
DEF CON Training
Sam Bowne & Elizabeth Biddlecome - Full-Stack Incident Response
Training description:
Learn the entire process of attacks and defenses, including the MITRE
ATT&CK knowledge base of attacker tools, techniques and procedures, and
defenses: network monitoring, forensics, malware analysis, and
Windows internals.
This workshop is structured as a CTF competition, to make it useful to
students at many levels, from beginners to intermediate. There are no
PowerPoint slides--instead, a large base of hands-on projects and
challenges is available. We will demonstrate the easier challenges
from each topic, and detailed step-by-step instructions are available.
More advanced challenges are available for students who want to gain a
deeper understanding. We will have several instructors available to
answer questions and help participants individually. Every
participant should find new, useful techniques to practice.
Course overview:
MITRE ATT&CK
We will begin with a high-level view of attacks: Groups, Tactics and
Techniques in the ATT&CK matrix, and attribution. We will use Caldera
or a similar product to simulate the stages of an attack and test
defenses.
Network Security Monitoring
We will cover centralized security monitoring in detail, using Splunk
and Suricata to find and analyze attacks. We will use a pre-installed
Splunk server with archived attack data to find and analyze attacks
including vulnerability scans, brute force attacks, ransomware, and Web
site defacement.
Then we will analyze network traffic with Wireshark, Virus Total, and
Packet Total to find suspicious traffic, reconstruct the attacker's
actions, and recover downloaded files. We will generate attack traffic
with Scapy and monitor traffic with simple Python scripts.
We will practice using Zeek, the powerful network security monitor
formerly called Bro. We'll practice writing simple code to customize
Zeek, using it to analyze captured traffic, and then install it on a
cloud server and use it to detect live attacks.
Defending Windows
We will use many techniques to defend Windows systems, including
detecting ransomware with Sysmon and Splunk, RAM analysis, detecting
known malware with yara, and prefetch forensics.
We will use Velociraptor extensively for threat hunting on Windows
systems, finding malware and persistence mechanisms, scanning for
indicators of compromise, and capturing traffic remotely.
Windows Internals and Malware Analysis
We'll use many techniques to analyze the behavior of malware to find
indicators of compromise and understand the harm it does. We'll use
simple static analysis with strings, PE file analysis tools, and
packers. Then we'll perform dynamic analysis with debuggers,
disassembly with IDA Pro, and decompiling with Ghidra.
We will explore the structure of Windows executable files and the
operating system itself, to better understand programs, services,
malware, and defenses. We will explore the import table, perform DLL
injection and DLL proxying, and examine Windows API calls in userland
and the kernel in detail.
Projects include: cheating at games, building malicious DLL libraries,
stealing passwords from the API, building a keylogger, debugging a
driver, and writing custom shellcode. Tools used include pestudio, API
Monitor, Visual Studio, OllyDbg, IDA Pro, Ghidra, WinDbg, and the
Keystone Engine.
We will examine the MBR and a simple bootkit.
Takeaways for the students after completing the class:
* Use cloud technologies to detect and build automated responses against IAM attacks.
* Understand and mitigate cloud-native pivoting and privilege escalation techniques, and the corresponding defenses.
* Use serverless functions to perform on-demand threat scans.
* Use containers to deploy threat detection services at scale.
* Build notification services to create detection alerts.
* Analyze malware-infected virtual machines to perform automated forensic investigations.
* Define step functions to implement automated forensic artifact collection for cloud resources.
* Build cloud security response playbooks for defense evasion, persistence, and lateral movement.
Student skill level:
Beginner/intermediate.
- Previous experience with C and assembly language is helpful but not required.
What should students bring to the Training?
- A laptop computer and Web access. We will provide cloud servers for participants who don't want to run virtual machines locally.
Bios:
Sam Bowne has been teaching computer networking and security classes
at City College San Francisco since 2000, and is the founder of
Infosec Decoded, Inc. He has given talks and hands-on trainings at
Black Hat USA, RSA, DEF CON, DEF CON China, HOPE, and many other
conferences.
Credentials: PhD, CISSP, DEF CON Black Badge Co-Winner
Elizabeth Biddlecome is a consultant and instructor, delivering
technical training and mentorship to students and professionals. She
leverages her enthusiasm for architecture, security, and code to
design and implement comprehensive information security solutions for
business needs. Elizabeth enjoys wielding everything from soldering
irons to scripting languages in cybersecurity competitions,
hackathons, and CTFs.
Trainer(s) social media links:
Twitter: @sambowne, @DJHardB
Previous Trainings:
https://blackhat.com/us-21/training/schedule/index.html#full-stack-incident-response-22179
DATE: Aug 15th to 16th, 2022
TIME: 9am to 5pm PDT
VENUE: Caesars Forum Ballroom
TRAINER: Sam Bowne & Elizabeth Biddlecome
CERTIFICATE TEST AVAILABLE (45 minutes after class). Please purchase the Certificate test.
- 16 hours of training with a certificate of completion for some classes
- COVID safety: Masks required for indoor training
- Note: Classes that do not meet their minimum class size by July 15 will be canceled; please register early.
- Note: Food is NOT included.
Registration terms and conditions:
Trainings are refundable before June 25th; the processing fee is $250.
Trainings are non-refundable after July 1st, 2022.
Training tickets may be transferred. Please email us for specifics.
Failure to attend the Training without prior written notification will be considered a No-Show. No refund will be given.