Welcome to BSides Atlanta 2023! Attendees will be able to check-in or register at our tables set up in the atrium. Check-in will begin at 8am, and be open most of the day. If you registered with us ahead of time, we'll have your badge and whatever swag we're able to get for everyone! If you didn't register ahead of time, we can't promise you anything except cool talks at a great venue!

Come learn how to pick locks at the Lockpick Village. All are welcome, regardless of prior experience!

You've never picked a lock before? This is the place for you to get your feet wet!

This event is sponsored by Atlanta Locksport!

We are happy to present the Student of the Year award for the Bachelor of Science in Cybersecurity degree program to Ms. Tammy King!

Presenting the award is Dr. Herb Mattord, Professor of Information Security and Assurance at KSU.

The BSides Atlanta organizers will use this time to welcome our attendees! We will walk everyone through the schedule and various important details for the day, including talk tracks, villages, room locations, restrooms, wireless internet access, lunch, and our terrific sponsors! We will also take this opportunity to take any questions, then welcome to the stage our keynote speaker!

Abstract is forthcoming

Vendor village

A couple of years ago, I stumbled into the world of law enforcement Digital Forensics and Incident Response (DFIR). This talk will share my journey into and discovery of a new niche of IT I didn't know existed.
Come for an introduction to the hardware, software, processes, and people of DFIR.
Learn how those pieces work together to gather data, review, build a timeline, and put the bad guys behind bars.
Leave with the curiosity to head home, image your phone/computer, and start digging around in your own data.

ELF binary infection has been around for roughly 25 years, but is still an underutilized style of persistence. Instead most persistence mechanism particularly on Linux are focused on modifications of plain-text configurations where either a malicious user account is added to the system or execution of malicious binary or script takes place. The problem with such mechanism is that they are antiquated and are well known. In the event suspicions of system compromise takes place, most system administrators and IR personnel will check these configurations for malicious modifications. ELF binary infection methods offer a more covert form of carrying out malicious activity because the code can reside in legitimate programs and execute in their context. The lack of knowledge and analysis skills surrounding ELF binaries also serves as a barrier for detection. Both current automated tools and personnel are far behind in the arena of detection and analysis in comparison to their counterparts on the Windows platform. Using applications such as d0zer, we will explore utilizing old and novel techniques to infect targets in order to demonstrate infection capability for offensive purposes. For defense/detection I will demonstrate how basic and powerful heuristics can be utilized to help bridge the gap that exists between current Linux antivirus technology and ELF binary infection algorithms.

Despite the information security field having a reported personnel shortage in the hundreds of thousands, breaking into the industry is as hard as ever. In this presentation, I will share the lessons I have learned the hard way including avoiding common pitfalls, up-skilling the right way, and finding communities that will help you prosper. Additionally, this talk will arm you with a mental model to recognize and take advantage of the opportunities available to you.

Come test your skills with Network King of the Hill!

This event is sponsored and conducted by Kammerdiener Technologies!

Ever wish you could set traps for intruders in your environment? While you can't rig explosions to stop attacks on your servers, you can set up false credentials that trigger alarms you can act against. That is the whole idea behind honeytokens!

Taking a new job, and hiring, are both extremely complex.

Taking a new job, and hiring, are both extremely complex.
When searching for a new job, or hiring, the way that opportunities are ranked has measurable metrics that can be used to improve retention, increase career growth, and improve the hiring process. In this talk, 20 minutes will be spent on the job searching side discussing how to rank opportunities by not just their salary and benefits. The growth opportunities, culture, training budgets, and much more should be considered for longevity. Following that, 20 minutes will be spent on the hiring side - how to make sure the offers being generated are the strongest they can be, to compete in this very challenging hiring climate. Knowing how people view the career opportunities, and their futures in those roles, is a very powerful element of extending offers that are accepted and retaining people in those roles. A downloadable spreadsheet will be made available, and posted after the event and a limited number of printouts will be provided.

What’s the difference between a ransomware gang and a Fortune 500 company? Not as much as you think. With millions of dollars in annual revenue and team sizes that compare to medium sized organizations, the business of ransomware is booming.

In this talk we’ll take a deep dive into the organizational structure, cost-cutting measures, and internal policies of these large criminal organizations. Using the Conti leaks of 2021 and current day evidence as our guides, we’ll discover why the business case is so appealing for both large- and small-scale ransomware operations.

Moving from Windows reversing to Linux can seem daunting. Aside from the differences between the two operating systems, Linux runs on a wide range of different architectures and devices. This talk will cover the basics of Linux malware reverse engineering from the perspective of a primarily Windows reverse engineer. It will cover the differences in APIs and system calls between the two operating systems, different architectures, tools and various pitfalls encountered when moving from Windows to Linux reverse engineering.

Get a working portable Python/Git/Java environment on Windows in SECONDS without having local administrator, regardless of your broken Python environment. Our open-source script downloads directly from proper sources without any binaries. While the code may not be perfect, it includes many useful PowerShell tricks.

Run Android apps and pentest without the adware and malware of BlueStacks or NOX.
Run BloodHound Active Directory auditing tool
AUTOMATIC1111 Stable Diffusion web UI A browser interface based on Gradio library for Stable Diffusion
AutoGPT ( Setup for Pay as you go gpt3-turbo https://platform.openai.com/account/usage )
PyCharm
Android Debloat Tools
How it works:
Temporarily resets your windows $PATH environment variable to fix any issues with existing python/java installation
Build a working Python environment in seconds using a tiny 16 meg nuget.org Python binary and portable PortableGit. Our solution doesn't require a package manager like Anaconda.

** comming soon SaftyNet Bypass from Yuzzuff AKA N2R2D2 **

Modern organizations in every industry are experiencing systemic challenges with hiring and retaining people. This talk will walk through steps myself and the risk3sixty leadership team have used to punch above our weight in a competitive industry.

With Blockchain growing, there is a new set of growing security concerns. What problems are presented in Blockchain and how can they be mitigated?

Ransomware is no longer the leading method cyber criminals use to infiltrate an organization. Cyber crime organizations have shifted to sophisticated phishing campaign and backdoor deployment to gain control of your IT infrastructure and access to your most important data. By adopting the long standing cybersecurity practice of defense in depth, storage systems can be the last line of defense that gives organizations a chance to recover their operations. In this proposal, we'll be looking at the best practices to ensure you have the harden process and systems to be cyber resilient. We'll explore the basic security such as multi-factor authentication, two person integrity, role and object-based authentication to the more advance immutable storage, quantum safe encryption of data at rest and the emerging ransom activity detection in file and block storage.

2023 was a fascinating year for cloud vulnerabilities that have shaken the shared responsibility model to its core. What happens to our risk analysis when we not only have to worry about a rogue public S3 bucket from application teams, but also threat actors tunneling through cloud provider internal infrastructure?

This talk will revolve around my experience disclosing a vulnerability to Google Cloud and my following trip down the cloud vulnerability rabbit hole. Additional anecdotes from Azure, Oracle Cloud, and AWS vulnerabilities will be covered. Folks thinking about moving to the cloud, living in the cloud, or migrating off the cloud are encouraged to share their thoughts about the ever growing cloud-prominent future. Audience members will walk away with a deeper understanding of the cloud vulnerability landscape, the evolving future of cloud provider responsibilities, and how they can get started with cloud security research.

You have been appointed as the Incident Commander for a security incident. Congratulations! Do you know what is expected of you? Have you received any training on Incident Command and role expectations? Does your IR plan or playbooks help you execute on your incident command duties? If you answer no to any of these questions, then this presentation is for you...and you are not alone. While there is a ton of educational material on DFIR and hands-on-keyboard Incident Response, there is very little focus on the Incident Commander role. In my experience a good incident commander can make a big difference in making “IR boring” - that desired state where surprises are minimized and where the IR team executes on their mission like the pit crew on an F1 race.

In this session I will share lessons learned in Incident Command from multiple types of IR engagements (product security, data breaches, network compromise, and “major risk” incidents like Log4j). We will talk about the Triangle of IR communications, how to lead an incident meeting (yes, a meeting!), and the importance of “remaining neutral”, even when handling overexcited executives. There will be some stories, but you will leave with practical advice and actions you can take in your next incident.

Join us for lunch! Lunch is courtesy of all of our terrific sponsors, so please say "thank you" to them when you have a chance!

Murphy's law says anything that can go wrong will. A colleague of my mom during her professional career once quipped that McGillicudy's law says Murphy was an optimist. Most of us here have instrumented environments, tools, run books, techniques and procedures. We know how to take those tools and find evil and eradicate from our environment. That's great, when the malicious activity is on a known server that was built to the corporate image and all tools are installed properly, functioning perfectly, and reporting back regularly. I don't think I have ever worked a case like that. Forensics cases happen on systems that are new, old, unknown, shadow IT, forgotten about in some corner and result in an email telling you that your system is part of a DDoS on their network and to cut it out, or an email from admin saying "I found this strange file on my server and I didn't put it there". What do you do now? Once you have gotten the resulting panic out of your system, refilled your soda and taken a deep breath, you have to triage and do forensics on this unknown orphan system from who knows where built with who knows what for anyone's guess at a purpose. How do you do that? You improvise! That is what this talk is about. This talk will discuss windows OS built in commands, free and open source tools, and techniques to solve this problem.

The Cybersecurity Maturity Model Certification (CMMC) is the new security program the Department of Defense (DoD) is requiring Defense Industrial Base (DIB) contractors to comply with. CMMC 2.0, released in late 2021, aims to protect Controlled Unclassified Information (CUI) with the evolving nature of contemporary cybersecurity threats in mind. In this talk, Chris Silvers will explore the historical progression of DoD cybersecurity requirements (including the 9/11 Commission Report), highlight the most impactful new components of in CMMC, and provide his expert guidance for DIB contractors to forge a path to certification.

Chris, one of less than 100 individuals officially certified as both a Certified CMMC Provisional Assessor and Instructor, has led CMMC instruction for more than 500 students. His positioning on the front lines of the CMMC 2.0 rollout, and his cumulative 25-plus years in cybersecurity, uniquely qualify him to guide DIB contractors through the certification process.

For many, IT security is still perceived as a sometimes-helpful nuisance, but an all-the-time cost center.

The most common exception is in compliance, often disproportionately handled by IT staff due to the technical evidence gathering requirements. And it’s hard for security staff to argue the case, since you can draw a direct line from compliance reports to revenue. A clean SOC 2 report or PCI DSS certification can determine the outcome of multi-million-dollar deals. The same cannot usually be said for a clean vulnerability assessment, penetration test, or red team report (much less a not clean one).

So how can security professionals compete with compliance for budgets, and how can IT professionals garner buy-in and internal support from executives and decision makers so they can affect organizational change and improvement?

This session will cover how purple teaming activities can elevate an organization beyond exception management in revenue-generating deals, to providing multiple mechanisms for demonstrating substantial ROI, and quantifiably protecting existing and future revenues. I will detail actionable approaches – with real world examples – that showcase how purple team exercises can accomplish the following:

• Establishing measurable security baselines and resilience across companies and supply chains
• Validating the efficacy of security investments and identifying potential areas for greater efficiency.
• Providing a blueprint for organizational advancement and agility via penetration tests and red teams
• Evidence-based ROI communication to leadership and stakeholders
• Demonstrable and continuous protection against headline grabbing, and investor rattling, emerging threats

I would like to share 5 important lessons I have learned over the last 7 years born from my experience founding and building a cybersecurity company. Lessons about life, what it means to be a leader, business, and serving others. These are lessons about what I thought was true - and what I have found to be true instead. The Art of Service will help leaders rethink how to be a more effective and fulfilled leader. This presentation is ideal for current or emerging cybersecurity leaders looking for tools to shape their career. We will discuss 5 important lessons and 15 tactical tools that they can take from this presentation and apply immediately.

You haven’t slept in days. Pager alerts at all hours. Constant firefights. How do you get out of this mess? This talk gives away all the secrets you’ll need to go from reactive chaos to building and running a finely tuned detection & response program (and finally get some sleep).

Gone are the days of buying the ol’ EDR/IDS/NGAV combo, throwing some engineers on an on-call rotation, and calling it your incident response team. You need a robust and comprehensive detection and response program to fight modern day attackers. But there’s a lot of challenges in the way: alert fatigue, tools are expensive, hiring talent is impossibly difficult, and your current team is overworked from constant firefights.

How do you successfully build a modern detection and response program, all while riding the rocket of never ending incidents and unforgiving on-call schedules?

This talk addresses the lack of a framework, which has led to ineffective, outdated, and after-thought detection and response programs. At the end of this talk, you will walk away with a better understanding of all the capabilities a modern program should have and a framework to build or improve your own.

Cobalt Strike is the go-to C2 framework for security professionals and cyber criminal. Cobalt Strike's popularity has come at a cost to red teamers. It has become heavily signatured and requires a lot of customization to bypass a competent blue team.

Sliver is an excellent alternative to Cobalt Strike and is free. This will be mainly a technical presentation on the ins and outs of Sliver. Still, it should have some good high-level info for a general audience.

Would you like to search petabytes of security logs in milliseconds? Lower the cost of your SIEM or swap out your vendor with the push of a button? Easily deliver logs to multiple tools in real time? Deliver a consistent search experience to your SOC regardless of source? Then this is the talk for you! We'll cover our journey from a bunch of devices blasting data into an expensive and ineffective black hole to a modern architecture built on open source components.

Your brain can only hold so much information about any given topic, so getting that information out of your brain and into a more long term storage solution is a highly effective way to take your career to the next level. In this presentation I will distill the lessons I've learned after passing over 15 industry certifications and taking dozens of industry trainings by demonstrating with live demos of how I keep all that knowledge easily accessible.

As security professionals we are often expected to know every detail about every technology/attack/tool as soon as it comes out. Unfortunately our brains did not evolve to think this way. This presentation delves into the importance of note-taking in cybersecurity and offers actionable strategies and techniques to maximize the value you get out of your research, training, and certifications.

Howdy y’all, cybersecurity incident response is my passion. I have 5 years of experience in Incident Response, with a total of almost 9 years of experience in Cybersecurity as a whole. I have built SOC teams and have created Incident Response Playbooks for several companies in my 5 years doing this. I wanted to share this passion with you.
As you know, cyberattacks are becoming more and more common. In fact, a recent study by the Ponemon Institute found that the average cost of a data breach is now $3.86 million.
That's why it's so important for organizations to have a strong incident response plan in place. A good incident response plan will help you to quickly identify and contain a cyberattack, minimize the damage, and recover your systems and data.
In this presentation, we'll discuss the basics of incident response, including:
• What is incident response?
• Why is it important?
• What are the steps of incident response?
• How can you improve your incident response plan?
We'll also provide some additional tips for improving your cybersecurity posture and reducing the risk of a cyberattack.
So, whether you're just starting to think about incident response or you're looking for ways to improve your existing plan, I hope you'll find this presentation helpful.
Let's get started!
What is Incident Response?
Why it is important.
What are the steps of Incident Response?
How can you improve your Incident Response?

SCAP can be an "Easy Button" for Linux security, and there are lots of documentation and tutorials for tools using existing SCAP content to harden or scan a system. But wouldn’t you like to write your own content? Wouldn’t you like to be able to build or customize the SCAP to your needs rather than waiting on someone else to do it for you? It doesn’t have to be scary. We’ll teach you how. In under an hour we’ll take you from completely new to SCAP to able to use it to create your own automated checks.

Discussing various applicable ways to pivot into cloud environments such as AWS from web applications by abusing the Instance Metadata Service (IMDS) through a variety of misconfigurations.

In today's digital landscape, organizations constantly face the challenge of protecting their networks and assets from myriad cyber threats. With limited resources, staying ahead of sophisticated adversaries is a challenge. In this talk I will highlight the benefits of utilizing open-source software (OSS) to conduct effective threat hunting on a budget. Threat hunting is a proactive approach to identifying and mitigating potential cyberattacks before they escalate into full-blown incidents. This process involves detecting malicious activities, anomalies, and intrusions that may have evaded traditional security measures. However, commercial threat-hunting tools can be expensive, putting them out of reach for many organizations with constrained budgets. Open-source software offers a cost-effective alternative to commercial tools, enabling organizations to enhance their cybersecurity posture without breaking the bank. OSS provides a wide range of customizable solutions that can be tailored to meet specific organizational needs. Additionally, the collaborative nature of open-source communities fosters continuous improvement and innovation, ensuring that OSS tools remain up-to-date and effective against emerging threats. We will discuss some of the more popular OSS tools for threat hunting, like Security Onion, Wazuh, and ELK Stack. These solutions offer robust network analysis, intrusion detection, and log management capabilities. By integrating these tools, organizations can gain comprehensive visibility into their networks, allowing them to detect and respond to threats more effectively.

Responding to a post-compromise cyber incident often stops after recovery, however organizations and their associates remain the target of attacks long after suffering a breach. The impact of attacks like ransomware extends beyond the initial encryption or exfiltration, with residual threats often lingering in the shadows. In this presentation, we'll explore the critical aftermath of ransomware attacks, focusing on deep/dark web research and the integration of threat intelligence for effective post-recovery considerations.

With a small budget and not much support from Senior Leaders where do you begin to carve out a Cyber Security program?

BSides Atlanta organizers will put a "bow on the day" here! We will give out door prizes, take questions, and give a big thank you to our sponsors once again! We will also take questions from the attendees, add any additional end-of-day details as needed, and thank our attendees for spending their Saturday with us!