2018-02-04 11_25_27-social engineering wikipedia - Google Search.png

Social Engineering for the Blue Team

February 4, 2018

I am happy to announce that I will be doing a workshop at Converge and BSides Detroit this year. The conference is May 10-12 in Detroit, Michigan, at Cobo Hall. Tickets are currently available for this event. It's a great conference with some really great trainers and speakers. I am humbled to be a part of the experience again this year.

I decided I wanted to do the training on this topic, because I think it's something our industry needs. Building relationships is very important for security. It's what allows us to get buy in from leadership, probably the most important factor in setting the tone for security at an organization. It's also what allows us to more easily get security implemented from a compliance and technical stand point.

I tried submitting this idea to some conferences (DerbyCon) at the end of the year last year. I wanted to avoid the use of the term social engineering, because I saw it as a sexy word. Something the red team only did. I didn't get any traction on the idea. I had a really long title. Something like, "Building relationships to get more security blah blah blah (boring!)."

After I read, Chris Hadnagy's book, Social Engineering: The Art of Human Hacking I realized that it's more than just a red team activity. In fact Wikipedia has multiple entries on the topic. It's not just security focused. It's also political. Reading the book it's even more than that. Sales and marketing people use social engineering. In fact, we all do it, to varying degrees. Some better than others. The book is focused on red teaming for social engineering. A lot of those concepts, though, I could easily apply and even provide examples of doing on a day-to-day basis.

Maybe I should backup for a moment and explain what I do. I sit with a development team. I don't sit with the security team. I am their security resource. I liaison security needs to them and development needs to security. The role has expanded to working with multiple teams and multiple departments. A large part of that is because I seem to have a knack for getting along with people. And that's because I apply a lot of social engineering techniques that red teamers us to breaking into a building or network. I never truly understood why until I started studying social engineering.

That has resulted in me not only understanding the why, but also how I can be even better at what I do. I would like to share that with the infosec community. I think we can all be better at interacting with other departments. I think using these techniques we can get even more done. We can reduce frustration and stress. We can have more opportunity to talk about security and influence others into a more secure mindset.

I've submitted this topic to multiple conferences. I was accepted as an alternate for BSides Nashville (tickets go on sale February 14.2018). I'm waiting to hear back on others. In the interim, I've started working on my slides and training. I plan to use the podcast and this blog as an opportunity to get my ideas and thoughts out of my head. Feedback is encouraged either in the comment section below, on Twitter, or email (timothy[dot]deblock[at]gmail[dot]com).

This blog post first appear on Exploring Information Security.

Blue Team Starter Kit - Computer hardening with EMET

December 17, 2015

EMET is awesome.

Microsoft's Enhanced Mitigation Experienced Toolkit (EMET) is also free and adds an extra layer of protection to computers. Released in the fall of 2009, EMET is currently at version 5.2, with a 5.5 beta available for download. Each application and program on a Windows-based computer runs in a predefined way on a Windows-based OS. When malware infects a machine, it tries to take advantage of the predefined interaction. EMET attempts to hide that interaction from malicious software. This article will explore more of this idea, as well as talk about how to deploy it to an organization.

What is EMET?

When Windows XP was nearing end of support, we realized that we weren’t going to meet that date. This lead me to research ways of mitigating this issue. Soon after I discovered the EMET.

This wonderful tool added another layer of protection to our machines. The user guide has a good technical breakdown on all the protection features. The gist of it is that EMET attempts to randomize or hide how applications interact with the Windows OS. When malicious code attempts to run using a predictable process, EMET blocks and alerts on it.

EMET can be installed in the enterprise or even on a home computer. At home, simply download and install.

2015-12-17 22_12_32-Application Configuration.png

It's interface is easy to use. The main window features the ability to enable, disable, or opt-in applications to the defense features. It also shows the processes EMET is protecting. Navigate to the "Application Configuration" window by clicking the Apps button. Here is where individual protections can be enabled or disabled for applications.

These two windows are the main windows for configuring most of EMET's functionality. We'll talk more about configuration as we dive into deploying EMET.

How to deploy EMET

EMET can be deployed any number of ways. If your organization has Microsoft System Center Configuration Manager, congratulations you win! If you don’t deployment will be a bit trickier, but still painless. The article next week will cover PDQ Deploy. Which is a low-cost option for deploying EMET (as well as other software). Before EMET can be deployed some preperation work needs to be done..

I would highly recommend deploying it to a group of test users. To setup a test group, identify one user and computer from each department. The more people added to the group the better. Try to have a good relationship with these people. A relationship is key to getting prompt and informative feedback on any issues. Offer up something like personalized help for issues with EMET.

The reason for the test group is to ensure that the computers in an organization work with EMET. As great as EMET is, it can have issues with certain programs on the computer. I deployed EMET 4.0 to my organization without a hitch. I tried to push 5.0 and derped Microsoft Office and IE on all developer and mainframe machines. That was a fun morning! I resolved the issue on each computer quickly, but it caused some consternation. Do it once or twice and people will eventually forgive you. Do it more than that and it will be much harder to get new security initiatives deployed.

To configure EMET, Open the interface by right clicking on the icon in the bottom right corner of the screen. The main interface shows the protections and the process EMET is running on. Protection profiles can be imported or exported. Clicking the Import button will have some predefined profiles to use including:

CertTrust
Popular Software
Recommended Software

Start with Recommended Software.

Next, click Apps to open the Application Configuration interface. This interface allows for the configuration of each individual protection on specific applications. When an application is blocked by EMET, a small pop-up will appear in the bottom right corner of the screen. The pop-up contains information for what application and what defense fired. This is useful for troubleshooting when a legitimate application is blocked. To resolve the issue, uncheck the protection for the that application. EMET requires a reboot after each change, but the issue may be resolve after unchecking the box.

That's the general idea of configuring EMET. Each organization and department is unique. Finding the right configuration can take time.

After finding the best configuration for your organization, you'll want to have central control of the configuration. This is possible with Group Policy. Group Policy allows for control of the options on the main interface. To gain control of the Application Configuration window a logon script will need to be setup.

There are a few different ways to get the options for EMET to show up in Group Policy. There will be links at the bottom of this post leading to those options. One of the great things about EMET is that a lot of information security professionals have written about it. The method I used was to drop an .adml and .admx file onto one of the Domain Controllers.

Check the more resources section for different methods on getting control of EMET.

Conclusion

I'll reiterate the opening statement: EMET is awesome. It's free. Easy to use. There's been a lot of article and guides written on it. Best of all it adds an extra layer of protection to machines. There is some work and planning involved, but it will pay off in the end.

More resources

This post first appeared on Exploring Information Security.

Blue Team Starter Kit - Forensics with Redline

December 8, 2015

“I guess we’ll just re-image the box then” is the phrase I often used early in my IT career. That was standing operating procedure for a compromised machine. We would receive a SOC alert. We would go kick the user off the box and have it re-imaged. That is until I found Mandiant’s (Now Fireye’s) Redline tool.

What is Redline?

It’s a free tool that allows me to do an investigation on potentially compromised boxes. With the tool, I started getting a better understanding of why compromises occurred. That information allowed us to make better decisions about defenses in place. It also allowed us to provide valuable feedback to the Security Operations Center (SOC).

The tool has several features that can be useful for analysis. This article will focus on the timeline feature. The timeline collects all the log sources from the computer and puts it all in one location for analysis. This is useful for investigating incidents where an incidents specific time frame is available.

The tool also features a Malware Risk Index (MRI) score and Indicators of Compromise (IOCs). MRI is for analyzing processes and IOCs for artifact defining. Refer to the user guide for more information on using these.

Alternative Tools

Before we get to Redline, I would like to mention a few alternatives. Volatility is a tool that I hear a lot of infosec people raving about. It’s a memory forensics and analysis tool and from the sound of it does a lot of the same things Redline does. I have never used the tool, but I see plenty of professionals talking about it.

There’s also the SANS Investigative Forensics Toolkit (SIFT). Which is a VMware workstation loaded with forensics tools. It’s been awhile since I’ve used the tool. From what I remember this tool requires a little more advanced knowledge of forensics. Still, it’s another free option to perform forensics analysis on potentially compromised computers.*

*As you may have noticed by now I keep using the word “potentially” compromised computers. That’s because one of things I discovered using Redline is that false positives happen.

How to use Redline

Download and install Redline. I would also recommend downloading the user guide as well. The user guide is how I got started using the tool. It will explain the ins and the outs in much more depth than I intend to here. In fact, I recommend stopping here and just using the user guide.

Still with me? Let us proceed.

Launch Redline and, click on the “Create a Comprehensive Collector” link. This will create the collection package. Check the box for “Acquire Memory Image.” A lot of malicious activities happen in memory. Collecting what’s in memory is vital.* Next, decide where the collection package will reside on the computer. Click OK to create the package.

*When responding to an incident, disconnect the computer from the network or contain it in a separate VLAN. Avoid rebooting or shutting down. A reboot or shutdown will wipe whatever is in memory.

When a compromised computer is discovered, get the collection package on the computer. There are a few options for getting the package on a computer. Packages can be pre-deployed to all boxes in the organization. USB is another option. The organization’s environment will determine the best method for accomplishing this.

To run the package, execute the “RunRedlineAudit” batch file in the collection package. A command prompt (black box) will pop-up and begin run a script to collect all the events on the computer. The collection can take several hours depending on how much is on the computer, it’s processing power, how much memory it has, etc.

Once the script completes, open it in Redline. On Redline’s main page, click the link for “Open Previous Analysis” under Analyze Data. Go to Sessions -> AnalysisSession and select the .mans file. Click Open. Redline will now load the session. This part of the process can take some time as well.

After the session opens, click on the option to investigate based on an external source. There are other options for starting an investigation. Refer to the user guide for explanations on these. A Timeline will appear with all events from registry changes, browsing history, event logs. A Timeline Configuration pane is available for refining the timeline. Computers create a ton of events, so it can take some time to load everything. Which is why it's a good idea to define a time period. Go to the Time Wrinkle tab and set a number of minutes before and after a certain time period. If the information available on the incident is vague, a wider time period may be needed. For more accurate time a smaller time period can be used.

For the most part, when I received a SOC alert the information I received was exact down to the second. I would use only two minutes before and after a specific time. When I didn’t have an exact time, I would go as high as 15 mins before and after. One thing to note is that the time on events is in GMT time. A conversion to GMT is needed to match the time from the incident to the computer (+4 or +5 hours).

Now go through the timeline and look for anything associated with the incident. Use Google to research any suspicious events. One incident I responded to, several users had clicked a phishing email. A block box had popped up on their machine and then went away. We ran Redline on the machines and found that an .exe had been dropped in the Windows temp folder. In other instances I would see the anti-virus or EMET step in and block the attack. Look for anything suspicious. If unsure Google it.

That's pretty much it. The process I use is very simple. It gets me the answers within a relatively quick time period and helped me make better decisions. Doing the analysis above I was able to determine when our defenses failed. I also discovered that we were being sent false positives and that the machines were perfectly fine. In those instances we could put the computers back in service with a high level of confidence. The benefits of doing that is that people aren't without machines for longer than needed. It also helped reduce workload in the IT department by reducing the number of computers that needed to be re-imaged.

The tool and its alternatives are much deeper and offer valuable information for decision making.

Conclusion

With Fireye’s Redline, security teams can make better decisions about potentially compromised computers. It’s a free tool, so it should fit nicely in the budget (no procurement process). It’s also an easy tool to pickup and just start using. There’s some good documentation and I know of at least one YouTube video available.

Of course, there are plenty of other reputable options. Volatility being the one that I see most people talking about. Whatever tool, taking the time to do some analysis on potentially compromised boxes is important. That information will provide a better picture of what’s happening in an environment. How to adjust defenses and identify false positives and just make better decisions overall.

This post first appeared on Exploring Information Security.

Blue Team Starter Kit - ZAP for application security

November 30, 2015

I remember hearing about ZAP on my ride into work, listening to Security Weekly. After a little researched I discovered that it was a tool supported by the Open Web Application Security Project. OWASP is an open source non-profit organization focused on providing better application security to organizations. The best part about the tool is that it is free!

What is ZAP?

ZAP stands for Zed Attack Proxy. Named such by Simon Bennetts who told me that he really wanted to name the tool ZAP (OWASP. Bugs. Get it?). Simon is not a security person by trade. He’s a developer and built the tool to help developers write better code. It just so happened that security people found the tool and started using it.

Setting up ZAP as a proxy allows for a tester to run through an application and find vulnerabilities. It uses the methods in OWASP’s Top 10 as part of its scan. I’ll get into the methodology of using the tool later. This automates and streamlines a lot of testing. Beware, the scanner is not perfect (no scanner is). Confirming vulnerabilities found by the tool is a very important part of the process. One false positive with developers and we lose credibility.

After testing is complete ZAP has an export report feature. The report can be exported in either an HTML or an XML format. The HTML is great for working with developers and researching and confirming each finding. With the XML format, a tool like ThreadFix or Dradis can be used to help track vulnerabilities.

The tool also has advanced features for further digging into the application. This is great as a tester gets more comfortable and better with the tool he has an opportunity to dig deeper into an application.

The alternative

The alternative to ZAP is Burp Suite. It does a lot of the same things that ZAP does with some minor differences. Burp has two versions: A community version (free); and a premium version (paid). The premium version costs $300 a year. For those looking to make a career in application security, getting familiar with Burp is a must. Learning both is a plus. Each tool has it's strengths and weaknesses.

How to get started

Download ZAP from the OWASP website and install. Launch the application. The first screen you will see is asking, “Do you want to persist the ZAP Session?” Persisting the session will allow you to close and re-open the ZAP session quickly. You can either:

YES Persist: Save it in the default directory (first option)
YES Persist: Specify the name and location (second option)
Do Not Persist: Or don't bother (third option)

If you intend to save your own sessions then select the third option.

One of the first things available when ZAP opens, is the Quick Start tab. This can be used to perform a very quick, top-level scan. To dig much deeper into an application it will need to be setup as a proxy. To do this go to: Tools -> Options -> Local proxy.

Select your settings (or leave everything default). Then open internet options. Click the Connections tab and click the LAN settings button. Under the Proxy server section check the box for “Use a proxy server for your LAN.” Make sure the Address field says "localhost" (default) and the Port field reads "8080" (default). Click OK and then Apply. ZAP is now intercepting all internet traffic. This includes any browsers or applications using the internet. I recommend running the application assessment from a separate machine or virtual machine. As a proxy it will collect all internet traffic your computer performs. Including browser traffic and any updaters installed.

Now that we’re setup, time to test.

Methodology

Run through the entire application. When I say the entire application, I mean the ENTIRE APPLICATION. Click on every link and button. Fill out every field and submit forms. This is best done in a test environment which developers should have. Coordinate with them for any functions that need handling on their end. Once the application has been explored, it’s time to use ZAP to map the rest of the application.

Before we do that though, it is a good idea to exclude any sites you don’t want to run ZAP on. Right-click any sites you want to exclude. Select Exclude From Proxy and click OK. There is some flexibility here, but for the most part I just exclude the sites from the proxy all together.

To map the application ZAP uses a Spider. Right-click the site, highlight Attack, and select Spider. The spider will run through the application and map it. The more the application was explored by the tester, the more it will find. ZAP also features an Ajax Spider attack for ajax content. This will open a browser, run through the website, and map the ajax content in the application.

After running the spider function, run the forced browse attack. This function will use a text file with common directory names to look for hidden directories. This attack can usually take several hours to run, depending on the size of the list. ZAP supports user created lists.

Active scan is run next. This is where discovery of vulnerabilities of the application occurs. The function will run through techniques in the OWASP Top 10. Clicking on the heartbeat monitor icon will allow you to watch the progress of the scan.

I want to mention one other type of attack that may or may not be used. The Fuzz attack or fuzzer. This is typically used for things like user enumeration (username discover). The attack allows for requests sent to be modified using a text file. This allows for the automation of sending many modified requests to the application. Viewing the responses we can build a list of usernames in automated and quick fashion.

Once the Active Scan completes we have a (hopefully not long) list of vulnerabilities. Export and view a report of the findings by clicking Report -> Generate HTML report. The report includes:

The type of attack
A short description
The vulnerable link
The attack
The solution
References.

Once the vulnerabilities are confirmed or rejected, it’s report writing time.

Conclusion

OWASP ZAP is a great tool for those just starting out in application security. Or those needing to stand up a security assessment program. The instructions above are meant to just get someone started with using ZAP. Both ZAP and Burp Suite provide a lot of granular control of and customization of it's features and functions. But both are very simple to use. Both are well documented (check the more resources section below).

If $300 is within the budget, Burp Suite is the tool of choice by application security professionals. I've tinkered with Burp Suite, but for the most part I've used ZAP. Free is hard to beat, but it also came in handy working with developers. As I was implementing the security assessment program in my organization, I quickly discovered that the developers were interested in the tool. That probably had more to do with managements support of the program. Still, when the developers started asking questions on how I tested, I simply installed the tool on their system. From there I showed them my techniques for performing assessments. Now, I'm easily showing the developers how to run their checks of the application before it even reaches me.

I probably could do the same with Burp Suite, but I have a few more hoops to jump through with the $300 price tag. The community version does a lot of the same things the premium does. It's just throttled. Again, if you're sure application security is where you want to be $300 is not an insurmountable amount of money. If you're still feeling out the field ZAP works is the best bang for your buck.

More resources

OWASP Zed Attack Proxy Tutorial - YouTube
Lanmaster53 - Tim Tomes (he provides training too)
The Web Application Hacker's Handbook 2nd Edition by Dafydd Stuttard
SANS web App Penetration Testing and Ethical Hacking Course

This post first appeared on Exploring Information Security.

Blue Team Starter Kit - Google for research

November 12, 2015

Google is a powerful tool for information security or IT in general. I was first introduced to Google back in 2003, while serving in the US Navy. Before Google I had used Yahoo, Netscape, and Lycos search functions with varying results. Once Google showed up, it changed the game. More accurate and quicker results became the norm. The other search engines began to fade until eventually Google was the reliable go to.

At my DerbyCon talk, someone mentioned Google Hacking for Penetration Testers by Johnny Long, Bill Gardner, and Justin Brown. The book takes a red team approach to utilizing Google. While that is important we're going to focus on some beginner level techniques in this post.

As with all the tools we’ll be covering, using Google is well documented. If a search technique needs better understanding, Google it. It’s that simple. Two of my favorite parameters to use are: quotation marks (“ “) and site search (site:).

Using quotation marks (“ “) around search terms will help refine searches. For example if I search for infosec tools I’ll get one set of results:

Using “infosec tools” I get a different set of results:

The first search term (infosec tools) is checking the entire page for the words infosec and tools. The second search tearm (“infosec tools”) is looking for that specific phrase in the web page. I've found using quotations useful for searching names and complex problems. Putting the quotations around a phrase helps refine the search. The search infosec tools returned 701,000 results; the search “infosec tools” returned 2,940 results.

This technique is also useful for using exact words with other terms. Example: Forensics “infosec tools”

The other parameter I like to use is the site: parameter. This parameter allows you to search within a specific site for specific words or terms:

2015-11-10 11_59_50-site_timothydeblock.com NSA - Google Search.png

That’s 19 results for the word NSA on this site. This is useful for searching blogs or sites that are difficult to navigate. Earlier today I came across this post on MOZ that talks about 25 operators specifically for the site: parameter.

There are numerous other search operators available to further refine searches. filetype: is another useful one. This operator is useful for discovering specific file types like a spreadsheet or PDF. Here are two of the many sites that dive deeper into Google search operators:

We’ve only scratched the surface, but this is a good starting point. Google is a powerful tool for security teams. Learning to use it effective is a valuable skill for any security team. From here disciplines like Google Dorking and OSINT await. As well as other tools that will help make your team better at what they do.

This post first appeared on Exploring Information Security.

Blue Team Starter Kit - Introduction

November 5, 2015

I recently gave this talk at BSides Augusta and DerbyCon this past September. BSides Augusta is a longer version where I demonstrate each tool. DerbyCon is a shorter version where I talk about each tool. After presenting at IT-ology Trends 2015, I decided to document the talk here on my site as a reference for people interested in the content.

My talk Blue Team Starter Kit presents several security challenges with low cost solutions. It is for security professionals with limited resources including time, money, and people.

LIMITED RESOURCES IS ONLY AN EXCUSE

Limited resources can be it’s own challenge.

“If only we could buy this appliance, all our problems would be solve.”

Except that when that appliance come in, it takes time to configure and train. Oh, and that function that the salesmen says would solve all our problems, ya, that doesn’t work. Some appliances work great. Other times not so great. Unfortunately, when the not so great happens we lose money and time. Look in house before even beginning to research solutions that can solve problems.

Often, I’ve found that appliances are not configured correctly or fully implemented. A little tender, love, and care (TLC) can get appliances running more efficiently and potentially help solve certain challenges. After looking in-house, if the problem still isn't solved, fire up the browser and start researching solutions.

Here are some of the challenges I've had to deal with in the past and the low cost solutions that helped meet those challenges.

CHALLENGE #1 - Research

Google is a fantastic tool for doing research. It is the first stop to begin solving difficult challenges. Understanding Google’s search techniques is a vital in becoming a proficient IT professional. COST: Behavioural data

CHALLENGE #2 - Threat Intelligence

So, how do I keep up with information security and it’s every changing ways? How do I keep my thumb on the pulse of the industry? Might I suggest social media and more precisely Twitter. The platform is a wonderful tool for the latest news and tools in information security. It also acts as a forum to interact with people to ask questions and make connections. Sure there is drama, but that can be tuned out (like any appliance). Don’t overlook this as a tool for your security team. I have found a lot of benefit using this in my day-to-day job. COST: Behavioural data

CHALLENGE #3 - Application Security

Management approached me with the challenge of doing security assessments on all new applications. With the help of Google, I found a non-profit organization called the Open Web Application Security Project (OWASP). OWASP is an open source community. Within the community is a vast amount of resources to help with application security. This is where I discovered a wonderful tool called the Zed Attack Proxy (ZAP). Setup as a proxy ZAP can be a powerful tool to help security professionals and developers find vulnerabilities in applications. COST: Free

An alternative to this tool is Burp Suite which has a community version and a paid version. COST: $300 year (Professional version)

CHALLENGE #4 - Forensics

As part of my job I respond to alerts from the state's Security Operations Center (SOC). Initially, we were just re-imaging the machines. At some point we decided we wanted to get a better understanding of how machines were being infected. I can't remember exactly where I found Redline from Mandiant (now FireEye), but it's helped with meeting this challenge. The tool (largely memory based) collects browsing history, registry and file changes and much more. It then puts it all in one location for automatic and manual analysis. COST:Free

An alternative to this tool is Volatility. COST: Free

CHALLENGES #5 - Endpoint Security

Microsoft’s Enhanced Mitigation Experienced Toolkit (EMET) adds an extra layer of protection to machines with Adobe Flash, Java, and Microsoft products involved. Sure, all the Windows XP machines should be off the network, but damn those legacy applications. Worried about that latest Internet Explorer vulnerability? Articles reporting on new vulnerabilities often times have the sentence "EMET mitigates this vulnerability." Like this one. COST: Free

CHALLENGE #6 - Patch Management

This is a big one and one that might be the most difficult of all the challenges. I tried a couple internal applications (it's amazing how many solutions have a deploy software function), with frustrating results. That is until the sysadmin I worked with suggested Admin Arsenal’s PDQ Deploy. It is a software deployment application that just works. Combined with PDQ Inventory it has the potential to help patch third-party software. COST: $500 (Enterprise version)

CONCLUSION

The challenges and tools above I plan to dive deeper into over the coming weeks. Working with limited resources can be tough and frustrating, but there are solutions. Look internally at existing solutions, first. Then look at external options. There are plenty of expensive appliances out there that will solve the problem. When those are determined to be outside of the budget, start looking at some of the inexpensive options. Often there are simpler and cheaper solutions to challenges. It might take a little more research, but they have the potential to do just as good of a job.

Feedback and suggestions are welcome in the comment section or by email: timothy.deblock[at]gmail[dot]com.

This post first appeared on Exploring Information Security.

Trends 2015 presented by IT-ology wrap-up

October 28, 2015

Trends 2015 presented by IT-ology was today and I am exhausted.

Every year in the fall IT-ology selects a technology topic to hold a conference on. This year was security, so naturally ColaSec was involved in providing speakers, volunteers, and marketing for the conference. Four keynote speakers filled the morning track and 12 speakers filled the afternoon tracks, which were split into technologist, civilian, and business. I presented a talk titled, "Low cost tools for security challenges" in the technologist track.

For those coming to my site who were in that talk, here are my slides and here are my videos (from previous conferences) of the talk. I got some good feedback from in regards to the talk, which was very much appreciated.

Trends 2015 was the last time I intended to give this particular talk. The recordings are out, my slides are out there, and I'd like to move onto some fresh content. What that is, I don't know yet, but I have some ideas. Before I move onto some fresh content, I want to compliment the video and slides of my talk with some blog posts that go a little more in-depth with the tools I presented. Over the next several weeks I intend to have a post a week, with step-by-step instructions on how to use each of the tools in my talk.

Thank you to everyone that made it to my talk and any feedback is still welcome.

This post first appeared on Exploring Information Security.

DerbyCon talk and impressions

September 28, 2015

DerbyCon lived up to its top billing as one of the best security conferences to attend. It is amazing how much is going on at the conference the entire time. Five talk tracks, CTF competition, lock pick village, vendor area, and of course LobbyCon. And that doesn't include the evening festivities like Hacker Jeopardy, a showing of Hackers to hackers, or the two nights of concerts (DualCore and The Crystal Method). There was a constant roar coming from the lobby of DerbyCon each day from 8 a.m to 6 a.m.

The con was well located in downtown Louisville, Kentucky. Outside of the venue is a plethora of food choices and entertainment. All within a two block radius. The farthest I ventured away from the con was about three blocks for breakfast with a group of old and new acquaintances.

Speaking of acquaintances, I got to catch up with people I've meet at previous conferences, as well as meet some new ones. That is one of the best things about attending these conferences, the connections you create and maintain (and I've made a whole bunch in the one-plus year of attending cons).

Below is the recording of my DerbyCon talk and a link to my slides.

DerbyCon talk slides

I was pretty happy with my talk. I wish I wasn't so monotone, but part of that was nervousness and the other part was sitting down for the talk. I believe later speakers stood up with microphone, which is something I should have done. Sitting down to give my talk sucked some of the energy from it. Looking past the lack of energy, I have gotten good feedback on the talk. Everyone that I talked to about the talk said it was good and useful, which was my ultimate goal.

I am very much looking forward to DerbyCon 2016

This post first appeared on Exploring Information Security.