
Pre-Conference Workshops

W1 Data Science Driven Threat Intelligence Hands-On

Saturday, March 17 - Sunday, March 18, 2018
9:00 AM – 5:00 PM
Two-Day, 16 CPEs
Lance James, Chief Scientist, Flashpoint

Intelligence teams are increasingly tasked with sifting through countless data sets from numerous sources—creating risk that a threat may actualize before preventative actions are taken.

One of these sources — the Deep & Dark Web — complicates threat intelligence, providing data on black market products and services, weapons and training manuals, malicious tactics, techniques, and procedures (TTPs), and dialogue between threat actors.

With this vast amount of information, the question becomes, “where does one begin”?

This workshop will cover the benefits and challenges of introducing data science to augment threat analyst teams. We will discuss data sanitization and unbiased collections, automated analysis, and machine learning with Natural Language Processing (NLP). By demystifying the entire processes of threat intelligence development, we will walk attendees through a cradle-to-grave build-out for supporting incoming threat intelligence within your environment, including the people, the process, and the technology.


Day 1
Planning and Direction
  • Designing for Decisions
  • Hands-on Intelligence Collections Planning
  • Knowing How to Assess Vendors
  • Open Source vs. Vendor Decisions
  • Understanding Intelligence Requirements
  • Building for Agility
Automating Collections
  • Open Source Tools
  • Engineering Support
    • Build vs. Buy
    • Estimating Costs
  • Data Management and Classification:
    • C2s
    • IPs/Domains
    • Contextual Data
    • Communications
  • Deployment and storage
    • JSON
    • ELK Stack
    • Pub/Sub and high performance models
    • Scalable Storage Models
Day 2
Processing and Analysis
  • Threat Intelligence vs. Threat Information
  • Understanding the Data
    • Basic Statistics
      • Seeking correct answers
      • Signal vs. noise reduction processes
      • Data Normalization
  • Human vs. Machine Learning
    • Costs of Data Science
    • Capabilities of Data Science
    • Human-Driven Data Science
      • Building supervised feedback into analysis process
      • Neural Network Learning
      • Dealing with Language
Scalable Dissemination
  • Design
    • Who, What, Where, Why, When, and How?
    • Pitfalls
      • No customer/department is perfectly happy
  • SIEM Management
    • Pros and Cons
    • Basic considerations
    • Example Architecture and Set up
  • Alerting Design
    • Empathetic Software Development
      • Analyst Process Defined and Designed
  • 100 lines or less
    • Hands on architecture and designing of an alerting system with Python, ZeroMQ and Elasticsearch.
Feedback for Success
  • Building a Successful Feedback Program
  • Tangible Metrics to Show your Boss!
From Analyst to Operations
  • Marrying Analyst to Operations
  • Analyst Attribution Framework
  • Analyst-Driven Success
  • Technology-Augmented Analyst

Technical requirements:

Students must bring a laptop loaded with Ubuntu server or desktop and 16-32 gigs of RAM. Prior to the event, students will be sent instructions on downloading the following, which will also be used throughout the exercises:

  • Python 3.5
  • ElasticSearch
  • PostgreSQL
  • MongoDB
  • IntelliJ or some familiar IDE (Sublime Text can work too)
  • Apache Spark
  • OpenSIEM
  • Optional: VirtualBox with the https://www.alienvault.com/products/ossim/download ISO

Students must be comfortable in Linux and Python and have a general idea of systems such as ElasticSearch and SQL databases.

W2 Adversarial Attacks and Hunt Teaming (Red Team vs. Blue Team) Hands-On

Saturday, March 17 - Sunday, March 18, 2018
9:00 AM – 5:00 PM
Two-Day, 16 CPEs
Larry Spohn, Team Lead, Force and Research, TrustedSec
Ben Mauch, Senior Principal Security Consultant, TrustedSec

This course is completely hands-on, focusing on the latest attack techniques and building a defense strategy around them. This workshop will cover both red and blue team efforts and provide methods for understanding how to best detect threats in an enterprise. It will give penetration testers the ability to learn the newest techniques, as well as teach blue teamers how to defend against them.


Day 1
  • Introduction to Linux
  • OSINT Gathering Techniques
  • CrackMapExec
  • Hashcat
  • Metasploit
  • SQL Hacking
  • Web Attacks
Day 2
  • PowerShell Empire
  • PowerSploit
  • Defensive Methodologies
  • User Security Awareness
  • PowerShell Primer
  • Detection, Deflection, and Deterrence

Technical requirements: Students can have a penetration testing background or a focus on defense. We recommend having basic systems administration experience. Students must bring their own laptop, with a recommended minimum of 100 GB of free hard drive space and 16 GB of RAM, and VMware Player/Workstation/Fusion installed. A virtual machine will be provided in advance of the class.

W3 Open Source Intelligence (OSINT) Gathering Hands-On

Saturday, March 17, 2018
9:00 AM – 5:00 PM
One-Day, 8 CPEs
Jerod Brennen, Security Architect, GBQ Partners

Open Source Intelligence Gathering (OSINT) is growing in popularity among attackers and defenders alike. When an attacker comes knocking on your network's front door, the warning lights go off in multiple systems (IDS, IPS, SIEM, WAF). More sophisticated attackers, however, spend considerable time gathering information using tools and techniques that never (or rarely) touch any of your systems. As a result, these attackers are able to execute their attacks and make off with proprietary data before you even realize they are there.

This workshop provides participants with both an introduction to numerous OSINT tools and techniques, as well as methods you can use to minimize your exposure. By the end of the workshop, participants will have a working knowledge of how to collect OSINT on their organizations, as well as on individuals associated with their organizations. More importantly, participants will understand how attackers might exploit that information in an effort to compromise a company’s internal network.


  • An introduction to OSINT gathering
  • A survey of OSINT gathering tools
  • Offensive OSINT: OSINT’s role in penetration testing
    • Effective web-based OSINT gathering tools
    • Useful OSINT gathering scripts
    • Organizing and analyzing collected OSINT
  • Defensive OSINT: Using OSINT to harden your defenses
    • Looking at OSINT from an attacker’s POV
    • Tactics for minimizing available OSINT for your organization
    • Minimizing employee OSINT through awareness training
  • Hands-on mini-labs throughout the day
  • Cumulative lab at the end of the day

Technical Requirements

This workshop includes hands-on exercises, so participants who wish to participate will need to bring a laptop with either VirtualBox or VMware Workstation Player installed. A virtual machine image will be provided for class use.

Laptops should have a minimum of 10 GB available storage, 8 GB RAM, a wireless network adapter (for Internet connectivity), and either one of the two virtualization programs installed. We’ll be conducting all labs from within the VM’s, so local administrator rights on your physical machines shouldn’t be necessary.

W4 Stranded on Infosec Island: Defending the Enterprise with Nothing but Windows and Your Wits Hands-On

Sunday, March 18, 2018
9:00 AM – 5:00 PM
One-Day, 8 CPEs
Adrian Sanabria, Director of Research, Threatcare

There are over 100 endpoint security products that claim to stop malware and other attacks against Windows. Nearly every major security incident or breach that has made media headlines had two things in common: Windows, running one of these 100 products. This workshop won't spend any time bashing vendors, however. In fact, many of these products can be valuable assets when part of a more comprehensive endpoint protection strategy.

Part one of this workshop will address the anatomy of malware and why it succeeds so often.

The second part will dive down into practical defensive strategies, including passive prevention, detection, response, and remediation.

  • Passive prevention is effectively free and ideal
  • Prevention will always fail a percentage of the time, so detection is essential
  • Response, if practiced and efficient, has a chance of stopping attacks before they reach their goal
  • Remediation, because someone has to clean up this mess...

Every successful security strategy includes planning to handle failure quickly and effectively.

The remainder of the workshop will be hands-on.

Part three will review the native defensive capabilities in Windows and the pros/cons associated with using them.

For the finale, brave and trusting attendees will be invited to run neutered malware on the virtual Windows systems provided for this workshop to test out our newfound defensive skills. If not, there's no shame in watching your neighbor infect themselves with ransomware as you take notes.

Technical Requirements

Attendees will need to bring a laptop with an RDP client installed.

  • For Windows: An RDP client is installed by default
  • For Mac OS X: Use the Microsoft client, or one of your choice
  • For Linux: RDesktop (http://www.rdesktop.org/) is built in for most distributions, but there are other choices
  • For ChromeBook: Chrome RDP is widely used and decently rated


Post Conference Workshops

W5 Making Meaningful Metrics

Wednesday, March 21, 2018
1:00 PM – 5:00 PM
Half-Day, 5 CPEs
Chris Clymer, Director of Security, MRK Tech

In 2017's "Moving Mountains with Metrics", Chris, Jack, and Jason provided InfoSec World attendees with a playbook for developing a security metrics program.

In this 2018 training session, we will dive deeper into the concepts introduced in our previous session.

This workshop will walk attendees through building a metrics program from start to finish, offering a number of different techniques to apply, depending on your own culture and environment. While this workshop will touch on some advanced data visualization and data gathering techniques, you will not require anything more sophisticated than Excel to put these practices into action in your own security program tomorrow.


  • Introduction
    • Why do we need metrics?
    • What makes a good metric?
    • Data vs. metrics vs. KPIs
  • Key sources of metrics
    • Data you already have
    • Data you can readily gather
    • Data you aspire to add
  • Reporting
    • What metrics do you want to see?
    • What metrics do you want your team to see?
    • What metrics do you want your boss to see?
    • Prepping for an executive audience
  • Techniques
    • Developing a monthly dashboard
    • Developing a monthly report-out presentation
    • Automated integration of Excel data into presentations
    • Developing an SQCD board
    • Developing a Heatmap and Risk Register
    • Advanced visualization techniques
  • Putting it into action
    • Day-to-day operations
    • Reporting out
    • Use in the budgeting process
    • Getting feedback
  • Course correction
    • PDCA: the Deming Cycle
    • What if we picked the wrong metrics?
    • What if the process takes too long?
    • What if the environment changes?
  • Resources/Further Reading

Technical requirements

A laptop with MS Excel (recommended, not required)

W6 Establishing Your Information Security Brand

Wednesday, March 21, 2018
1:00 PM – 5:00 PM
Half-Day, 5 CPEs
David Etue, VP Managed Services, Rapid 7

Whether you realize it or not, you have a brand. You have a brand as a chief information security officer (CISO) or security leader, and your security organization has a brand too. (If you don’t like the term “brand,” consider it a synonym for “reputation.”)

This workshop will provide relevant branding knowledge aligned with information security experiences to help security leaders position their organization for success. There is not a single brand that is right for everyone, so this workshop will present real-life experiences as case studies to help you align to yourself, your team, and your organization’s culture.


  • Why have a brand?
  • What is your brand today?
  • Potential elements to the security leader branding and positioning
  • Implementing your brand
  • Overcoming negative branding
  • Brand equity


W7 Kali Dojo Hands-On

Wednesday, March 21, 2018
1:00 PM – 5:00 PM
Half-Day, 5 CPEs
Alain Hernandez, Kali Linux
Johnny Long, Kali Linux

Join the Kali Linux team for this special opportunity to strengthen your Kali skills and knowledge in a hands-on environment:

Kali Live USB with Persistence and LUKS (section 1, 2.25 hours)

USB speeds keep getting faster and faster, to the point now where they are viable storage for a secondary system. In this workshop we will help students understand how to deploy customized Kali ISO to a secure, encrypted, USB install. This workshop will include advanced features such as USB persistence and the use of LUKS Nuke to safely travel with your data. USB drives will be provided in class.

Customizing Kali ISOs using live-build (section 2, 1.5 hours)

One of the most useful aspects of Kali Linux is its ability to be customized based on your unique and specific needs. Define your toolsets, your desktop environment, customized scripts and wallpapers – and of course, pre-seed your installation media as needed. In this workshop, we will customize Kali Linux into a specific offensive tool, and walk you through the process of customization step by step.

Hardware Pre-requisites

  • Powerful 64-bit laptop with updated Kali Rolling installed natively (or in a Virtual Machine).
  • At least 50 GB free hard disk space.
  • Wired networking! Please make sure your laptop has an ethernet connection available, or bring a USB ethernet dongle with you.
  • USB 3.0 port or adaptors.

Technical Pre-requisites

  • You should be familiar with Linux and comfortable in the command line.
  • You should be able to navigate files and folders in Linux and edit text files and scripts.

W8 Applying the Cybersecurity Framework (CSF) to Organizations

Wednesday, March 21, 2018
1:00 PM – 5:00 PM
Half-Day, 5 CPEs
Tom Conkle, Commercial Lead/Cybersecurity Engineer, National Institute of Standards & Technology

The Cybersecurity Framework, prepared by the National Institute of Standards and Technology (NIST) with extensive private sector input, can help an organization to better understand, manage, and reduce its cybersecurity risks. It will assist in determining which activities are most important to ensure critical operations and service delivery. In turn, that will help to prioritize investments and maximize the impact of each dollar spent on cybersecurity. By providing a common language to address cybersecurity risk management, it is especially helpful in communicating inside and outside the organization. That includes improving communications, awareness, and understanding between and among IT, planning, and operating units, as well as senior executives of organizations. Organizations also can readily use the Framework to communicate current or desired cybersecurity posture between a buyer and a supplier.

A Framework Profile ("Profile") represents the cybersecurity outcomes based on business needs that an organization has selected from the Framework Categories and Subcategories. Profiles can be used to identify opportunities for improving cybersecurity posture by comparing a "Current" Profile (the "as is" state) with a "Target" Profile (the "to be" state). To develop a Profile, an organization can review the Categories and Subcategories and, based on business drivers and a risk assessment, determine which are most important. The Current Profile can then be used to support prioritization and measurement of progress toward the Target Profile, while factoring in other business needs including cost-effectiveness and innovation.

This workshop will guide participants in developing a Framework Profile and action plan for a hypothetical organization. This Profile development exercise will empower participants to subsequently develop Profiles and action plans for their organizations in collaboration with colleagues.


  • How the Cybersecurity Framework develops an enterprise, business-centric view of information security
  • The benefits of the Cybersecurity Framework to an organization
  • How the elements of the Cybersecurity Framework can be applied to help an organization manage risk
  • The many resources that are available to help organizations implement the Cybersecurity Framework
  • Ways that a Cybersecurity Framework Profile provides value to an organization
  • Utilizing a 7-step process to learn how to develop a Profile
  • Obtaining the knowledge and skills needed to develop a Profile and action plan for your organization

W9 Integrating Mobility and Internet of Things into Your Security Testing Hands-On

Thursday, March 22, 2018
9:00 AM – 5:00 PM
One-Day, 8 CPEs
Georgia Weidman, CTO, Shevirah, Inc.

The perimeter has been shattered. We don’t sit at desks in offices working on corporate-issued workstations. We work from home, at client sites, and on airplanes using laptops, mobile phones, tablets, smartwatches, and Internet of Things devices. Bring Your Own Device has introduced thousands of devices of unknown security posture to the network. There is an IoT meeting scheduler outside every room at the office, a Smart TV in every meeting room, and maintenance just switched the entire building to smart lightbulbs. Yet our security testing programs and tools focus almost exclusively on the traditional idea of an enterprise: workstations, servers, and a hardened perimeter with a firewall. Attackers are not so generous and are launching attacks against the ubiquitous mobile and IoT endpoints. Security must catch up.

In this course, we will study the risks of mobility and IoT to the enterprise, discuss the landscape of security options available to us, and most importantly become competent at vulnerability assessment, impact analysis, and determining the effectiveness of security products you deploy to protect mobility and IoT from attacks.


  • Foundations
  • Mobile and IoT Threat Model
  • Countermeasures and security solutions for mobile and IoT
  • Assessing the risk of mobility and IoT
    • Phishing assessments
    • Vulnerability assessment
    • Penetration testing/red teaming
    • Impact analysis
    • Return on investment of security products
  • Integrating mobile and IoT into your existing security testing program

Technical Requirements

Attendees must bring a laptop with at least 30 GB of free space and a virtualization platform (VMware and VirtualBox officially supported). Downloads will be made available to attendees before class.

Attendees should also bring any mobile devices (smartphones, tablets, IoT devices) on which they would like to experiment with testing. Virtualized mobile devices will be used for basic exercises, but there will be an opportunity to branch out, time permitting.