The Blue Team Village will be in Savoy Ballroom inside the Flamingo Hotel & Casino.

This year we will also be holding workshops on Friday in four rooms provided to us by DEF CON, thank you DEF CON!

The four rooms are also in Flamingo: Valley of Fire 1, Valley of Fire 2, Lake Mead 1, Lake Mead 2

Threat Hunting With The Elastic Stack

Friday 09:00, Savoy Ballroom, Flamingo (Blue Team Village) (4H)

@CyberPraesidium brings over 12 years of diverse experience in cyber security, IT, and law. He leads Polito's commercial services including vulnerability assessments, penetration testing, incident response, forensics, and threat hunting. Prior to joining Polito, Ben worked on APT hunt teams at federal and commercial clients. He holds CISSP, GCFA, GWAPT, and Splunk Power User certifications.

@politoinc has over 10 years of federal and commercial expertise in the field of Endpoint and Mobile based Intrusion Detection and Protection, Network Security, e-Discovery, Mobile Application Security, and Penetration Testing. Jeffrey holds a Master of Science in Digital Forensics from George Mason Univ. along with a Bachelor's in Business IT from St Johns Univ. Jeffrey has also earned certifications such as GIAC Certified Forensic Analyst, EnCase Examiner and EnCase E-Discovery, X-Ways, and Cellebrite certifications.

With all new logs and revamped material from our 2018 workshop, this year's hands-on training will walk attendees through leveraging the open source ELK (Elastic) stack to proactively identify malicious activity hiding within diverse data sets. The basic tools and techniques taught during this class can be used to investigate isolated security incidents or implemented at scale for continuous monitoring and threat hunting. Attendees will be provided with access to a preconfigured ELK cluster and extensive sample logs containing malicious events waiting to be discovered on a simulated enterprise network. New for this year, attacker artifacts will be mapped to the MITRE ATT&CK Framework and tagged accordingly in the provided logs to help demonstrate the value of log enrichment, showcase both common and novel real-world attacker TTPs, and leverage a methodological approach to adversary and anomaly detection. Emphasis will be placed on live demos and practical training exercises throughout. The training will conclude with a friendly CTF tournament to give attendees the opportunity to collaborate and compete on teams in order to put their learning into practice and win some prizes.

Threat Hunting with ATT&CK On Splunk

Friday 09:00, Valley Of Fire 1, Flamingo (2H)

@olafhartong is a person of many interests with a passion for defensive security and data. He has over 12 years of experience in security and specializes in building and operationalizing SOC teams through the use of SIEM systems or log management systems such as Splunk. He is an expert Threat Hunter and works in close collaboration with the Red Team to facilitate Purple teaming workshops for his clients. He is the author of several security focused tools and blogs. Before joining Deloitte, Olaf worked as a Security Officer for a large managed hosting provider serving Governmental and Commercial service clients. Olaf has spoken at MITRE ATT&CKcon, ISF Live, Splunk Live, and Black Hat EU Arsenal.

In order to become a superhero able to hunt for bad in your environment, you first need some great powers. Starting blind, you need a means to listen. I will introduce a modular Sysmon configuration to cover your Windows environment, mapped extensively to the ATT&CK framework.

By using the ATT&CK framework as a basis for hunting, the likelihood of catching at least part of the attacker's trail is significantly increased. To make use of this rich data source, I will guide you through a Threat Hunting methodology in an application built to do just this, which will guide your investigation along all covered ATT&CK techniques.

Deep Infrastructure Visibility With Osquery And Fleet

Friday 09:00, Valley Of Fire 2, Flamingo (4H)

@thezachw has been involved with osquery since the earliest design documents in 2015. He has brought his extensive experience to the delivery of core features such as AWS logging and syslog consumption in osquery, as well as the development of Kolide Fleet, the most popular open-source osquery fleet manager. These days he can be found cheerfully helping out users in the osquery community, or developing features for Fleet. As the founder of Dactiv LLC, he consults with technical organizations to reap the benefits of Fleet and osquery.

This workshop is an introduction to building first-class host instrumentation capabilities with open-source technologies supported by leading security practitioners. Learn the ins and outs of Facebook’s osquery agent, exposing information from hundreds of sources across the major operating systems (Mac, Windows, and Linux). See how to tie this together across the infrastructure with Kolide’s Fleet. Throughout the workshop we will interact with osquery in example scenarios in order to build hands-on experience with these tools. We will begin with a dive into the capabilities of osquery. A brief introduction to the structured query language (SQL) used in osquery will be provided. Using this query language, we will learn to extract basic data, and move on to more advanced ways to associate data across subsystems. We will discuss the scheduled query facilities of osquery and how these can be tied into a logging and alerting pipeline. When we have built some familiarity with osquery, we will look at how to utilize these capabilities across the managed infrastructure. We will cover how to manage configurations and live query individual and groups of hosts with Kolide Fleet. The discussion of Fleet will be rounded out with an introduction to the command line interface, with suggestions for how to integrate with automation and source-control workflows.

Cyber Fire Puzzles, Part I & Part II

Friday 09:00, Lake Mead 1, Flamingo (8H)

Since 2009, Cyber Fire puzzle events have brought participants into contact with a myriad of cybersecurity circumstances including file carving, cryptanalysis, sequence prediction, and network protocol reverse-engineering. With input from seven labs across the Department of Energy (DOE), the puzzles include scenarios and problems grounded in real-life events and threats seen by our analysts.

The puzzles are designed and facilitated by Cyber Fire, the DOE's forensic investigation training program. Anyone with an appetite for CTF, or an expert looking to continue honing their decoding skills, is encouraged to participate and put our puzzles to the test.

This was submitted as a contest but will be designed as a workshop.

Tracer FIRE, Part I & Part II

Friday 09:00, Lake Mead 2, Flamingo (8H)

Tracer FIRE (Forensic Incident Response Exercise) is a combined simulation and live exercise program developed by Sandia National Laboratories to help cyber security incident responders, analysts, and operators become proficient in critical skill areas. These exercises simulate various events such as attacks, emergencies, and disruptions to critical infrastructure. Participants in the latest Tracer FIRE scenario are hired by Orko Power Company to investigate a series of cyber attacks that resulted in company data being exfiltrated, degradation in Orko service, and damage to consumer confidence. In the midst of an already chaotic situation, the CIO of the company has mysteriously disappeared. Participants form teams and are provided a set of artifacts from the company’s infrastructure, including raw email sessions, network packet captures, disk images, and memory images to conduct their investigation. As a learning workshop, challenge questions and a scoreboard are provided to guide and motivate the teams through the different cyber attacks.

The "Art" Of BEC

Friday 11:30, Valley of Fire 1, Flamingo (2H)

@iheartmalware is a Senior Threat Researcher with Agari and has been fighting and trolling BEC scammers for over three years with the help of lots of friends. Like, more than 600 of them, and many are feds, too!

The industry has started to gain a deep understanding of all of the intricate parts of BEC, such as romance scams, lottery scams, real estate scams, account takeover, wire fraud, W2 fraud, IRS scams, gift card scams, and direct deposit scams, just to name a few. How do you eat an elephant? In this workshop you will learn about the different types of BEC threats as well as how to identify areas of engagement with BEC actors to help drive up their costs of operation.

Malware Traffic Analysis Workshop

Friday 14:00, Valley Of Fire 1, Flamingo (4H)

@malware_traffic, based in Texas, specializes in traffic analysis of malware and suspicious network activity. After more than 21 years in the US Air Force, Brad transitioned to cyber security in 2010. He is currently a Threat Intelligence Analyst for Palo Alto Networks Unit 42. Brad is also a volunteer handler for the Internet Storm Center (ISC) and has posted more than 140 diaries there. He routinely blogs technical details and analysis of infection traffic, and has provided over 1,600 malware and pcap samples to a growing community of information security professionals.

This workshop focuses on infection traffic for hosts running Microsoft Windows. It begins with setting up Wireshark and identifying hosts in network traffic. Participants review malware infections and learn tips to identify indicators of malicious activity. The training ends with an evaluation where participants review pcaps and compose incident reports.

MEDIC! Malware Response 101 From The Trenches

Friday 13:30, Valley Of Fire 2, Flamingo (2H)

@krypt3ia is a security professional with over 13 years of experience specializing in areas such as DFIR, Ethical Hacking/Pen Testing, Social Engineering, Information Security Auditing, ISO27001, Threat Intelligence Analysis, and Steganography Application and Detection.

Many of you out there may be in the information security field, but how many of you know how to respond to a phishing and malware outbreak? It seems to be a common theme in companies that tools are expected to be the end-all, be-all of mitigating threats, but the reality is that many times one finds oneself staring at a screen of alerts about malware and phishing waves coming in, and no one really knows how to approach reversing the malware quickly and responding appropriately on a shoestring, which is the situation many companies sadly find themselves in. This workshop will show you how to triage a malware situation using tools and techniques easily found online. With a little know-how and an understanding of how malware works outside of the exotic APT you hear about, you too can learn how to respond without the benefit of a huge budget for security tools, or even perhaps enough responders.

Blue Teaming For Fun And The Sake Of Your Organization

Friday 16:00, Valley Of Fire 2, Flamingo (2H)

@sirmudbl00d, located in Boston, is a cyber security enthusiast with a decade of experience. He is the CEO and founder of Null Hat Security, which focuses on incident response, cyber security training, threat hunting, and security operations. He founded Null Hat Security because he believes new methods are required to cultivate defenders in order to combat advanced attacks and defend organizations. O'Shea is also the co-founder of "Intrusion Diversity System", a bi-monthly hosted cyber security podcast.

@apiary Sarah Gibson is an application security consultant who focuses on working with developers to understand and fix the security issues within their code, showing developers that secure code is good code. She has been working in application security testing for the past six years and enjoys poking at the internet.

This workshop will combine aspects of web application security, incident response, and threat hunting to combat attackers in an active campaign against your organization. We will incorporate the incident response life cycle to accurately respond to this fictitious attack along with providing tips and techniques that may be leveraged to aid in response efforts. There is also an aspect of web application security featured in presenting bad SDLC practices that may lead to an attacker gaining entry to an organization's systems.

Introduction To Mac-centric Incident Response Tools And Techniques

Saturday 09:00, Savoy Ballroom, Flamingo (Blue Team Village) (4H)

@crlowell is a member of the security team at a SF based tech company where he performs incident response, detonates malware, and helps protect employee devices.

Learn how to identify malicious files, determine where malware was downloaded from, configure your own VM Lab, and safely detonate malware to gather IOCs by responding to simulated Mac based incidents.