To see our schedule with full functionality, like timezone conversion and personal scheduling, please enable JavaScript and go here.
08:00
08:00
480min
Attendee check-in and registration

Welcome to BSides Atlanta 2022! Attendees will be able to check-in or register at our tables set up in the atrium. Check-in will begin at 8am, and be open most of the day. If you registered with us ahead of time, we'll have your badge and whatever swag we're able to get for everyone! If you didn't register ahead of time, we can't promise you anything except cool talks at a great venue!

Atrium
08:45
08:45
15min
Organizers welcome remarks
Yvette Johnson, JoEtta LeSueur, Andy Green

The BSides Atlanta organizers will use this time to welcome our attendees! We will walk everyone through the schedule and various important details for the day, including talk tracks, villages, room locations, restrooms, wireless internet access, lunch, and our terrific sponsors! We will also take this opportunity to take any questions, then welcome to the stage our keynote speaker!

Room 400
09:00
09:00
25min
We've Come A Long Way Matey
Mike Pearson

As we prepare to re-engage, re-imagine, and re-ignite let's take a subjective look back at where the industry has come over the last 30 years.

Room 400
09:30
09:30
50min
A Tale of Two SaaS Providers around Session Hijacking - A case study in Vuln Disclosure Response, Session Hijacking & the Realities of Reverse Proxies in Compromising SaaS Accounts
Tony UV

Tenant hopping via compromised web sessions is one of a SaaS provider's worst nightmares. Then why are so many shrugging at mitigating real risks from users victimized by reverse web proxies? In recent months, VerSprite's OffSec team uncovered the prevalence and ease of abusing session tokens for SaaS providers via this attack pattern. This talk speaks on the effectiveness of this attack patterns against SaaS providers and depicts two distinct SaaS providers responses with regards to responsible disclosure and puts into question shared responsibility models maintained by the Cloud service provider.

We all know attack patterns are commonly layered, traversing over various means (e.g. – phishing, smishing, XSS, etc.). SaaS providers presented with an attack path that ultimately ends with session token compromise often claim that pre-requisites of an attack negate their responsibility for improved session management. This talk will speak on the ease of leveraging reverse web proxies for hijacking user web sessions in SaaS products, responses from two SaaS providers within the same industry and how the regard around responsible disclosure for high impact flaws can be treated extremely differently, and how/ what countermeasures exist to limit these attacks from becoming more widespread in abuse.

Key takeaways from this talk will center around the following:
1. Ease of leveraging reverse web proxies for account takeover and defeating MFA/ OTPs
2. Lessons in responsible disclosure for web application researchers
3. Countermeasures that SaaS providers should take for pre-authentication/ post-authentication

Room 401 - "Re-Engage" track
09:30
50min
Building an Effective Security Strategy: It's More Than A List Of Tech
Martin Fisher

In this discussion we will discuss the process of developing a workable and effective security strategy for an enterprise. Covering steps from Evaluation to Context to Mission to Budget we will discuss what a security strategy is, what a security strategy isn't, and why much of what you think you know about creating a strategy likely isn't correct. This talk can help leaders rethink how they approach strategy and can help individual contributors realize why sometimes their leader does things that seem odd.

Room 402 - "Re-Imagine" track
09:30
50min
Death by a thousand cuts: How to secure Windows network protocols and frustrate your next pentester
AshAndree

For years internal network penetration tests have taken advantage of weak network protocols and a plethora of insecure defaults found within Windows environments.

In some cases, you might hear a pentester even say "we can basically write the report before we even test" due to the prevalence and repeatability of these attack vectors.

This sucks.

How do you know you're moving the needle?

How do you ensure that you won't be hit with the same findings year after year?

How do you know you're winning?

You can think of this talk alternatively as "10 tips pentesters don't want you to know about… you won't believe number 6!" I'll walk through the history of internal network penetration testing, what we find in almost every test, and give you actionable steps you take to make your next pentester have a tough time.

I will focus specifically on attacks that target on premise Active Directory, as this receives the most attention by red teamers and actual adversaries (think ransomware gangs) alike.

Does this sound aggressive? It should. As a penetration tester, it is a good thing if my job is frustrating.

That means you're winning.

I want you to win.

Room 460 - "Re-Ignite" track
09:30
420min
Lockpick Village

Come learn how to pick locks at the Lockpick Village. All are welcome, regardless of prior experience! You've never picked a lock before? This is the place for you to get your feet wet!

The village is being conducted by the good folks at Atlanta Locksport. You can find out more about them by visiting their website at https://atlantalocksport.org/

Room 174 - Lockpick village
09:30
420min
Resume village

BSides Atlanta is happy to be once again partnering with Mike Vaughan and Advanced Business Engineering, Inc. to provide resume review and feedback for attendees! Mike will provide one-on-one feedback for you, so don't miss this opportunity!

Attendees must bring a hard copy of their resume for Mike to review, as he will not be able to view them electronically.

Room 461 - Resume village
09:30
420min
Secure Code Warrior CTF

Secure Code Warrior CTF

Room 462 - Secure Code Warrior CTF
10:30
10:30
50min
A Tale of the Times: Flying Under the Radar Screen[Connect]
Fernando Tomlinson

Many organizations are employing technology to help lessen the burden on helpdesk personnel. In some cases, that technology is the vector that enables advanced actors to gain a foothold in a network. In other cases, actors are installing the technology to enable command and control. In both cases, the organization generally is unaware as an actor is running rampant in their network. This talk will dive into firsthand tactics from an advanced actor as they took advantage of helpdesk and IT software on their way to owning the domain and critical assets within a few hours of gaining initial access. We will also highlight actionable detection mechanisms that an organization can employ to reduce the chances of them being the next victim.

Room 401 - "Re-Engage" track
10:30
50min
Cyber Defense with Security as Code
David Hall

"Why are things like Deployment Consistency, Automated Scanning, Secrets Management, Configuration Drift, Disaster Recovery, Dynamic Provisioning, and Version Control all so important from a security perspective. For some this may be a rhetorical question with a set of obvious answers, for others, not so much.

As organizations move infrastructure to the cloud, the need for automating processes has become a requirement. No longer can Operations administrators spend countless hours clicking through web interfaces to deploy or configure cloud assets, it is too time consuming and more importantly prone to human error. In most organizations it's the IT Operations teams that are primarily responsible for deploying and configuring these assets and many of these people often have little code development experience. I come from an IT Operations background and want to show you how simple it can be to get started with source control and deploying resources in the Cloud. We will also dive into why we should care from a security perspective and what it means going forward."

Room 402 - "Re-Imagine" track
10:30
50min
GAMBLING WITH SECURITY - Comparing Casino and Slot Machine Security with Corporate Security.
Scott "Duckie" Melnick

When I first jumped into the Slot Machines and Casino industry, I was expecting a super airtight security system and procedures. What I found out was shocking. They were just the same as most corporate and government organizations if not worse in some cases. I have taken this on in three different angles as a Pen tester, gaming lab researcher and head of a slot development department.
Regulations for Casinos vary from state to state and mostly focus on financials and player fairness. When it does refer to system security it usually is vague, out of dat. Some gaming vendors take advantage of security testing while other do not and assume they are going to be in air-gapped environment. The trend continues today even with online gambling and wagering systems online.
This talk is meant to be fun as I am often asked; “How do you cheat a slot machine?”. Until now, I have never been allowed to answer and this will be my first public talk on the subject out of many!!

Room 460 - "Re-Ignite" track
11:30
11:30
20min
It is not a SIEM Failure. Its a data failure!
Michael Taylor

Over the past few years as a consultant, it’s become apparent organizations struggle to operationalize SIEM technologies resulting in failure of the system. As a result, they tend to look for alternative technologies that could provide easier transition. In doing this transition, the maturity of the security organization is halted and sometimes decreased. In this talk, I want to offer a different perspective. Instead of investing in changing SIEM technologies every few years, invest in ensuring technology stacks that correctly establish the appropriate security controls and provide much more enrichment in the data.

Room 460 - "Re-Ignite" track
11:30
20min
Protecting the Centerpiece Jewel in your Crown Jewels: Enterprise Financial System- Forensic Model, Detection and Logic
Ashwin Rajendra

ERP systems are critical systems in all enterprises worldwide. Its common usage and large number of users within organizations makes it vulnerable to external threats and internal activity,
which if breached can lead to dire consequences and great loss to an organization. Understanding financial systems and its architecture would help build security used cases and detection rules useful for cyber security incident response techniques.

Attendees would gain insight into ingesting ERP logs to a security management tool or log collector, an example of how to develop a base forensic model on financial data would be demonstrated.
One easy and one medium-hard detection and correlation rules and its logic would be shown.
Central repository of an analytical dashboard for a single panel view would be explained for management viewing.

All of above would be summed up to improve incident analysis, pattern analysis and operational security posture of financial systems in enterprises.

Room 402 - "Re-Imagine" track
11:30
20min
Why Automated DAST Scanners Fail Today
Ray Kelly

Automated DAST scanners have been around for over 20 years now, so why is it that we have so much trouble using them? From numerous false positives, complicated configurations to scans that take days raging through a single website, why is this still happening? Many factors have changed in the past several years for businesses when it comes to the complexity and number of assets needed to be scanned for security vulnerabilities. How can these businesses meet compliance and regulation requirements when appsec tools can't do the job? In this talk you will see the challenges of automated DAST scanners and why businesses are struggling to keep up with the ever expanding appsec threat landscape.

Room 401 - "Re-Engage" track
12:00
12:00
50min
Lunch

Join us for lunch, catered once again by Dreamland BBQ! Lunch is courtesy of all of our terrific sponsors, so please say "thank you" to them when you have a chance!

The menu will consist of:
- BBQ chicken
- BBQ pork
- Baked beans (no meat, vegetarian-friendly)
- Mac and cheese
- Salad (vegetarian-friendly)
- Banana pudding
- Tea (sweet and unsweet)

Room 400
13:00
13:00
50min
Hell, Firewire and Infosec: A Sermon
Xavier Ashe

How does one face the world with so many vulnerabilities out there? Another day, another 0-day, but yet we must overcome. We are the front line; we are the last line. WE ARE INFOSEC. We are the chosen people to protect the flock. We must find the inspiration to harness the energy of the Multicolored Hat. Whether you worship the red or the blue, we must join together as a nation, as a people, as a subculture.

Wait… Do I spot a sinner? Do you tell your neighbor, “Don’t reuse thine password”, yet do so yourself? Are you guilty of committing your keys to GitHub? Do you covet thy neighbor’s bandwidth? Come to the sermon of the Holy Multicolored Hat to securely erase those sins. Let your conscious be free of guilt so that you can carry the good word to the world. Be cool.

Room 402 - "Re-Imagine" track
13:00
50min
IR in the Cloud: Don't panic, take a deep breath, you've got this.
Chris Farris

The dangers of the cloud are many. Are you prepared for the email from AWS saying your access keys are in GitHub? Do you know what to do when your bill spikes 500% overnight? What about when GuardDuty tells you your middleware server is engaged in intimate traffic patterns with the Kremlin?

Panic is an appropriate and very human response to all of the above. Or you could attend this talk and we'll talk through a cloud-centric version of Preparation, Identification, Containment, Eradication. Then, if one of these unfortunate events happens to your company, you'll be ready to rise to the occasion and lead your responders to victory.

Room 460 - "Re-Ignite" track
13:00
50min
Offensive Window Event Logs for Red Teams
Tim Fowler

Do you know what could be lurking in your Windows event logs? For years, blue teams have been using Windows event logs to track the activities of red teams and threat actors alike, but now we flip the table and use the logs for offensive purposes. Starting with the first public disclosure, this talk takes the attendees through the steps of developing working PoCs and the lessons learned along the way. Attendees will be shown multiple techniques to leverage this capability for persistence and potentially more. Windows event logs are a prime place to store payloads and shellcode, so blue teams better be ready.

Room 401 - "Re-Engage" track
14:00
14:00
50min
IoT Spy: Observability and Alerting for Internet of Things (IoT) Security
Xenia Mountrouidou

Observability is the method of revealing the state and measuring attributes that characterize a system. Observability in information security has been prevalently synonymous to Splunk logs, metrics, and dashboards. Interestingly, a multitude of open source monitoring tools that are used for network telemetry can offer a holistic view of the security of an organization by deploying metrics, logs, flows, and structured data processing.

The contributions of my talk are twofold. First I will introduce a modern, open source, observability stack, Telegraf-Influx-Grafana (TIG) and discuss what makes it a robust stack for security observability. Telegraf is an open source collector agent that is expandable, offers 200+ plugins, and can be scaled easily with multiple instances for streaming data. Influx Database (DB) is a powerful time series database that offers speed with time series processing, storing, and correlating. Grafana is a visualization tool that specializes in presenting time series with the user experience in mind. In the second part of my talk, I will present a use case of TIG stack for IoT security observability and alerting. I will demonstrate how one can measure, forecast, and alert for anomalies in IoT devices using TIG stack and a set of prevalent home devices such as security cameras, smart plugs, lights, and home assistants. This talk will demonstrate new techniques for security observability and will show the potential for a modern telemetry stack to improve the state of observing and measuring security.

Room 401 - "Re-Engage" track
14:00
50min
Planning is Indispensable: Tools to Ensure Threat Intelligence Success
Brian Kime

This presentation will educate users on the importance of the overlooked Planning & Direction step of the Intelligence Cycle. Most presentations on this step merely teach "Go elicit requirements". In the real world, when a stakeholder is asked, “What are your intelligence requirements?” the answer is almost always, “Aren’t you supposed to tell me that?” Only about 10% of CISOs have military or intelligence community experience and within that cohort, even fewer have been intelligence commanders or policymakers trained to integrate intelligence into planning or policy. In this presentation, we'll discuss how to reverse engineer intelligence requirements via empathetic techniques. Then, attendees will learn how requirements drive the rest of the Intelligence Cycle (spoiler alert: the cycle isn’t a simple circle!). Attendees will learn best practices for eliciting intelligence requirements, designing an intelligence architecture, creating a robust collection plan, and collecting the right metrics!

Room 402 - "Re-Imagine" track
14:00
50min
Security Team Operating System
Christian Hyatt

Based on building security programs at 100s of organizations and interviews with dozens of security leaders, Christian provides a 6 part system for managing high performing security teams. This leadership framework is not based on theory, but real world experience building and managing security programs for organization across the nation.

Room 460 - "Re-Ignite" track
15:00
15:00
50min
These Violent Delights: Burnout Recovery and Prevention 101
Ryan Basden

Burnout is too common among working people, especially those in the information security industry. Our idea of security is undergoing massive change and growth, and for that to be a successful process, we need people who are passionate and energized. This will be about how to recover from burnout and how to proactively avoid it in the future based on what has actually worked (and not worked) for me.

Room 460 - "Re-Ignite" track
15:00
50min
What Air Disasters Can Teach Us about Incident Response
Tony Drake

Computer Forensics is a relatively new field when compared to other related fields. By contrast, the men and women of the NTSB have been investigating air accidents for as long as there have been airplanes, and well before the advent of computers. Computer Intrusions and Air Disasters share a lot in common. While computer intrusions thankfully seldom involve loss of life or serious injury, just as with Air Disasters, they are cascade failures of people, process and technology. In this talk a look is taken at how Air Disasters are investigated, and how we can apply that to Computer Forensic investigations.

Room 402 - "Re-Imagine" track
15:00
50min
Why Your CloudSec Team Should Be Using Your SIEM
John Heasman

In the last few years, detection of cloud misconfigurations, aka Cloud Security Posture Management, has evolved from a specialized technology into a commodity technology. First came the proliferation of vendors, then came native cloud provider capabilities and open-source solutions, and finally vendor consolidation and a rush to incorporate other selling points such as workload vulnerability management and nebulous support for "supply chain security".

In this talk, we'll take a whistlestop tour of CSPM options then we'll discuss why your SIEM and CSPM should actually be one and the same. Wait, what? I thought SIEMs were dying a death? And why should your CloudSec team be going anywhere near your SIEM!?

Hear me out. If you combine transactional cloud logs (CloudTrail) with asset management data (AWS Config or similar), and you put a general purpose query engine on top of this (Elasticsearch, Splunk), CSPM rules are not only easy to write, but it also opens up a whole new world of enrichment (who actually launched that Windows EC2 server exposing RDP to the internet?) and "hybrid" checks that neither your CSPM nor your SIEM can provide you on their own. In short, we can turn everything into a query.

For a concrete example, we'll focus on subdomain takeovers in AWS, a continual source of bug bounty fodder. We'll explain the root cause of two types (spoiler: it's an "order of operations" problem) and walk through building hybrid checks to detect these in real-time.

Room 401 - "Re-Engage" track
16:00
16:00
50min
Re-Imagining Incident Response with Velociraptor
Wes Lambert

Can you imagine easily investigating alerts or triaging hosts – even thousands at once – using a single cross-platform, lightweight, open source tool?

Can you imagine quickly dissecting adversary activity and locating malware through YARA, Sigma, process memory scanning, and more?

Can you imagine then actively responding to an infection by quarantining hosts, removing persistence mechanisms, and performing overall remediation using your favorite commands or tools using the same tool?

Can you imagine post-processing and reducing the result set using the same tool, or easily shipping the data off to s3, Elastic, Splunk or other platforms to tie in with other types of data?

It's time to re-imagine the level of effort, expertise, and funding necessary to keep the enterprise safe. It's time to learn more about Velociraptor. This presentation will provide several examples of how this open source tool platform can be used for threat hunting, detection, and incident response.

Attendees will walk away with an immediate understanding of how they can start using Velociraptor to monitor for, investigate, and respond to evildoers in their environment.

Room 402 - "Re-Imagine" track
16:00
50min
Spilling the Beans: How to Spot a Bad Pentest
Qasim Ijaz, Andrew Clinton

Ever wondered what the magic is behind a penetration test? Did you receive a pentest report that does not line up with your expectations? Do you want to get more out of your consulting partners or want to know the secret to landing that job at a consulting firm? Come join us as we spill the beans and disclose how the (halal) sausage is made. We will discuss pentesting from the perspective of both the client and the consultant. If you're looking to land a job at a consultancy, this talk is for you too. As we peel the curtain and talk through real-world examples, everyone walks out with the magic sauce.

Room 401 - "Re-Engage" track
17:00
17:00
30min
Organizers closing remarks and giveaways
Yvette Johnson, Andy Green, JoEtta LeSueur

BSides Atlanta organizers will put a "bow on the day" here! We will give out door prizes, take questions, and give a big thank you to our sponsors once again! We will also take questions from the attendees, add any additional end of day details as needed, and thank our attendees for spending their Saturday with us!

Room 400
17:30
17:30
120min
After Party

Please join us for the BSides Atlanta 2022 after-party!

Hudson Grille - Kennesaw location
2500 Cobb Place Lane NW
Kennesaw, Georgia 30144

https://goo.gl/maps/8Wjwrg8Qx3ZueieU8

Hudson Grille - Kennesaw