#BSidesPGH 10!
Friday June 26th at Rivers Casino!

BSidesPGH is a volunteer-run information security conference held in Pittsburgh. Security BSides is a global series of community-driven conferences presenting a wide range of information security topics.



Open Source Adversary Simulation Toolset Review

Ryan Voloch

Goals of Presentation are to help the audience:
- Understand the practical benefits of using Adversary Simulation Toolsets such as gap/maturity assessment, threat hunt validation, and operations testing.
- Compare and contrast 4 free Adversary Simulation Toolsets to help select which one(s) are best:
Caldera -
Metta -
EndGame RTA -
Atomic Red Team -
Be encouraged to use and participate in community development of these free toolsets.

Ryan Voloch has 16 years of experience in leading and maturing Cyber Security programs for large national enterprises.  With executing major enhancements of two Security Operations programs under his belt, he has considerable experience with improving defenses via maturity assessments, incident response, and red-teaming.  As a Pittsburgh native, Ryan started his career in retail and in higher education. He is currently working with one of the largest healthcare insurers and providers in the United States.  Among many, some of Ryan’s passions include blue teaming, maturing processes, and developing people.

Data Breach Countermeasures: Actionable Actions from Actual Cases

John Grim

Many data breach victims believe they're in isolation when dealing with sophisticated tactics and zero-day malware never seen before. Our Data Breach Investigations Report (DBIR) findings indicate few breaches are unique: consistently nine (9) cybersecurity incident patterns can be seen, six (6) of these are data breach related.

The Data Breach Digest consists of scenario-driven case studies of these DBIR incident patterns. John will cover some of the more lethal and some of the more common scenarios to illustrate five of the incident patterns: Cyber-Espionage, Crimeware, Web App Attacks, PoS Intrusion, and Insider and Privilege Misuse. For each of these, John will roll through initial detection, response (and investigation), and then cover the countermeasures from an incident response and cybersecurity perspective.

John Grim, the primary author of the Verizon Insider Threat Report, has over 16 years of experience investigating data breaches and cybersecurity incidents within the government and civilian security sectors. John manages a highly technical investigative response team who investigates data breaches and advises on containment / eradication / remediation measures for customers worldwide.

Honeypots and the truth about Deception Tech!

Kat Fitzgerald

Gathering Threat Intelligence is an art. Using it to your advantage is magic. Do you even know what your real security profile is and who/what is attacking you? Vulnerability scans are great, but are you really vulnerable?

Using OSS across honeypots and even Raspberry Pis, none of which requires rocket-science technical skills to deploy, allow you to see the profile of those who might be attacking you. Gathering real Threat Intel, in a live environment, directed at your systems and using the data to be more secure!

This session will demonstrate the use of worldwide honeypots to show how “deception technology" can be gathered and analyzed to more thoroughly understand your environment and the threats facing you.

This talk focuses on Honeypots, threat intel, deception tech and using all the concepts to truly understand the bad actors attacking our servers and appliances. Honeypots and the tech behind them can make a huge difference in real threat intel.

Kat Fitzgerald’s background goes back 30+ years, mostly under the radar, but let’s just say I am a “Purple” Kat. I took my parents stereo apart at the age of 7 to find out where the music came from. I was based in Chicago but now Pittsburgh and a natural creature of winter, you can typically find me sipping Grand Mayan Anejo whilst simultaneously defending my systems using OSS, magic spells and Dancing Flamingos against a barrage of attackers. And I have honeypots all over the world.

Picking up the pieces: Incident Response for 3rd party compromise

Adam Rauf & Conor Osthoff

As individuals, our data is floating around all over the web through social media sites, gaming sites, healthcare, and more. What do we do when our data is compromised by one of those partners, and how does that change when it's our company's data at risk?

We will walk through example de-identified breach cases that have been resolved by us in the past. Through this, we hope to make your incident response more prepared for the challenges these cases encompass and help mature your SOC.

We are hoping to make this more of an interactive discussion so that we can show our methodologies for Incident Response (derived from the PICERL model from SANS) and the checklists we've built from years of experience for handling these types of incidents. These types of incidents leave us handcuffed because we can't be the analysts with our hands on the keyboard. It's important to emphasize what types of data to request and to expect the stewards of our information to provide to us.

Join us for a discussion on lessons learned from dealing with third parties who safeguard our data and how we can prevent them from making those critical mistakes with our data in the future.

Adam Rauf is a team manager working in Incident Response and Forensics at a large regional healthcare company. Previously, he worked at the Managed Security Services Provider (MSSP) Solutionary (now known as NTT), and CERT. Adam holds a Masters of Science in Information Security & Assurance from Carnegie Mellon University, and a Bachelor's in Communications and a minor in Music from the University of Pittsburgh. He holds a Security+ from CompTIA and a GCIH certification from SANS, and is working to obtain his CISSP this spring. In his spare time, Adam enjoys playing music in odd time signatures, obsessively discussing the nuances of flavors in food and craft beer/whiskey, and spending too much money on Steam sales.

Conor Osthoff is a Senior Incident Response Analyst with a strong background in Healthcare and Finance. He possesses a proven track record of responding to compromises of all shapes and sizes. He is an avid hiker and automobile enthusiast that finds enjoyment in difficult challenges both inside the office and out. Conor currently holds a GIAC Certified Forensic Analyst certification and a GIAC Mobile Device Analyst certification.

Death By Thumb Drive: File System Fuzzing with CERT BFF

Will Dormann

CERT BFF is a file mutation fuzzer. Recent changes to BFF enable the ability to extend the operations that are performed by the fuzzer. In this talk I will discuss how I used CERT BFF to fuzz filesystems, and also how I analyzed kernel-level crashes.

As the result of a brief amount of fuzzing, I was able to create a single USB thumb drive that will crash Windows, macOS, Linux, and other operating systems. I will also discuss impacts beyond OS crashes, and attack vectors that do not require physical access to a machine.

Will Dormann has been a software vulnerability analyst with the CERT
Coordination Center (CERT/CC) since 2004. His focus areas include web
browser technologies, ActiveX, mobile applications, and fuzzing. Will has discovered thousands of vulnerabilities using a variety of tools and techniques.

BEC: The Rest of the Story

Eric Huber

<This talk will not be recorded.>

Most BEC presentations range from awful to adequate. The better ones nail the information security and incident response portion, but then either neglect to cover what happens after the payment has been initiated by the victim or provides abject erroneous content such as saying that recovery of funds is impossible after a certain amount of time. This presentation will, of course, cover the history of business email compromise attacks starting with how organized crime rings used malware such as Dyre and active social engineering methods to steal banking credentials including 2FA information to initiate fraudulent payments using primary wire transfers. We'll then dive into what happened with fraudsters figured out that just asking for money was lower cost by using social engineering, open source intelligence, and email account takeovers. I'll discuss the different types of fraud rings that are engaging in this activity and also illustrate how organized crime rings engage in poly-fraud methods where they intertwine different types of fraud such as BEC, romance scams, and other fraud methods into a comprehensive flow of funds back into their criminal organizations.

The second portion of the presentation will be what distinguishes this presentation from most other ubiquitous BEC presentations which will cover what happens once the payment has been sent. The key portions of this part of the presentation is educating students on how law enforcement investigates these crimes and how the recovery process works and can be maximized by the student to greatly increase the chances of recovering funds. This part of the presentation will educate the student on correspondent banking and provide the them with an overview of the international wire payment system with an emphasis on how the recovery options work and how the student can look like a rock star in their organization by maximizing the chances of recovering the stolen funds such as leveraging the FBI's financial fraud kill chain process.

Eric Huber is the VP of International and Strategic Initiatives at NW3C. He is a former law enforcement officer with broad experience in digital forensics, incident response, fraud, and cyber crime gained through years of experience in the finance and defense sectors. Eric is a sought-after speaker and educator who writes about cyber crime and digital forensics at his award winning AFoD blog. He holds many professional degrees and certifications including an MBA from the University of Florida

Threat Modeling for Security Professionals

Matt Trevors

As security researchers, penetration testers, and other security professionals look to provide value-added services to their customers, they often find that customers are overwhelmed with the myriad of ways to look at the relationship between threats and the strategies they can employ to mitigate those threats. Enter a tabletop exercise known as STRIDE threat modeling. STRIDE threat modeling outlines a process that gives you the ability to identify threats in system architecture related to spoofing, tampering, repudiation, information disclosure, denial of service, and elevation of privilege. Furthermore, the process can be used to focus on specific risks such as those introduced by the OWASP Top 10. This talk discusses the benefits of using a threat modeling exercise as part of your workflow as well as how you can introduce the exercise to your customers.

Matt Trevors is a Technical Manager for Carnegie Mellon's Software Engineering Institute. Matt has more than 15 years of experience in information technology, information security, and secure software development strategies. Matt obtained him Master's in Computer Information Systems from Boston University and his Bachelor's in Computer Science from the University of New Brunswick. Matt also holds the CISM, CISSP, CCSP professional credentials.

0Day to HeroDay: Bringing a company from scorched earth to a modern security organization

Ryan Wisniewski

Have you ever wondered if your company could run without technology? What would you do if all of your systems were to mysteriously disappeared? Join us as Ryan takes you through a thrilling adventure of multiple breaches that resulted in company wide outages, system destruction, and all out chaos. Ryan will take you through how to build an incident response plan, create new system architecture, run a disaster recovery on the fly while the business was down. He will take you through the challenges of bringing the company back online with the large risk of reinfection. Finally, he will discuss how he started security organizations from scratch to ensure this will won’t happen again. Whatever role you play in your organization, if you touch a computer to perform your job - you will definitely want to check this talk out!

Ryan Wisniewski has been fighting evil for more than a decade. With expertise in driving security transformations with both small-scale and large-scale organizations, Ryan leads various tactical and strategic efforts to ensure the continuing success of the business. Forever a student, Ryan enjoys learning from others and sharing his knowledge whenever he can. Please stop by and say hi - or reach out on Twitter @Ry_Wiz.

The Overlooked Cyber-Security Risk: 3rd Party Risk Management

Rose Songer

An entire business can be put at risk with the simple click of a button. Speed is often considered the priority when an organization realizes a third party can offer value through increased sales, increased throughput or decreased operational expense. However, the failure to properly vet your third party relationships can have serious consequences for your business and your customers.  
Establishing a mature third party information risk assessment process is neither easy, nor a one-time event. This program uses a combination of effective policies and procedures, IT security control frameworks as part of the vendor risk assessment questionnaire, vendor management platform, automation, risk scoring, and working with business partners to facilitate an understanding of risks. This presentation will cover a more thorough examination into the lifecycle of a 3rd party vendor, with the focus on cyber security. We will also take a look into lessons learned with techniques that didn't quite hit the mark on improving the program.

Rose Songer is a GRC Consultant with Seiso, LLC. Prior to joining the Seiso team, she worked as a Third-Party Management Lead at a major retailer. Within this program, she developed a comprehensive framework and evaluation process to assess vendors, as well as integrated automation with a cloud platform. Rose has a diverse IT and Security background spanning over 13 years' in network security/administration, enterprise vendor risk management, and security awareness program development and implementation. She brings over 8 years of experience from her time spent in the Navy as an Information System Technician. Rose also has her M.S. in Cyber Security and Information Assurance and a B.S. in Advanced Networking. Her industry experience spans health care, federal government, and retail.

GHOSTS in the Machine: Orchestrating a Realistic Cybersecurity Exercise Battlefield

Dustin Updyke

As cybersecurity becomes increasingly demanding, leaders are challenged to provide optimal training and exercise in a growing number of scenarios. In order to be valuable, security operators must train as they fight. Since 2011, our team within CERT has delivered over 125 complex, large scale cybersecurity exercises to over 8,000 participants from government and commercial clients. This presentation introduces the research and technology behind a platform for realistic cybersecurity exercises called GHOSTS. The talk also describes the challenges involved in creating authentic cyber exercises, our research into building realism into each aspect of the exercise for both blue and red teams, and presents a case study of an exercise where the framework was successfully employed.

Dustin Updyke is a Cybersecurity Researcher at the Carnegie Mellon University’s CERT. Having previously served with multiple industries in an array of technology roles — Dustin transitioned into security, supporting cyber workforce development for multiple government and commercial contracts. His current interests are in Game Theory, Machine Learning and AI.

Threat Hunting: Out of the Gate with Windows Logs

Greg Longo, Brian Gardiner

Threat hunting has been a hot buzz word for the better part of the past decade. Just how far has the security community come in breaking down the concept of hunting and what has emerged as some of the industry best practices in this area? Countless blogs have been written, training courses developed, and conferences organized around the fundamentals of hunting, what it is, how to do it, and what makes it great. Nonetheless, the timeless question do I get started? Through a combination of guided discussion and hands-on demonstrations, this presentation will attempt to answer that question while also providing actionable material that attendees can immediately begin using to uncover anomalous activity given the right access to data sources and contextual information.

While focusing on the basics, this presentation will highlight the value of fundamental Windows logging and open source tools for threat hunting.
1. Introduction
A. Emergence of threat hunting as a practice
B. Challenges with getting started in an operationally effective manner
2. Methodology
A. Overview of "how" to conduct hunting operations
B. Associated frameworks (e.g. MITRE ATT&CK)
3. Data!
A. Hunting is all about the data
B. Exploring Microsoft Windows logs
4. Tools
A. Community tools to the rescue
B. Deploying and using open source tools to get your hunting expedition off the ground

Greg Longo is a senior threat analyst on the JASK Special Ops team with over a decade of cybersecurity experience in both the public and private sectors. Prior to joining JASK, Greg was the global threat management lead at Covestro and held a number of technical positions at CERT, part of the Software Engineering Institute at Carnegie Mellon University. Greg has been with the U.S. Air Force and Air National Guard since 2002 as a cyberspace operations officer and is currently the Commander of the 166th Communications Flight. Along the way, Greg has earned a Master of Science degree from Carnegie Mellon University along with a Bachelor of Business Administration degree from The University of Pittsburgh and a Master of Business Administration degree from Wright State University.

Brian Gardiner is a senior threat analyst on the JASK Special Ops team. Brian has over eight years of experience in cybersecurity with previous positions which include vulnerability analyst and security engineer, across both public and private sectors. Prior to JASK, Brian worked as a senior incident response analyst with IBM X-Force IRIS and at Aetna as the information security advisor for the Security Data Analytics team. Brian earned a Bachelor of Arts degree from The University of Pittsburgh and a Master of Science degree from Carnegie Mellon University.

Dead Folks Tell No Tales

Kevin Cody

Death, wills, estate planning… I get it, this is not a topic that many people want to discuss. However, take a moment to think about the sophisticated authentication and authorization systems we use today. Does your significant other or family have everything they need to access, archive, and disseminate the digital lives that we technologists live? Furthermore, with more and more services accepting the use of multi-factor authentication, are you adequately prepared for anyone outside of yourself to authorize access? This presentation will break down different types of authentication technology and the barriers that might face your next-of-kin, in the event that an untimely (but ultimately inevitable) situation arises. Additionally, this talk will evaluate the risks and benefits of the current beneficiary recovery mechanisms available within password vaults, social media, financial services, and more. If the goal is to have strong authentication without single points of failure, we need to plan ahead and think of how we can bequeath our digital assets – this presentation will educate and implore you to do just that.

Kevin Cody is a Principal Application Security Consultant with experience working at several Fortune 500 enterprises. Although his particular expertise is geared toward hacking Web and Mobile applications, he is also experienced in the entire gamut from mainframes to embedded systems. Kevin is adamant on helping build-up developers through security, which can be seen in his involvement within OWASP or while speaking at events like CodeMash or BSides. In his spare time, Kevin can be found attempting to repair something (via online DIY videos), reading tech books, fishing, or simply spending time with his wife and children.

How to get started in cybersecurity

John Stoner

John Stoner will discuss how to get into cybersecurity and discuss some myths and realities about this journey. The presentation will include technical points about important learning foundations and different paths in the field, and some pointers about getting that first real cybersecurity job.

Attendees will learn how to get started on a path in cybersecurity, beyond (but including), the traditional bootcamps, and self-study methodologies. John also will take questions and make the end a participative presentation/discussion.

Mr. Stoner is a GS14 with the Department of Defense (DoD). Mr. Stoner has over 18 years of experience in the national security and defense sector working a variety of roles, including most recently as a Cyber Threat Analyst, Cyber Counterintelligence Analyst and Cyber Instructor.

His experience includes IT, instruction and course design, cyber exercise and testing, penetration testing, threat support, SIGINT (Signals Intelligence), and Cyber Operations. He holds A+, Net+, CEH, CHFI, CEI, CISD, CASP and CISSP certifications. He also holds a Computer Studies Associates degree from UMUC. He got started in military intelligence and then government cybersecurity by secretly joining the Army when he was 19 and getting married. One of those things worked out really well!

How to Frustrate A Penetration Tester

Justin Forbes

Over the past several years, most penetration tests have shared several common steps in the attack path. These commonalities between engagements allow penetration testers quick access to critical systems and lead to full network compromise. Most penetration testers, and attackers, will work only as hard as necessary to complete the objective. By forcing them to work harder, organizations will either get a better report or discover they need a better pen tester.
This talk will examine some of the typical ways in which a penetration tester might approach an engagement, including anonymized stories from real assessments. We will look at common initial access, privilege escalation, and lateral movement techniques. For each technique, we will look at how to detect an active attack. Additionally, we will apply the concepts of defense in depth to identify multiple overlapping, preventative measures which can be used to stop the attacks. By implementing the discussed detective and preventive security controls, a penetration tester cannot rely on the same techniques used in years past, ultimately forcing the tester to work harder.

Justin Forbes is the team lead of the Applied Network Defense team at CMU/SEI/CERT. He has been leading penetration testing teams for the past five (5) years targeting federal, state, local, and critical infrastructure organizations. Justin earned his Masters in Telecommunications from the University of Pittsburgh in 2010 and his Bachelors in Information Sciences in 2008. His typical Primanti Brothers order is the ragin cajun chicken sandwich and a tall IC light.

Cryptocoin Miners vs ML

Jonn Callahan

This talk will be a walkthrough of how Jonn built a detection engine focused on finding cryptocoin miners within an AWS architecture. It utilizes AWS Flow Logs as the data source and multiple statistical analysis techniques for both massaging the data and performing the actual detection. This will not be a deep dive of the math itself, but rather a high-level overview of why Jonn chose the techniques he did. If you've ever wanted to take your blue team skills to a level beyond simple rule generation, this will be the talk for you.

Jonn Callahan spent the last six years working within appsec but have spent a lot of my free time (and R&D company time) building tooling. Jonn got a love for automation and have recently rediscovered my love for math through learning ML. While marrying these fields together is nothing new nor novel, Jonn wanted to bring these concepts into the light, showing that you don't need a PhD in mathematics to leverage these concepts to further enhance your blue team responsiveness and environment insight.

Transforming Government Compliance

Fen Labalme

The goal of compliance frameworks like HIPPA, SOX and FISMA is to ensure that basic security controls are met. The Federal government and an increasing number of state and local governments look to the Risk Management Framework (RMF) as defined by NIST SP 800-53r4 as the baseline for compliance management. Unfortunately, the RMF is rooted in static,  waterfall methods and it’s clear that compliance does not equal security. While the RMFv2 (described in NIST SP 800-37v2) talks of continuous monitoring and ongoing authorization, the culture and proprietary tool sets provide significant friction to slow down any agile efforts.

This talk will briefly overview the current state of the art as practiced by federal authorizing officials (AOs) and some of the issues faced, many of which are cultural. A small but growing community is looking at ways to automate the system security plans (SSP) creation and build security management into the CI/CD (DevSecOps) pipeline. And due to the cultural status quo, significant effort goes into creating properly formatted MS Word docs from the updated git and S3 artifact repositories. Finally, we’ll touch on how free/libre data formats and protocols are necessary to support viable continuous monitoring as application boundaries vary wildly and threat landscapes change too rapidly to rely on black-box proprietary agents to fully monitor.

Fen Labalme, CISSP, has been involved with data security and personal privacy for decades, starting with his 1981 M.I.T. thesis of an electronic newspaper that foresaw problems with personalization if privacy was ignored (NewsPeek). Today, Fen is the Chief Information Security Officer for CivicActions and is working to bring agile, free and open source security to government agencies fettered with antiquated, static cybersecurity compliance requirements. Fen’s goal for this year is to enable general purpose “Authority to Operate” (ATO) authorizations in two weeks where currently this process takes agencies from nine months to three years.

Battling Magecart: The Risks of Third-Party Scripts

Kevin Gennuso

Magecart made the news in 2018 due to the huge number of e-commerce websites those groups were able to compromise. The various groups' methods were dissimilar, but their underlying goal was the same: stealing information submitted via web forms.

This talk will focus on the risks of using third-party scripts on web sites and how to wrap protections around them. I'll do a high-level overview of Magecart and why they are able to do what they do. I'll then move into protecting against malicious scripts using Content Security Policy and Subresource Integrity. The talk will be relatively high-level, but there will be some technical discussion around JavaScript, HTTP headers, and browser hijacking.

Kevin is Sr. Infosec Architect at DICK'S Sporting Goods and a Pittsburgh native. Kevin has helped companies around the city secure their environments for over 20 years. Proud owner of a Black and Gold Badge and an FBI-issued Terrible Towel, he enjoys sharing knowledge at infosec conferences large and small.