with both small-scale and large-scale organizations, Ryan leads various tactical and strategic efforts to ensure the continuing success of the business. Forever a student, Ryan enjoys learning from others and sharing his knowledge whenever he can. Please stop by and say hi - or reach out on Twitter @Ry_Wiz.

The Overlooked Cyber-Security Risk: 3rd Party Risk Management - Rose Songer

<This talk was not recorded.>

An entire business can be put at risk with the simple click of a button. Speed is often considered the priority when an organization realizes a third party can offer value through increased sales, increased throughput or decreased operational expense. However, the failure to properly vet your third party relationships can have serious consequences for your business and your customers.  
Establishing a mature third party information risk assessment process is neither easy, nor a one-time event. This program uses a combination of effective policies and procedures, IT security control frameworks as part of the vendor risk assessment questionnaire, vendor management platform, automation, risk scoring, and working with business partners to facilitate an understanding of risks. This presentation will cover a more thorough examination into the lifecycle of a 3rd party vendor, with the focus on cyber security. We will also take a look into lessons learned with techniques that didn't quite hit the mark on improving the program.

Rose Songer is a GRC Consultant with Seiso, LLC. Prior to joining the Seiso team, she worked as a Third-Party Management Lead at a major retailer. Within this program, she developed a comprehensive framework and evaluation process to assess vendors, as well as integrated automation with a cloud platform. Rose has a diverse IT and Security background spanning over 13 years' in network security/administration, enterprise vendor risk management, and security awareness program development and implementation. She brings over 8 years of experience from her time spent in the Navy as an Information System Technician. Rose also has her M.S. in Cyber Security and Information Assurance and a B.S. in Advanced Networking. Her industry experience spans health care, federal government, and retail.

GHOSTS in the Machine: Orchestrating a Realistic Cybersecurity Exercise Battlefield - Dustin Updyke

As cybersecurity becomes increasingly demanding, leaders are challenged to provide optimal training and exercise in a growing number of scenarios. In order to be valuable, security operators must train as they fight. Since 2011, our team within CERT has delivered over 125 complex, large scale cybersecurity exercises to over 8,000 participants from government and commercial clients. This presentation introduces the research and technology behind a platform for realistic cybersecurity exercises called GHOSTS. The talk also describes the challenges involved in creating authentic cyber exercises, our research into building realism into each aspect of the exercise for both blue and red teams, and presents a case study of an exercise where the framework was successfully employed.

Dustin Updyke is a Cybersecurity Researcher at the Carnegie Mellon University’s CERT. Having previously served with multiple industries in an array of technology roles — Dustin transitioned into security, supporting cyber workforce development for multiple government and commercial contracts. His current interests are in Game Theory, Machine Learning and AI.

Threat Hunting: Out of the Gate with Windows Logs - Greg Longo, Brian Gardiner

Threat hunting has been a hot buzz word for the better part of the past decade. Just how far has the security community come in breaking down the concept of hunting and what has emerged as some of the industry best practices in this area? Countless blogs have been written, training courses developed, and conferences organized around the fundamentals of hunting, what it is, how to do it, and what makes it great. Nonetheless, the timeless question do I get started? Through a combination of guided discussion and hands-on demonstrations, this presentation will attempt to answer that question while also providing actionable material that attendees can immediately begin using to uncover anomalous activity given the right access to data sources and contextual information.

While focusing on the basics, this presentation will highlight the value of fundamental Windows logging and open source tools for threat hunting.
1. Introduction
A. Emergence of threat hunting as a practice
B. Challenges with getting started in an operationally effective manner
2. Methodology
A. Overview of "how" to conduct hunting operations
B. Associated frameworks (e.g. MITRE ATT&CK)
3. Data!
A. Hunting is all about the data
B. Exploring Microsoft Windows logs
4. Tools
A. Community tools to the rescue
B. Deploying and using open source tools to get your hunting expedition off the ground

Greg Longo is a senior threat analyst on the JASK Special Ops team with over a decade of cybersecurity experience in both the public and private sectors. Prior to joining JASK, Greg was the global threat management lead at Covestro and held a number of technical positions at CERT, part of the Software Engineering Institute at Carnegie Mellon University. Greg has been with the U.S. Air Force and Air National Guard since 2002 as a cyberspace operations officer and is currently the Commander of the 166th Communications Flight. Along the way, Greg has earned a Master of Science degree from Carnegie Mellon University along with a Bachelor of Business Administration degree from The University of Pittsburgh and a Master of Business Administration degree from Wright State University.

Brian Gardiner is a senior threat analyst on the JASK Special Ops team. Brian has over eight years of experience in cybersecurity with previous positions which include vulnerability analyst and security engineer, across both public and private sectors. Prior to JASK, Brian worked as a senior incident response analyst with IBM X-Force IRIS and at Aetna as the information security advisor for the Security Data Analytics team. Brian earned a Bachelor of Arts degree from The University of Pittsburgh and a Master of Science degree from Carnegie Mellon University.

Dead Folks Tell No Tales - Kevin Cody

Death, wills, estate planning… I get it, this is not a topic that many people want to discuss. However, take a moment to think about the sophisticated authentication and authorization systems we use today. Does your significant other or family have everything they need to access, archive, and disseminate the digital lives that we technologists live? Furthermore, with more and more services accepting the use of multi-factor authentication, are you adequately prepared for anyone outside of yourself to authorize access? This presentation will break down different types of authentication technology and the barriers that might face your next-of-kin, in the event that an untimely (but ultimately inevitable) situation arises. Additionally, this talk will evaluate the risks and benefits of the current beneficiary recovery mechanisms available within password vaults, social media, financial services, and more. If the goal is to have strong authentication without single points of failure, we need to plan ahead and think of how we can bequeath our digital assets – this presentation will educate and implore you to do just that.

Kevin Cody is a Principal Application Security Consultant with experience working at several Fortune 500 enterprises. Although his particular expertise is geared toward hacking Web and Mobile applications, he is also experienced in the entire gamut from mainframes to embedded systems. Kevin is adamant on helping build-up developers through security, which can be seen in his involvement within OWASP or while speaking at events like CodeMash or BSides. In his spare time, Kevin can be found attempting to repair something (via online DIY videos), reading tech books, fishing, or simply spending time with his wife and children.

How to get started in cybersecurity - John Stoner

John Stoner will discuss how to get into cybersecurity and discuss some myths and realities about this journey. The presentation will include technical points about important learning foundations and different paths in the field, and some pointers about getting that first real cybersecurity job.

Attendees will learn how to get started on a path in cybersecurity, beyond (but including), the traditional bootcamps, and self-study methodologies. John also will take questions and make the end a participative presentation/discussion.

Mr. Stoner is a GS14 with the Department of Defense (DoD). Mr. Stoner has over 18 years of experience in the national security and defense sector working a variety of roles, including most recently as a Cyber Threat Analyst, Cyber Counterintelligence Analyst and Cyber Instructor.

His experience includes IT, instruction and course design, cyber exercise and testing, penetration testing, threat support, SIGINT (Signals Intelligence), and Cyber Operations. He holds A+, Net+, CEH, CHFI, CEI, CISD, CASP and CISSP certifications. He also holds a Computer Studies Associates degree from UMUC. He got started in military intelligence and then government cybersecurity by secretly joining the Army when he was 19 and getting married. One of those things worked out really well!

How to Frustrate A Penetration Tester - Justin Forbes

Over the past several years, most penetration tests have shared several common steps in the attack path. These commonalities between engagements allow penetration testers quick access to critical systems and lead to full network compromise. Most penetration testers, and attackers, will work only as hard as necessary to complete the objective. By forcing them to work harder, organizations will either get a better report or discover they need a better pen tester.
This talk will examine some of the typical ways in which a penetration tester might approach an engagement, including anonymized stories from real assessments. We will look at common initial access, privilege escalation, and lateral movement techniques. For each technique, we will look at how to detect an active attack. Additionally, we will apply the concepts of defense in depth to identify multiple overlapping, preventative measures which can be used to stop the attacks. By implementing the discussed detective and preventive security controls, a penetration tester cannot rely on the same techniques used in years past, ultimately forcing the tester to work harder.

Justin Forbes is the team lead of the Applied Network Defense team at CMU/SEI/CERT. He has been leading penetration testing teams for the past five (5) years targeting federal, state, local, and critical infrastructure organizations. Justin earned his Masters in Telecommunications from the University of Pittsburgh in 2010 and his Bachelors in Information Sciences in 2008. His typical Primanti Brothers order is the ragin cajun chicken sandwich and a tall IC light.

Cryptocoin Miners vs ML - Jonn Callahan

This talk will be a walkthrough of how Jonn built a detection engine focused on finding cryptocoin miners within an AWS architecture. It utilizes AWS Flow Logs as the data source and multiple statistical analysis techniques for both massaging the data and performing the actual detection. This will not be a deep dive of the math itself, but rather a high-level overview of why Jonn chose the techniques he did. If you've ever wanted to take your blue team skills to a level beyond simple rule generation, this will be the talk for you.

Jonn Callahan spent the last six years working within appsec but have spent a lot of my free time (and R&D company time) building tooling. Jonn got a love for automation and have recently rediscovered my love for math through learning ML. While marrying these fields together is nothing new nor novel, Jonn wanted to bring these concepts into the light, showing that you don't need a PhD in mathematics to leverage these concepts to further enhance your blue team responsiveness and environment insight.

Transforming Government Compliance - Fen Labalme

The goal of compliance frameworks like HIPPA, SOX and FISMA is to ensure that basic security controls are met. The Federal government and an increasing number of state and local governments look to the Risk Management Framework (RMF) as defined by NIST SP 800-53r4 as the baseline for compliance management. Unfortunately, the RMF is rooted in static,  waterfall methods and it’s clear that compliance does not equal security. While the RMFv2 (described in NIST SP 800-37v2) talks of continuous monitoring and ongoing authorization, the culture and proprietary tool sets provide significant friction to slow down any agile efforts.

This talk will briefly overview the current state of the art as practiced by federal authorizing officials (AOs) and some of the issues faced, many of which are cultural. A small but growing community is looking at ways to automate the system security plans (SSP) creation and build security management into the CI/CD (DevSecOps) pipeline. And due to the cultural status quo, significant effort goes into creating properly formatted MS Word docs from the updated git and S3 artifact repositories. Finally, we’ll touch on how free/libre data formats and protocols are necessary to support viable continuous monitoring as application boundaries vary wildly and threat landscapes change too rapidly to rely on black-box proprietary agents to fully monitor.

Fen Labalme, CISSP, has been involved with data security and personal privacy for decades, starting with his 1981 M.I.T. thesis of an electronic newspaper that foresaw problems with personalization if privacy was ignored (NewsPeek). Today, Fen is the Chief Information Security Officer for CivicActions and is working to bring agile, free and open source security to government agencies fettered with antiquated, static cybersecurity compliance requirements. Fen’s goal for this year is to enable general purpose “Authority to Operate” (ATO) authorizations in two weeks where currently this process takes agencies from nine months to three years.

Battling Magecart: The Risks of Third-Party Scripts - Kevin Gennuso

Magecart made the news in 2018 due to the huge number of e-commerce websites those groups were able to compromise. The various groups' methods were dissimilar, but their underlying goal was the same: stealing information submitted via web forms.

This talk will focus on the risks of using third-party scripts on web sites and how to wrap protections around them. I'll do a high-level overview of Magecart and why they are able to do what they do. I'll then move into protecting against malicious scripts using Content Security Policy and Subresource Integrity. The talk will be relatively high-level, but there will be some technical discussion around JavaScript, HTTP headers, and browser hijacking.

Kevin is Sr. Infosec Architect at DICK'S Sporting Goods and a Pittsburgh native. Kevin has helped companies around the city secure their environments for over 20 years. Proud owner of a Black and Gold Badge and an FBI-issued Terrible Towel, he enjoys sharing knowledge at infosec conferences large and small.


Blue Team Investigations and Capture the Flag

Thursday, June 27th - 9:00 AM to 5:30 PM

Incident response, aka “blue”, teams have a large challenge in preventing, detecting and responding to attacks and security incidents. In this workshop, we will cover some techniques and tools to allow incident responders to identify various malicious activities using network packet captures, and logs from various systems to piece together a scenario-based attack. During the training, we will cover the following areas:

1) Network investigation using packet capture analysis. Using Wireshark, we will walk through the structure of network packet captures to allow an investigator to identify various traffic types, including, CIFS/SMB, DNS, HTTP, and other common protocols.

2) Network investigation using network metadata and logs. Using Suricata and Bro/Zeek, we will walk through network metadata and logs for traffic and compare and contrast the information provided by these types of tools when compared to network packet captures.

3) System investigation using system logs. Using the Microsoft Advanced Threat Analytics, Windows Event Forwarding, Windows System Auditing, PowerShell logging, osquery, Sysmon, and other host logging capabilities, we will walk through artifacts common on systems that have fallen victim to an attack.

4) To tie the coursework together, we will have a “Blue Team” Capture the Flag exercise in the afternoon, where we will have the attendees walk through artifacts from a scenario-based attack. The attack will be fashioned after the techniques and tactics observed through real-life attacks. 5) At the end of the day, we will recap the attack and items in the capture the flag and walk through the attack timeline with participants so they can ensure they were able to locate each of the artifacts and techniques of the attacker.

Course Duration: 7 Hours


Laptop with Wireshark installed for packet capture analysis and Oracle VirtualBox installed for running virtual machines for analysis. Attendees computers should have at least 8 GB of RAM and 60GB of free disk space on an internal or removable disk.


James Ringold is a Chief Security Advisor in the Microsoft Enterprise Cybersecurity Group. James has more than 20 years in the information security field. He has a successful track record of helping large companies, in retail, wholesale, aerospace, defense and nuclear energy sectors rebuild and recover their security programs. A former CISO, Security Architect, Security Operations Manager and Incident Responder, James has helped companies develop and mature their information security programs focusing on threat, risk and vulnerability management practices. James has authored and co-authored articles for Information Security magazine on the topics of nation-state sponsored attacks and vulnerability management. James earned an MBA from the University of Minnesota and has maintained the CISSP certification since 2004.

Jon Zeolla is the co-founder and CTO of Seiso, where he leads all technical engagements, research, and service development. He contributes heavily in the Pittsburgh Information Security community, is the founder of the largest Pittsburgh InfoSec group, Steel City Information Security, created the PittSec project to enhance local infosec collaboration, and co-founded Burgh Security Events, the organization whose primary event is the annual BSides Pittsburgh security conference. Jon also contributes to emerging open source technologies such as Apache Metron and Zeek.

Purple Team Tactics (PTTs): Emulating LOLBin Attack Strategies

Thursday, June 27th - 9:00 AM to 12:30 PM

Purple Teaming incorporates blue team "monitor, detect and respond" capabilities with the red team "surveil and assault" strategies to support one key mission: To improve the organization's security posture. To test threat detection and response capabilities, red teams are charged with simulating real world threats - the more realistic the better! Over the last few years, adversaries are increasing making use of "Live Off the Land" strategies, repurposing native Windows binaries to achieve strategic goals such as privilege escalation, lateral movement, persistence and C2 communication. Not only do these strategies allow attackers to evade AV & EDR detection, but Blue teams often have poor concept of baselining for usage of these native Windows binaries within their own environment. This 4-hour training session will provide the full purple teaming experience, with walk-throughs of LOLBin attacks to achieve "actions on objective", ensuring survivability through persistence and remote execution for lateral movement. Attendees will also perform live triage and memory analysis on affected targets to detect indications of LOLBin abuse. Key takeaways will include enterprise-scaled detection and mitigation strategies to prevent future LOLBin abuse in your own environment. Join incident response analyst and SANS Instructor Alissa Torres for exposure to some of these sneaky LOLBin and LOLScript techniques and how they can best be employed in a purple team collaboration.

Course Duration: 3.5 Hours


Laptop with VMware, VirtualBox, USB-B port or converter for USB-B storage. The instructor will provide external hard drives that will contain the three or four VMs used in class.


Alissa Torres is a Principal SANS instructor specializing in advanced digital forensics and incident response (DFIR). Alissa was recognized by SC Magazine as one of its "2016 Women to Watch." and a recipient of the Enfuse 2018 Difference Makers Award for her efforts in educational outreach. She has more than 15 years of experience in computer and network security that spans government, academic and corporate environments. Her current role as Founder and Senior Consultant at Sibertor Forensics, a security operations and incident response consulting company, provides daily challenges “in the trenches” and demands constant technical growth. Alissa is a frequent presenter at industry conferences (RSA, BSides, Shmoocon, Enfuse) and has taught hundreds of security professionals over the last 5 years in more than 12 countries. As the lead author of the SANS FOR526 Advanced Memory Forensics and Threat Detection course, she is passionate about memory management and forensic artifact hunting.

Octavio Paguaga is a penetration tester and instructor with deep roots in network and system administration. He currently works as a Senior Red Team Operator and Training Content Developer at SimSpace, architecting attack scenarios that advance the skillset of cyber professionals through real time assessments and practical skills application. He has presented and given training at various BSIDES conferences located on the east coast regarding PowerShell. His areas of interest are Active Directory, and Windows COM.

Guerrilla Blue Team: Building a robust logging and alerting infrastructure on a shoestring budget

Thursday, June 27th - 2:00 PM to 5:30 PM

Using only free and open source tools (and mostly commodity hardware) we'll show you how to build a reliable, scalable, intelligent logging and alerting infrastructure that will rival any of the paid SIEM solutions on the market. If you don't have a SIEM, aren't happy with your current solution or want to less expensive way to log more data, this workshop is for you. By the end of this four hour hands-on session you will have the tools to log anything you can imagine.

The workshop is divided into the following sections:

Deploying a logging and alerting infrastructure:
- Build and scale log ingestion nodes,
- Plan, configure, deploy, and maintain a data warehouse,
- Stand-up and use a search front-end,
- Secure your logging infrastructure

Collecting and normalizing logs:
- Collect and log from a variety of sources:
- Windows hosts (event logs, Sysmon, DNS, custom command output, and more),
- Linux hosts (system logs and Journald),
- Network data,
- Data stored within databases,
- osquery,
- File and Registry Integrity Monitoring,
- Normalize log data from all of these sources

Enriching logs and building baselines and inventories using the following sources:
- Vulnerability scanner output,
- Active Directory data,
- GeoIP data,
- Threat intelligence feeds

Create baselines to identify anomalous behavior:
- Take a systematic approach to alert writing,
- Create basic alerts with ElastAlert,
- Implement event-based scoring,
- Correlate events and implement prioritized alerting to reduce noise and alert fatigue

You'll take home all of the following from this workshop:
- PDF copy of slides,
- Production-ready, scalable containers for each of the infrastructure components,
- Custom scripts, configuration files, and example alerts,
- Cheat Sheets to help you remember and reproduce what you've done in the workshop

Course Duration: 3.5 Hours


Laptop with Admin rights, VirtualBox installed, 8 GB ram, 50 GB free space, CPU sufficient to run at least 2 VMs at once


Garrett White is a Security Engineer at Cboe Global Markets. He has over 10 years experience in InfoSec and Information Technology. Recently, he has specialized in building out SIEMs for several organizations in the energy and financial sector. He is a certified Splunk Admin and GIAC certified malware reverse engineer (GREM) and penetration tester (GPEN).

Dusty Evanoff is a Security Engineer at Cboe Global Markets. He has been studying and working in information security for over 10 years with experience in both offensive and defensive security. He has worked with multiple SIEM products, but most recently has been working on building, scaling and automating custom logging and alerting solutions. He has an MSIA from Dakota State University, and is a GIAC Exploit Researcher and Advanced Penetration Tester (GXPN) and CISSP.

Capture The Flag

The Pittsburgh BSides CTF is designed to reflect real life scenarios faced by security professionals when deployed in the field. In this offense-only event, the individual's job is to penetrate several layers of an environment and collect flags for points along the way. Our CTF tech team consists of active security professionals with decades of experience in penetration testing. Their experience, expertise, and know how are leveraged to create a fun CTF that is technically challenging and realistic. The event lasts for 6 hours, from 9am until 3pm, at the BSides PGH main event on June 28th.

There will be prizes for the top 3 participants in the "Primary" CTF (Gear, NetWars subscriptions, challenge coins, and more!). In case of a tie for 1st, 2nd, or 3rd, the ranking will be determined by person taking least amount of time to capture the flags.

In order to participate you will need to bring your own laptop, and we suggest having at least two wireless NICs.

Warning: During the CTF, you will be connecting to a hostile network. Your laptop might be attacked. Do not have any sensitive data stored on your system. BSides Pittsburgh is not responsible for your system if someone attacks it.

Amateur Radio

Amateur Radio Exams were at 9:15AM by W3VC Carnegie Tech Radio Club

We will be offering the Amateur Radio exams during this yearʼs BSides Pittsburgh Conference. If you would like to take the test, we ask that you register on the FCC web site and get an FCC Registration Number (FRN). This allows us to process paperwork without needing your social security number. Please note that your Social Security Number or FCC Registration Number is required by the FCC, and you will not be granted a license if you decline to provide one on the application form. Certain exceptions apply for non-U.S. citizens who do not have a Social Security Number. Examinees concerned about the privacy of their Social Security Number are encouraged to request an FRN from the FCC before the exam date. This can be done by visiting the FCC ULS Online System and choosing the "Register" button in the "New Users" section. Please contact us ( if you have any questions regarding these policies. You must also present a valid state or federal issued photo ID. If you do not have one, you will not be allowed to test.

In order to become an amateur radio operator in the United States, you must first pass one or more multiple-choice exams to obtain a license from the FCC. These exams cover basic theory of electronics and radio, as well as FCC rules, and are administered by groups of volunteer examiners around the country, including a group here from Carnegie Mellon. We offer exams for Technician, General, and Extra class licenses. You can take any or all of the exams for a single fee. Knowledge of Morse code is no longer required to obtain an amateur radio license in the U.S.

What to Bring:

  • Legal photo ID, such as a driver’s license or passport

  • $15 cash, or a check made out to ARRL VEC

  • Your Social Security Number or FCC Registration Number (FRN)

  • Your existing FCC license or CSCE, if you are upgrading

  • Pen or pencil

  • Calculator, if you need one (preferably non-programmable, or we will have to erase its memory)

  • Documentation of any disabilities you feel we should accommodate, signed by a doctor

Study Materials

The ARRL Store offers many study guides in print and audio format. Additionally, the actual questions that you will see on the exam are published for anyone to review (granted, there are hundreds of possible questions and only a few dozen will be randomly selected for your exam, so you probably shouldn't try to memorize all the answers). Many web sites offer practice tests, including QRZ and AA9PW. Additionally, the KB6NU No Nonsense Study Guides for Technician and General may be helpful.


  • Premier

    • Teraswitch

  • Diamond

    • Security Risk Advisors

    • Defy Security

  • Platinum

    • TrustedSec

    • RoundTower

    • Optiv

    • XM Cyber

    • SecureWorks

    • Ethical Intruder

    • Area1

    • Checkpoint

    • FireEye

    • Cybereason

    • ISM

    • Cyber Crucible

    • Verodin

    • Crowdstrike

    • LogRhythm

  • Gold

    • Seiso

  • After Party

    • Tenable

  • Silver

    • Solutions4Networks

    • Microsoft

    • McAfee

    • Pittsburgh ISSA

    • NCFTA

    • SANS

    • Black Hills Information Security

  • Friends

    • Blacks In Cyber

    • Red Chair Pittsburgh

    • Carnegie Mellon University Information Networking Institute

    • Pittsburgh InfraGard


  • Joe Wynn

  • Andy Gish-Johnson

  • Jon Zeolla

  • Annie Howard

  • Brian Gray

  • Jonathan Baeckel

  • Zach Holt

  • Dylan McGuire

  • Eric Lansbery

  • Ryan Painter

  • Michael Schroeder