Please Note: A BSides San Diego Badge is required to attend

Registration for tutorials is OPEN

Since capacity is limited, we do attach a nominal $5 fee to advance registration to prevent speculative registrations and limit no-shows. We will not keep a wait-list, but empty seats will be made available first-come-first-served at the start of the workshop.

If for any reason, this fee is a barrier to your attending, use the coupon code ‘IPROMISETOATTEND’ to register for free.


Informing Detection via Intelligence

by Joe Slowik @jfslowik

Oct 22nd 10:30am (90min)

Threat detection is hard! This talk will highlight how a combination of intelligence-driven research and analysis and iterative detection development can work for even the most ill-equipped or poorly-resourced organization. The central idea is to emphasize how security shops can use publicly-available information to drive threat detection and response within their environments and achieve good or desirable outcomes. This discussion will be very frank in acknowledging that an approach focused on "backward-looking" indicators and what they mean will likely fail in the face of the latest and greatest APT, but will emphasize that most organizations don't face such entities - and why a focus on more fundamental tradecraft elements can be significantly more beneficial for what defenders are trying to achieve.

Student Requirements: Students should bring a laptop

Bio: Joe currently leads Threat Intelligence and Detection Engineering at Gigamon. Previously, Joe worked in CTI at DomainTools and Dragos, and performed various roles in the US DOE and US Navy.

DevSecOps: The Inevitable Wave in the DevOps World

by Viraj Gandhi

Oct 22nd 1300 (90min)

Software is everywhere, and modern software consists of 80% open-source components; automation of software delivery has amplified security risks. Software supply chain security incidents have been growing tremendously, which has changed cybersecurity priorities lately. We have all heard of the SolarWinds attack and how it was a catalyst for the industry to start bringing security into the DevOps culture and securing the CI/CD pipeline.

This workshop will give the audience insight into what can go wrong when DevSecOps is not adopted in an organization, by going over a few well-known real-world attacks from the past, such as the NPM supply chain attacks, the SolarWinds attack, etc. Developers and DevOps engineers attending this workshop will take away key techniques for embracing a culture of DevSecOps and best practices on how to shift left rather than shift right. The workshop will help developers and DevOps engineers broaden their knowledge, start thinking about adding security to DevOps, and guide them on the path to DevSecOps.

Student Requirements: Students should bring a laptop

Bio: Viraj Gandhi is currently a Product Security Manager at SailPoint. He has successfully led “shift-to-left” transformations of security programs at various companies, including ServiceNow and SailPoint.

Hunt the Wumpus - Using Free Canarytokens & Opencanary to detect attacks

by Casey Smith @subTee

Oct 22nd 1445 (90min)

What can defenders do to prepare their networks in advance of an intrusion? How can they increase the likelihood of detecting adversaries in their organization? Honeypots have played a crucial role in detecting actual attacks over the years. This training will allow participants to explore free services like Canarytokens and Opencanary. We will work through example case studies where Canarytokens or Opencanary can work to detect unauthorized activity, despite all the other defensive products deployed. We also present ideas on how adversaries may alter behavior in the face of actual or perceived tripwires. How might an adversary change their approach, when they suspect they are operating in a network with many possible traps? This training offers lots of hands-on labs, and real-world practical examples.

Student Requirements: Students should bring a laptop

Bio: Casey Smith is a Senior Security Researcher at Thinkst Applied Research. He enjoys continually working to understand and evaluate the limits of defensive systems. His background includes security analysis, threat research, penetration testing, and incident response.

DC619 Learned how to overflow mainframe buffers and so can you!

by Soldier of FORTRAN (Phil) @mainframed767

Oct 23rd 0830 (120min)

Have you ever wanted to hack a mainframe? Have you ever wanted to get hands-on and do the impossible? This workshop will teach you how to do a buffer overflow on a real-life mainframe; what was once thought impossible is now possible. Using JCL, TSO TEST, C and some ingenuity, this workshop will walk through all the steps you need to overflow some mainframe buffers. After this workshop you'll be able to understand return registers, write some MVS machine code and see why mainframe hacking is just the coolest. This workshop is very hands-on and is done entirely on a mainframe using TN3270, TSO and JCL. Attendees will walk away with a better understanding of how buffer overflows work, how to cause abends and analyze system dumps, how to write JCL, and be able to claim they hacked a gibson!

Student Requirements: Students should bring a laptop

Bio: Phil, aka Soldier of FORTRAN, is a phreak and a hacker with over 10 years of mainframe hacking experience. He has taught mainframe hacking classes at BlackHat and Derbycon and has taught workshops at DEFCON. When he's not hacking the gibson he volunteers his time as a mentor.

How to get into Incident Response

by Greg Wood

Oct 23rd 1045 (45min)

This training talk will focus on the forensic skills and investigative mindset needed to build experience with host-based forensics and ultimately contribute to an Incident Response team.

1. Intro (tales from the trenches)

2. Windows Artifacts: File System, Registry, Execution, Persistence, Lateral Movement, Logs, Memory

3. Investigative Mindset: Interpreting Artifacts, Evidence Reliability, Direction / Actioning Next Steps, Documentation, Research

4. Questions

Student Requirements: Students should bring a laptop

Bio: Greg Wood is a Senior Manager with Mandiant leading a team of Incident Responders. He has led large investigations for Fortune 500 clients tracking threat actor activities throughout a variety of environments.

CALDERA 101: Intro to Adversary Emulation

by jyee

Oct 23rd 1045 (90min)

As threat actors targeting all industries have increased across the spectrum, it has become inherently important to test one's own cyber defenses in a systematic and repeatable manner. In addition, for many cybersecurity teams today, identifying potential threats is based mainly on ever-changing indicators of compromise rather than actual adversary behavior. That is where adversary emulation comes into play. By utilizing adversary emulation, one can streamline cybersecurity assessments, help defenders better respond to threat actors, identify gaps in defense, and make the process repeatable enough that any fixes can be tested again!

To that end, this training will use CALDERA, an open-source adversary emulation tool, to help you get started on your journey to becoming a better defender. We will go over what adversary emulation is and how it relates to the MITRE ATT&CK framework, then dive into using the software to deploy your own agents and run your own adversarial campaigns.

Student Requirements: Students should have a laptop with some kind of virtualization software available (preferably VirtualBox). Since the virtual machine is several GBs in size,. The software can also be downloaded from:

Bio: Jay Yee is a Senior Cybersecurity Engineer at The MITRE Corporation. He previously worked for NAVWAR engaging in network monitoring, incident response, and cloud security. He holds a CISSP, OSCP, GCIH, and an MS from the Naval Postgraduate School.