BSides Atlanta 2025
Attendee check-in
Welcome to BSides Atlanta 2025!
Visit our terrific sponsors!
Every security professional knows the grind — long hours, unpredictable conditions, and the constant push to adapt when fatigue hits. In that way, cybersecurity and ultrarunning have a lot in common. Drawing on years of experience leading security transformations at Home Depot and Equifax and competing in 50-mile and 100-mile mountain races, Zach Tisher explores how endurance thinking, shared purpose, and community can transform how we approach modern defense.
“AI to manage my inbox”, “AI to handle purchasing”, “AI to schedule CEO’s flights”, “AI to ….” - FFS! Artificial Intelligence is being baked into all kinds of products. Companies are selling mediocre and often badly developed products with “AI will solve” taglines. Sometimes it feels like those of us in Security teams are using duct tape to patch the Hoover Dam. So, what do we do?
This talk is a culmination of notes I’ve taken over the past year trying to help govern the AI onslaught at my day job and in the non-profits I consult with. I will offer practical insights via storytelling. You will walk away with a realistic view of AI’s capabilities and risks and the talking points needed to address its adoption in your organization. The goal of my talk isn’t to help you stop AI adoption. I find AI to be extremely helpful when used to its fullest potential. My goal is to help prepare you for AI enablement in a mature, secure manner.
In today’s threat landscape, adversaries are faster, smarter, and more elusive than ever—leveraging automation, AI, and cross-domain attack vectors to breach defenses. But defenders are not standing still. This session explores how Microsoft Defender is transforming security operations through adaptive, AI-powered capabilities that span endpoints, identities, cloud workloads, and data.
Join us as we unpack real-world scenarios where Microsoft Defender’s Extended Detection and Response (XDR) and Security Copilot agents neutralize emerging threats like ClickFix and AI-obfuscated phishing campaigns. Learn how Defender’s integration with Microsoft Sentinel, Entra ID, and Defender for Cloud Apps creates a unified shield against lateral movement, identity compromise, and cloud breaches.
We’ll also dive into how Defender’s proactive posture management, agentless scanning, and intelligent automation empower security teams to shift left, reduce alert fatigue, and stay ahead of adversaries—no matter how fast they evolve.
In this presentation, Jason Maddox, Director of IT and Chief Information Security Officer at a $40 billion private equity firm, shares strategies for crafting resumes that secure information security roles for senior college students, recent graduates (0-2 years of experience), and early-career professionals (3-5 years of experience). Drawing on years of experience hiring for high-stakes financial environments, where IT and cybersecurity are critical to protecting sensitive data, this talk delivers actionable advice tailored to early-stage career levels. Attendees will learn to create concise, ATS-friendly resumes that highlight relevant skills, certifications, and projects. The presentation will showcase examples of what to avoid in your resume, explain why, and demonstrate how to capture the hiring manager's attention. This session aims to assist soon-to-be grads / recent grads and early career professionals to craft compelling resumes that help open doors.
The DC864 group created a CTF for BSides Greenville for the third year; this year's edition had over 60 challenges worth a maximum of 600+ points. The CTF challenges vary from lock picking, jeopardy-style questions, system challenge chains with multiple exploits/challenges, docker challenges, and webapp/API challenges. We would like to bring this CTF to another BSides.
CTF website: https://ctf.dc864.org/
In an age where digital privacy is increasingly under threat, understanding how to protect personal information is essential for everyone, regardless of technical expertise. This interactive workshop will provide participants with a unique opportunity to engage in hands-on learning at multiple stations, each dedicated to a specific aspect of digital privacy. Attendees will receive guidance from privacy experts as they navigate the installation and use of essential tools, including privacy-focused browsers, password managers, secure messaging apps like Signal, and operating systems such as Tails and TOR.
The workshop is designed to cater to a diverse audience, from beginners to seasoned tech enthusiasts. Each station will offer step-by-step instructions and personalized support, ensuring that participants leave with practical skills and a deeper understanding of digital privacy. By fostering a collaborative environment, we aim to empower individuals to take control of their online presence and enhance their security in an increasingly interconnected world. Join us to learn, share, and build a community committed to safeguarding digital privacy for all.
Atlanta LockSport would like to run a lockpicking village for BSides.
NetKotH CTF
This year, the calendar turned and I hit a milestone. I looked and realized that I had been doing this security stuff for over 20 years professionally, and it was time to take a look back and share some insight about how I earned this gray hair and these wrinkles and what I would do differently if I "could do it all over again". I think I have gained just a little bit of insight that many new to the field (or newer to the field) might just benefit from. So here goes, a nice little talk that is less tech, more human, and all of it real.
BLUF: Learn cloud using a systems engineering approach and hack cloud with an LLM.
Abstract
 • Challenge: Cloud ecosystems are large and complex.
 • Approach: Apply a systems engineering lifecycle: needs → requirements → architecture/design → implementation → integration → verification/operations.
 • Scope: Azure-focused examples with provider comparisons.
 • Use Cases: From home-lab to small-business rollouts; examine cost, scalability, and security tradeoffs.
 • Hands-On: PwnedLabs lab for web-app/cloud attack paths, hardening, and validation under the shared responsibility model.
 • LLM Integration: Use Codex-like assistants to accelerate recon, produce playbooks/tests, and summarize findings.
 • Takeaway: A practical, repeatable framework to understand cloud as a systems engineer and leverage LLMs to speed security testing and automation.
The traditional cybersecurity career ladder is broken. Entry-level positions demand years of experience and the advice that worked five to ten years ago leaves aspiring professionals spinning their wheels. AI has fundamentally transformed both the work we do and how we're expected to prove we can do it.
This talk examines why the old playbook no longer works and reveals what works now. You'll learn how to leverage AI tools to build demonstrable security skills, position yourself in emerging niches where AI creates opportunity rather than competition, and make yourself visible in ways that cut through the noise of traditional job markets.
We'll explore strategies for the AI era including building proof of work that stands out, developing skills that complement rather than compete with automation, and networking in ways that bypass gatekeepers. Learn how to navigate this new landscape and learn the common pitfalls that waste time and energy.
Whether you're trying to break into cybersecurity for the first time, pivoting from another field, or stuck at a career plateau, this session provides a practical framework for rebooting your approach with actionable strategies you can implement immediately.
Governance, Risk, and Compliance (GRC) teams often operate in silos, disconnected from the hands-on efforts of cybersecurity teams such as red and blue teams. This disconnect can lead to misaligned priorities, overlooked risks, and inefficiencies in responding to threats. In this presentation, we’ll explore strategies to bridge the gap between GRC and cybersecurity teams, emphasizing the importance of collaboration in building a unified, risk-aware culture. Attendees will learn actionable techniques to align compliance frameworks with security operations, foster communication between teams, and leverage shared tools and data for better outcomes. This talk will empower both GRC and cybersecurity professionals to break down silos and work together effectively.
What happens when a security engineer builds something deeply personal, like a dating API? Suddenly, the tables turn: you’re not just reviewing code, you’re writing it. Every design choice becomes a tradeoff between speed, usability, and security.
In this talk, I share the lessons learned from creating my own dating API. Along the way, I had to navigate common security challenges like API key generation and storage, input validation, access controls, logging, rate limiting, etc., while also grappling with the frustrations and surprises of being “the developer.” Some controls were easy to implement, others forced compromises that gave me new empathy for engineering teams under pressure.
Attendees will leave with a practical checklist of API security considerations, insights into how design tradeoffs impact security decisions, and a reminder that building, even something unconventional, can sharpen both technical skills and cross-team understanding.
This research examines emerging cybersecurity awareness resources for older adults who are increasingly victims of financial scams and social engineering. This presentation draws from interviews with the FINRA Investor Education Foundation and the Identity Theft Resource Center (ITRC). It also presents preliminary findings from the cybersecurity awareness initiative, the Cybercare Institute, recently introduced to four organizations in New York City. The workshop teaches older adults about basic definitions in cybersecurity, cyber hygiene, and how older adults can protect their identity through the ITRC. The workshop materials developed are “open source” with the aim for further adoption and improved support for older victims of cybercrime.
Time to eat lunch!
We were promised autocomplete on steroids. What we got was a new attack surface, one that developers invite into their terminals, editors, CI pipelines, and even production systems.
In this talk, I walk through how AI coding agents, the ones we rely on to ship faster by offloading mental load, are quietly introducing a new class of threats. And these aren’t theoretical. They’re already being exploited in the wild.
We’ll explore how natural gaps in agent understanding can become opportunities for adversaries, and how the tools built to boost productivity can be subverted into delivery mechanisms for exploitation.
From subtle context manipulation to unexpected supply chain consequences, we’ll trace how trust in your agent can become the thing that gets you pwned.
This isn’t about prompt injection. It's about something much deeper. This is real-world exploitation. Where the agent becomes the source of the next attack.
We’ll walk through concrete examples, highlight the (surprisingly limited) tooling available today, and make the case that agent context and model provenance need to be treated with the same rigor we already apply to our dependencies and infrastructure.
AI agents are immensely useful. But if we don’t rethink how we trust and monitor them, they won’t just make our jobs easier, they’ll make attackers’ jobs easier too.
Abuse of Service Principals in Entra ID has been a longstanding favorite of APT groups. In recent years, that knowledge has trickled down to eCrime actors and is leveraged for ransomware and extortion. Microsoft has introduced two new security controls to address this in 2025. Each has its pros and cons, but as with any security control, an understanding of the risk it mitigates is crucial to balance the tradeoffs against potential business disruption.
In this talk, we'll go over three scenarios in which Service Principals are abused and which controls would be relevant to address this risk. We'll also explore how to perform your own testing to evaluate whether the controls you configure are functioning as expected.
Join Jason Maddox, Director of IT and Chief Information Security Officer, for an interactive afternoon workshop designed to help senior college students, recent graduates (0-2 years of experience), and early-career professionals (3-5 years of experience) build standout resumes for information technology and information security roles. This hands-on session focuses on your resume. He will help you highlight technical skills, certifications, and relevant projects. Participants will receive personalized feedback to refine their resumes and learn how to communicate their talents on paper. Attendees are required to bring their own printed resumes. A printer will not be provided.
The barrier to entry for creating sophisticated, custom phishing infrastructure has officially collapsed. Gone are the days of clunky templates and easily detectable campaigns. In this talk, we'll demonstrate how attackers can now leverage Large Language Models (LLMs) to rapidly clone and deploy pixel-perfect, convincing replicas of any target website and login page in minutes, not hours.
We will bypass the false sense of security offered by traditional MFA portals, showing exactly how modern adversary-in-the-middle (AitM) techniques render them ineffective. We'll provide a minimalist's guide to the backend, covering the bare-minimum PHP requirements for implementing convincing routing and live credential capture. This session moves beyond theory, culminating in a live Business Email Compromise (BEC) demo built from scratch specifically for the BSides Atlanta audience. We'll explore why this hyper-accessible threat is more dangerous than ever and what it means for the future of our defensive strategies. Attendees will leave with a sobering understanding of how quickly bespoke offensive tooling can be created and deployed in the real world.
The fediverse represents a radical shift in how we engage with social media, aligning closely with the hacker ethos of openness, decentralization, and user empowerment. This talk will demystify the fediverse, explaining its structure and how it operates as a network of interconnected, decentralized platforms. Attendees will learn how to get started in the fediverse, including tips for creating accounts and navigating various platforms. We will also explore the wealth of security resources available within this ecosystem, highlighting communities and tools that promote a culture of security and privacy. By embracing the fediverse, we can reclaim our digital spaces and foster a more inclusive and secure online environment.
The world of at-home virtualization has become increasingly fast and affordable. This talk explores how to become your own crack dealer by distributing password-cracking workloads across Proxmox with GPU passthrough. We’ll explore how to set up and scale crack distribution pipelines across a virtual setup for both offensive cracking and research. Expect to dive into virtualization, hardware passthrough, cracking theory, and some automation.
LLMs and AI have taken the world by storm. Everyone wants to use AI (or at least have people thinking they are). Everyone thinks it is going to change the world. Some say it is going to destroy humanity. Red Team talks show us how to manipulate responses for fun and profit. But what about the rest of us who just want to use it, not hack it? It is time to deflate the balloon of the hype machine and be realistic. Let's take a candid and somewhat humorous walk through what AI is, what it isn't, and what the reality of this new technology is for all the rest of us.
Quantum computing is poised to upend modern cryptography by breaking widely used public-key algorithms like RSA in a matter of minutes. Cyber adversaries are already “harvesting” encrypted data today with plans to decrypt it once quantum capabilities mature. This looming threat endangers everything from personal and financial data to military secrets and the digital signatures that underpin online trust. In response, academia and industry have joined forces with NIST to devise quantum-resistant algorithms and standards. NIST approved the first post-quantum cryptography (PQC) standards for encryption and digital signatures in 2024, marking a pivotal step toward protecting vulnerable crypto assets before large-scale quantum computers arrive.
However, achieving post-quantum readiness is a complex, collaborative journey. Organizations must first identify which cryptographic assets and systems are at risk and prioritize them for migration. We present a technical framework for crypto agility and quantum-safe adoption, starting with a thorough cryptographic inventory to pinpoint vulnerable systems and to assess data at risk from “harvest-now, decrypt-later” scenarios. Building on NIST’s guidance, our approach emphasizes cross-sector collaboration in adopting PQC. We highlight applied research initiatives from global consortia to NIST’s National Cybersecurity Center of Excellence projects that unite researchers, industry practitioners, and government to develop practical quantum-safe solutions. By aligning these efforts with NIST’s PQC standards and guidelines, we provide forward-looking, hands-on strategies for academia and cybersecurity professionals to collaboratively safeguard assets and ensure a smooth transition to a quantum-safe future.
Where did the Threat Actor go? - They RAN-SOM-WARE...
A journey into the heart of a ransomware gang; from the tradecraft used to bypass defenses, to the anatomy of an attack.
Outline:
 - Intro
 - Who are threat actors?
   - The OG's
     - REvil
     - Conti
     - HIVE
   - The Top Dogs
     - LockBit
     - ALPHV/BlackCat
     - CL0P
     - Qilin
     - Akira
     - Hunters International
     - Medusa
     - Play
     - Ransomhouse
     - Rhysida
   - The rookies
     - Scattered Spider
     - Cactus
     - Everest
     - Silent
     - Stormous
     - Skira
 - What motivates the bad guys?
   - Money
   - Politics?
 - What is ransomware?
   - Cryptovirology
   - How does it all work?
   - F#ck you, Pay me.
   - Data brokers
 - Who pays these people???
   - Too many people
   - WHY!?
   - Make it stop!
 - How do we stop them?
   - "Only you can prevent "forest" fires..." ~ Smokey, the D.A.
 - Are they here to stay?
   - Organized crime is as old as time...
 - Outro
   - Are you ready for a ransomware attack?
Security operations teams are inundated with alerts, logs, and repetitive workflows that limit their ability to focus on meaningful analysis and rapid response. Emerging AI technologies — particularly Large Language Models (LLMs) — offer an opportunity to bridge that gap by transforming unstructured data into actionable intelligence.
This session provides a high-level exploration of how LLMs and agent-based systems can be thoughtfully integrated into Security Operations Centers (SOCs). Rather than focusing on any specific platform, we’ll discuss key decision points in designing these systems — including model selection, prompt design, context generation, agent creativity, token management, and workflow orchestration.
The presentation will conclude with a brief demo showing how these principles come together in a simple, agent-driven workflow to enrich and summarize security alerts in real time. Attendees will gain a practical understanding of how to evaluate and experiment with LLMs safely and effectively within their own security environments.
As cyber threats to Operational Technology (OT) increase, organizations are turning to assessments to gauge their security posture. Yet too often, these efforts result only in compliance checklists, missing the broader opportunity to build shared understanding and lasting resilience.
This talk explores how OT cybersecurity assessments can be transformed into vehicles for knowledge-sharing across the enterprise. More than identifying control gaps, effective assessments create a common language between engineers, operators, and security teams, ensuring that technical findings translate into actionable, operationally grounded improvements.
We will discuss how assessments can:
 - Illuminate workflows and vulnerabilities that only frontline staff truly understand.
 - Build cross-team trust by engaging operations, security, and leadership in a shared process.
 - Translate frameworks like IEC 62443 and NIST 800-82 into tailored, context-specific practices.
 - Empower teams through readiness reviews, iterative baselines, and evolving metrics that reflect real-world maturity.
By treating assessments as collaborative exercises—acts of both technical analysis and organizational diplomacy—we can ensure they leave behind more than a report. They leave behind knowledge: clarity of purpose, visible progress, and the confidence to adapt security controls as threats and operations evolve.
Attendees will gain insight into designing assessments that not only measure but also teach, bridging silos and embedding security knowledge where it matters most—within the teams who operate and safeguard critical infrastructure every day.
Malware is noisy and constantly changing, but hidden in that chaos are patterns we can use to build better detections. This talk takes a look at how understanding the internals of malware, like packing, code injection, and persistence, can give us a clearer view of attacker behavior and help us engineer detections that stick.
Instead of focusing only on signatures or chasing IOCs, we’ll dig into how to turn lessons from real malware analysis into practical, behavior-based detections. You don’t need to be a reverse engineering expert to walk away with ideas you can bring back to your SOC or detection pipeline.
The goal is simple: cut through the noise, find the signals, and use what malware teaches us to get ahead of attackers.
Have you ever wondered what it would really be like if your developers were also security experts? Would you be around to find out? I worked for a company that makes a SAST tool, and we had the unique arrangement where developers were responsible for SDL security practices, under the guise of calling it "dogfooding". I discovered that there were indeed several key areas that the security team was still needed for... but it wasn't the areas I expected. We created a Security Champions program and found that knowledge was the key to breaking down barriers between these silos. And I learned that trying to engineer myself out of a job was harder than it seemed! :D
This talk examines the rise of scam compounds and some of the rapidly changing features of these criminal operations, where fraudulent activities occur at scale. A report last year by the UN Office on Drugs and Crime found that cyber-enabled fraud has intensified, resulting in billions of dollars in losses, with many of these crimes led by groups in Southeast Asia. The UN has estimated that hundreds of thousands of people are being trafficked and forced to work in a combination of scam centers and online operations. At the same time that cyber crime syndicates are rapidly evolving their use of technologies, they have also become more mobile and can relocate a compound after completing a “life cycle of operations.”
Like the uncanny valley tin can voice in so many AI generated commercials and ads right now, it’s the weirdness of how the AI threat lives on LAN that betrays it. It looks almost like a user; almost like a service account. Almost.
We’re in a new cyber-era, the age of AI threats. In catching my first malicious AI Agent, arguably a bleeding edge threat, the simplest logs I know of—ARP tables, switch CAM tables, and packet forensics—revealed the shape of the threat when tools leveraging cyber intelligence failed. As Agentic AI threats become the Worm 2.0, analysis of network appliances and packets gives security pros the tools to understand the shape of the threat, highlighting the weirdness that betrays AI threats.
We live in a world of IPS, EDR, NDR, Next-Gen Firewalls; even many wireless access points have signature matching and check packets against threat intelligence. That's great for known threats. But the AI threat is inherently zero-day. It’s “polymorphic.” The attack evolves as the AI agent explores possible threat vectors. HR doesn’t do that. Accounting doesn’t do that. IT staff kind of do that a little bit, but we can plan for that. The point is we know the profile, the shape of human network activity.
Evolving doesn’t always mean shiny and new. Don’t neglect the basics. I’ll demonstrate how to detect AI threat activity with the simple network switch, and similar devices.
End of day remarks and giveaways