Wednesday, October 23


Airport Con - Shuttle leaves RAP at 12:30PM, 3:30PM & 6:45PM
Airport Shuttle Info
We know traveling to Deadwood (although worth it) is kinda hard. In an effort to ease a bit of pain, we’ve booked a shuttle to take you from Rapid City Airport to The Grand Hotel and back. We’re carving out a corner of the airport (near baggage claim) to host the first “WWHF Airport Con” where you can relax and play games while waiting for the shuttle. It’s free, just look for the sign (it won’t be hard, it’s not a big airport) and the schedule is below:
Wednesday the 23rd: Leaving RAP at 12:30PM, 3:30PM & 6:45PM

Wednesday October 23, 2019 TBA
Rapid City Airport

3:00pm MDT

Conference Registration
Conference Registration runs from 3pm - 8pm on Wednesday.  Talks, labs (most) and the Welcome Party start on Wednesday night!

Wednesday October 23, 2019 3:00pm - 8:00pm MDT
Conference Floor

4:00pm MDT

S1/E3: Do you C2? If you do, ICU.
Wherein an Evil Agent does what an Evil Agent has to. We will run it down once more...

Yayyyy Deadwood again! So many new scary things to learn about! Wicked Wizards and 0days! Almost certain @HackingDave and @DeviantOllam and @MalwareJake and so many others are going to shift how you think about everything!

Meanwhile, back at the office, Steve Secretary clicks a link. Then a browser goes pop. A new Evil thread emerges in the world. It doesn’t know what to do! Halp! It needs a meeting! It needs to call Mom. And when it does…

When it does, I will see it. Without spectacularly expensive tools. Without dark skills. I will see it just by looking.

Jonathan Ham

Jonathan is an independent consultant who specializes in large-scale enterprise security issues, from policy and procedure, through staffing and training, to scalable prevention, detection, and response technology and techniques. With a keen understanding of ROI and TCO (and an emphasis...

Wednesday October 23, 2019 4:00pm - 4:50pm MDT
Main Stage

5:00pm MDT

Offensive GoLang
Tools such as Metasploit, Mimikatz, and Netcat are household names amongst penetration testers and red teamers. They have been used for many years to get shells, dump creds, and move laterally with fanfare and impunity; however, times change. Network defenses are improving, and they are increasingly blocking the tools we rely on for successful penetration tests (good job vendors!).

So how can you as a penetration tester deliver value to your clients when your essential tools are blocked?

The short answer is you can “live off the land”, modify existing tools, or roll your own. But this is easier said than done. Our device ecosystem is growing rapidly. On a single engagement you may face systems including Windows, Mac, Linux, mobile, IoT, and more. You don’t have time to learn 6 programming languages. You can’t expect needed runtime environments to be present on all targets. And you need solutions that are easy to create, maintain, and deploy.

Enter GoLang. The Go programming language (GoLang) was built by computing pioneers from Google. They set out to create a language that is simple to read and write, easy to deploy, and able to scale. And it happens that Go has wondrous offensive capabilities.

Offensive GoLang will provide an overview of the Go programming language, highlighting how it can be applied to penetration test and red team engagements. Attendees will enjoy several demos showcasing Go’s awesome offensive applications including creating cross platform executables, injecting A/V resilient shellcode, payload hardening, and more. At the conclusion of this presentation, viewers will have a strong understanding of how Go can be used to create simple, reliable, and scalable offensive tools.

-Intro / Agenda
-Overview of Go
-Pros/Cons of Go versus other solutions (Python, PowerShell, C#, etc.)
-Attack all the things with cross compilation
-Easily create Windows DLLs with Go
-How to model advanced threats with A/V resilient shellcode injection
-How to use Goroutines to speed up password cracking
-Getting low level with W32
-Defense Evasion with Go
-Popular open source projects (Merlin, Egesploit, goBuster, and more!)
-Conclusion / Q&A

Michael C. Long II

MITRE Corporation
Michael Long is a Senior Cyber Adversarial Engineer with the MITRE Corporation and a former U.S. Army Cyber Operations Specialist. Michael has over 10 years of experience in information security disciplines including adversary threat emulation, red teaming, threat hunting, and digital...

Wednesday October 23, 2019 5:00pm - 5:50pm MDT
Main Stage

6:00pm MDT

Welcome Party
Wednesday October 23, 2019 6:00pm - 8:00pm MDT
Conference Floor

Thursday, October 24

7:30am MDT

Conference Registration
Thursday October 24, 2019 7:30am - 6:00pm MDT
Conference Floor

8:30am MDT

Welcome to WWHF

John Strand

Black Hills Information Security
John has both consulted and taught hundreds of organizations in the areas of security, regulatory compliance, and penetration testing. He is a coveted speaker and much loved SANS teacher. John is a contributor to the industry shaping Penetration Testing Execution Standard and 20...

Thursday October 24, 2019 8:30am - 8:50am MDT
Main Stage

9:00am MDT

Ian Coldwater

Ian Coldwater is a DevSecOps engineer turned red teamer, who specializes in breaking and hardening Kubernetes, containers and cloud native infrastructure. In their spare time, they like to go on cross-country road trips, capture flags and eat a lot of pie. Ian lives in Minneapolis...

Thursday October 24, 2019 9:00am - 9:50am MDT
Main Stage

10:00am MDT

Hacking a Security Career
Prominent and very wise individuals in INFOSEC have published blog posts and offered wisdom to those who seek to enter our industry.  One of the best sides of our community is on display when venerable types extend a hand to the next generation.  These amazing guides and collections of links and training resources can help guide many hopefuls on the path toward knowledge and perhaps their first of many rewarding jobs.  

However, what if you aren’t just focusing on your first new job, but instead you want to take a broader view and help plot out your entire career? What if you don’t simply want to work for an INFOSEC business but instead you aim to run a security business? Deviant has started (and still runs) several successful security firms… and he believes there are some very specific points and considerations that don’t get brought up in the discussion. With the hope of saving countless new employees from failure and many new businesses from bankruptcy, Dev will discuss the key element that many people fail to bring to the table when starting a security career… and the secret to the success of so many INFOSEC individuals who came before us.

Deviant Ollam

The CORE Group
While paying the bills as a security auditor and penetration testing consultant with The CORE Group, Deviant Ollam is also a member of the Board of Directors of the US division of TOOOL, The Open Organisation Of Lockpickers. His books Practical Lock Picking and Keys to the Kingdom...

Thursday October 24, 2019 10:00am - 10:50am MDT
Track 2

10:00am MDT

What's hiding on your networks

Bob Hillery

Bob Hillery is a founder and Chief Operations Officer with InGuardians, Inc. He is an experienced consultant in Information Systems Security Management and has an extensive background in computer networks gained through the Navy and R&D labs. Bob has worked on National Institute of Justice...

Thursday October 24, 2019 10:00am - 10:50am MDT
Track 1

10:00am MDT

Resume Review and/or Mock Interview w/ Jake Williams
Jake Williams is offering resume and interview advice to the community.  Print your resume, bring your questions...this guy is an amazing resource to help, so take advantage.


Jake Williams

Rendition InfoSec

Thursday October 24, 2019 10:00am - 4:00pm MDT
Conference Floor

10:00am MDT

New Speaker Workshops - 30 minutes each
10:00am - Nick Roy: OSINT and the Hermit Kingdom. Leveraging online sources to learn more about the world's most secret nation.

10:45am - Marcus W Tonsmann: DoH (DNS over HTTPS) for attackers and defenders
DoH is coming. This talk will prepare you by covering the basics of the protocol, available tools for testers, and techniques being leveraged by real adversaries. Proactive defensive measures will also be discussed, with an eye towards the future.

11:30am - Robert Hawes: Enumerating Userland Applications Attack Surface on Windows
This presentation will cover how to perform attack surface enumeration for Windows userland applications. Inside the domain of vulnerability research, many different methodologies exist for how a researcher may start their journey with auditing an application. This presentation will provide information on how to enumerate the attack surface of userland applications that are deployed on the Windows operating system.

1:00pm - Kelly Whitaker: Hacking Pioneers, Breaking through the stigma of influential advertising
This presentation will challenge the way you think about those who are in the computer science industry.

1:45pm - Ryan Stalets: Abusing AWS Architecture (and How to Defend It)
Amazon Web Services (AWS) offers many architecture features which improve application performance and make it easier to deploy applications. This talk will look at two AWS architecture features which can be abused to hide C2 traffic and compromise application code and infrastructure. We will also discuss these features from a "prevent, detect, respond" perspective with a special emphasis on detection and response actions for SOC/IR teams.

2:30pm - Serenity Smile: Fortify Yourself First: Personal Cybersecurity Distilled
As a cybersecurity professional, are you doing the best you can to protect yourself and your family first? This talk will thoroughly distill the latest research and provide a practical cheat sheet for what you need to do NOW to mitigate risks as a user of cyberspace.

3:15pm - Nicholas Childs: Aircraft avionics primer for hackers

4:00pm - James Arnold: Configuring Malleable C2 for Threat Emulation and Opsec Safe(ish) Payloads
This talk will start by showing the options of Cobalt Strike’s Malleable C2 Profiles. Next, we will go through the process of getting information from malware analysis reports to mimic malware for use in testing detection systems and/or use in Purple Team projects. Finally, we will go through options for creating a more Opsec safe(ish) profile.

Nick Roy

Nick Roy is currently a Senior Security Specialist at Splunk focusing on security automation and improving blue team response. Before Splunk, Nick was at Phantom Cyber working with partners across the globe to build out their security automation practices and delivering them to their...

Marcus Tonsmann

Marcus works as a Detection Engineer at a national healthcare company. In his role, he spends a lot of time researching offensive techniques and how to detect and prevent them. Currently, he holds GPEN, GDAT and GNFA certifications. When not in front of a computer, Marcus loves to...

Robert Hawes

VerSprite Security
Robert Hawes is a Security Researcher at VerSprite Security. He enjoys all things in the area of vulnerability research and exploit development. Robert is passionate about discovering zero-day vulnerabilities and developing accompanying exploits for advanced capabilities. Robert is...

Kelly Whitaker

Kelly Whitaker is the Information Technology Officer for the National Weather Service Rapid City forecasting office where she is a Jill of all trades - coding, security, setting up VMs, configuring servers, putting out fires, and making forecasters happy. She’s worked on many national...

Ryan Stalets

Ryan is an analyst on the security incident response team of a Fortune 100 global company. His focus areas include cloud threat detection/response and network intrusion detection. Ryan has a decade of experience in IT, with nearly five years as a CSIRT analyst, and holds several GIAC...

Serenity Smile

Serenity Smile is an Information Security Analyst for a Fortune 100 company and grateful to be a SANS Diversity Cybertalent Immersion Academy Graduate. She holds the GIAC GSEC (GIAC Security Essentials), GIAC GCIH (GIAC Certified Incident Handler), and GIAC GCIA (GIAC Certified...

Nicholas Childs

I am a FCC Licensed Aircraft Avionics systems Technician. The primary focus in my career has been the repair and service of Radar, Targeting, Sensor, Communication, and Navigation Systems, on multiple Civilian and Military platforms. I am DoD Information Assurance level 2 certified...

James Arnold

James is a Senior Offensive Security Engineer for Jack Henry & Associates. He currently performs penetration tests and Red Team projects. https://github.com/xx0hcd https://www.linkedin.com/in/jparnold02/...

Thursday October 24, 2019 10:00am - 4:45pm MDT

11:00am MDT

Breaking Into Your Building - A Hacker's Guide to Unauthorized Physical Access
During this presentation, we’ll discuss proven methods of bypassing popular physical security controls and employees, using only publicly available tools and social engineering. You'll hear war stories from assessments that we have performed, and the frightening simplicity of gaining unauthorized physical access to many things from server rooms to Top Secret Ops rooms. These assessments will be broken down to discuss the various social engineering and physical security bypass methods and tools used, as well as remediation recommendations.

Brent White

NTT Security
Brent is a Sr. Security Consultant at NTT Security as well as a Trusted Advisor for the Tennessee Department of Safety and Homeland Security on the topics of Physical and Cyber Security. He is also the founder of the Nashville DEF CON group (DC615), and is the Global Coordinator for...

Thursday October 24, 2019 11:00am - 11:50am MDT
Track 1

11:00am MDT

Social Forensication: A Multidisciplinary Approach to Successful Social Engineering
This presentation outlines a new twist on an existing social engineering attack. In the past, we have worked on getting users to plug in USB devices to drop malicious documents and executables. While this attack sometimes proves our point, it is only the tip of the iceberg of what can be done. Enter Social Forensication.

This is a two-pronged attack, consisting first of collecting a memory image for offsite offensive forensic analysis, the second being a rogue Wi-Fi access point attack. During this presentation, we will walk through the steps to perform each attack. Since defense is just as (if not more) important as the attack itself, we will also discuss mitigations (technical and procedural) and relevant Windows detections for these attacks.


Joe Gray

Joe Gray joined the U.S. Navy directly out of High School and served for 7 years as a Submarine Navigation Electronics Technician. Joe is currently a Senior Security Architect and maintains his own blog and podcast called Advanced Persistent Security. In his spare time, Joe enjoys...

Thursday October 24, 2019 11:00am - 11:50am MDT
Track 2

12:00pm MDT

Automating Social Engineering for the Anti-social Engineer
While modern technical controls and protections can thwart basic phishing attempts, phone communication remains a lucrative avenue for would-be attackers. This is a typical route used to gain a foothold into an environment via an unsuspecting employee. However, this time-consuming manual process makes documenting and utilizing your social engineering results difficult.

Fortunately, existing interactive voice response (IVR) technology can help solve this problem. While these systems are typically used to assist people, we could also leverage them to attack.

The abundance of cloud-based services makes this easy to accomplish and even easier to expand upon with your own custom scenarios, all while capturing respondent information. This presentation will cover how to take existing, off-the-shelf tools and configure them to build your own social engineering “robot”.

Patrick Sayler

Patrick Sayler is approaching ten years of experience in the information security industry with more than six years dedicated to penetration testing. During this time, he has worked across a wide range of industries, including aerospace, financial services, manufacturing, healthcare...

Thursday October 24, 2019 12:00pm - 12:45pm MDT
Main Stage

1:00pm MDT

Hack (Apart) Your Career - How to Fund Doing What You Love
Our field is full of extremely creative people who have a lot to offer the industry. But often we lose focus because we are working for a company that has their own goals and competing priorities. This leads to long hours of work, a declining quality of life, and various other troubles. In this talk I focus on the tidal wave of DOD-related opportunities that exist to fund novel research and cutting edge technology, all while allowing autonomy of the individual. I've personally used these sources to transition to running my own company and have helped a lot of folks in the industry do the same. I'll discuss why people should consider this as a career path, where to find these resources, and walk through exactly how to apply.

John Grigg

I have 12 years of experience within the Navy, the Intelligence Community, and in the corporate cyber security world with focuses on building and maturing SOCs, SIEM/IDS/IPS engineering, malware analysis, and cyber operations. @Sk1tchD...

Thursday October 24, 2019 1:00pm - 1:50pm MDT
Track 2

1:00pm MDT

We’ve Got A Lot To Learn: Building threat models to support innovation and save the world
The thought of building a network rife with IoT devices and remotely-accessible critical control systems is enough to bring most infosec professionals to tears. When that same network promises to reduce urban potable water demands by 70% while still supporting commercial and residential irrigation, it is probably worth wiping away the tears and rolling up our sleeves. Innovation is all around us, working to protect natural resources, provide opportunities for better lives, and ideally doing it in a way that ensures the availability, confidentiality, and integrity of the networks supporting these efforts.

Following a year-long, collaborative research project into network security in some of the most innovative areas of wastewater reclamation and treatment, this talk will focus on how to engage with and support industries with real needs for complex networks and with even more complex threat profiles. You will come away with an understanding of why asking questions and relying on experts outside of security is critical, learn how to identify and adapt industry-specific risk frameworks, and how to apply threat-based recommendations when the stakes are high and existing data is hard to come by.

Rebekah Brown

Rebekah Brown has helped develop threat intelligence programs at the highest levels of government and has had some exciting experiences along the way. She is a former National Security Agency network warfare analyst, U.S. Cyber Command training and exercise lead, and crypto-linguist...

Thursday October 24, 2019 1:00pm - 1:50pm MDT
Track 1

2:00pm MDT

Digging Deeper into the Google Calendar Attack Surface
“One Billion Google Calendar Users Exposed to Fake Invite Scam” - Forbes Inc
“Beware phishing scams posing as Google Calendar notifications” - Tech Radar
“Google Calendar spam is on the rise” - CBS News
But really, just how bad is it? On one side of the equation, it seems everyone has been getting either spammed or phished, leading to account compromises and being woken up at 2am because of the new iPhone they just won from some sketchy site they have never been to. On the other side of the equation, service providers publicly acknowledge that calendar events have issues, but not as a technical security problem. This lack of seriousness on behalf of service providers has led to neglecting the fundamental issues because of the impact it could have on their users' experience.
To demonstrate just how bad the problem really is, we’ve pulled back the cover on this mostly untapped attack surface by digging into the core calendar specification dating back to 1995. We have analyzed the original format components by digging into the specification, researched the attack surfaces affecting high-level implementations by Google, and finally identified new vulnerabilities which we will demonstrate.
We will provide a quick recap of existing calendar problems to date, discuss fundamental design flaws in the calendar specification, and demonstrate new vulnerabilities that can be exploited using calendar events. This presentation has just enough technical details to intrigue security researchers while providing a very clear warning for anyone who uses calendars.

Thursday October 24, 2019 2:00pm - 2:50pm MDT
Track 2

2:00pm MDT

Finding a Domain’s Worth of Malware
Are you tired of demonstrations of products that take months or years to get effective data from? How many products have you seen half-implemented (but fully paid for!) that didn’t ever deliver any real value to your organization? Here, I’ll discuss multiple free products that you can use next week to find evil inside your organization. Some techniques will find less advanced adversaries, and some will trip up even some of the most advanced ones - but they’ll all deliver value in less than a week of implementation, and I’ll discuss how you can integrate them and find the malware you already have in your environment. “Assume breach”...then find it!

Jeff McJunkin

Jeff McJunkin @jeffmcjunkin is a senior staff member at Counter Hack Challenges with more than nine years of experience in systems and network administration and network security. His greatest strength is his breadth of experience - from network and web application penetration testing to digital/mobile forensics...

Thursday October 24, 2019 2:00pm - 2:50pm MDT
Track 1

3:00pm MDT

Adversarial Emulation
Today’s Red Team isn’t enough

Why do we care? Because we want to move our defenses and understanding beyond a detection-based approach which has repeatedly been demonstrated to fail.

Why did I build SCYTHE? What led me here?
- Fortune 50 Retailer Use Case
- Bounded Attack Space Philosophy - the atoms of an attack (different way to look at ATT&CK)
- Lessons Learned as a CNO expert coming into commercial/industry red teaming

Red Team vs Adversary Emulation - what’s done today vs what should be done

To white box or black box

Threat Intelligence
- Such a disappointment = static identifiers, but no way to machine read for emulation
- Analyst reports! Sigh, you have to read and analyze to pull out capabilities and TTPs
- Neutered malware - awesome! But… risky and takes a decent amount of work to do, plus very prone to signature-based detection response

MITRE ATT&CK - what it can and can’t do for you.
- Common mistakes - rigid adherence, signature-based

Open Source Options:
- CALDERA - APT3 example (although, they didn’t really use CALDERA for this…)
- PowerShell - great. Seen in the wild. But, not hard to defend… so limitations.
- Empire - based on… PowerShell.
- Living off the Land - https://lolbas-project.github.io/

Host Activities
- Destruction: ransomware, wiper
- Escalation
- Persistence
- Credential Theft

Network Activities
- Communication/Traffic
- C2 infrastructure

Lateral Movement
- Combination of host/network
- Mapping

Going Purple
- Combined visibility and reporting
- How do you technically do this - SIEM/Analytics, red team strings/tagging
- Program strategy and direction - shared gap analysis

Bryson Bort

Bryson is the Founder of SCYTHE, a start-up building a next generation attack emulation platform, and GRIMM, a cybersecurity consultancy, and Co-Founder of the ICS Village, a non-profit advancing awareness of industrial control system security. He is a Senior Fellow for Cybersecurity...

Thursday October 24, 2019 3:00pm - 3:50pm MDT
Track 2

3:00pm MDT

Selfies of the Mind: Confessions of an Extreme Diarist
Hacking your own mind — everybody does it to some extent, but some mind hacks are more useful and more extreme than others.  Since I was a kid, I’ve devised various mind hacks that have helped me throughout life. But just three years ago, I embarked on another extreme mind hack designed to improve my perception, memory, and understanding of the world around me.  In this deeply personal talk, I’ll share my technique, the tools that support it, and the adventures and insights that it has inspired.  It’s gonna get a little weird too.

Ed Skoudis

Ed Skoudis has taught cyber incident response and advanced penetration testing techniques to more than 12,000 cybersecurity professionals. He is a SANS Faculty Fellow and the lead for the SANS Penetration Testing Curriculum. His courses distill the essence of real-world, front-line...

Thursday October 24, 2019 3:00pm - 3:50pm MDT
Track 1

4:00pm MDT

Architecting Secure ICS Environments
Criminals are hacking Industrial Control Systems (ICS). Their motivations are as diverse as the environments where ICS solutions and devices are found. Businesses are taking notice and asking the hard question: "how do we secure systems that are intended to run continuously?" The personnel operating these environments need to understand IT security as much as IT security professionals need to understand the concepts and requirements of an ICS implementation. The purpose of this presentation will be to, briefly, introduce the concepts and security considerations for ICS devices and solutions. It will brush on common devices and implementations while providing an overview of the methodologies used to architect and secure ICS environments. Attendees will walk away with an excellent starting point for assisting with the security of a business' ICS deployments in a manner that facilitates safety and business-centric decisions.

Don C. Weber

Cutaway Security
Don C. Weber has devoted himself to the field of information security since 2002. His most recent experiences include providing penetration assessment, architecture review, detailed hardware security assessment, wireless and radio implementation analysis, and incident response management...

Thursday October 24, 2019 4:00pm - 4:50pm MDT
Track 2

4:00pm MDT

Incident Response is HARRRRRD… but it doesn’t have to be
So your EDR, AV, or other fancy shiny blinky lights security tools alerted you that Bob's Windows box has some suspicious activity. Do you have the details you need to investigate or remediate the system? Can you quickly and easily investigate it? You can enable a lot of things you already have for FREE to help you with your investigations, no matter the tools used. Let’s take a look at how we do Incident Response on Windows systems and what you can do to prepare for an inevitable event.

How is your logging? Is it enabled? Configured to some best practice? (hopefully better than an industry standard that is seriously lacking). Have you enabled some critical logs that by default Microsoft does NOT enable? Do you have a way to run a command, script, or a favorite tool across one or all your systems and retrieve the results? Do you block some well-known exploitable file types so users do not initiate the scripting engine when they double click, rather just open good ol’ Notepad?

Everything mentioned here is FREE and you already have it!

This talk will describe these things and how to prepare, and be PREPARED, to do Incident Response on Windows systems. A few tools that you can use to speed things up will be discussed as well.
The attendee can take the information from this talk and immediately start improving their environment to prepare for the… inevitable, an incident.

Michael Gough

IMF Security
Michael is a Malware Archaeologist, Blue Team defender, Incident Responder and logoholic. Michael developed several Windows logging cheat sheets to help the security industry understand Windows logging, where to start and what to look for. Michael is a primary contributor to the...

Thursday October 24, 2019 4:00pm - 4:50pm MDT
Track 1

5:00pm MDT

Burpsuite Team Server - Collaborative Web Pwnage
During large-scale engagements against multiple applications, teams often split the workload across many testers. Currently, sharing Burpsuite sessions requires exporting large files that cannot be merged with a running state, restricting the ability for teams to collaborate on an application. With this new plugin, coupled with a lightweight server, multiple testers can share traffic in real time across multiple applications, allowing for quick collaboration! Have a repeater payload your team needs to see? Simply right-click the request and select share to populate their repeater tabs! Come listen and see how this plugin can help your teams hack collaboratively!


Tanner Barnes

Tanner is a full scope penetration tester for AON Cyber Solutions providing red team, social engineering, physical security, and source code review consulting for a myriad of clients in diverse industries. As a software engineer, he discovered the cyber security world through his...

Thursday October 24, 2019 5:00pm - 5:50pm MDT
Track 2

5:00pm MDT

The Security of DevSecOps
The current trend for DevSecOps has revolutionized the way applications are built and deployed, with developers having the ability to push a change from their desktop and have it running on a live server within hours, sometimes even minutes. The key to making all this possible is automation, with code changes running through build and test scripts and infrastructure being spun up by lines of code rather than humans.

The downside to this automation is that the machines must now hold secrets that were previously only available to their human masters. Config files hold database credentials for structural updates, roll-out scripts can access SSH keys for production, and source code repositories never forget anything. In this new world, compromise of a single host can mean compromise of the whole process, affecting both the end product and the business itself.

This talk will look at the DevSecOps process and point out a number of key areas where we can look during reviews in the hope of plugging as many of these potential holes as possible and ensuring the Sec stays in DevSecOps.


Chris Truncer

Christopher Truncer (@ChrisTruncer) is a co-founder and red team lead with FortyNorth Security. He is a co-founder and current developer of the Veil-Framework, a project aimed to bridge the gap between advanced red team and penetration testing tools, WMImplant, EyeWitness, and other...

Robin Wood

Hacker, coder, climber. Co-founder of UK conference SteelCon, freelance tester, author of many tools. Always trying to learn new things.

Thursday October 24, 2019 5:00pm - 5:50pm MDT
Track 1

5:00pm MDT

WWHF - Deadwood History Tour - $10 Registration Fee

Deadwood is pretty awesome, but don't take our word for it. Sign up for the WWHF History Tour by Boot Hill Tours where we'll take you through the Historic Streets of Deadwood up to Mt. Moriah, our famous Boot Hill, to visit the graves of Wild Bill Hickok, Calamity Jane and other gold rush characters. The tour will include a one hour tour of Deadwood and Mt. Moriah and then a tour to the Homestake Mine/Sanford Lab visitor center.

Tickets are $10 each and can be purchased at the Registration table. Space is limited so don't wait to buy one!

Bus leaves Deadwood Grand Hotel promptly at 5:15pm
Tour Highlights:
  • Deadwood's 1876 Gold Rush
  • Local History and Legends
  • Current Gold Mining
  • Historic Main Street Buildings
  • Custer's 1874 Expedition to the Black Hills
  • Great Sioux's Struggle for the Black Hills
  • Chinese of Deadwood
  • The Killing of Wild Bill at the Saloon #10
  • The Trial of Jack McCall
  • Legalization of Deadwood Gambling - 1989
  • Recount the lives of Wild Bill, Calamity Jane, Potato Creek Johnny, and Sheriff Seth Bullock

Thursday October 24, 2019 5:00pm - 6:30pm MDT

6:00pm MDT

Story time with Johnny Long
I’ve had some interesting adventures in my twenty-or-so years as a professional hacker and INFOSEC dude, and I’ve learned quite a few things about the hacker community. In this talk, I’ll unload some of the stories of my adventures all over the globe and share the valuable insights I’ve gained about what it means to be a hacker and why this community is unique, valuable and worth fighting for.

Johnny Long

Hackers for Charity
Johnny Long spent his career as a professional hacker. He has penetrated and subsequently secured some of the world’s most secure government, military and corporate networks and facilities and is currently a senior staff member at Offensive Security. He is the author of numerous...

Thursday October 24, 2019 6:00pm - 6:50pm MDT
Main Stage

7:00pm MDT

Hiring Happy Hour
Are you looking to wrangle a career or need to find the next ace in the hole for your company?  Then make sure to gussy up your resume or jot down your job descriptions and join us at the Hiring Happy Hour at Wild West Hackin' Fest.  It's casual, it's not intimidating, and it's at 7pm on Thursday night.


Jason Blanchard

Black Hills Info Sec

Thursday October 24, 2019 7:00pm - 8:00pm MDT

Friday, October 25

9:00am MDT

Be Evil | A Toolset for Tier 1 Threat Emulation
Some intrusion sets are elite, top tier. Others... not so much. An emerging service in the information security community is the emulation of these threat groups in all their incarnations.

Proven security. The concept is as desirable as it is mathematically impossible. Given that cybersecurity risk is a facet of both threat and impact, proving security against a given threat actor requires more than traditional pentest and red team engagements. It requires a combined toolset of tactics and capabilities tailored to drive effects against the networks that we are tasked to defend. In this talk we explore real attack tactics and unveil an open source toolkit driven to enable advanced threat emulation.


Matthew Toussain

Matthew Toussain is the founder of Open Security and an analyst with CounterHack. As an avid information security researcher, Matthew regularly hunts for vulnerabilities in computer systems and releases tools to demonstrate the effectiveness of attacks and countermeasures. He has...

Friday October 25, 2019 9:00am - 9:50am MDT
Track 2

9:00am MDT

Kerberos & Attacks 101
Want to understand how Kerberos works? Would you like to understand modern Kerberos attacks? If so, then join Tim Medin as he walks you through how to attack Kerberos with ticket attacks and Kerberoasting. We'll cover the basics of Kerberos authentication and then show you how the trust model can be exploited for persistence, pivoting, and privilege escalation.

Tim Medin

Red Siege
Tim Medin is the founder and Principal Consultant at Red Siege, a company focused on adversary emulation and penetration testing. Tim is also the SANS MSISE Program Director and a course author. Through the course of his career, Tim has performed penetration tests on a wide range of organizations and technologies. He gained information secu...

Friday October 25, 2019 9:00am - 9:50am MDT
Track 1

9:00am MDT

Campfire Stories - 15 minutes each
9:00am - Branden Miller - Email header analysis... the hard way
There is a treasure trove of data that one can get from email headers. Many tools provide this data in easy to read formats automatically, but, to fully understand what is going on, one must understand the types of data. This talk will introduce the data, help the user synthesize the data, and turn it into intelligence.

9:20am - Frank Vianzon - Anatomy of a phishing attack
Per the Verizon Breach Report of 2018, phishing is on the rise. In this talk we will look at a few really good phishing e-mails that I received and break down how to recognize them, how to protect yourself against them and how to perform a basic analysis of what the phishing e-mail is doing using the Burp Proxy Suite.

9:40am - Heather Lawrence - Higher Ed and the Infosec Skills Gap
Some 37% of the 2018 ISC2 Workforce Study indicated that they were concerned about the lack of skilled cybersecurity personnel while almost 60% indicated that their organization is at risk due to the staff shortage. This talk discusses the current availability and quality of infosec higher education, how few institutions are preparing their students with the skills they need, and effective training methods that organizations can use to bridge the gap in-house.

10:00am - Bob Hewitt - Our Adventure with an Awareness Training Escape Room
Are you as tired of Annual Awareness Training as your users are? It might be time to change up your approach to Security Awareness Training with some gamification. Escape Rooms can be fun and a great opportunity for team building while demonstrating your Information Security Awareness objectives. Participants are faced with a series of scenarios that require actions that reflect your organization's policies, procedures and best practices.

10:20am - Josh Fu - The Real Deal about AI
Artificial Intelligence (AI) is impacting our world in previously unimaginable ways and vendors love to say they use it. But how does it really work? If you are looking for the real deal about this industry buzzword, this is the talk for you. We will cover the history of this incredibly innovative technology, what it is and what it is not, the steps required to produce a solution, the subfields that make up AI, how various industries are using it, and at the end of the presentation provide the reference list for you to dive deeper into this next generation field and get started for yourself.

10:40am - Bronwen Aker - URL Hacking - How to Cut the Tracking Cruft
Have you ever read a web page and wondered what all that weirdness in the URL means? It’s not rocket science, but there is madness behind the method of how those URLs are put together, and you can learn how to use it to your advantage. Hidden in plain view are the tracking codes companies like Google, LinkedIn, Amazon, and others use to track where you go online and how you got there. Trimming those codes from your URLs is easy, makes your links friendlier, and prevents would-be online trackers and their marketing masters from keeping tabs on you. Come along as we hack some URLs so you can clean that marketing malware from the links you use and share with others.

11:00am - Edward Ruprecht - When logging everything becomes an issue
Discussing potential issues with logging Sysmon and PowerShell logs. Potential sensitive data leakage, best practices, and scalability issues.

11:20am - Josh Rykowski - Gamification and Andragogy - A Match Made for Workforce Empowerment
In this talk I discuss the series of trials and tribulations faced when developing a programming competition aimed at energizing a large (approximately 700 individuals) existing employee population within our organization and trying to stoke their excitement about learning how to script and program.

1:00pm - Heath Adams - What I Learned After a Year as a Cybersecurity Mentor
Cybersecurity professionals are life-long learners. We put in our 40+ hours a week at work, but it never ends there. The field is constantly changing. Every day, something new comes out. A new exploit. A new patch. New software. A tactic that worked yesterday might no longer work today. Because of this constant state of metamorphosis, a cybersecurity pro is always studying. We are reading news articles. We are catching up on Twitter. We are working on certifications, on a CTF, or whatever it is that keeps our endorphins escalated. We never stop.

Many people come in seeing the sexy, only to bail when they realize the level of effort needed to succeed. In my belief, this is why we have (and always will have) a shortage in the field. This talk will provide guidance and resources available to network, find jobs and succeed in the field of cybersecurity.

1:20pm - Bruce Norquist - STRIDE Threat Model of a Cloud Application & Associated Cloud Baggage
This presentation is on a generic SAAS application and associated Cloud Stack’s Threat Model.
The central theme of this discussion uses VISIO drawings of the SAAS, PAAS, and IAAS and the related STRIDE set of threats.

STRIDE is a model of threats developed by Praerit Garg and Loren Kohnfelder at Microsoft for identifying computer security threats. It provides a mnemonic for security threats in six categories.
The threat categories are:
•    Spoofing of user identity
•    Tampering
•    Repudiation
•    Information disclosure (privacy breach or data leak)
•    Denial of service (D.o.S)
•    Elevation of privilege


Bruce Norquist

Bruce Norquist has been hooked and working security since he touched his first B3 level Compartmentalized Mode Workstation in 1994. He retired from the Army National Guard after 24 years as an Information Operations and Combat Engineer officer at NORAD/USNORTHCOM. His first Cloud...

Bronwen Aker

Bronwen Aker has played with computers since elementary school when she was introduced to FORTRAN programming using bubble cards. She worked for twenty years in web development, and as a technical trainer, before entering the world of cybersecurity. Today she is a graduate of the...

Branden Miller

Branden Miller retired from the US Navy in 2011 after 20 years as a Cryptologic Technician. He has held several jobs within Computer Network Operations including those of a Computer Network Defense Analyst and a Computer Network Exploitation Analyst. After retirement, he has enjoyed...

Frank Vianzon

Frank Vianzon works in Corporate Risk Management during the day but also writes and teaches classes at the local colleges and is a Board Member at OWASP. Frank currently holds three SANS certificates for GPEN, GCWN and GISP.

Bob Hewitt

Bob works for a Software as a Service provider that services charitable foundations and financial institutions where he is responsible for program management, compliance, SOC operations, penetration testing, and privacy. He consults several organizations on beginning and managing...

Josh Fu

Josh Fu (Twitter @jfusecurity) is a security professional at Cylance and was the founder of the west coast chapter of the International Consortium of Cybersecurity Professionals (ICMCP). His ability to turn technical concepts into easy-to-understand plain English has led him to present...

Edward Ruprecht

Lead Cyber Security Engineer at FM Global

Heather Lawrence

Heather Lawrence is a data scientist for the Nebraska Applied Research Institute who earned her undergraduate and master's degrees in Computer Engineering from the University of Central Florida. In previous lives she was a USN nuke, VA photographer, NCCDC winner, Hack@UCF mom, and...

Josh Rykowski

Josh Rykowski @ryko212 currently serves as a Cyberspace operations officer for the US Army where he has led a Cyber Protection Team and worked to develop specialized training for those same teams. On his convoluted path to cybersecurity he obtained a Bachelor of Science in Electrical...

Heath Adams

Heath Adams is a Senior Penetration Tester. He has a strong background in network administration and information security, including penetration testing, network design and implementation, and network security. Heath currently holds multiple cybersecurity related certifications, including...

Friday October 25, 2019 9:00am - 2:00pm MDT

9:00am MDT

Conference Registration
Friday October 25, 2019 9:00am - 6:00pm MDT
Conference Floor

10:00am MDT

Elevating your Windows privileges like a boss!
Local privilege escalation on Windows is becoming increasingly difficult. Gone are the days when you could just easily exploit the Windows kernel. Multiple controls (KASLR, DEP, SMEP, etc.) have made kernel mode exploitation of the bugs that are discovered much more difficult. In this talk, we'll discuss multiple opportunities for privilege escalation including using COM objects, DLL side loading, and various privileges assigned to user accounts. Bring a Windows 10 VM. We'll have instructions available for recreating the scenarios demonstrated in the talk.


Jake Williams

Rendition InfoSec

Friday October 25, 2019 10:00am - 10:50am MDT
Track 1

10:00am MDT

Py2k20 - Transitioning from Python2 to Python3
It’s time to talk about the 2020 End of Life for Python2. We’ll address what the short, and medium term impacts will likely be. Key language differences will be highlighted with techniques to modify your code to be forward compatible.

As a SANS instructor teaching SEC573: Automating Information Security with Python, over the past three years, I have steadily moved my teaching materials, examples, demonstrations and personal coding to Python3. In this process, I have had to break habits and learn new habits to write Python3 compatible scripts. I also spend considerable effort showing people how to write Python2 scripts which are forward compatible with Python3 in order to ease the transition.

The largest barrier that most people struggle with is the idea that Python3 has changed the default string encoding to UTF-8 rather than simple byte encoding. Once you learn how to manage your string objects, the remaining transition issues are mostly modern improvements to the language which most people consider advantageous to adopt.

Since Python2 will no longer have active releases after 2020, it is important to embrace the change and move forward with the Python scripting community.

Joff Thyer

Joff has over 20 years of experience in the IT industry as an enterprise network architect, network security defender, information security consultant, software developer and penetration tester. He has extensive experience covering intrusion prevention/detection systems, infrastructure...

Friday October 25, 2019 10:00am - 10:50am MDT
Track 2

11:00am MDT

"First-try" DNS Cache Poisoning on IPv4 and IPv6
DNS fragmentation attacks are a more recent series of attacks that take advantage of the consistent composition of fragmented DNS responses by sending a crafted (malicious) second fragment to be reassembled with a legitimate first fragment at the IP layer. Even if DNSSEC is fully implemented, an attacker can still poison unsigned "glue" records.

These types of attacks are difficult, and have really only been considered remotely feasible over IPv4. Most nameservers use "per-destination" IP-layer ID (IPID) counters, and the IPID in the IPv6 Fragment Extension Header cannot be easily guessed blindly, as the number of bits in the field has been comparatively doubled to 32 bits (making blind-guessing even in ideal conditions take an average 34 million iterations).

Unfortunately, as part of optimizations made to Linux, the IPID counter is no longer truly "per-destination" and the IPID for a given destination can be inferred consistently enough to facilitate an attack. This allows DNS poisoning on IPv4 and IPv6 with equal consistency and precision, and makes poisoning on the first attempt "thousands" of times easier.

This talk will cover how this attack is carried out, how consistent it really can be, and mitigations that can be put in place by operators of both DNS nameservers and resolvers to limit its effectiveness.

Travis Palmer

Travis (Travco) Palmer is a Security Research Engineer at Cisco. Travis is a certified OSCP and OSCE who has been getting paid to either fix or break something for over seven years. He is a fan (and sometimes-contributor) of a number of simulator/sandbox video games, and keeper of...

Friday October 25, 2019 11:00am - 11:50am MDT
Track 2

11:00am MDT

Consent, Alignment, and Cooperation in the Internet Era
Much of the spectrum of human action and human custom translates more or less obviously from the real world ("meat space") into the Internet ("cyber space"). Yet, some pieces of the human puzzle do not have an obvious place in the Internet game board, and this has wrought unconsidered change to human society through its digital nervous system, the Internet. Is this merely the post-Westphalia era, or as many claim, the post-national era? Let's discuss.

Paul Vixie

Farsight Security
Dr. Paul Vixie is an internet pioneer. Currently, he is the Chairman, CEO and co-founder of award-winning Farsight Security, Inc. Dr. Vixie was inducted into the Internet Hall of Fame in 2014 for work related to DNS and anti-spam technologies. He is the author of open source internet...

Friday October 25, 2019 11:00am - 11:50am MDT
Track 1

11:00am MDT

Resume Review and/or Mock Interview w/ Jake Williams
Jake Williams is offering resume and interview advice to the community.  Print your resume, bring your questions...this guy is an amazing resource to help, so take advantage.


Jake Williams

Rendition InfoSec

Friday October 25, 2019 11:00am - 3:00pm MDT
Conference Floor

1:00pm MDT

Active Defense Web Edition: Web apps dripping with honey!
In this talk, Mick will show you how to honey *every single thing* in your web app stack to become the nastiest, meanest, and downright most painful web app to attack. From client side, through servers, all the way to your data... everything will become a sensor. Even better, attendees will walk away with multiple response options to confuse, frustrate, and drive the attackers to tears!


Mick Douglas

Even when his job title has indicated otherwise, Mick Douglas has been doing information security work for over 10 years. He received a bachelor's degree in communications from Ohio State University. He is the managing partner for InfoSec Innovations.

Friday October 25, 2019 1:00pm - 1:50pm MDT
Track 1

2:00pm MDT

Assumed Breach: A Better Model For Penetration Testing
The current model for penetration testing is broken. The typical scan and exploit model doesn’t reflect how real attackers operate after establishing a foothold. At the same time, most organizations aren’t mature enough to need a proper red team assessment. It’s time to start adopting the assumed breach model. In this talk, I’ll discuss techniques for assumed breach assessments that provide a better model for emulating the techniques attackers use once they’ve established a foothold inside a typical network.

Mike Saunders

Red Siege
Mike Saunders has over 25 years of experience in IT and security and has worked in the ISP, financial, insurance, and agribusiness industries. He has held a variety of roles in his career including system and network administration, development, and security architect. Mike has been...

Friday October 25, 2019 2:00pm - 2:50pm MDT
Track 2

2:00pm MDT

Post Exploitation: Striking Gold with Covert Recon
You're on a covert penetration test focusing on the client's monitoring and alerting capabilities. You've just established a foothold, maybe even elevated to admin, but now what? You want to know more about the internal network but careless packet slinging will get you caught. Join me on a mining expedition where you can't swing your pick axe without striking gold. We'll be mining logs, pilfering connection statistics, and claim jumping process network connections. Without leaving the comfort of your beachhead, you'll be shouting "Eureka!" in no time.


Friday October 25, 2019 2:00pm - 2:50pm MDT
Track 1

3:00pm MDT

The Hackers Apprentice
I turned my house into an escape room! In this talk I’ll show you how I used IoT devices and open source software to turn my house into an escape room. Topics will include HomeAssistant, the HA AppDaemon, Alexa, Python coding and puzzles.

Mark Baggett

Mark Baggett is the owner of Indepth Defense, an independent consulting firm that offers incident response and penetration testing services. Mark has more than 28 years of commercial and government experience ranging from Software Developer to Chief Information Security Officer...

Friday October 25, 2019 3:00pm - 3:50pm MDT
Track 2

3:00pm MDT

The Nerdlist: The Totally Not 1337 Bad Idea's That Gives Infosec Noobs A Foot In The Door
Let’s face it: hacking things is boring as hell, and until Elliot Alderson, no one made command-line fu anything other than the setup for the first act while we waited for Mr. Anderson to become Neo. What do we do while staring at 1s and 0s? Watch movies, TV, YouTube, old memes, and rehash terrible jokes on IRC and then Slack and in Twitter memes. See—here’s the thing. That means that those of us who are like Razor and Blade (“they’re elite!”) can sometimes let our love of bad inside jokes get the better of us…and into our passwords.

The Nerdlist is a collection of self-reported or accidentally discovered anecdotally in-use administrator and system passwords. Let HaveIBeenPwned collect statistics and give us the top 1000, and let RockYou.txt be the dancing broken washing machine in the background. The Nerdlist has become the place where at least fifteen people who have never publicly contributed to an infosec project have made their first commits, because it’s funny, and nonthreatening. We now have interesting geometric shapes and patterns…and one of those unlock gesture codes is in the shape of the Harry Potter spell “Alohomora!”

Anecdotally, when asked to pick a number between 1-100, graduate students in computer science or engineering or complex systems will choose *42* approximately 18% of the time. That’s not a coincidence: it’s the answer to Life, The Universe, and Everything. That’s why the Nerdlist can help us find and fix bad leet passwords, and be a welcoming project for noobs at the same time. Listeners will get an update on the project, hear some startling insights, and see where the Nerdlist will go in future, as well as being welcomed to participate with specific instructions and the formation of collaborative partnerships.
Give us your puns, your wit, your searing humor, your correct horse battery staple.

Tarah Wheeler

Tarah Wheeler is Chief Information Security Officer at Setec Astronomy. She holds a PhD in Horribleness from Pacific Tech, N.E.W.T.s in Herbology, Charms, and Defence Against The Dark Arts, and yes, she would like to play a game.

Friday October 25, 2019 3:00pm - 3:50pm MDT
Track 1

4:00pm MDT

Baselining Behavior Tradecraft through Simulations
With the adoption of endpoint detection and response tools as well as a higher focus on behavior detection within organizations, when simulating an adversary it's important to understand the systems you are targeting. This talk will focus on the next evolution of red teaming and how defeating defenders will take more work and effort. This is a good thing! It's also proof that working together (red and blue) collectively, we can make our security programs more robust in defending against attacks. This talk will dive into actual simulations where defenders have caught us as well as ways that we have circumvented even some of the best detection programs out there today. Let's dive into baselining behavior and refining our tradecraft to evade detection and how we can use that to make blue better.

David Kennedy

Trusted Sec & Binary Defense
David Kennedy is founder of TrustedSec and Binary Defense Systems. Both organizations focus on the betterment of the security industry from both an offense and defense perspective. David also serves on the board of directors for the ISC2 organization. David was previously CSO for...

Friday October 25, 2019 4:00pm - 4:50pm MDT
Main Stage

5:00pm MDT

Chuckwagon Dinner & Awards
Just a steak dinner cooked over an open flame for all conference attendees...NBD.

Friday October 25, 2019 5:00pm - 6:30pm MDT
Main Stage

8:00pm MDT

After Party
Includes performances from DualCore, Ohm-I, John Strand and Beau Bullock!

Friday October 25, 2019 8:00pm - 10:00pm MDT
Casino Floor