2022 Conference Information

The 2022 conference occurred on Sunday, January 16th.

| Time (CST) | Track 1 | Speaker | Track 2 | Speaker |
|---|---|---|---|---|
| 0850-0900 | OPENING REMARKS | Lesley Carhart | - | - |
| 0900-0945 | KEYNOTE | Elle Armageddon | - | - |
| 0945-1030 | Where the #$@! am I? Preparing to Take the Shot. | Andrew Lemon | Boring Solutions Are Your Friend – In Infosec And Painting | Fynn Fabry |
| 1030-1115 | Cyber Deception and Farm Fails | John Strand | Stop Committing Your Secrets and Improv Skills Everywhere! | Dwayne McDaniel |
| 1115-1200 | CLI Server Surveillance and Writing Your First Novel | Breanne Boland | Using ZAP to the MAX/Adding Tai Chi to Your Fitness Routine | Michael Taggart |
| 1200-1245 | What to look for in a manager, and pottery! | Dave Weinstein | Scanning for Sunday Sauce | Kevin Gennuso |
| 1245-1330 | Horror Movies, and Making Better Cyber Security Board Games | Max | OSEINT: Open Source (Emotional) Intelligence | Hudson Bush |
| 1330-1415 | Threat Detection Construction and the Evolution of LEGO | Joe Slowik | EHLO is that you? And the Land of the Golden Dragon | Catherine J. Ullman |
| 1415-1500 | Hack Yourself: A Blue Teamers guide to Beginner AD Hacks | Brandon | Structuring Intelligence Assessments and Gin Cocktails | Robert M. Lee |
| 1500-1545 | Where We’re Going we don’t need Secret Keys, or Store Bought Vanilla | Derek Held | Security Champions and Urban Gardening | Tanya Janca |
| 1545-1630 | How Bartending Made Me a Better Infosec Consultant | Ben Burkhart | SOC2 Intro and Mindfulness | Emily Gladstone Cole |
| 1630-1715 | Delicious Pretzels and Devious Packets | Randy Pargman | Difficult Lessons in Security Leadership Plus Low-Effort Crockpot Meals | Jasmine Hex |
| 1715-1800 | Basic RFID tag cloning and antique camera photography | Gabe Schuyler | Security Documentation & Intro to Leather Working | Tim / w00k |
| 1800-1845 | How to Get Involved in the Security Community and Preserving the Past for the Future | Dr. Meg Layton | Zero Trust Security: A Hype-free, Buzzword-free Introduction Grounded in Reality, and Sous Vide Cooking | Jason Garbis |
| 1845-1900 | CLOSING REMARKS / AWARDS | Lesley Carhart | - | - |

Talk Abstracts

What to look for in a manager, and pottery!
We know from research that the majority of the time an employee leaves a company, the reason is their interactions with their direct manager. And while the technology industry is notorious for “promoting” people to management with no training at all, to the degree that training is provided (either internally or through external resources) it is almost exclusively aimed at managers.

But even if you don’t ever want to be a manager, you ideally want to pick your manager throughout your career. In this talk, we look at things to look for in a manager, as well as warning signs to avoid. We’ll also touch on knowing when the right time has come for you to move on, and what to look for when making a move (internally or externally) to a new role.

After that, we’ll talk about pottery. You may have noticed that many of the senior people in technology have drifted from primarily technical or work-related hobbies and into arts and crafts. We’ll talk a little bit about that, but mostly, we’ll talk about making pottery as a way of letting your mind rest and relax. After all, it’s just fancy mud.
OSEINT: Open Source (Emotional) Intelligence
We are experts at information gathering when it comes to others and to our targets. In fact, most people are great at pointing out the flaws of others. But are you able to really analyze and learn about yourself? This talk applies the concepts of Open-Source Intelligence Gathering (OSINT) to ourselves and our emotional intelligence / self-knowledge. If our adversaries know more about our blind spots than we do, we’re in trouble.

In PancakesCon fashion, I’ll spend half of the time discussing how emotional intelligence, self awareness, meditation, mindfulness and other techniques can apply to your personal life, and your infosec life.
Threat Detection Construction and the Evolution of LEGO
Threat detection, also referred to as alerts or alarms, forms a central part of information security programs. Yet critical examinations of precisely how detection rules are constructed, their goals, and acceptable error rates remain rare. This talk aims to explore the fundamentals behind threat detection development, including differentiating rules along audience types, examining type 1 and type 2 errors, and how detection development feeds into threat hunting.

That said, we will also explore the topic of LEGO, particularly how the building bricks have evolved over time from monolithic structures of blocks to increasingly complex arrangements with architectural features not far removed from modern building design and construction. This conversation will build greater appreciation for how the bricks are assembled and how their arrangement has evolved over the past 30 years, with examples from the speaker’s own collection of items.
Using ZAP to the MAX/Adding Tai Chi to Your Fitness Routine
When testing web applications, most resources point you to Portswigger’s excellent Burp Suite as a testing proxy. But did you know there’s a powerful free and open source alternative that’s more than capable of finding and validating vulnerabilities in web apps? In Part 1 of this talk, we’ll review how to get ZAProxy set up for success, and some of the best tips and tricks for how to use it to maximum effect.

In Part 2, a spiritual sequel to my talk from PancakesCon 1, I gently introduce some Taijiquan (Yang style) basics, including the principles of movement, foundational postures, and an easy 8-step form that can be practiced in small spaces. As a long-time teacher and practitioner of Taijiquan, I’m passionate about spreading knowledge about this martial tradition.
Cyber Deception and Farm Fails
In this talk I will talk about practical deception organizations can set up very quickly with immediate blue team benefits. No expensive tools. No beta testing open source products. Just hacker tears.

For the farm part… Well, I have failed a lot in my infosec journey. But I have failed in so much more than infosec. In this part I will discuss the following:

Goats with diarrhea in my house, flying cows, almost getting killed by a backhoe, the joys of barbed wire, water ram pumps and how to explain farming accidents to ER staff.

The goal of this part of the talk is to let people know that failure is OK. It is part of the process. And, under the right circumstances…. It can be fun.

Except for the goat thing…
Structuring Intelligence Assessments and Gin Cocktails
Gain an introduction to cyber threat intelligence with a focus on how to structure (and use) intelligence assessments with proper confidence levels and sourcing. Additionally, the talk will cover a few super straightforward gin cocktails that you can make at home with only a few ingredients.
Where we’re going we don’t need secret keys, or store bought vanilla
In the past, if you wanted service to service authentication it meant storing and rotating secret keys or passwords. If you run workloads in cloud providers such as GCP, AWS, or Azure you can shed (almost) all the burden of managing service identity and authentication. Instead of storing and rotating special keys, rely on short lived tokens instead! Learn how cloud service providers have built their platforms so that you never have to worry about keys or passwords ever again.

Have you ever thought to yourself, “what if instead of paying $30 for a 16oz bottle of vanilla extract from Costco, I could pay more and have to wait weeks or months before I can use it?” Then you’ll love learning about making your own vanilla extract! Through different combinations of liquor and vanilla bean pods you can craft your own vanilla extract to bring a special flavor to the things you make.
SOC2 Intro and Mindfulness
SOC 2 is a compliance certification that a lot of corporations are interested in getting to show that they know about security. This talk will give a brief introduction to SOC 2, the 5 areas that a company can certify in, and why it’s the easiest compliance certification to start with.

Mindfulness is a practice of being aware of, and centered in, your body. It can help you relieve tension, and deal with stress. We will go over at least one mindfulness exercise during the presentation.
Delicious Pretzels and Devious Packets
In this talk, I will show how to bake delicious soft pretzels at home and demonstrate methods for defenders to hunt devious network traffic such as domain fronting to disguise attacker traffic as normal packets to trustworthy domains and legitimate CDN IP addresses.
Security Documentation & Intro to Leather Working
Reporting the details of a security incident needs to be clear and concise, while still telling the whole story with enough detail. The computery portion of the talk will provide some tips about framing the narrative, what details to include or omit, and how to include screenshots that accentuate the story.

I came into Leatherwork through an industrial arts school, and will share some of the basics to get started with the fun craft. I’ll walk you through choosing which leather to use for your project, the multitude of ways to stamp patterns, and how to measure twice and still mess up the cut… I’m still learning and would love to share!
How to get involved in the security community: preserving the past for the future
There’s a 1675 letter by Isaac Newton: “If I have seen further it is by standing on the shoulders of Giants.” A large part of this sentiment is having other folks lift you up to take you further. The infosec community is a great way to do this – and making sure you preserve your learnings is a great way to lift others.

Get involved in the community is a popular response when folks ask “how can I learn more about security”. But that response seldom answers the “how?” for people who are just breaking into the field. It’s almost like you need the secret decoder ring to be able to break into the secret decoder community. The wonderful thing about the field is that it is constantly changing, which means everyone has something to contribute! Join this talk to learn how to identify your community, immediate actions you can take and contributions you can make and get involved today.

Stay with this talk to learn more about preserving the past for the future. We’ve all heard the saying that once it’s on the Internet it’s there forever… but computers and the Internet don’t always apply the best context. As Rupert Giles would say, “Books smell. Musty and rich. The knowledge gained from a computer, it has no texture, no context. It’s there and then it’s gone. If it’s to last, then the getting of knowledge should be tangible, it should be…smelly.” Properly preserving and archiving your pictures for the future gives everyone something to look at – even when the power goes out – and it can help connect you to folks when you don’t get a chance to see them in a long while. Scrapbooking teaches us with minimal tools and just a little perseverance, you can capture memories in tangible ways for the future.
Hack yourself: A Blue Teamers guide to Beginner AD hacks
I will open my talk with a magic trick that uses a dollar bill as a metaphor for your on-prem Active Directory. “Your AD is perfect, clean, free of any blemishes” I will say, “or maybe it looks more like this”. I crumple, tear, rip, and throw away a portion of the dollar. I then explain that it is only by better investigating your AD, that you can make it whole again. The dollar has returned to normal.
This talk is based off my first Adversary Emulation performed as a Blue Teamer. The talk is geared towards small companies or Jr. Administrators looking to get started with security. I will walk the audience through my own steps and findings. I begin with light AD enumeration using the “net” and “dsquery” commands, followed by attempts at remote executions to dump hashes using Metasploit hashdump and mimikatz. I also use Impacket’s GetUserSPNs.py to dump SPN hashes. Finally, I’ll discuss persistence techniques such as local account creation, scheduled tasks, and sticky keys redirection.
During this phase of the talk, I will explore some of the things that surprised me to find. For example: As a Windows veteran, and employee of 10 years, I did not realize how visible all of AD is to domain users. I also did not fully realize how easily an adversary with local administrator could create vulnerabilities that could put Domain Admin accounts at risk. The biggest #facepalm I found was that THE Domain Administrator account had been set up as an SPN and never removed. Any domain user could have the hash of my most precious account. I hope the audience is inspired to responsibly test their own domain by hacking themselves.
The second phase of my talk will focus on MAGIC. Several years ago I started learning card tricks as a hobby and I love sharing them with my family, friends, and attempting to wow my children. For this section I will perform and explain three simple tricks that anyone can learn. For the first trick I will teach everyone how to “force” someone to select a specific card. In the second trick, I will demonstrate how to control that card to the top of the deck. Lastly, I will perform a trick called “The Pancake”. I’ll let that one be a bit of a surprise. For the more “fidgety” crowd, I will also demonstrate a few card spins and flips to occupy idle hands.
Zero Trust Security: A hype-free, buzzword-free introduction grounded in reality. Also, Sous Vide cooking.
Part 1:

In just the last two years, Zero Trust has moved to the forefront of information security, and become a major shift in the way that enterprise security architectures are designed, deployed, and measured. It’s also become a marketing buzzword, overused and abused to the point where industry professionals may doubt its value.

This presentation will provide some history and context around Zero Trust, and explain the substance behind the hype. The reality is that when approached properly, Zero Trust represents a transformation of security principles, technology, and processes, with a unified policy model and set of enforcement points across a heterogeneous technology landscape. That is, Zero Trust focuses security efforts, is holistic and integrated by design, and eliminates silos and weaker technologies.

However, because Zero Trust is a set of security principles rather than an architecture, each enterprise must define their own pathway along a sometimes-perilous Zero Trust journey. Zero Trust can be complex and challenging – this is because our enterprises are complex, and Zero Trust is essentially modeling them from technology, access, and process perspectives. And yet, Zero Trust is a demonstrably better way to approach information security, delivering better outcomes for both security and the business, so there is an increasing imperative to adopt it.

After this presentation, attendees will

• Understand the core principles of Zero Trust security, and why it’s important to adopt them now
• Be able to see where a Zero Trust security approach can provide security and operational benefits to their enterprises
• Understand the ways in which their organization can quickly begin a Zero Trust journey, integrating with and enhancing their existing IT and Security infrastructure
• Be able to begin researching and learning more about Zero Trust from credible and platform-neutral sources

Part 2: Sous Vide Cooking: Food Safety

I love cooking for my family, especially using the sous vide cooking method – it’s super-precise, but also very forgiving. And, it’s easy to get started inexpensively. In this session, we’ll briefly introduce the sous vide cooking method, then dive into a discussion of time and temperature – as it affects both cooking and elimination of dangerous bacteria.

After this presentation, attendees will
• Understand the sous vide method of cooking
• Be able to navigate the time and temperature chart for food safety
• Be ready to try sous vide cooking themselves
Security Champions and Urban Gardening
With security teams being vastly outnumbered, many organizations have responded to this challenge with different program scaling methods, including building security champions programs. Which leads us to questions: How does a security champions program work? How do you select your champions? And once you have them, what do you DO with them?

This session will teach you:
• How to attract the right people to your program
• What and how to train them
• How to engage them, and turn them into security advocates
• What to delegate and what NOT to delegate
• What to communicate, how often and to who
• How to motivate them
• How to build an AMAZING security champion program

This talk will ALSO teach you how to make a basic urban garden. You live in an apartment and only have a balcony? NO PROBLEM. You have a super-tiny lawn? NO PROBLEM. Let’s grow some food!
How Bartending Made Me a Better Infosec Consultant
After having worked for 8 or 9 years in some of <REDACTED BIG CITY>’s most esteemed cocktail bars, I made a drastic career transition into information security. After working as a pentester and consultant, I was shocked at how much my fine dining and bartending experience helped inform my work as a consultant. This talk helps draw comparisons between the steps of service within the hospitality industry and how they can be applied to consulting. Working for a managed service provider means that infosec consulting is, in a roundabout way, very much like working in the service industry. This talk is also helpful for junior professionals or individuals looking to break into the field as it helps reframe soft skills and other non-technical work experience with a consulting and security-focused context.

The second half of this talk will segue into craft cocktail basics, including a quick intro on tools and techniques, then a deeper dive into the base ratios that make up a vast number of classic cocktails, as well as tips and tricks for improvisation and continued learning. I’ll also probably share some of my favorite recipes and bar stories from over the years if time allows and would love to answer viewer/listener questions.
Scanning for Sunday Sauce
The first portion of this talk will be an intermediate-to-advanced overview of Nmap. It won’t just focus on simple port scanning, but also strategies, script usage, output formats and adjacent tools. We will then use Nmap to discover the Sunday Sauce recipe and walk through how to make a gravy good enough to impress Tony Soprano.

Difficult Lessons in Security Leadership Plus Low-Effort Crockpot Meals
When I finally became the leader of a small security function at a rapidly-growing startup in August 2020, I had to hack my way through a lot of leadership lessons the hard way. In many cases, I wish someone had told me what to expect before I took the helm as a baby CISO.
While I prevailed in passing 3 security compliance audits on a shoestring budget and scaling security, I wouldn’t say it was painless. Discover the secrets of real-world CISOs in the trenches before you’re in a security leadership role – especially if, like me, you’re an individual from an underrepresented background.
Learn why individuals with a sterling work ethic and analytical mindset often find themselves woefully unprepared to create relationships with the C-Suite, and the importance of setting boundaries between work and professional life. Discover the business security metrics that executives care about, how to embed security into the sales lifecycle with world-class security assurance efforts, and last, how to know when it’s time to cut bait and grow your career elsewhere.
And with those lessons in mind, you will also learn how to feed yourself and your partner (or housemates) with minimal effort – I’ll present a series of truisms and tactics for assembling a crockpot meal in between Zoom calls that won’t necessarily look perfect but will taste delicious and minimize your spend on delivery meals. I’ll share recipes and photos for Wild rice hot-dish, epic tater tot casserole, tortilla soup, and cabbage soup – while also linking to a Github repo with full recipes. Together, we’ll feed your security leadership career and your face!
CLI Server Surveillance and Writing Your First Novel
With the command line, you have great server surveillance tools available to you – without bringing Kali into the mix. The first half of this talk will cover using curl, nmap, netcat, ping, traceroute, whois, and dig to figure out what a server is supposed to be doing, what it’s actually doing, and possible vulnerabilities to investigate further. You’ll learn at least one concrete way to use each command with plenty of resources to keep you going.

In the second half, we’ll talk about why anyone who wants to write a novel can do it. We’ll look at the mindset and process shortcuts that can help you – yes, you! – write a first-draft novel, including mindfulness, how to observe themes and writing tics without slowing yourself down, and how to pursue joy as you rack up your word count. We’ll also touch on scheduling, accountability, and how to start finding a writing community.
Boring Solutions Are Your Friend – In Infosec And Painting
When you first look at a field – be it infosec or fine arts or whatever – you see the rockstars, the ones who made it, and you might get convinced, that these are all that field needs. In this talk, I beg to differ.

In this first part, I want to discard that idea that many, especially new-joiners, have that to make a difference in infosec, you have to be a hacker-prodigy with 100 CVEs to your name and five top tier research papers on new exploit techniques. Not only is that in my experience not needed, but what the companies I worked with needed were people who are ready to do the blatantly obvious and boring tasks. So as an encouragement for those who might still be unsure if they are needed, I want to highlight some tasks that would save several large companies’ butts – if anyone had the grit and patience to pull through on them instead of looking for the next rockstar gig.

When it comes to art, I want to highlight the individual approach and what kind of (boring and tedious) grunt work is and always has been the invisible foundation of any artist you’ve ever admired a painting of. In my experience, people try “art”, dismiss themselves as untalented or not creative enough and give up. The truth is, especially at the beginning you have lots of exercises to do that require neither talent nor creativity but just the willingness to keep going when you think you’re not good enough (yet). I’ll show and demonstrate what these things are, how progress on these tasks looks and how you can throw in some motivating indicators of progress.
Basic RFID tag cloning and antique camera photography
Take a trip through two parts of the electromagnetic spectrum, first with radio (RFID) and then visible light (film).

We’ll start with an introduction to Radio Frequency IDentification (RFID) tags/cards/keys. How do they work? What shapes do they come in? What frequencies do they operate on, and what chips will you find inside? Then, we’ll take a practical look at cloning some common ones.

Next up, the visible light part of the spectrum. Before camera phones, film photography converted light into a lasting record of a moment. First, we’ll take a quick look at the evolution of film cameras over the last century. Then, stepping back into the twenty-first, we’ll look at currently available film formats, processors, and how to get started reviving a cheap antique camera. It’s easier than you think!
Where the #$@! am I? Preparing to take the shot.
You just got access to a customer’s VPN and you’re on the network. Where do you start? My talk covers the enumeration process and getting your bearings to determine where you will attack. This covers initial enumeration to DA. The other half of the talk includes how the preparation is the same for long range shooting and being able to hit a steel plate a mile away. I’ll be comparing the concepts side by side. This will include atmospheric/network conditions, identifying targets, lining up your shot and finally how to correct when you miss.
Stop Committing Your Secrets and Improv Skills Everywhere!
Stop Committing Your Secrets

No one wants their keys and secrets on GitHub, but one bad push can mean you are suddenly exposed. Best case you know and fix it, worst case you don’t find out until it is far too late.
While most devs are familiar with using .gitignore files to prevent Git from tracking specific files and folders, did you know that you can leverage Git hooks and some open source tools to keep you from accidentally committing your secrets inside files Git is actively tracking?

Improv Skills Everywhere!

If you say the word “improv” to most folks, you might get a cringy look from those who are afraid they will invite you to an improv show. Most folks immediately associate it with comedy, thanks to the popularity of shows like “Whose Line Is It Anyway?”
However, improv in its truest form is a way to unleash creativity and give yourself permission to think more freely. It can turn confrontations into pleasurable exchanges and get you out of your own way. In this talk we will walk through several easy to do at home exercises and hopefully get everyone to start seeing the world a little differently.
Horror movies and making better cyber security board games
Non-technical audiences can’t tell apart real horror movie titles from the names of major vulnerabilities like SMBGhost, Meltdown, Heartbleed or PrintNightmare. Thus, we can gain insight into the current horrors of ransomware and other cyber attacks by first looking at PG-13 horror film posters. We will start with Nosferatu, a classic vampire flick from 1922, and end with a horror poster from 2022.

Target audience: intrigued by 100 years of horror movie history or in dire need of new cultural references to make at parties.

Speaking of parties – did you ever play a cyber security board game? Not the funny ones with a mix of cyberpunk, the serious ones! Where you are expected to learn something new about cyber security. I did. They are horrible. We will develop a concept for better cyber security board games by reflecting upon current cyber security management practice, in Germany. We will talk about ISO27001, three lines of defense and ransomware in health institutions.

Target audience: eager for a security analyst or risk compliance specialist position or in dire need of more board games to hoard.
EHLO is that you? And the Land of the Golden Dragon
As a defender, I’m often asked “Is this message legitimate?” As attackers become more clever, determining the legitimacy of email messages can be a real challenge. And, after we spend time discerning fraud in digital technology what better way to get away than in the second part of the talk where we return to a time before it all existed? The first part of this talk will examine e-mail headers and how to determine legitimate messages from those that could lead to fraud or identity theft. The second part will explore what it’s like living in the Current Middle Ages as a member of the Society for Creative Anachronism.