• Email info@derpcon.io
  • Location Virtual



Assumed Breach: The Better Pen Test

Tim Medin

Security teams should operate under the assumption not of if a breach will happen, but of when. The fresh twist on penetration testing puts an attacker (good guy/gal) on your systems running under the context of an authorized user. The goal is to simulate a compromised system or a rogue trusted insider. The goals of the test should be focused on the business risk and how insecurities, vulnerabilities, and misconfigurations can impact the data and processes vital to the organization. Goals are business focused, not domain admin focused.

Adversary Emulation

Jorge Orchilles

Adversary Emulation is a type of Red Team Exercise where the Red Team emulates how an adversary operates, following the same tactics, techniques, and procedures (TTPs), with a specific objective (similar to those of realistic threats or adversaries). Adversary emulations are performed using a structured approach, which can be based on a kill chain or attack flow. Methodologies and Frameworks for Adversary Emulations will be covered shortly. Adversary emulation Red Team Exercises emulate an end-to-end attack against a target organization to obtain a holistic view of the organization’s preparedness for a real, sophisticated attack.

.NET Roulette: Exploiting Insecure Deserialization in Telerik UI

Caleb Gross

So you're pentesting a .NET application, and you notice the server is deserializing user input—great! You know this is bad in theory, but have no idea how to actually get a shell in time for the engagement. This talk will bring you up to speed on how .NET deserialization works and how to get shells on real applications.

In this presentation, we'll dig into the internals of CVE-2019-18935, a deserialization vulnerability that allows RCE on the popular web UI suite Telerik UI for ASP.NET AJAX. After demonstrating how to exploit this issue step-by-step, you'll learn a hands-on approach to debugging a locally running ASP.NET application, quickly assessing the site's attack surface, and examining possible avenues for finding and exploiting insecure uses of deserialization. This talk is intended for penetration testers and security researchers who'd like to begin testing deserialization vulnerabilities in .NET software.

Supply Chainsaw

Matt "scriptjunkie" Weeks

Supply chain attacks are a gold standard of exploitation. Malicious software coming through the same channels as legitimate software is not in your threat model since it is nearly impossible to defend against. But supply chain attacks are often assumed to be expensive, time-consuming, and personally risky; exclusively the domain of intelligence services or well-funded criminal groups. This talk will show how anyone can launch similar software supply chain attacks that are effective against a global audience, and do so in ways that are nearly impossible to trace. It will examine numerous popular software distribution methods and show how most of them have readily exploitable weaknesses.

For the popular software repositories, this talk will demonstrate how easy it is to upload unverified malicious code, and how it will be executed on countless systems with just a single errant keystroke or no mistake at all. This presentation will show how comprehensive public information also enables us to identify and target individuals trusted by enormous user bases and automate credential theft and infection of widely trusted software from source to distribution to end user. Finally, this talk will show the results when many of these actions were performed in the wild with proof-of-concept non-malicious packages created to test and validate these infection vectors.

Ham Hacks: Breaking into the World of Software Defined Radio

Kelly Albrink

RF Signals are basically magic. They unlock our cars, power our phones, and transmit our memes. You’re probably familiar with Wifi and Bluetooth, but what happens when you encounter a more obscure radio protocol? If you’re a hacker who has always been too afraid of RF protocols to try getting into SDRs, or you have a HackRF collecting dust in your closet, this talk will show you the ropes. This content is for penetration testers and security researchers to introduce you to finding, capturing, and reverse engineering RF signals. I’ll cover the basics of RF so you’re familiar with the terminology and concepts needed to navigate the wireless world. We’ll compare SDR hardware from the $20 RTLSDR all the way up to the higher end radios, so you get the equipment that you need without wasting money. I’ll introduce some of the software you’ll need to interact with and analyze RF signals. And then we’ll tie it all together with a step by step demonstration of locating, capturing, and reverse engineering a car key fob signal. * You don’t need any special equipment for this presentation, just follow along with the demos.

Building Secure Systems using Security Chaos Engineering and Immunity

Yury Niño Roa

The metaphor of software viruses to biological ones is deeply ingrained. It is a fact that biological viruses are at least the namesake, if not the inspiration, for computer viruses.

Artificial immune systems are intelligent systems that recognize and learn from faults injected previously. Using computational techniques, these systems are able to use resilience patterns to build confidence in the system's capability to withstand turbulence. It is precisely one definition for chaos engineering, which is considered as a set of practices to build immunity in software systems by injecting harm, like latency, CPU failure, or network black holes, to find and mitigate potential weaknesses.

In this talk we are going to discuss if it is possible to learn more about software failures leveraging concepts used in biological viruses, such as the raging COVID-19 epidemic. We are going to review the black swan theory and provide a list of attacks and tools that the attendees can use to mitigate security attacks.

Going Phishin' with GoPhish

Patrick Laverty

Want to learn how to put together a phishing campaign? Great, let's do it. We will use the free and open-source tool GoPhish to launch campaigns. We'll show how to install, set up GoPhish, create each of the necessary pieces and launch. We'll also talk about pretexts and how "mean" should we be, and mix in some stories of phishing successes and failures.

.NET & Python: Let's get weird with it

Marcello Salvati

Forget the weird things that have been done with Python, it's about to get weirder with .NET.

Dear Diary: Today I met my first APT

Brian Warehime

Building out a threat intelligence program can be quite the task, and once built there are many logistical concerns that come into play. Things like "I hate JIRA, I'm never using that" come up quite a bit, or "We can't possibly use Google and spreadsheets to track all this". Managing your requirements and research shouldn't be a pain point and definitely shouldn't prevent you from having everything you need for doing your work.

A Hacker's Viewpoint: Planning The Attack

Kristina Krasnolobova & Robert George

A lot of work has gone into breaking out the stages of an attack. Unfortunately, many security teams focus on the detection of infiltration, data loss, or response after an attack. This focus skips over a more proactive approach to preventing the attack during the planning stages. There is a plethora of information publicly available about a company and its employees that is collected prior to an attack. This information is used to find vulnerabilities in information systems. The information is also used to plan out social engineering which is used to gain system credentials or additional information about a company.

This presentation is focused on the pre-attack planning stage. It serves to bring awareness of the misuse of publicly available information to target a company’s technologies and people.

Resource Smart Malware Detection with YARA & osquery

Julian Wayte

Traditional file hash malware detection is relatively easy to circumvent as threat actors easily morph code to create "new" variants, rendering old IOCs useless. YARA uses a different approach. Its rules match to small segments of code within the malware, making traditional morphing techniques ineffective. The challenge can be knowing which files to scan with YARA, as scanning everything can be expensive. This is where osquery comes in: it can tell us exactly which files have been executed, and therefore which files to scan. Even if a file has not been executed, osquery can use an alternative approach - creating whitelists from golden images - to identify unrecognized binaries. This session will provide:

- An introduction to two open source tools: osquery and YARA
- Benefits of using targeted osquery YARA scans (vs full system YARA scans)
- Instructions on configuring and running YARA detections via osquery for changed files and processes that have run.

Reducing The Breach Detection Gap

Markus Hubbard

Methodologies on identifying signs of compromise incorporating e-mail schema, DNS, expanding web structures, robots.txt, honeyports, honeysql, honeypot accounts, honeypot workstations, canary documents, file modification alerts, etc.

Passive (Aggressive) DNS

Donald "Mac" McCarthy

This presentation focuses on using passiveDNS to augment existing tools and create new ones to increase SOC visibility and performance. Leveraging DNSTwist with passive DNS can help teams illuminate some TTPs of attackers using lookalike domains. Combining passiveDNS with a bit of Python can reveal infrastructure which may have gone online without a proper security review, reveal misconfigurations in split horizon DNS, and possibly discover third-party or cloud solutions of which the security team is not aware. Finally, we will help compliance teams do a more complete third-party/vendor assessment using pDNS and a bit of historical BGP data. In each subsection the presentation will also clearly lay out what each process aims to achieve, a realistic look at how long it will take to implement, and why the process is important to both the operational staff and management. Time and tools aren't free. This presentation is about spending minimally on both to maximize results.

Anatomy of a Gopher - Binary Analysis of Go Binaries

Alex Useche

Go is everywhere these days (because Go is awesome). It is now common to find Go binaries embedded in IoT, Edge computing devices, and WebAssembly applications. However, there are some important differences between C and Go binaries that penetration testers should be aware of when conducting binary analysis and reverse engineering of Go applications. In this talk, we will highlight those differences, identify what makes Go binaries unique, and recommend approaches to reverse Go applications with tools like Radare2 and Binary Ninja. The proposed approach will help penetration testers, and anyone interested in reverse engineering Go binaries, conduct a faster and more effective analysis of Go applications.

Hypothesis driven MacOS Threat Hunting


MacOS is a popular operating system deployed across many organizations. Few commercial tools exist that provide proper event visibility in MacOS. Often, these tools are expensive and some lack important monitoring features. However, open source offers a great selection of tools that can be deployed to kick start a MacOS Threat Hunting Program. In this talk, we will simplify threat hunting and present a technique to create reliable and useful hunt hypotheses. With only a few open source tools we will provide and guide the audience on a repeatable methodology to hunt for threats in MacOS or any other OS.

The Offensive Defender | Cyberspace Trapping

Matthew Toussain

The attackers always win because they have the advantage. Wrong! Any seasoned Red Teamer knows that while attackers need to succeed at each stage of their compromise to achieve their objective, we as defenders only need to stop them along one point in the intrusion. By leveraging our “home field advantage” and weaponizing our networks with traps and snares, we have the opportunity to take the initiative and bring the fight to the intrusion set. Attackers may have an untold and ever-growing number of tools and techniques to use during the attack, but they have a limited set of tried-and-true tactics. Targeting the adversary and poisoning those tactics enable us to weaponize our environments and transform attackers’ own decision-making into their undoing. When attackers can never be certain if their own, unique tools are safe for them to use, their decision-making gets disrupted and we’ve already won the fight. This talk is about the strategy of cyberspace trapping and includes a library of scripts and demonstrations for attendees to take with them and apply on day 0.

Fifty Shades of Grey - Ethical Challenges of Today's CSO

Vincent Grimard

A real life perspective on risk, risk appetite, and the perils of leadership while trying to do the right thing.

Demystifying Capture The Flags (CTFs)

Barrett Darnell

Capture the Flag (CTF) competitions range in style and difficulty but each and every CTF offers a wealth of knowledge for any participant. In the talk Demystifying CTFs, Barrett Darnell will provide an overview of CTF formats, the skills they require and the experience they develop, and conclude with a plethora of CTF resources for those wanting to participate. The main focus of the talk will be relating how both technical and non-technical skills learned through CTF participation can be applied to real world information security challenges. The target audience for this talk is those who are interested in playing CTFs and would like to maximize the value from them.

The Economics of Red Teaming - Makin’ a profit while droppin 0-day

David Wolpoff

As a red team lead, you're always balancing providing your clients with the most valuable experience possible with the economic realities of running a business. In this talk, Randori CTO & Co-Founder David Wolpoff explores the economics of attack and the balancing act red team leads must walk between realism and profitability. He'll break down the decision process he's used in engagements to justify developing high-end tooling, some opsec tips for keeping capabilities secret and safe, and guiding questions attendees can apply themselves when seeking to maximize customer value without breaking the bank.

The Truth About Passwords, Privacy & Breaches

Serge Borso

The purpose of this session is to take a close look at user security on the web, explore common mistakes people make as it pertains to their privacy/online security and learn about what adversaries are doing with compromised data. I'll talk about choices we all make which impact our own security, then discuss how breaches occur and what happens after a data breach - to the company and specifically to users' now-compromised data. I'll break down common myths (like misleading password strength infographics), provide solid advice (revolving around strengthening accounts and minimizing data exposure), discuss interesting facts and leave the audience with actionable information.

Entrepreneurial Adventures: Starting Your Own Company

Bryson Bort

So you’re not crazy, you just want to start your own company. Which kinda takes a level of crazy to pull it off. We’ll talk through what it takes to be an entrepreneur, different kinds of companies (service, product, non-profit), the market, back-office administration, pricing and economics, and my experiences starting three companies.

Where the real security work gets done and how to measure it

Dan DeCloss

Whether you're on a red team or a blue team; whether you have a deep technical skillset or are just getting started; whether you consult with key stakeholders or slog through the trenches; we all play an important role in getting the actual cybersecurity work done. As a person who has worn many hats throughout his career, this talk will highlight what we all should be focused on on a daily basis. This is based on unique experience in building both red and blue teams over the last 15 years and observing where the bottlenecks are in actually improving an organization's security posture. We'll wrap it up with a few suggestions on key metrics that a red and blue team should be tracking to gauge if you're actually gaining ground on the cyber warfront.

A Day in the Life of a Pentester: What Pentesting Really Looks Like

Chris Elgee

Chris Elgee is a senior security analyst and Core NetWars Tournament design lead for Counter Hack, and a commissioned officer in the Massachusetts Army National Guard. At Counter Hack, Chris is responsible for the design and implementation of NetWars challenges designed to be fun, engaging, and challenging for players of all skill levels. His expert storytelling and keen application of real-world hacker techniques have allowed him to create some of the player-favorite challenges throughout NetWars and the Holiday Hack Challenge.

Through his work with SANS and the National Guard, Chris shares his unique insight into cyber security threats to educate, prepare, and inspire students and soldiers alike. Chris holds GSEC-Gold, GCIH, GWAPT, GPEN, GCIA, CISSP, and OSCP certifications.

Outside of work, Chris enjoys volunteer community service work, playing bass at church, spending time with his wife and four kids, and playing with their dog, Isabelle.

The Pentester Blueprint: A Guide to Becoming a Pentester

Phillip Wylie

Pentesting or ethical hacking as it is more commonly known has become a much sought-after job by people in IT, InfoSec, or those just trying to get into the industry. In this presentation, Phillip Wylie shares the blueprint for becoming a pentester. The presentation combines Phillip’s experience as a pentester and ethical hacking instructor to give attendees a guide on how to pursue a career as a pentester. Phillip shares what has worked for his students and people that he has mentored over his years as a pentester. This presentation covers the knowledge and skills needed to become a pentester as well as the steps to achieve them.