Photo by Guillaume TECHER on Unsplash

Sessions

Session 1

Privacy in a Time of Pandemic

Amber Welch

Abstract: COVID-19 has altered many facets of life, and privacy expectations as well as emergency legislation have rapidly shifted to adapt. In this talk, we’ll first discuss two primary competing values: the public good and our private rights. We’ll then explore how these concepts have been applied to health data privacy and contact tracing. Topics covered under health data privacy include crisis exceptions to HIPAA, telehealth adjustments, and differences between national government approaches. The contact tracing discussion will address phone apps, consent, geolocation and proximity data, aggregation and anonymization, and employee mandates to use tracing apps. Throughout the talk, we will look to post-9/11 privacy intrusions to inform our interpretation of current events.

Bio: Amber Welch is currently a Data Protection and Cyber Risk Specialist at McKinsey & Company, responsible for managing the security and privacy program for the health data analytics practice. Amber has previously managed security and privacy governance for a suite of SaaS products and worked in companies creating ERP, CRM, event planning, and biologics manufacturing software while serving as a technical writing adjunct lecturer. She holds the CISSP, CIPP/E, CISA, CIPM, CCSK, and ISO 27001 Lead Auditor certifications, as well as an MA and the IAPP Fellow of Information Privacy (FIP) designation.

So You Wanna Be a Redteamer?

Shelby Spencer

Abstract: The talk will attempt to identify the attributes, skills, and personalities that typically make up a good Red Teamer. It will cover the presenter's journey through the industry with lessons-learned and advice for getting started.

Bio: Shelby Spencer is a Red Teamer with over 10 years of active experience in the industry. In addition, he is also the CEO of his own MSP, with much experience delivering security solutions. His experience ranges from working with Fortune 10 companies on down to small mom-and-pop businesses, and addressing security challenges across the spectrum of company sizes and industries.

Session 2

Attack Emulation with Atomic Red Team

Carrie Roberts

Abstract: Atomic Red Team is a free and open source project that helps you measure, monitor and improve your security controls by executing simple "atomic tests" that are mapped directly to the Mitre ATT&CK Framework. This presentation will introduce you to the Atomic Red Team project and help you understand how it can be used to create and validate detections in a script-able and consistent way.

Bio: Carrie Roberts is a web application developer, turned pentester, turned red teamer, turned blue. She loves to learn and give back to the community. She is currently one of the primary Atomic Red Team project maintainers and developers and has developed many of her own open source tools including the Domain Password Audit Tool (DPAT) and Slack Extract. She holds Masters Degrees in both Computer Science and Information Security Engineering. She has earned 12 GIAC certifications including the prestigious “Security Expert” (GSE) certification. She has spoken at numerous security conferences including DerbyCon and Wild West Hackin' Fest, published many blog posts on topics ranging from social engineering to bypassing antivirus, and contributed new research on the VBA Stomping maldoc technique.

Stenography in OT Attack Campaigns

Dr. Jacob Benjamin

Abstract: Steganography is an ancient means of secret communication and has evolved to incorporate digital techniques for hiding information. It can easily evade traditional security solutions such as antivirus. Adversaries can use steganography to bypass the security protections provided by removable media kiosks, network monitoring, and antivirus to execute malicious code on OT systems and networks. I have conducted research and penetration tests this year successfully utilizing digital steganography tactics against OT networks. The experiments and penetration tests included evading an OPSWAT malware-scanning kiosk (used by many nuclear power plants), Symantec AV deployed on a gas control network, and numerous network monitoring tools deployed within both IT and OT infrastructure. I was able to bypass these protections and execute various malware such as mimikatz to further the attack campaign. My talk will cover the results of these tests as well as possible mitigations and detections.

Session 3

Wireless Data Analysis with Kismet & ELK

Chase Peterson

Abstract: Want to dig deeper into the wireless environment around you? This talk will first cover Kismet and setting up data capture on multiple wireless sources (WiFi, Bluetooth, RTL433, etc). We will then go into several methods for parsing Kismet data into the Elasticsearch Logstash Kibana stack. Finally we will go over various analytical processes via Kibana and build some dashboards for monitoring a local wireless environment.

Bio: I have been involved in the wireless security realm for over 15 years. I've spent time doing wireless work in the military and for private and public companies. Currently I am a wireless security engineer. I have a passion for wireless, data analysis, and building tools to make doing things more efficient.

Organizational Security Competencies and Cybersecurity Workforce Development

Donaven Haderlie

Abstract: A new approach for extending existing cybersecurity frameworks has been developed by a team of researchers at Idaho National Laboratory. The project is being called the CYBER Security – Competency Health and Maturity Progression (CYBER-CHAMP) Model. There are five phases in the model that are meant to help an organization assess their risk profile and their workforce’s cybersecurity maturity.
Phase 1: Measure Organizational Security State. Examine the organizations security profile and operational readiness by measuring the security elements of the organizational documents.
Phase 2: Create Workforce Profile. Determine the organizations workforce structure by identifying job roles and placing them into job groups. The job groups are then assigned a cyber function level in which they are to meet and maintain.
Phase 3: Determine Competency Health State. Identify job roles and tasks that match industry frameworks. This process provides an identification of the primary job role.
Phase 4: Develop and Complete Learning Path(s). Based on the identification of the primary job role training plans are provided to ensure the workforce is maintain the competency that is required to keep the organization secure.
Phase 5: Re-measure Organizational Security State. Re-examine the organizations security profile and operational readiness and adjust, as necessary.
For the purpose of our presentation we will focus on a high-level CYBER-CHAMP overview with specific emphasis on organizational security competencies and cybersecurity workforce development.

Bio: Donaven Haderlie is a Business Specialist in the Workforce Development and Training organization within the National and Homeland Security Division at Idaho National Laboratory. He has earned a Bachelor of Science in Computer Science with an emphasis in Programming from Stevens Henager College, a Master of Science in Information Technology Management with an emphasis in Project Management from Capella University and a certificate in Digital Forensics from Capella University.
His primary responsibilities are working to develop new business programs or make enhancements to current business programs to meet changing customer demands. He fulfills his role by:

His responsibilities also include software development on tools the group is developing or integrating with. In his spare time he continues studying computer science, cybersecurity, and project management topics. He also spends time practicing his programming skills.
Donaven is married and has two boys. He enjoys spending time with his family and together they do a lot of home improvement projects and spend as much time as possible outside on walks, bike rides, camping, or riding horses.

Session 4

Taking your data back: Who's got it and how to stop the breach

Colin Jackson

Abstract: This is a workshop/visit later and do kinda virtual presentation. It's based on minimizing your online footprint, how to shrink it down, etc. I follow a lot of Michael Bazzell's recommendations that he lists on his Inteltechniques website.
We'll go over resources, OSINT-ing yourself and how to get your data removed and things you can do to find where you are on the Privacy Scale and where you want to be on it.

Bio: d1dymu5 was first introduced into security while at college and his locksmith uncle taught him how to pick locks. As a security gateway drug, he expanded into cyber security. He's been involved in the Intermountain West security community since 2012. If you've ever attended a local conference, you've probably met him in the LPV. For the past 2 years, he's presented at the DEFCON LPV. He's into blue-teaming and physical security pentesting.
He also enjoys OCR racing and spending time with family.

Keynote

My Cybersecurity Journey - What I Learned, Why Workforce Development is Important, and My CISO Initiatives

Keith Tresh

Abstract: Over the past 27 years I watched what was once known as Information Assurance morph and move into what we now call it…..Cybersecurity. I will talk about my career and progression into the Cybersecurity field and some of the lessons I learned along the way. I will also discuss the state of the cybersecurity workforce, why it is important to create and nurture an effective cyber workforce development plan. The presentation will culminate with an overview of the priorities and initiatives the State of Idaho CISO’s Team is working.

Session 5

Exploitation of Medical Devices with Propietary Wireless Protocols

Jesse Young & Carl Schuett

Abstract: Reverse engineering and security analysis of remotely controlled medical devices has been a subject of interest for the Information Security community for the better part of a decade. Last year, eleven models of insulin pumps manufactured by Medtronic were recalled due to security vulnerabilities in their wireless communications protocol that, if leveraged, could result in patient harm.This talk will briefly explore wireless medical device technology, recognize previous research efforts in this area, and summarize basic techniques for RF reverse engineering. Finally, we will discuss the technical challenges and successes of the latest research that led to the manufacturer's voluntary recall of thousands of insulin pumps due to information security vulnerabilities.

Bio: Carl Schuett and Jesse Young are both security researchers at QED Secure Solutions. Together, they represent a combined experience of attacking embedded technologies across the medical, aviation, and defense industries. They, among others from QED Secure Solutions, are credited by the DHS and FDA for medical device vulnerabilities that could result in patient harm.

Cybersecurity as a Web Developer

Angela Fehrnstrom

Abstract: I was once told cybersecurity and web development are not compatible mindsets. So, as a web developer, how do I approach cybersecurity concerns? How do I explain issues to clients? And how can you work with web developers in your company?
This isn't intended to be a detailed conversation, but a high-level discussion about how cybersecurity and web development can, actually, be compatible mindsets.

Bio: Angela has been a web developer for 12 years, and tangentially involved in cybersecurity for nearly as long. Her web development career has always tended towards more security sensitive fields, including government, the financial sector, and youth organizations.

Session 6

Suspect Last Seen Wearing Admin Credentials

Ryan Thompson

Abstract: Over years of teaching incoming security analysts, I've realized that while it's easy to teach tools and syntax, it's much more difficult to pass along the intuition necessary to investigate an incident. This talk is geared to overcome that gap by drawing comparisons between finding a bank robber in the physical world and hunting for an attacker in a virtual space. Making the indicators and the investigation process more tangible helps highlight common pitfalls and develop stronger security analysts.

Bio: I have worked in the realm of IT for 4 years with a focus on Information Security. I have spent time reviewing logs, managing permissions, responding to IDS alerts, incident response and consulting. I have worked at Hewlett Packard Enterprise, Alert Logic and currently work as a Education Engineer at Elastic.

Joining, building, and scaling a fully remote team.

Mark Stacey

Abstract: Scaling a remote team (before and after COVID) is a challenge. This talk will explore lessons learned working remotely, interviewing techniques (from both sides of the table), and how to manage a quickly scaling and diverse team. More than just video conferencing applications and differing timezones, working remotely presents challenges in etiquette, culture, and the mentality of 'team.'

Bio: Mark Stacey is the Director of Professional Services at Dragos, Inc. Mark oversees delivery and execution of advisory services, tabletop exercises, network and device penetration testing, and proactive threat hunting services provided by Dragos for ICS and SCADA networks worldwide.
For 5 years he provided incident response, threat hunting, and digital forensic services within RSA's IR team and spent 7 years working within operations and research for the Department of Energy.

Session 7

A-hunting We Will Go! Adventures in Endpoint Threat Detection

David Branscome

Abstract: Breaking the attack kill-chain is one of the primary objectives of every Blue Team. Time spent identifying the indicators of compromise and acting on them is time that the attacker is on your network. With that in mind, follow me on a hunting expedition. We’ll follow the attacker through the kill chain and figure out how to stop him before he gets any further. In the end, you’ll be armed with knowledge that can make your next hunting expedition a success!

Bio: David works as a security architect at Microsoft, helping Microsoft partners learn and deploy the latest Microsoft security technologies in Microsoft 365, Windows 10 and Azure. David holds numerous certifications, including CISSP, GISP, GCED, GCWN, GCIH, GMOB and a bunch of Microsoft certifications.

Brining critical D&D skills to the workplace!

John Stoner

Abstract: This is a lighthearted career focused talk, but I think it is important to discuss critical "non hard cyber skills" and why they are important to cyber security. As a 30+ year player and Dungeon Master with Dungeons and Dragons, I thought this talk might lure in some folks to discuss soft skills. I think it can also help to overcome imposter syndrome, because for a lot of roles you need to be well rounded. D&D taught me how to think on my feet, resolve conflicts with people you consider your friends, as a DM I gameplan "what if" scenarios quickly, and I learned how to tell stories (which are critical to a lot of roles, most importantly, your interview).

Bio: Mr. Stoner has over 20 years of experience in the intelligence and national security community with 10 specifically within cybersecurity. He is a cyber threat intelligence analyst and a US Army Veteran (with 10 years of service). He has experience with SIGINT, instructional design, teaching, cyber counterintelligence, and APT analysis. He has spoken at multiple BSides including DC, Vegas, NoVA, Pittsburgh and London. He has volunteered in career villages at several events, including GrimmCon, DEFCON 28 and The Diana Initiative. He of course is a long-time D&D player and DM and also is a soccer fanatic.

Session 8

Binary - Malware or Essential Executable?

Rita Foster

Abstract: The Idaho National Laboratory has created binary analysis toolsets based on automated reverse engineering capabilities, resulting in two areas of research directions:

  1. Firmware Binary Code Analysis - Using translated binaries from the Annotated Translated Disassembled Code (@DisCo) product which produces a test corpora for translated code for analysis, advanced machine learning methods can identify similarities and differences in context of the code. This baselining of firmware can be used to detect changes via supply chain exploits, or configuration mistakes. Identification of ubiquitous libraries with known vulnerabilities results in better code and cyber defenses.
  2. Malware Analysis - Create Analysis Capabilities: Superficial comparisons of binary code does not address the underlying characteristics for exploit. Development of tools for repeatable analysis when the ongoing new exploit capabilities evolve is needed. INL created What is it? Binary (WiiBin) for initial triage of malware or unknown binary file.
The Firmware Indicator Translation (FIT) Project is a collaborative effort with Southern California Edison (SCE), Detroit Energy (DTE), Pacific Gas & Electric (PG&E), New Context, Siemens, Schweitzer Engineering Laboratory (SEL), Schneider, Eaton and now Hitachi Federal and funded by the Department of Energy.

Bio: 30+ years control system development with last 15 year focus on cyber security of the electric grid. Strategic lead for advanced research projects in structured cyber threat, machine learning, binary analysis and reverse engineering - for better cyber defenses.

Burnout: How to Avoid, Survive, and Recover

John Darrington

Abstract: Burnout is real, and it can be detrimental to your health, family, and career. With the global pandemic it has become even more important to avoid a mental state that can put yourself and your welfare at risk.
Learn the warning signs and what to do if you or someone you know is experiencing job related burnout.

Bio: I've been in software development for roughly 10 years and have performed that role in many different kinds of positions. From intern to business owner I feel like I have a unique perspective on the forms burnout can take and how it can affect those around you.
I have my own software company and have been active in local meetup groups in the Idaho Falls Area - up to and including the organizing of events and giving tech talks.
I also have a degree in Public Relations and have given many presentations and talks in that capacity.

Session 9

How to translate technical risk for management understanding

Linda Montgomery

Abstract:Many times the senior leadership decision-makers don't support the cybersecurity professionals through funding, attention and staffing. This talk by a corporate attorney, will give you ways to present cyber risks so that the risks can be effectively weighed against other corporate risks. It will enable you to make your most persuasive arguments -in their terms - to justify funding.

Bio: Linda has been a practicing attorney for 25 years, 20 of them as the General Counsel (head attorney) for large multinational companies and national laboratories. For the last 4 years she has been the Director of Knowledge Management in the Idaho National Lab's Information Management organization. Linda holds a certificate in cybersecurity risk management from Harvard University.

Getting Started in DFIR

Josh Stemp

Abstract: Have you found yourself interested in specializing into the fields of digital forensics or incident response, but are not sure how to get started? In this rapid 20 minute presentation, you will learn about some ways you can steer your cyber career into these specializations and some resources available to help you get a strong start in the field.

Bio: Incidents and Investigations Unit Lead for Idaho Transportation Department for the past five years, currently serves as a SME on digital forensics and incident response for the State of Idaho, and leads the statewide Incident Response Task Force. Nine years of experience working in public and private-sector incident response teams. Currently holds the following relevant industry certifications: GCIH, GCFA, GCFE, GASF, and GCTI.

Session 10

Panel: How Do I Start in Cybersecurity?

Moderator: Scott Cramer

Session 11

Structured Threat for Sharable, Actionable and Implementable Intelligence

Rita Foster

Abstract: For threat analysis, the standard structure concepts enable better indicators and remediation actions can be shared across entities and are machine readable to enable automated response technologies. Tools to enable the standard structure to be more human readable and analyzed are needed for defenders to manage the dynamic nature of threat information. Prioritization of threat information that is specific to the defender’s configuration, the ability to defend, feasibility and impact are required to best use limited resources. Actionable mitigations are also needed in a machine readable standard structure that can be implemented on a wide variety of configurations. Threat intelligence is currently provided to private entities in the form of indicators in textual reports. Indicators provided are in multiple formats, not provided in context or tuned to operational environments that manage the electric grid. INL has created several tools based on the Structure Threat Information eXpression (STIX) version 2.1 that enable advances in cyber response and threat analysis. Structured Threat Intelligence Graph (STIG) is an open source application that uses graph databases as a visual STIX programming and analysis tool. Exploit, Malware and Vulnerability (EMV) scoring is another open source application enabling the tracking and prioritization of cyber issues. Structured Threat Observable Tool Set (STOTS) is a utility that provides a sensor-less agnostic indicator capability. Structured Threat Automated Response is the final utility that enables execution of courses of action. These applications and utilities are available open source and can be demonstrated via video.

Bio: 30+ years in control systems development with the past 15+years in cyber security of electric grid; technical lead for research projects focused on machine learning of structured threat for predictive analysis, using machine learning for reverse engineering and binary analysis to make better cyber defenses.

Feeling certifiable: building security credentials from beginner to expert

Steven Kirby

Abstract: This session will review major security certifications, develop a potential roadmap for security professionals who are seeking to become certified, and discuss some inexpensive ways that professionals can prepare for certification exams.

Bio: Steve Kirby has been a Unix systems administrator for over 25 years. Just how far beyond 25 years remains a closely guarded secret. For much of that time Steve has been interested in security issues, largely as a means of promoting paycheck continuity. He holds multiple IT and security certifications and currently works as a Security Engineer for Brightsprings Health Services in Louisville, KY.