2021 Schedule

9:00a - 9:45a: Accidental Red-Teaming by ab3 


When I was a kid, I used to sneak into amusement parks through the backdoor and talk my way into the park if confronted. In my early twenties I would access rooftops because I enjoyed the view from above the city. I never made the connection between my childhood past and hacking, and you might not either.

10:00a - 10:45a: Stop Shiny Object Syndrome: Free TTPs for the Blue Team by Robert Wagner


Most organizations don’t have enough budget to buy every tool nor hire every person they need. They also don’t realize there are plenty of FREE tools, tactics and procedures available to the Blue Team. Here’s a collection of tips and tricks learned from security professionals around the world about what you can do today to level up your People, Processes, and Technology -- at little to no cost. You’ll walk away with actionable tips to fill your security gaps and help reduce your attack surface.

11:00a - 11:45a: Practical Threat Hunting With Machine Learning by Craig Chamberlain


Machine learning, while being one of the most hyped and anticipated technology paradigm shifts, has yet to be widely applied to threat hunting and detection for a variety of reasons. This talk covers our experience during two years of work creating 64 unsupervised machine learning models for threat detection. Case studies will include high value detections including SUNBURST and NOBELIUM instances; C2 detection using network events; DGA detection using DNS events; privilege elevation and exfiltration in cloud environments; credentialed access relevant to ransomware scenarios; and LPE exploit activity using statistical functions such as frequency analysis and relative rarity. Finally, experimental work on UEBA (user-entity behavior analytics) for insider threat detection and risk-based detection clustering will be demonstrated. Clustering often produces high-confidence correlations of ML detections.

12p: Open Forum / Mic

1:00p - 1:45p: Cyber Security Interviews By Douglas Brush


The cybersecurity industry is one of the fastest-growing industries on the planet. However, women represent only 20% of the workforce, with only 14% of women serving as CISOs at Fortune 500 companies. The numbers of people of color in our community are far fewer. Additionally, women and people of color are, on average, paid less than their white male counterparts.

From entry-level analysts to CISOs, the infosec industry constantly tries to fill millions of open job requisitions. However, the problem is not a lack of candidates, but systemic issues in our recruiting, hiring, training, and retainment of talent, which disenfranchises women, people of color, the LBGTQ+ community, disabled, and neurodivergent security professionals.

This talk examines the lack of diversity in the cybersecurity industry that marginalizes underrepresented groups of people at many levels and what we can do to be a more inclusive and diverse industry to fill open positions and increase infosec program success.

Join Douglas Brush as he reviews the evolution of this type of attack and what organizations need to be aware of to mitigate the risks.


Douglas Brush Global Advisory CISO for Splunk and an information security executive with over 30 years of entrepreneurship and professional technology experience. He is a globally recognized expert in cybersecurity, incident response, digital forensics, and information governance. In addition to serving as a CISO and leading enterprise security assessments, he has conducted hundreds of investigations involving hacking, data breaches, trade secret theft, employee malfeasance, and various other legal and compliance issues. He also serves as a federally court-appointed Special Master and neutral expert in high-profile litigation matters involving privacy, security, and eDiscovery.


He is the founder and host of Cyber Security Interviews, a popular information security podcast.


Douglas is also committed to raising awareness about mental health, self-care, neurodiversity, and diversity, equity and inclusion, in the information security industry.

2:00p - 2:45p: Starting an Infosec Business by Digital Silence

3:00p - 3:45p: Triple Threat: How Law Enforcement Access to Personal Data Undermines Privacy, Imperils Due Process, and Shakes the World Economy by Jordan Sessler, Anthony Hendricks


A prosecutor uses data from a Fitbit to charge a murder suspect. A murder defendant is unable to use social media records to impeach an adverse witness. And, immediately after the EU raises questions about whether European personal data can be stored on U.S.-based cloud services because of the risk of surveillance by U.S. authorities, Apple announces plans to begin scanning photos for child porn


We have all become numb to headlines like these. But they speak to a critical truth: law enforcement in the U.S. has unique and often unequal access to data from websites, companies, and even IoT devices. Because most U.S. laws are inherently backward looking and fail to account for the raw amount of data being generated today, it is often difficult for courts and companies to protect privacy interests. Indeed, existing case law interpreting the Fourth Amendment often allows law enforcement to surveil user data without a warrant. And yet, despite due process guarantees, defendants often lack similar access to data in mounting their legal defense—meaning that potentially exonerative information is not available at trial. This reality has prompted European and Asian privacy regulators to raise concerns about foreign-supplied data being surveilled or misused while being stored in the United States—leading to formal European investigations into Microsoft and Amazon cloud services, along with plenty of uncertainty for the companies that rely on those services.


In other words, unfettered access to data by U.S. law enforcement poses a triple threat: to consumer privacy, due process, and the global economy. This talk will assess the legal reasons for this, as well as legal and technical ways for lawmakers and the InfoSec community to help solve the problem.



Anthony J. Hendricks is an attorney who advises clients as the chair of Crowe & Dunlevy’s Cybersecurity & Data Privacy Practice Group. A Harvard Law School graduate, Anthony teaches cybersecurity law as an adjunct professor at Oklahoma City University School of law and previously served as a fellow at New America’s Cybersecurity Initiative.


Jordan E.M. Sessler is an attorney who advises clients as a member of Crowe & Dunlevy’s Cybersecurity & Data Privacy Practice Group. A Harvard Law School graduate, Jordan previously clerked for U.S. District Court Judge D.P. Marshall Jr. and regularly visits his wife's family in Colorado Springs. Next time he visits, he hopes to have the chance to sit down and talk policy and/or inter-disciplinary collaboration with you!

4:00p-4:45p: Exploiting the Simos18 Engine Control Unit by Brian Ledbetter


Have you ever wanted to make your car faster? Have you ever wondered how commercial Engine Control Units are protected from modification, or wondered why "chip tunes" cost so much money? Join me for a journey into the Continental Simos18 Engine Control Unit found in modern Volkswagen vehicles, including a presentation of two exploit chains to gain full control of the ECU.


We will take a trip through the basics of modern Engine Control Units, including the trust chain and hardware architecture as well as update and reflash procedures. We will learn how to set up a Ghidra project to reverse-engineer the Simos18 Supplier Bootloader, and we'll take a quick trip into its internals. Then, we'll look at a few exploit chains in action and learn how they're incorporated into various commercial products.


After this presentation, attendees will understand the basics of automotive tuning, automotive computer architecture, ECU trust chains, and will have learned how modern control units are protected and exploited. Hopefully, some attendees will develop an interest in this space and in ECU exploit development!

5:00p-5:45p: Problem Child In the Stack by Apoorva Joshi, Disha Dasgupta, Craig Chamberlain


The so-called “living off the land” technique, increasingly popular with threat actors, is a significant unsolved problem in security monitoring and threat detection. The use of so-called “LOLbins'' or “living off the land” binaries involves using innocuous system programs that are ubiquitous. This technique is used by threat actors to blend in and hide in an existing environment in order to avoid detection and maximize dwell times.


Avoiding identifiable malware or persistence mechanisms, by using LOLbins, often creates a dearth of clearly suspicious indicators for security detection tools to key upon. Malicious LOLbin activity is distinguishable from benign activity only through consideration of very subtle differences and nuance in behaviors. Benign LOLbin activity is normally supernumerary and the combination of volume and nuance makes it infeasible to detect suspicious LOLbin activity at scale using conventional search based alert rules or manual sifting and analysis. We present ProblemChild, an advanced multi-stage hybrid machine learning detection pipeline, for hunting the one suspicious event among billions created by LOLbin intrusion activity. ProblemChild aims to help detect these types of attacks by identifying rare parent-child process chains and suppressing commonly occurring ones since rarely spawned processes in an environment (and more so from a specific parent process) could indicate malicious activity. The ProblemChild framework identifies these anomalous chains by leveraging multiple machine learning capabilities to produce an anomaly score for each process event chain. We derive the anomaly score by optimizing two components: maliciousness and prevalence. We first utilize a supervised machine learning model, to train on process event data, in order to classify process execution events as malicious or benign. Processes marked malicious by the supervised model are then polled using unsupervised anomaly detection models to further refine the results and pick out the most significant outliers and clusters in the classified process events. Finally, the output of the unsupervised models is turned into alerts, where they can be reviewed by analysis individually or correlated with additional alerts and indicators in a SIEM.



Apoorva is currently a Senior Data Scientist on the Security Protections team at Elastic, where she works on a broad portfolio of problems surrounding malware detection on endpoints using machine learning, like alert correlation, risk scoring of endpoints, detection of living off the land attacks, to name a few. Prior to Elastic, she was a Research Scientist on the Detection Services Team at FireEye, where she applied machine learning to interesting problems in Email Security, like to malicious URL detection, business email compromise, phishing campaign detection etc. She has a diverse engineering background with a Bachelors in Electrical Engineering and a Master’s in Computer Engineering, followed by a proven track record for developing, packaging and deploying end to end Machine Learning models in different environments. Apoorva loves learning about new ML things and is currently dabbling with Recommender Systems in her free time. To learn more about me : https://www.linkedin.com/in/apoorvajoshi95/

Disha is a Security Data Scientist at Elastic, where she has been working for the past year as part of the Protections team. Her work is focused on detecting various types of malicious activity through the development of Machine Learning (ML) models in the Elastic Stack. Her most recent work at Elastic includes ProblemChild and the development of a URL Spoofing detection framework that surfaces malicious URL activity by leveraging supervised ML methods, threat intelligence, and customized detection rules. Prior to Elastic, Disha received her degree in Computational Social Science from Stanford University, where she focused on the applications of Data Science and ML methods towards behavioral interactions. She also worked at Endgame prior to its acquisition by Elastic as an intern, where she focused on creating models to detect malware based on file directory paths and highlighting model interpretability through game theory approaches. For any further communication, you can reach out to her by email or find her on LinkedIn: https://www.linkedin.com/in/dishadasgupta/.


Craig has seen things you people wouldn't believe. Attack ships on fire off the shoulder of Orion, C-beams glittering in the dark near the Tannhäuser Gate. Craig is a longtime security researcher who has been to the places and done the kinds of things you would expect, most of which cannot be discussed here. He has twice served as a chief security architect and was a principal at several successful security product startups. He is currently serving as a detection science area lead, and part-time festival organizer, at a major security product company.


6:00p-6:45p: Keynote with discussion afterwards - "You're Doing It Wrong (given at Bsides Boulder 2020 - updated for 2021" by Pyr0


Fun conversation about how we keep doing the stupid because we have always done the stupid.