Content provided by trainers and presenters can be found here.

The overall schedule can be found here, but these are some of the briefings that will happen at SAINTCON 2017...

This presentation will focus on improving organizational security by using a security methodology and framework.  Multiple frameworks will be discussed, but we will focus primarily on the Center for Internet Security Critical Controls methodology.

We will discuss how to begin implementing a framework, how to start making progress and methods for evaluating and measuring security performance.

Finally, we will open it up to discussion and answer your questions, discuss pitfalls, and help navigate these security seas.

Attackers are innovating their Command and Control (C2) traffic to bypass next-gen security countermeasures and remain undetected within target networks for extended time periods. In this session we will review the craziest C2 channels we have seen attackers use in the real-world, along with demonstrating some brand new ideas for C2 and exfiltration over bleeding edge protocols. With everything from leveraging celebrities social media accounts to communicating over unconventional network protocols, this is one session you won't want to miss!

Many security experts and laws are created around the idea of protecting personal privacy by protecting personal identifying information (PII).   However, we classify other information as non-identifying information and release it freely on the Internet.  

In this presentation I will demonstrate how in today's digital world, there is no such thing as non-identifying information.

Is it possible to be secure and have DevOps?  Yes.  Let's talk about the simple elements needed to bring into your processes to help make this work.

The Threat landscape is changing

This is a breakdown of the SAINTCON 2017 badge!

Are you facing some, or all, of these challenges?
*Host Mobility (w/o stretching VLANs)
*Network Segmentation (w/o implementing MPLS)
*Roles-based Access Control *Common Policy for Wired and Wireless (w/o multiple tools) *Consistency Across Campus, WAN and Branch (w/o multiple tools)

This session will help you learn how you can overcome these challenges and provide your organization with the framework to meet these security objectives. We will introduce the technologies needed to create a Campus Fabric and see a demonstration of how to build a Campus Fabric that enables a secure, mobile, policy-based network.

This is another tin foil hat talk where we dive into the world of the Shadow Brokers purported NSA tools dump, what we learned and how to defend against it. #TFHT

The FBI is the lead federal agency for investigating cyber attacks by criminals, overseas adversaries, and terrorists.  

In this presentation, we will discuss current cyber criminal trends the FBI is tracking locally, nationally, and globally.  We will also present new methods and schemes criminals and state-sponsored actors are using to steal secrets, defraud victims, and make money.  

Using information security to defend the organization is the classic structural defense using a variety of strategies to defend the perimeter of an organization.  You can also use a variety of tools, DLP to monitor your internal defenses.Privacy also has the ability to monitor activity if the right applications are available to look for insider attacks, use of excessive rights, and exfiltration of data.

Bring Privacy into the conversation and to the table in your Information Security discussion to enhance and fortify your organizations ability to defend itself against malware and bad actors inside and out. 

This talk will describe the logging options available on Amazon Web Services (AWS) and what alert rules you should have to detect attackers.  This guidance will draw from the log data collected from the CTF

A rise in data analytics and machine learning has left the typical pentesters behind in the dust. This talk covers the required tools for consolidating, analyzing and visualizing the dark tools that are used by every red team.  This can all be done at scale keeping up with even the most bleeding edge continuous integration and deployments environments.  We'll demonstrate the required framework for getting the data where it needs to be, the technical add-ons to ensure this data is ingested in usable formats, and dashboards for Spunk to leverage this data for mass pawnage of your target!

Is your remote access application secure? If not, you could be losing valuable data and not even know it. Unsecured remote access is still the biggest pathway for hackers to find and steal sensitive information. Organizations should understand how easily unprotected card data can be stolen through remote access if they don't secure it. 

This presentation covers past remote access compromises, hacking methodology, live hacking examples, and tips to implement security practices to protect business data.

It is very recent that management has recognized the need to fund cybersecurity. Usually, that decision comes after a breach. Even so, like the rest of the IT industry, IS personnel must work with a shoe string budget. Thus, it is all too common for an organization to work toward mitigating the last audit. Unfortunately, audit mitigation does not necessarily ensure good cyber hygiene.  

Every organization has cybersecurity requirements, but few have a documented, prioritized cybersecurity program. Fewer still engage in assessment activities to ensure that the policies and procedures are both implemented and effective.  While my content is not new, the program I am proposing leverages the greatest minds in cybersecurity. Our discussion will cut through the fog of more to focus on the most important activities.  We've all had jobs in which we were busy. The question, though, is how effective was that work. It is easy to get caught up in the news stories of the latest breach and start chasing rabbits down holes. To be effective, we must focus on those areas that provide the biggest bang for the buck.

This is year 3 of the wireless monitoring project and its bigger than ever. What started with simple war walking around the largest hacker conference in the world (DEF CON) has now grown into multi-fixed point monitoring devices with capability of 802.11/a/b/c/d/e/f/g/n/ac.

New this year is a device capable of monitoring 50 channels simultaneously as well as bleeding edge software to manage it. This talk will discuss the technology, the software, and the results from monitoring at DEF CON 25 and BlackHat USA this year. Additional topics covered will include an analysis of the captured data, what risks exist by using wireless, and what your devices are saying about you. 


Next Generation Endpoint Performance against Zero-Day file based malware

This talk will dig into not only the technical aspects of Nyetya but also the impact this had on a global scale and how these kinds of attacks affect us as an industry.

What is Nyetya?
How is it different from Petya?
What do we know about Nyetya?
- Spread
- Impact
- Aftermath
- Lessons learned

Wiper, ransomware or something else? Impact of Nyetya across industries and countries Top recommendations for improving security

You need to learn PowerShell some administrative tasks can only be done using it

PowerShell Libraries and what you have access to for example Dos commands, visual basic script, Windows Management Interface (WMI), Dot Net and registry

PowerShell Repositories  GITHUB,  Microsoft Library and The Web

Extend-ability, Libraries, Mutli-threaded, scripts more  features as windows evolves and graphical interfaces

Borrowed Code understand what you are looking at if it contains devious  or poorly written code your in trouble

Signing your Code and using GPO's to protect the computers

My favorite IDE for debugging, managing and Securing code

Samples concepts of what I have done as time allows  

During the last decade there has been a dramatic shift in corporate IT infrastructure and how it managed. Gone are the days where IT assets are centrally located and managed only by company employees. Security assessors now have to account for cloud hosting providers, outsourced IT, and 3rd party hosted applications. The problem we are currently faced with is that most of the process that are used to assess the security perimeter of a company are rooted techniques that were developed when IT was centrally housed and managed. This presentation will discuss the problem space and approaches that can be used to obtain objective data to more accurately assess the security posture of distributed corporate IT assets.

In this presentation I would like to demonstrate how modern ad platforms can be hijacked by a malicious user to deliver an extremely targeted phishing campaign to an unsuspecting victim. This campaign can target anyone from a CEO to a college intern, and can be configured to show on any predetermined device. 

Everyday, millions of people use social networks to reach out, interact, share, and partake in an ever growing digital consciousness. Behind these networks sit unseen ad platforms serving up relevant advertisements to whoever advertisers would like to target. Modern ad platforms are designed to allow advertisers to grow their revenue and brand presence while being easy enough to use that everyone from a fortune 500 executive, to a general contractor, can now take part in the digital advertising revolution. 

What most non-advertisers don't know is that while advertising to a broader audience is excellent for business, ads can be and have been, used as a sharp skewer, precisely targeting a single individual. Modern ad platforms have given advertisers the power to reach anyone they please, anywhere in the world; this power could be harnessed by malicious users to serve as a gateway onto the network of their intended victim. 

James will teach you how to provide good user security training by giving you good security training, and discussing each component and how to do effective delivery of user training.

Training slides and materials will be provided to all who attend.

Through the use of event detection monitoring and do it yourself monitoring techniques on a Linux Apache PHP MySQL stack, I will demonstrate how you can create unique web application attack surfaces that alert you when someone is scanning your web application trying to do something they shouldn't.  The case study will demonstrate the use of hacking tools as a defense strategy in a corporate network and will cover the story of the detection of insider threats from the internal application point of view. The entire presentation is a hands-on lab that can be used after the presentation as a guide for attendees to set up a Threat Detection program. 

Setup of an Active Defense Program- Load Balancers - Config Review- ModSecurity - Config Review- Log Collecting and Altering - Config Review- MySQL Log Watching - Config Review- FAIL2BAN - Config Review

Reading HTTP Logs - looking for malicious actors
Stopping Script Kiddies and Bots - User Agent Strings - blocking pentester tools with default configs by filtering user agent strings.- Robot.txt - setting up no-go zones as possible bait for bots to be used for detection.
Traps- Systems Detection - Setting up interesting files on operating systems that send out alters when accessed.- Token String Detection - Setting up fake access tokens that no one should use for IDS and WAF detection.- Zombie Accounts - Setting up fake users credentials to be used for penetration detection.- False DB Tables - Setting up fake tables in a database for threat detection- Fake Domains - Creating fake domains to create more work and possible fake targets for attackers.- Fake URL/URI - Dead end functionality in the application that doesn't do anything other then looks like an interesting target for malicious activity.- Trap Ports - Setting up fake TCP/IP ports on critical servers that are only used for detection.- PHPmyAdmin Attack Surfaces - Fake PHPmyAdmin for attackers- Wordpress Login Attack Surfaces - Fake Wordpress setup.- Directories Attack Surfaces - Fake exposed directories with malicious payloads.- Slowing connections - Make attackers scans run longer.- Recursive Directory Loops - Make attackers scans continuously crash.- Random Success on Logins - Create weird bugs that look like vulnerabilities. - Url Redirects - Redirect attackers randomly making the app hard to map.- Random Log Outs - Change when a threat is logged out after a certain amount of time.- Random HTTP Response Codes - Sending back random response codes on fake URLs.-Using Social Engineering Tool Kit as a Defensive Tool-Using Browser Exploit Framework (BeEF) as a Defensive Tool

Web applications today still struggle with basic password security. Billions of passwords have been leaked by companies. Even the big boys aren't immune. In this presentation we'll discuss the basics of good password protection as well as advanced topics. Topics include encryption, hashes, salts, peppers, key stretching, length constant comparisons, algorithms, and user policy. Multi-language code and DB examples will provide developers insight to actual implementation of topics. We'll also cover new password security recommendations announced by the National Institute of Standards and Technology (NIST).

While heartbleed is no longer a new vulnerability, it offers a glimpse into a newer category of vulnerabilities. Those found within shared libraries and components. Software vendors are well practiced at code reuse within their products. We believed similar coorolaries existed within the hardware world.

Using four smart meters we attempted to test the hypothesis that there could be shared components among hardware. Following these tests, we aimed to propose an initial approach to assessing hardware and software at a component level to identify shared attack surface, and potential related vulnerabilities for integration within an organizations security plans and posture.

This talk will discuss this chain of events, and their findings to inform practitioners and decision makers of the potential for vulnerabilities underneath the surface of what is still considered a current "attack surface".

Traditional phishing affects individuals: victims who have disclosed their financial credentials. Our research into "phishing kits" reveals that many phishermen are changing tactics. And their new targets should concern CISOs everywhere, because most organizations have large amounts of "shadow data" out in the cloud somewhere -- and the phishermen are finding ways to access those accounts.

Inform and educate attendees on how RFID-based access control works and how it is typically set up in common environments. Demonstrate the common flaws prevalent in nearly every facility and with access control. Lastly, give a demo of cloning, overwriting, spoofing and enumerating cards.

Will cover:
* what RFID is and how it works
* common and uncommon RFID technology and uses. Eg: implants, wood nails, fabric
* Rewriting RFID tags (live demo)
* wiping RFID tags (live demo)
* cloning RFID tags (live demo)
* RFID tag enumeration (live demo)

So you need to defend web apps, do you? This is an intermediate-level #appsec talk that will dive into some of the specifications and emerging defensive strategies of using the HTTP protocol. We will provide you with a broad overview of the protocol and related technologies, then cover proper use of security headers and how to protect sensitive information like session tokens and cookies. For those of you who want to walk the path of the #appsec ninja - or just learn how to best protect your web presence - you must attend! The presentation will include demos of some tools and techniques and provide additional resources for further research.

The Cuckoo Sandbox is a open-source automated malware analysis system used by security professionals around the glob. In this presentation I will demonstrate how to install and configure Cuckoo and consider the pros and cons of running your own sandbox environment rather then using some of the free solutions found on the Internet. We will also discuss why its not just a tool for the Malware Analysts.

Red teams share a common goal: they present scenarios that challenge the *status quo* in order to improve postures and processes. In InfoSec, red-teaming consists of simulated network attacks aimed to uncover and resolve weaknesses in a network's defenses, with a primary goal of eluding detection. 

While a major outcome of these simulations is remediation of software and infrastructure weaknesses, equally important is improving the tools and processes that allow the attacks to go unnoticed. Confronted by a sea of security products, how can you verify your tool of choice is providing the information you need to defend your assets? 

In this talk I discuss the notion of red-teaming an enterprise SIEM solution by "hacking to get caught", generating suspicious artifacts on monitored endpoints with the intention of being detected. I'll release a modular framework that automates these simulations without burning precious tools. Nukes will be fired, will you detect them?!

Every year thousands of organizations are compromised by targeted attacks. In many cases, the attacks are labeled as advanced and persistent which suggests a high level of sophistication in the attack and tools used. Many times, this title is leveraged as an excuse that the events were inevitable or irresistible as if the assailants’ skill set is well beyond what defenders are capable of. To the contrary, often these assailants are not as untouchable as many would believe. 

If one looks at the many APT reports that have been released over the years some clear patterns start to emerge. A small number of Remote Administration Tools are preferred by actors and reused across multiple campaigns. Frequently cited tools include Gh0st RAT, Plug-X, and XtremeRAT among others. Upon examination, the command and control components of these notorious RATs are riddled with vulnerabilities. Vulnerabilities that can be exploited to turn the tables from hunter to hunted.

Although the material in this talk will provide tools for launching an offensive against attackers this talk is not intended to be instructional for hacking back. The ethics and legality of counter attacks will be touched on only briefly as that is a discussion beyond the scope of this talk.

Update on Social Engineering Trends and Tactics.

Over the past 20 years, the security industry has defined application security testing tools as separate from the traditional QA toolset, although the approach is similar. Send test data (or payloads, exploits) to an application and inspect the response for appropriate or inappropriate behavior. The one-size-fits-all approach for security testing during the software development lifecycle (SDLC) does uncover security flaws, but leaves something to be desired, as it does not pinpoint the exact file/function where a vulnerability exists. Fuzzing application parameters is a great first step, but requires additional research and work to fix or exploit any identified flaws.

Due to the available security testing tools, custom and specific security testing is often overlooked or implemented with the previously-mentioned solutions. As developers and security professionals, we can do better. A hammer is not the only tool in our belt. Now that DevOps practices such as Test Driven Development (TDD) and Continuous Integration (CI) are synonymous with modern development, customized security testing can be integrated into the SDLC.

This talk will first introduce a simple framework for creating security unit tests. Next it will review common strategies for building application security unit tests, including function identification, testing approaches, edge cases, and payload generation. We will demonstrate these techniques in python, Swift, and Java against intentionally vulnerable applications. In addition, it will introduce the sputr (, an open-source repository of security unit testing payloads to use as a starting point for creating custom security unit tests.

Environment:  I'll machine a cut-a-way lock so that we'll be able to use a live video feed of how the lock is functioning. The audience will be able to see the pins at the shear line, binding, raking, bumping, being destroyed through different techniques on opening a lock.

Three Strategies to Stay on Top of Bots & DDoS Attacks on Your Website
Half of your site visitors are bots. Of those, more than 50 percent are malicious. Find out how you can take control of your website from malicious bots while reaping the benefits of "good" bots. Bad bots on the other hand, such as Mirai, Nitol, and Leet are malware that wreaks havoc on computers and networks. They waste valuable resources, steal proprietary information, and flood websites with distributed denial of service (DDoS) attacks.

SAINTCON Attendees will learn:
- How much website traffic is generated by bots?
- How are bad bots used in cyber attacks?
- What drives good bot visits to various websites and services?
- Which are the most active bad and good bots?

Greywalkers appear. What will you walk away with?

Everyone seems to know the general idea about rainbow tables, and how they make finding hashed passwords simpler. However, when you push them on the details, they don't seem to know exactly how they work. This presentation will clear those muddy waters. We'll learn about hashing functions and reduction functions, the time/space tradeoff, and what hashing functions rainbow tables generally seem to target.

We'll also look at how to defeat rainbow tables both from the user perspective as well as the provider perspective. We'll talk about password length, salts, peppers, and different password hashing functions, such as Argon2, scrypt, and bcrypt.

Finally, we'll look at some rainbow table projects, where you can download them, and where you can contribute your CPU or GPU time to add to the rainbow tables.

With the evaporation of the perimeter, Google’s BeyondCorp has been a model for many to build zero trust networks. However, most malware breaches start at the endpoint, so is there a way to architect endpoint security to completely remove the user from the risk equation, without impacting productivity? Come learn about advanced technologies already available in today’s laptop and desktop CPUs that isolate malware from below the operating system and make malware a thing of the past.

Understanding Multi-Factor Authentication.

What is the purpose of multi factor authentication?

Understanding types of OTP

  • Time based
  • Event based
  • MITM Attacks
Understanding U2FA

Braintrace Labs takes you on a journey exploring financial fraud though time from both sides of the law.

We then drop you into the middle of present day fraud research providing a unique insight into the future of financial fraud detection, investigation and mitigation.

Feeling fairly confident, our networking team decided to have a security audit.  We thought we were pretty secure..... We were wrong.  

This Presentation will explain what is was like to be audited by pentesters, why it was worth doing, lessons we learned, and why we want to do it again. 

Ok, you’re the new security person. There is so much to do, where should you start? This talk is aimed at the person who just had ‘security’ added to their title(s), or the person who thinks that might be coming. Or the person who’s been swimming in it for a while, and doesn’t feel like they know where to go. We’ll be covering the basics, identifying the low-hanging fruit that can be done now, and how to create a game plan for the short-term, med-term, and long-term. Think of this as Enterprise Security 101.

An introduction to the popular network scanner NMAP. We'll go through host and service discovery using different types of scans, using the NMAP Scripting Engine (NSE), and even write a simple script of our own.

Come hear all about the SaintCON Hackers Challenge from the mind of Josh Galvez who helps run this fantastic game.. 

Learn from the great mind of Dave Packham a little of the doom and gloom of the security world as well as his love for drones and the various ways these are being used today. Warning there is likely to be some form of quadcopter flying over your head during this presentation.....

HubbleStack is a modular, open-source security & compliance auditing tool written in Python.

Hubble was created by engineers at Adobe Systems in Lehi and open sourced in 2016. This presentation covers Hubble v1 (based on SaltStack) and the new Hubble v2 which no longer requires a SaltStack installation. Hubble has built-in coverage for CIS standards, integration with osquery ( for deep introspection, real-time file integrity monitoring and supports Splunk and/or Slack reporting endpoints.

AWS wasn't built by dummies.  The premier public cloud platform comes with dozens of security features and most services are configured securely out of the box.  Like most powerful tools however, it is flexible enough for you to really shoot yourself in the foot.

This talk will focus on post-exploitation.  There will be a particular emphasis on AWS-native services, including EC2, IAM, S3, DynamoDB, and a few others.  We'll walk through how to use your initial foothold to escalate to other services within the account, or perhaps other accounts.  We'll also switch to the blue side to explore why these misconfigurations end up getting set in the first place, best practices, and tips for monitoring and auditing your environments.

A new tool for persisting access to AWS access via STS will also be released and demoed.

Surveillance Capitalism is a form of information monetization that aims to predict and modify human behavior as a means to produce revenue and control. It strives to be a pervasive background collector of our cyberspace and meatspace activities, attempting to both generate and profit from data collected about our wants and needs. It's what happens when Marketing decides to plagiarize from the NSA's playbook.

The methods used by Surveillance Capitalism's practitioners are intentionally becoming harder to detect, trickier to thwart, and increasingly convoluted to opt-out from. Merchandisers, content producers, and advertising networks are actively seeking and developing new technologies to collect and correlate the identities, physical movements, purchasing preferences, and online activity of all of us, their desperately desired customers.

This presentation will discuss existing data collection methods and review your options to avoid being profiled and tracked without your consent.  Skip this session if you're already familiar with and are prepared to defend against:

-  Instant facial recognition & correlation at scale
-  Geofenced content delivery & user identification 
-  Retailer & municipal Wi-Fi tracking 
-  Unblockable browser fingerprinting 
-  Cross-device tracking & ultrasound beaconing 
-  Inescapable data brokers, IoT, and more.... 

Surveillance Capitalism is entrenched, it's profitable, and it's spreading.  Ethical engineering, disposable personas, and extreme compartmentation may be the only chance for Privacy's survival.

Often times we are inundated with different tasks that we are to accomplish in a short amount of time. Some of them have more benefit than others when it comes to visibility into our network.

In this talk we will be discussing SIEMs and the benefits that it can provide to your organization in regards to visibility. Some things that you may not have been aware of and some mistakes that can be avoided.
We will also cover the open source tools available if you are operating under a tight budget within your organization. The better we understand what is happening in our network, the better we will be able to protect it.

Physical penetration testing must be thought of more than someone trying to tailgate employees into a building, sneaking past the front desk or dropping USB devices in a parking lot. It includes social engineering employees to grant access to restricted resources and creating advanced tools to further  access once inside the building.

This talk will discuss how to become a better social engineer, social engineering techniques that work, and tools you will want during a test. Including how to build a long-range RFID badge reader slightly better than the Tastic RFID Thief.