Activities

Training & Workshops

Friday, September 23rd

Penetration Testing for Systems and Network Admins (All Day)

Instructors: Byron Roosa (Senior Security Consultant at Blue Bastion), Jake Nelson (Senior Security Consultant at Blue Bastion)
Date(s): Friday, September 23rd
Audience: Foundation – just starting out or hobbyists, Intermediate – good IT and security foundation required
Cost: $200/student

The objective of this Capture-the-Flag style class is to take students with existing networks or systems administration experience and teach them how to:
1. Perform a comprehensive penetration test against Active Directory environments.
2. Spot a bad penetration test.

We understand that not everyone taking a pen test class will want to be a penetration tester. Hence, we have organized this class to be a well-rounded experience, allowing both aspiring red teamers and blue teamers to get the most out of it. This class will provide students with hands-on experience with all phases of a penetration test, from information gathering to reporting.

Cloud Forensics Challenge - COVID Hangover Edition (All Day)

Instructor: Kerry Hazelton
Date(s): Friday, September 23rd
Audience: Intermediate – good IT and security foundation required, Advanced – “deep in the weeds” technical talk
Cost: $75/student

During the onset of COVID-19 and its impact on the global economy, many businesses shifted towards the Cloud to leverage its capabilities and allow their employees to work from home. However, this shift to the Cloud did not come without risks: there was a sharp uptick in cyberattacks, and it was implied that many of these same corporations experienced a significant security incident. Two years after the start of the pandemic (and who knows how much alcohol was consumed during that time), the question still remains: given the fluid and dynamic nature of the Cloud, how does one gather evidence and conduct a forensic investigation? What are the tools and techniques used? More importantly, how does one write up the report?

After many, many revisions and updates to their training workshop and CTF Challenge, the Cloud Forensics Challenge team is back with their latest offering dubbed the “COVID Hangover Edition”. Rather than try to cram an entire day’s worth of training and CTF into one day, the team has opted to expand this into a one-day course with a corresponding CTF at the conference on Saturday. Day zero will focus specifically on the training and demos: how to recognize IoCs (indicators of compromise) in a Cloud environment, locking down an account to prevent further lateral movement, gathering the evidence, examining the evidence for artifacts, and what should go into the report (including the post-incident analysis). Day one is the CTF challenge itself; an all-day contest in a live environment searching for “flags” to redeem and earn points. And yes, prizes will be up for grabs for the top three teams and for the top individual scorer.

Laptops are optional for the training day but required for the CTF. Students are free to form teams, and they are also free to drop in or drop out during the competition. (Students who attend the training will get their first choice of teams and seating on Competition Day, and will have a considerable edge over those who missed out. Teams are also encouraged to stay together and persist until the end if they want a shot at placing in the top three.)

IR Tabletop and Sandbox (All Day)

Instructors: Evan Wagner & Christopher Williams
Dates: Friday, September 23rd
Audience: Foundation – just starting out or hobbyists, Intermediate – good IT and security foundation required, Advanced – “deep in the weeds” technical talk
Cost: $100/student

Overview

The training will begin with a short real world tabletop scenario exercise to set the scene for performing an IR escalation.

After that there are 13 other modules to explore which have associated VMs to perform the steps.

These include:

  • Using MISP to explore and gather threat intelligence
  • Using Iris for Case Management
  • Performing manual triage operations on a machine mentioned in the tabletop exercise which has an active C2 infection
  • Building an automated enterprise telemetry triage collection package using KAPE and Velociraptor to execute remotely against multiple machines mentioned in the tabletop exercise
  • Analyzing the triage collection data to determine the actions which led to the infection
  • Identifying the persistence mechanism used
  • Identifying lateral movement using Graylog and Sysmon logs
  • Detecting DNS Exfiltration using PCAPs, Zeeklogs and Rita
  • Basics of Volatility memory analysis
  • Producing a timeline of events from physical memory to trace actions to left of boom
  • Using PCAPs, Zeeklogs and Rita to detect HTTP C2 Beacon
  • Developing high-fidelity YARA rules to detect faster the behavioral characteristics observed in the previous exercises
  • A Log4j exploitation exercise to get experience with popping a remote shell

Students can do the exercises in order or select the ones they are most interested in. In addition, since there is active C2 on the lab network, we can also demonstrate how to use Bishop Fox Sliver for control over the victim machines and some of its functionality if anyone in the class is interested.

Defensive PowerShell (All Day)

Instructor: Jay Honeycutt (Cyber Operations Technician at Maryland National Guard Cyber Protection Team)
Date(s): Friday, September 23rd
Audience: Intermediate – good IT and security foundation required
Cost: $100/student

This workshop touches on the differences between PowerShell versions. It will detail how to use PowerShell to secure systems, how to use PowerShell remoting, and how to set up auditing. During this section, the specific modules discussed are PowerShell DSC (Desired State Configuration) and PowerShell JEA (Just Enough Admin). We will use PowerShell remoting to query system logs, query the registry, search for unwanted executables, and determine the type of a file and whether it is executable. For the rest of the day, we will use PowerShell to investigate a system and hunt for evil.

The workshop starts with getting everyone on the same page with PowerShell. We will discuss the expectations of the workshop. We will have a brief discussion about the history of PowerShell and talk about the various terminals and IDEs. We move quickly into PowerShell Remoting and the multiple techniques; we will attempt to run ADUC from a Linux machine.

Once we are baselined, we start working on securing our systems. We first disable PowerShell v2 and enable PowerShell logging and transcriptions. We talk about PowerShell JEA (Just Enough Admin) and how you can limit the PowerShell Remoting actions of other Admins or Power Users. We then talk about using PowerShell to configure Windows Auditing locally and remotely. We will introduce the desired state configuration and how it keeps our systems configured. We will configure our systems to the Critical Security Control standard using desired state configuration.

Then we move into hunting/investigating. We will spend time talking about the difference between Get-WinEvent and Get-EventLog. We will start collecting local and remote logs and formatting the output to be helpful. We will also deploy Sysmon with the SwiftOnSecurity configuration file.

An Introduction To Zeek For Network Forensics And Incident Response - 1/2 Day (Morning)

Instructor: Corelight
Date(s): Friday, September 23rd
Audience: Intermediate – good IT and security foundation required, Advanced – “deep in the weeds” technical talk
Cost: $50/student

An introduction to Zeek for network forensics and incident response, from the ground up. Includes a discussion of the various logs that Zeek generates, extensibility through Zeek scripts from the Zeek package manager, and hands-on experience running Zeek and analyzing Zeek logs.

Participants will need to bring a laptop and have internet connectivity* to participate in hands-on labs.

CTF description: A Zeek-focused CTF from a Blue Team perspective. Hunt your way through Zeek logs in a SIEM looking for the answers to progressively-harder network Incident Response questions.

Open Source Intel For Everyone - 1/2 Day (Morning)

Instructor: Michael James
Date(s): Friday, September 23rd
Audience: N/A – a talk everyone can benefit from, Foundation – just starting out or hobbyists, Intermediate – good IT and security
Cost: $75/student

In this training, we will go over the core principles of OSINT and what it is used for. We will review the security considerations to keep in mind when starting an investigation, where to search for pivot points, browser-based search structure versus Linux command line searches, and much more. If you ever wanted to level up your OSINT experience, you will not want to miss this training.

Advanced Open Source Intel - 1/2 Day (Afternoon)

Instructor: Michael James
Date(s): Friday, September 23rd
Audience: Intermediate – good IT and security foundation required, Advanced – “deep in the weeds” technical talk
Cost: $75/student

This training will dive deeper into the OSINT realm. We will assume that you have a basic understanding of OSINT, so we will not review OPSEC and setup. We will dive into various social media platforms and how to leverage both tools and the platforms themselves to gather information. We will review Web3 and the details we can extract from smart contracts, review data breach research and how it helps everyone, and explore the Deep Web (Tor) to understand why it can benefit us in our research.

After Party

Saturday, September 24th from 6:00pm – 10:00pm

** Must present BSidesKC badge for entry; guests permitted with a BSidesKC attendee **
** Open to any participant 18 and over, but 21 to drink **

Where: Firefly Lounge, 4118 Pennsylvania Ave, Kansas City, MO 64111

Join us in the Historic Neighborhood of Westport for the BSidesKC After Party.
Alcoholic and Non-Alcoholic Drink tickets sponsored by Cisco.

Beats by @sysaaron!

We will also have HAKCER JEOPARDY: it’s a less polished, more KC version of your favorite DEFCON game. Come see how closely @sysaaron can mimic the magnanimous @lintile.

Create a team and sign up at the party around 6pm!

Huge thank you to @d0rkph0enix for pulling the after party together.