The BSidesPGH 2019 Conference Training Sessions will be on Thursday, June 27 at CoLab18 at Nova Place on the Northside.
We are featuring three courses this year. The full-day Blue Team Investigation & CTF course is $100; the Purple Team Tactics morning course and the Guerrilla Blue Team afternoon course are $50 each. Discounts are available.
Registration is open on our EventBrite training page!
Training sessions will follow our Code of Conduct.
Blue Team Investigations and Capture the Flag
Thursday, June 27th - 9:00 AM to 5:30 PM
Incident response, aka “blue”, teams face a large challenge in preventing, detecting and responding to attacks and security incidents. In this workshop, we will cover techniques and tools that allow incident responders to identify various malicious activities using network packet captures and logs from various systems, and to piece together a scenario-based attack from them. During the training, we will cover the following areas:
1) Network investigation using packet capture analysis. Using Wireshark, we will walk through the structure of network packet captures to allow an investigator to identify various traffic types, including CIFS/SMB, DNS, HTTP, and other common protocols.
2) Network investigation using network metadata and logs. Using Suricata and Bro/Zeek, we will walk through the network metadata and logs these tools produce for the same traffic, and compare and contrast the information they provide with what a raw packet capture offers.
3) System investigation using system logs. Using Microsoft Advanced Threat Analytics, Windows Event Forwarding, Windows System Auditing, PowerShell logging, osquery, Sysmon, and other host logging capabilities, we will walk through artifacts commonly found on systems that have fallen victim to an attack.
4) To tie the coursework together, we will have a “Blue Team” Capture the Flag exercise in the afternoon, where attendees walk through artifacts from a scenario-based attack. The attack will be fashioned after the techniques and tactics observed in real-life attacks.
5) At the end of the day, we will recap the attack and the items in the Capture the Flag, and walk through the attack timeline with participants so they can confirm they were able to locate each of the attacker's artifacts and techniques.
Course Duration: 7 Hours
Laptop with Wireshark installed for packet capture analysis and Oracle VirtualBox installed for running the analysis virtual machines. Attendees' computers should have at least 8 GB of RAM and 60 GB of free disk space on an internal or removable disk.
James Ringold is a Chief Security Advisor in the Microsoft Enterprise Cybersecurity Group. James has more than 20 years in the information security field. He has a successful track record of helping large companies in the retail, wholesale, aerospace, defense and nuclear energy sectors rebuild and recover their security programs. A former CISO, Security Architect, Security Operations Manager and Incident Responder, James has helped companies develop and mature their information security programs, focusing on threat, risk and vulnerability management practices. James has authored and co-authored articles for Information Security magazine on the topics of nation-state sponsored attacks and vulnerability management. James earned an MBA from the University of Minnesota and has maintained the CISSP certification since 2004.
Jon Zeolla is the co-founder and CTO of Seiso, where he leads all technical engagements, research, and service development. He contributes heavily to the Pittsburgh information security community: he is the founder of the largest Pittsburgh InfoSec group, Steel City Information Security, created the PittSec project to enhance local infosec collaboration, and co-founded Burgh Security Events, the organization whose primary event is the annual BSides Pittsburgh security conference. Jon also contributes to emerging open source technologies such as Apache Metron and Zeek.
Purple Team Tactics (PTTs): Emulating LOLBin Attack Strategies
Thursday, June 27th - 9:00 AM to 12:30 PM
Purple Teaming combines blue team "monitor, detect and respond" capabilities with red team "surveil and assault" strategies to support one key mission: improving the organization's security posture. To test threat detection and response capabilities, red teams are charged with simulating real-world threats - the more realistic the better! Over the last few years, adversaries have increasingly made use of "Live Off the Land" strategies, repurposing native Windows binaries to achieve strategic goals such as privilege escalation, lateral movement, persistence and C2 communication. Not only do these strategies allow attackers to evade AV & EDR detection, but blue teams often have a poor concept of how to baseline the usage of these native Windows binaries within their own environment. This 4-hour training session will provide the full purple teaming experience, with walk-throughs of LOLBin attacks used to achieve "actions on objective", ensure survivability through persistence, and perform remote execution for lateral movement. Attendees will also perform live triage and memory analysis on affected targets to detect indications of LOLBin abuse. Key takeaways will include enterprise-scale detection and mitigation strategies to prevent future LOLBin abuse in your own environment. Join incident response analyst and SANS Instructor Alissa Torres for exposure to some of these sneaky LOLBin and LOLScript techniques and how they can best be employed in a purple team collaboration.
Course Duration: 3.5 Hours
Laptop with VMware or VirtualBox installed, and a USB-B port or adapter for USB-B storage. The instructor will provide external hard drives containing the three or four VMs used in class.
Alissa Torres is a Principal SANS instructor specializing in advanced digital forensics and incident response (DFIR). Alissa was recognized by SC Magazine as one of its "2016 Women to Watch" and is a recipient of the Enfuse 2018 Difference Makers Award for her efforts in educational outreach. She has more than 15 years of experience in computer and network security that spans government, academic and corporate environments. Her current role as Founder and Senior Consultant at Sibertor Forensics, a security operations and incident response consulting company, provides daily challenges “in the trenches” and demands constant technical growth. Alissa is a frequent presenter at industry conferences (RSA, BSides, Shmoocon, Enfuse) and has taught hundreds of security professionals over the last 5 years in more than 12 countries. As the lead author of the SANS FOR526 Advanced Memory Forensics and Threat Detection course, she is passionate about memory management and forensic artifact hunting.
Octavio Paguaga is a penetration tester and instructor with deep roots in network and system administration. He currently works as a Senior Red Team Operator and Training Content Developer at SimSpace, architecting attack scenarios that advance the skill set of cyber professionals through real-time assessments and practical skills application. He has presented and given training on PowerShell at various BSides conferences on the east coast. His areas of interest are Active Directory and Windows COM.
Guerrilla Blue Team: Building a robust logging and alerting infrastructure on a shoestring budget
Thursday, June 27th - 2:00 PM to 5:30 PM
Using only free and open source tools (and mostly commodity hardware), we'll show you how to build a reliable, scalable, intelligent logging and alerting infrastructure that will rival any of the paid SIEM solutions on the market. If you don't have a SIEM, aren't happy with your current solution, or want a less expensive way to log more data, this workshop is for you. By the end of this four-hour hands-on session you will have the tools to log anything you can imagine.
The workshop is divided into the following sections:
Deploying a logging and alerting infrastructure:
- Build and scale log ingestion nodes,
- Plan, configure, deploy, and maintain a data warehouse,
- Stand-up and use a search front-end,
- Secure your logging infrastructure
Collecting and normalizing logs:
- Collect and log from a variety of sources:
  - Windows hosts (event logs, Sysmon, DNS, custom command output, and more),
  - Linux hosts (system logs and Journald),
  - Network data,
  - Data stored within databases,
  - REST APIs,
  - File and Registry Integrity Monitoring,
- Normalize log data from all of these sources
Enriching logs and building baselines and inventories using the following sources:
- Vulnerability scanner output,
- Active Directory data,
- GeoIP data,
- Threat intelligence feeds
Create baselines to identify anomalous behavior:
- Take a systematic approach to alert writing,
- Create basic alerts with ElastAlert,
- Implement event-based scoring,
- Correlate events and implement prioritized alerting to reduce noise and alert fatigue
You'll take home all of the following from this workshop:
- PDF copy of slides,
- Production-ready, scalable containers for each of the infrastructure components,
- Custom scripts, configuration files, and example alerts,
- Cheat Sheets to help you remember and reproduce what you've done in the workshop
Course Duration: 3.5 Hours
Laptop with admin rights, VirtualBox installed, 8 GB RAM, 50 GB free disk space, and a CPU sufficient to run at least 2 VMs at once.
Garrett White is a Security Engineer at Cboe Global Markets. He has over 10 years' experience in InfoSec and Information Technology. Recently, he has specialized in building out SIEMs for several organizations in the energy and financial sectors. He is a certified Splunk Admin and a GIAC certified malware reverse engineer (GREM) and penetration tester (GPEN).
Dusty Evanoff is a Security Engineer at Cboe Global Markets. He has been studying and working in information security for over 10 years with experience in both offensive and defensive security. He has worked with multiple SIEM products, but most recently has been working on building, scaling and automating custom logging and alerting solutions. He has an MSIA from Dakota State University, and is a GIAC Exploit Researcher and Advanced Penetration Tester (GXPN) and CISSP.