2018 BASC Workshops

We would like to thank our workshop leaders for donating their time and effort to help make this conference successful.

This Training Session is designed to help penetration testers and network administrators up their game. It is no secret that InfoSec professionals on both sides of the ball are in short supply. Studies consistently show competition for savvy InfoSec practitioners is fierce and likely to get more intense as organizations climb the InfoSec maturity curve.

In this training session MEI will provide a virtual network of up to 24 seats. John Hammond, Red Team Lead, will occupy Microsoft's Jay Peak conference room with participants primarily interested in pen testing and attacking assets in the network. MEI Security's Vik Solem, Blue Team Lead, will operate in the Cranmore conference room with participants interested in more secure network administration and defending assets. In the 90-minute session both teams will walk through attack or defense tools and strategies known to exploit VM vulnerabilities. Scoring will be collected for display purposes in the Bretton Woods conference room. A SIEM will document activity for analysis.

Participants must bring a laptop with wireless connectivity, SSH, and OpenVPN installed, and a phone with tethering capability. Participants will be given a thumb drive with credentials and tools. Drives will not be collected at the conclusion of the session and may be reused for the Challenge Session.

Please note you will connect to a 'live fire' network where attacks are likely. It is strongly advised that your machine be backed up prior to participation in these sessions. MEI Security is not responsible for any loss of function or data; participation in these sessions explicitly represents your agreement. Do NOT participate in these sessions if you do not explicitly agree. Following this session and a 30-minute break, an unassisted Challenge Session on a different ticket will be held to identify the Best Attacker & Best Defender.

Building on the Training Session is the Challenge Session. For this challenge the red and blue team leads will not provide assistance; competitors will employ tools and skills to attack and/or defend assets as they see fit.

In this Challenge Session MEI will provide a virtual network of up to 24 seats. Participants are free to occupy any of the three rooms of this challenge: the Jay Peak, Cranmore, or Bretton Woods conference rooms. In this 90-minute session all participants will be scored for both attack and defense points. Scoring will run every two to three minutes. DoS/DDoS attacks will not produce Attack Points. Disconnection from the network will not produce Defense Points. A SIEM will document activity for analysis.

Participants must bring a laptop with wireless connectivity, SSH, and OpenVPN installed, and a phone with tethering capability. Participants will be given a thumb drive with credentials and tools. Drives will not be collected at the conclusion of the session.

Please note you will connect to a 'live fire' network where attacks are likely. It is strongly advised that your machine(s) be backed up prior to participation in these sessions. MEI Security is not responsible for any loss of function or data; participation in these sessions explicitly represents your agreement. Do NOT participate in these sessions if you do not explicitly agree.

Following this session, MEI will name the Best Attacker & Best Defender.

Join this live interactive tournament, which is sure to be a fun, challenging learning experience for all. Whether you are eager to prove your web application AppSec knowledge of the OWASP Top 10 and more, and watch as you climb to the top of the Leaderboard, or simply want to learn how to code more securely, everyone is welcome and there will be prizes / SWAG for the winner(s).

The tournament will be conducted using the Secure Code Warrior platform, an innovative online, hands-on, gamified SaaS Learning Platform that actively engages developers to Learn & Build their secure coding skills. This approach is changing the way developers think and behave as they build & test software. Bring your laptop (not tablet), choose your preferred language/framework, whether it be C# (.NET) MVC, C# (.NET) Web Forms, Java Enterprise Edition, Java Spring, Python Django, Ruby on Rails, or Scala Play, and launch into the AppSec Wars Challenge!

Threat modeling is a way of thinking about what could go wrong and how to prevent it. Instinctively, we all think this way with regard to our own personal security and safety. When it comes to building software, some software shops either skip the important step of threat modeling in secure software design, or they have tried threat modeling before but haven't quite figured out how to connect the threat models to real-world software development and its priorities. Threat modeling should be part of your secure software design process. Using threat modeling and some principles of risk management, you can design software in a way that makes security one of the top goals, along with performance, scalability, reliability, and maintenance.

Objective: In this workshop, attendees will be introduced to Threat Modeling, learn how to conduct a Threat Modeling session, learn practical strategies for finding threats, and learn how to apply Risk Management in dealing with those threats. Depending on time, we will go through 1 or 2 real-world Threat Modeling case studies. Finally, we will end the day with common gotchas in Threat Modeling and how to watch out for them.

Laptop recommended for some labs, but not required. GitHub account recommended, but not required.

When conducting a penetration test for a web application, knowledge of technology-specific caveats becomes crucial. Knowing vulnerability basics is often insufficient to be effective. In this workshop, the latest XXE and XML-related attack vectors will be presented. XXE is a vulnerability that affects any XML parser that evaluates external entities. It is gaining more visibility with its introduction to the OWASP Top 10 2017 (A4). You might be able to detect the classic patterns, but can you convert the vulnerability into directory file listing, binary file exfiltration, file write, or remote code execution? The focus of this workshop will be presenting various techniques and exploitation tricks for both PHP and Java applications. Four applications will be at your disposal to test your skills. For every exercise, sample payloads will be given so that attendees save some time. Attendees must bring their own laptops with Burp Suite or ZAP pre-installed.

A properly positioned defense will increase strength while decreasing the effort needed to maintain position. For applications, the best defense is both in and around the application. Through instrumentation, defenders can map the attack surface from the inside and add defenses against the right threat at the right location. In this workshop, we will use freely available tools to map an application and describe how instrumentation saves a defender's time through compatibility, performance, and security. Attendees require a laptop with an internet connection and familiarity with coding, ideally in Java.

osquery is a powerful cross-platform, cross-virtualization, open-source endpoint agent that was released by Facebook in 2014. It has been growing rapidly in the past year, becoming one of the top security projects on GitHub, with major internet companies above and beyond Facebook adopting it as their endpoint tool of choice in place of commercial endpoint offerings. This workshop, offered by a seasoned engineer who has been working closely with osquery since mid-2016, will provide information for security practitioners who:

- Have EDR or IR endpoint needs, but don't always have the budget or other resources to purchase and deploy expensive black-box security products
- Want the ability to freely customize the questions they are asking of their endpoints over time
- Want the ability to collect and analyze data passively like they would with a SIEM, yet have active investigation capabilities for the endpoint without having to deploy a separate tool

This workshop will be a combination of presentation and hands-on learning. The presentations will consist of an introduction to the project, why osquery is significant and useful, and the design principles behind osquery; who's using osquery currently, notable improvements (and expected improvements) in the past and upcoming year, and how attendees can get involved and/or contribute. The presentations will also include an overview of the tables included in osquery, including specific utility tables and the idea of extensions. The presentation will conclude with a summary of the learning so far, and the challenges of using osquery at scale.

The hands-on portion will include installing and configuring osquery on Linux, demonstrating how to run osquery in interactive mode, some basic osqueryi shell commands, how to use various facets of SQL to write queries for osquery, how to configure osqueryi to listen for events and how to query events tables, and some examples of how osqueryi can be used to investigate a host. If time allows, additional lab sessions may be attempted.

Participants should bring a laptop and battery charger. The laptop should have a USB port or adapter (we'll provide a virtual machine environment either via USB or from a secure download link).