No sessions on Thursday, Aug. 11, 2022.
10:00
30min
Blue Team Village Opening Ceremony

Main Stage (In-person)
10:30
60min
Obsidian CTH: Go Phish: Visualizing Basic Malice
SamunoskeX

Come take a dive into the data lake and cast some queries to find proof that users have run files from malicious actors. How can we prove the existence of troublesome activity in the environment? We will take a journey as a new member of the Magnum Tempus Financial Security Team and work through a Threat Hunt through the eyes of a newcomer to the field of Threat Hunting.

Blue Team Village’s Project Obsidian is an immersive, defensive cybersecurity learning experience.

Project Obsidian: Track 0x42 (In-person)
10:30
60min
Obsidian Forensics: Kill Chain 1 Endpoint Forensics Walkthrough
Omenscan

Obsidian Forensics Station: Kill Chain 1 Endpoint Forensics Walkthrough

Blue Team Village’s Project Obsidian is an immersive, defensive cybersecurity learning experience that provides attendees with the opportunity to gain knowledge of Incident Response (IR), Digital Forensics (DF), Reverse Engineering Malware (REM), Cyber Threat Intelligence (CTI), and Cyber Threat Hunting (CTH).

Project Obsidian: Track 0x41 (In-person)
10:30
60min
Obsidian Live: Eating the Elephant 1 byte at a Time
aviditas, ChocolateCoat

Incident Response: This is a live walkthrough of a real world incident focused on the first half of incident response. We will be breaking down scoping, triage, and communication aspects of incident handling into digestible and actionable recommendations.

Blue Team Village’s Project Obsidian is an immersive, defensive cybersecurity learning experience that provides attendees with the opportunity to gain knowledge of Incident Response (IR), Digital Forensics (DF), Reverse Engineering Malware (REM), Cyber Threat Intelligence (CTI), and Cyber Threat Hunting (CTH).

Main Stage (In-person)
11:00
30min
Attribution and Bias: My terrible mistakes in threat intelligence attribution
Seongsu Park

The threat intelligence industry suffers from a flow of inaccurate information. This symptom is caused by irresponsible announcements and the differing perceptions of each vendor. In this presentation, I would like to share how quickly we can arrive at the wrong decisions and what attitude we need to prevent these failures.

Talks (Virtual)
11:00
90min
Practical Dark Web Hunting using Automated Scripts
Apurv Singh Gautam

How can you effectively hunt data from the dark web using scripts? How can you circumvent scraping defenses on the dark web? If you are curious about the answers to these questions and want to learn how to effectively write automated scripts for this task, then this workshop is for you. In this workshop, you will learn why collecting data from the dark web is essential, how you can create your tools & scripts, and automate your scripts for effective collection. The workshop's primary focus will be on circumventing defenses put by forums on the dark web against scraping.

Workshops (Virtual)
11:30
60min
Obsidian CTI: Generating Threat Intelligence from an Incident
ttheveii0x, l00sid, Stephanie G.

This session presents an overview of how threat intelligence can be generated from an incident and shared with various stakeholders. We'll run through an incident and demonstrate how the CTI team plays a critical role by performing research and providing insights based on stakeholder requirements.

Blue Team Village’s Project Obsidian is an immersive, defensive cybersecurity learning experience that provides attendees with the opportunity to gain knowledge of Incident Response (IR), Digital Forensics (DF), Reverse Engineering Malware (REM), Cyber Threat Intelligence (CTI), and Cyber Threat Hunting (CTH).

Project Obsidian: Track 0x42 (In-person)
11:30
60min
Obsidian: IR - It all starts here, scoping the incident
ChocolateCoat

You can't analyze what you don't know. Learn to prepare yourself for any investigation, no matter the subject.

Blue Team Village’s Project Obsidian is an immersive, defensive cybersecurity learning experience that provides attendees with the opportunity to gain knowledge of Incident Response (IR), Digital Forensics (DF), Reverse Engineering Malware (REM), Cyber Threat Intelligence (CTI), and Cyber Threat Hunting (CTH).

Project Obsidian: Track 0x41 (In-person)
11:45
60min
Malicious memory techniques on Windows and how to spot them
Connor Morley

Malicious actors are always trying to find new ways to avoid detection by ever more vigilant EDR systems and deploy their payloads. Over the years, the scope of techniques used has branched from relatively simplistic hash comparison and sandbox avoidance to low-level log dodging and even direct circumvention of EDR telemetry acquisition. By examining some of the techniques used on Windows systems, this talk will highlight the range of capabilities defensive operators are dealing with, how some can be detected and, in rare cases, the performance and false-positive obstacles in designing detection capability.

Talks (Virtual)
13:00
60min
Improving security posture of MacOS and Linux with Azure AD
Mark Morowczynski, Michael Epping

Most organizations have Windows, MacOS and Linux in their environment. Typically, many of the security controls that are applied to Windows are not applied to MacOS or Linux, due to the size of the footprint and the difficulty of implementation. This can lead to holes in an organization's overall security posture as well as a poor end user experience.

Recently, Azure AD has released some new functionality to help improve the overall environment security posture for MacOS and Linux, both servers and clients. We'll discuss how these pieces work deep down and some best practices on deploying them.

Talks (Virtual)
13:00
60min
Obsidian CTH: Hunting for Adversary's Schedule
Cyb3rHawk

Once an adversary has gained a foothold, they typically want to keep their access and establish persistence. Scheduled tasks are one of the most commonly used persistence techniques in adversary intrusions, and for good reason. In this session we take a look at Scheduled Tasks. We start with the basics, and then learn how to create a hypothesis to conduct a threat hunt. In the end, we'll take a stab at detection engineering concepts surrounding the creation and revision of detections and analytics from the telemetry we obtain from hunting this technique.

Project Obsidian is an immersive, defensive cybersecurity learning experience.

Project Obsidian: Track 0x42 (In-person)
13:00
60min
Obsidian Forensics: KillChain1 - Adventures in Splunk and Security Onion
Omenscan, Wes Lambert, ExtremePaperClip

A Live Forensics Walkthrough of Obsidian Kill Chain 1 (KC1) forensics analysis using Splunk and Security Onion

Blue Team Village’s Project Obsidian is an immersive, defensive cybersecurity learning experience that provides attendees with the opportunity to gain knowledge of Incident Response (IR), Digital Forensics (DF), Reverse Engineering Malware (REM), Cyber Threat Intelligence (CTI), and Cyber Threat Hunting (CTH).

Main Stage (In-person)
13:00
60min
Obsidian: IR - Mise En Place for Investigations
CountZ3r0, aviditas, ChocolateCoat

If you don't document it, it didn't happen. A real world approach to IR communication.

Blue Team Village’s Project Obsidian is an immersive, defensive cybersecurity learning experience that provides attendees with the opportunity to gain knowledge of Incident Response (IR), Digital Forensics (DF), Reverse Engineering Malware (REM), Cyber Threat Intelligence (CTI), and Cyber Threat Hunting (CTH).

Project Obsidian: Track 0x41 (In-person)
13:00
90min
Ransomware ATT&CK and Defense
Ben Hughes, Ronny Thammasathiti, Daniel Chen, Nick Baker, Esther Matut

This hands-on training workshop will walk attendees through hunting for Tactics, Techniques, and Procedures (TTPs) frequently used by ransomware adversaries. From Reconnaissance and Initial Access to Exfiltration and Impact, attendees will be exposed to a compressed ransomware attack lifecycle. Workshop TTPs will be mapped to the MITRE ATT&CK Framework, and the workshop will incorporate offensive operation elements such as adversary emulation while emphasizing purple and blue teaming. We will explore the endpoint and network logs left behind by attack TTPs and how the blue team can utilize such logs and defensive tooling to detect and disrupt the attack.

Workshops (Virtual)
14:00
60min
Obsidian CTH Live: Killchain 1 Walkthrough

Come take a dive into the data lake and cast some queries to find proof that users have run files from malicious actors. How can we prove the existence of troublesome activity in the environment?

Blue Team Village’s Project Obsidian is an immersive, defensive cybersecurity learning experience that provides attendees with the opportunity to gain knowledge of Incident Response (IR), Digital Forensics (DF), Reverse Engineering Malware (REM), Cyber Threat Intelligence (CTI), and Cyber Threat Hunting (CTH).

Main Stage (In-person)
14:00
60min
Obsidian Forensics: The Importance of Sysmon for Investigations
ExtremePaperClip

In this video we will discuss Sysmon -- what it is, how to get it, the configuration file, the events it logs, and why it's so valuable to forensic investigations.

Blue Team Village’s Project Obsidian is an immersive, defensive cybersecurity learning experience that provides attendees with the opportunity to gain knowledge of Incident Response (IR), Digital Forensics (DF), Reverse Engineering Malware (REM), Cyber Threat Intelligence (CTI), and Cyber Threat Hunting (CTH).

Project Obsidian: Track 0x41 (In-person)
14:00
60min
Obsidian REM: Long Walks On The Beach: Analyzing Collected PowerShells
Alison N

So you just got a bunch of PowerShell scripts dumped on you. What now?

Blue Team Village’s Project Obsidian is an immersive, defensive cybersecurity learning experience that provides attendees with the opportunity to gain knowledge of Incident Response (IR), Digital Forensics (DF), Reverse Engineering Malware (REM), Cyber Threat Intelligence (CTI), and Cyber Threat Hunting (CTH).

Project Obsidian: Track 0x42 (In-person)
14:15
60min
Lend me your IR's!
Matt Scheurer

Protecting systems and networks as a tech defender means withstanding a constant barrage of unsophisticated attacks from automated tools, botnets, crawlers, exploit kits, phish kits, and script kiddies; oh my! Occasionally, we encounter attacks worthy of style points for creativity or new twists on old attack techniques. This talk features demoed reenactments from some advanced attacks investigated by the presenter. The demos showcase technical deep dives of the underpinnings from both the attacker and investigator sides of these attacks. Attendee key takeaways are strategies, freely available tools, and techniques helpful during incident response investigations.

Talks (Virtual)
15:00
60min
Heavyweights: Threat Hunting at Scale
nohackme, Jamie Williams, Ryan Kovar, Sean Zadig, Sherrod DeGrippo, Ashlee Benge

A panel discussion on how evolving techniques for defenders are amplified, from some of the teams behind the blogs.

Main Stage (In-person)
15:30
60min
Malware Hunting - Discovering techniques in PDF malicious
Filipi Pires

Demonstrate the different kinds of structures in a binary such as a PDF (header, body, cross-reference table, trailer), explaining how each section works within the binary and what techniques are used, such as packers, obfuscation with JavaScript (PDF) and more.

Talks (Virtual)
16:00
60min
Take Your Security Skills From Good to Better to Best!
Neumann Lim (scsideath), Tanisha O'Donoghue, Ricky Banda, Kimberly Mentzell, Tracy Z. Maleeff

Why dwell in the lobby of the Security field when you could be enjoying the view from the penthouse? Get insight from our esteemed panel on how to stay up to date on hacker news, increase your technical skills, and be aware of opportunities for professional development. Our panel will also discuss the importance of sending that elevator back down to help others so that our entire industry can grow and thrive, just like you will. Open up your ears and your mind and enjoy the gems that will be dropped.

Main Stage (In-person)
16:45
15min
YARA Rules to Rule them All
Saurabh Chaudhary

Malware developers work just like legitimate software developers, aiming to reduce the time wasted on repetitive tasks wherever possible. That means they create and reuse code across their malware. This has a pay-off for malware hunters and threat intelligence researchers: we can learn how to create search rules to detect this kind of code reuse. Traditional YARA rules are written on strings, but if we implement code-reuse YARA rules in addition to the string rules, the rule will last decades.

Talks (Virtual)
17:00
60min
Blue Teaming Cloud: Security Engineering for Cloud Forensics & Incident Response
Cassandra Young (muteki), John Orleans, Misstech, Andrew Krug, Toni de la Fuente

Whether you’re in AWS, Azure or GCP, cloud security engineering doesn’t stop at basic guardrails and sending logs to a SIEM. So how do you engineer for the challenges unique to cloud forensics and incident response? This panel of cloud security engineers and incident responders will share their experiences and insights to help you take your security engineering from “just the basics” to “prepared for the inevitable”.

Main Stage (In-person)
10:30
60min
Obsidian CTH: Sniffing Compromise: Hunting for Bloodhound
CerealKiller

Join us on a journey as we chase BloodHound through a compromised environment via host and network telemetry. We will dive quickly into detections to become better prepared for next time.

Blue Team Village’s Project Obsidian is an immersive, defensive cybersecurity learning experience that provides attendees with the opportunity to gain knowledge of Incident Response (IR), Digital Forensics (DF), Reverse Engineering Malware (REM), Cyber Threat Intelligence (CTI), and Cyber Threat Hunting (CTH).

Project Obsidian: Track 0x42 (In-person)
10:30
60min
Obsidian Forensics: KillChain3 - Continued Adventures in Splunk and Security Onion
Omenscan, Wes Lambert, ExtremePaperClip

A Live Forensics Walkthrough of Obsidian Kill Chain 3 (KC3) forensics analysis using Splunk and Security Onion

Blue Team Village’s Project Obsidian is an immersive, defensive cybersecurity learning experience that provides attendees with the opportunity to gain knowledge of Incident Response (IR), Digital Forensics (DF), Reverse Engineering Malware (REM), Cyber Threat Intelligence (CTI), and Cyber Threat Hunting (CTH).

Main Stage (In-person)
10:30
60min
Obsidian: IR - OODA! An hour in incident responder life
juju43

Let's dance and fly from dogfight to cyberworld. How to investigate and win against threats.

Blue Team Village’s Project Obsidian is an immersive, defensive cybersecurity learning experience that provides attendees with the opportunity to gain knowledge of Incident Response (IR), Digital Forensics (DF), Reverse Engineering Malware (REM), Cyber Threat Intelligence (CTI), and Cyber Threat Hunting (CTH).

Project Obsidian: Track 0x41 (In-person)
11:00
60min
Threat Hunt Trilogy: A Beast in the Shadow!
Dr. Meisam Eslahi

File-less threats operate in silence and stealth, enabling adversaries to bypass automated cybersecurity, lurk in our digital wonderland, and avoid standard detections. They are hidden beasts in shadow! This technical talk will briefly explain the different types of file-less threats and the importance of threat hunting to combat them. A Windows-based file-less threat will also be hunted via the live system, memory, and network packet analysis, followed by a comparative discussion about each method's capabilities. The threat hunts' hypotheses used in this presentation are practical, and all will be mapped with MITRE knowledge bases.

Talks (Virtual)
11:00
240min
Web Shell Hunting
Joe Schottman

Web Shells are malicious web applications used for remote access. They've been used in many of the recent prominent breaches/vulnerabilities including Equifax, SolarWinds, and ProxyLogon and are used by APTs and other threats. With ProxyLogon, the FBI was authorized to remove them from victim machines.

This session will help you avoid telling your employer that the FBI is now doing volunteer admin work by teaching you about Web Shells, how to hunt for them, and doing hands-on hunting in a VM. A little groundwork goes a long way and this class will show what to do.

Workshops (Virtual)
11:30
60min
Obsidian CTI: Operationalizing Threat Intelligence
ttheveii0x, l00sid, Stephanie G.

This module presents an overview of how threat intelligence gleaned from a single CTI report can be operationalized across an organization. We'll run through a report based on content from Project Obsidian's kill chain 3 and demonstrate how it can be operationalized by different teams (SOC, IR, forensics, security management, and executives).

Blue Team Village’s Project Obsidian is an immersive, defensive cybersecurity learning experience that provides attendees with the opportunity to gain knowledge of Incident Response (IR), Digital Forensics (DF), Reverse Engineering Malware (REM), Cyber Threat Intelligence (CTI), and Cyber Threat Hunting (CTH).

Project Obsidian: Track 0x42 (In-person)
11:30
60min
Obsidian Forensics: Kill Chain 3 Endpoint Forensics Walkthrough
Omenscan

Obsidian Forensics Station: Kill Chain 3 Endpoint Forensics Walkthrough

Blue Team Village’s Project Obsidian is an immersive, defensive cybersecurity learning experience that provides attendees with the opportunity to gain knowledge of Incident Response (IR), Digital Forensics (DF), Reverse Engineering Malware (REM), Cyber Threat Intelligence (CTI), and Cyber Threat Hunting (CTH).

Project Obsidian: Track 0x41 (In-person)
12:15
30min
Even my Dad is a Threat Modeler!
Sarthak Taneja

The talk will mainly focus on different frameworks of Threat Modelling and how threat modelling can be made more efficient, learning from past experiences and the common mistakes organizations make while doing threat modelling.

Talks (Virtual)
13:00
60min
Obsidian CTH Live: Killchain 3 Walkthrough

Blue Team Village’s Project Obsidian is an immersive, defensive cybersecurity learning experience that provides attendees with the opportunity to gain knowledge of Incident Response (IR), Digital Forensics (DF), Reverse Engineering Malware (REM), Cyber Threat Intelligence (CTI), and Cyber Threat Hunting (CTH).

Main Stage (In-person)
13:00
60min
Obsidian REM: Phishing In The Morning: An Abundance of Samples!
Alison N

Coming soon

Project Obsidian: Track 0x42 (In-person)
13:00
60min
Obsidian: IR - Final Reporting Made Exciting*
CountZ3r0, aviditas

*Insert eye-catching and compelling abstract on IR final reporting here. Make it seem exciting and not at all a dreaded yet critical part of incident handling.

Blue Team Village’s Project Obsidian is an immersive, defensive cybersecurity learning experience that provides attendees with the opportunity to gain knowledge of Incident Response (IR), Digital Forensics (DF), Reverse Engineering Malware (REM), Cyber Threat Intelligence (CTI), and Cyber Threat Hunting (CTH).

Project Obsidian: Track 0x41 (In-person)
13:00
60min
The DFIR Report Homecoming Parade Panel
Ch33r10, Jamie Williams, Kostas, nas_bench - Nasreddine Bencherchali, Justin Elze, ICSNick - Nicklas Keijser

Follow along as we take the DEF CON Hacker Homecoming theme to the next level with a DFIR Report Homecoming Parade. The panel will provide additional context to various DFIR Reports released in the past year. Pick up some tips and tricks to up your game!

Talks (Virtual)
14:00
60min
Obsidian CTH: The Logs are Gone?
ExtremePaperClip

What happens when an attacker clears the logs in an effort to hide their tracks? Here we will dive into that question, build a Threat Hunting hypothesis, develop some ways to detect this activity, and document the process.

Blue Team Village’s Project Obsidian is an immersive, defensive cybersecurity learning experience that provides attendees with the opportunity to gain knowledge of Incident Response (IR), Digital Forensics (DF), Reverse Engineering Malware (REM), Cyber Threat Intelligence (CTI), and Cyber Threat Hunting (CTH).

Project Obsidian: Track 0x42 (In-person)
14:00
60min
Obsidian Forensics: Using Chainsaw to Identify Malicious Activity
Danny D. Henderson Jr (B4nd1t0)

When time is of the essence in IR, having a tool to quickly collect data from Windows Event Logs is the way to go. We'll LET IT RIP with Chainsaw, hosted by B4nd1t0 as part of Project Obsidian.

Blue Team Village’s Project Obsidian is an immersive, defensive cybersecurity learning experience that provides attendees with the opportunity to gain knowledge of Incident Response (IR), Digital Forensics (DF), Reverse Engineering Malware (REM), Cyber Threat Intelligence (CTI), and Cyber Threat Hunting (CTH).

Project Obsidian: Track 0x41 (In-person)
14:00
60min
Obsidian Live: May We Have the OODA Loops?
CountZ3r0, juju43

Incident Response Live Walkthrough: This will go over how to use OODA to effectively investigate and respond to a real world incident. Come work through the demos alongside experts during this live walkthrough.

Blue Team Village’s Project Obsidian is an immersive, defensive cybersecurity learning experience that provides attendees with the opportunity to gain knowledge of Incident Response (IR), Digital Forensics (DF), Reverse Engineering Malware (REM), Cyber Threat Intelligence (CTI), and Cyber Threat Hunting (CTH).

Main Stage (In-person)
14:15
30min
Hunting Malicious Office Macros
Anton Ovrutsky

When reviewing threat intelligence reports, it is common to see malicious Office macros of various types used as an initial access vector. Recently, Microsoft announced big changes to Office behavior in the context of malicious macros. However, organizations still struggle with detecting malicious macros, which is often a prerequisite for implementing any type of hardening changes. The aim of this talk is to address this gap, provide guidance on how to detect malicious macro usage in environments, and highlight the necessary steps to ensure systems are properly hardened against this threat.

Talks (Virtual)
14:30
30min
Obsidian Forensics: Creating a custom Velociraptor collector
Omenscan, Wes Lambert

Obsidian 4n6 Station: Pre-Recorded - Obsidian 4n6: Creating a custom Velociraptor collector

Blue Team Village’s Project Obsidian is an immersive, defensive cybersecurity learning experience that provides attendees with the opportunity to gain knowledge of Incident Response (IR), Digital Forensics (DF), Reverse Engineering Malware (REM), Cyber Threat Intelligence (CTI), and Cyber Threat Hunting (CTH).

Project Obsidian: Track 0x41 (In-person)
15:00
60min
Challenges in Control Validation
Jake Williams, AJ King, Kristen Cotten

Testing security controls is hard. Really hard. Every incident responder has lived with victims who are sure existing security controls should have prevented or detected the intrusion. While some organizations don’t do any security control validation, those that do understand the challenges. While red team operations allow for point-in-time validation, how are organizations dealing with control validations during product updates or configuration changes? By and large the answer is “they aren’t.” On this panel, we’ll discuss why control validation is difficult. Then we’ll discuss recommendations for scaling control validation operations in practically any organization.

Main Stage (In-person)
15:00
15min
Horusec - Brazilian SAST help World
Gilmar Esteves

Presentation of the Horusec tool (https://github.com/ZupIT/horusec), developed by ZUP IT in Brazil to help companies identify security problems in the most common languages while still in the development environment or the IDE.

Talks (Virtual)
16:00
60min
Making Your SOC Suck Less
Carson Zimmerman, Sebastian Stein, Shawn Thomas, Alissa Torres, Jackie Bow

The Security Operations Center: is it really more than a place to go where dreams die? So many analysts feel that there’s no way to improve and they’re in a dead end job. How can you turn your nightmare into something more bearable? By the end of this panel, you will have gained a series of tips and tricks to take back to your SOC; you will learn how to get the most from your individual experience, lift up the team around you, or at least recognize when it’s time to run like mad.

Main Stage (In-person)
17:00
60min
Latest and Greatest in Incident Response
plug, Lauren Proehl, LitMoose, zr0, Jess

IR is constantly in motion; adversaries change tactics and techniques, and so do Incident Responders. Come hear from IR professionals what they've been up to for the past year.

Main Stage (In-person)