Registration for AvengerCon VI Workshops, Villages & CTFs is now closed!

Registration for AvengerCon VI Workshops, Villages & CTFs is now closed!

Date: November 29-December 1, 2021 | Location: Physical at DreamPort, and Virtual

NOTE: All registrants must be registered to attend the conference at avengercon.com & to a .mil or .gov email address is required to register for the workshops, villages & CTFs.

Attend a workshop while at AvengerCon VI. Workshops, Villages & CTFs will be held on November 29 at the DreamPort facility in Columbia, MD.
NOTE: This is just a request to reserve a seat in the workshop. You will be notified within 24 hours if the seat has been reserved for you.

By registering for a workshop you are allowing for your information to be shared with the individuals and/or organization providing the workshop. Also, if you are coming onsite you will adhere to any and all COVID-19 guidelines.

If you wish to sign up for more than one village from the designated time blocks (0900-1200 & 1300-1600), please submit a new form with a different village selection. PLEASE DO NOT REGISTER FOR WORKSHOPS AT CONFLICTING TIMES. If you do register for workshops that occur at the same time, you may be removed from both workshops.

Registration is now closed.

Abstract

Are you brave enough to try and fight back against a live ransomware infection in a Windows network? You will be pitted against our latest malware sample Alastor in a live environment and charged with trying to stop the infection from spreading and trying to recover the critical files that have been lost.

Participants will be asked to assume the role of a forensic investigator or malware analyst and placed in a live virtual Windows 10 environment. The Alastor infection will launch without warning and participants will be divided into two groups:

Forensic Investigators:
The forensic investigator must be able to examine a live system that has been infected or where an infection just took place. They should use forensic techniques to attempt to identify the malware that caused the infection. The forensic investigator should be able to examine network communications to identify any Internet connected assets the malware may communicate with during infection for command and control. The forensic investigator may be required to examine C2 servers to identify vulnerabilities that could be leveraged to gain access and identify decryption details. The forensic investigator should be able to develop indicators of compromise for an active infection and hopefully develop mitigations to prevent any further infection such as firewall restrictions or Windows Defender security policy changes.

Malware Analysts:
The malware analyst should be able to examine a Windows binary without uploading to VirusTotal or any Internet connected virus scanner or sandboxing site(s). They should be able to identify embedded strings, instructions, configuration files and ideally identify embedded code. The malware analyst should be able to identify indicators of compromise and write pattern matching rules or signatures that they can share with future investigators or examine other systems for potential infections.

These groups need to work together to attempt to stop active infections and prevent spread of Alastor to new hosts within the environment. They will need to study the infected hosts, the network communications and the actual malware samples themselves if they can identify them. We will provide guiding hints to help move the story along but may also inhibit the investigation if we find skilled participants are going to rush to a solution alone without helping their team solve the problem.

Abstract

In Part 1 of this workshop, we'll dive into some of the differences between on-premise and cloud environments. We'll look closely at how organizations can help address one of the largest risks faced when moving to the cloud: a lack of visibility. Traffic acquisition in the cloud has traditionally required complex network architectures or 3rd-party software agents running on individual endpoints. However, new capabilities have been made available by cloud service providers that offer unprecedented access to network communications using the Software Defined Network itself for packet acquisition. We'll describe this new capability, how its configured, deployed, and operationalized. We'll examine some best practices and lessons learned to keep in mind when planning a cloud network defense strategy that includes network traffic analysis.

In Part 2 of this workshop, we'll pivot to analyzing PCAP samples using PacketTotal.com (PackeTotal). PacketTotal is a free cloud service based on Zeek and Suricata for static packet-capture (PCAP) analysis. The service equips cybersecurity researchers and analysts, with a database of over 100,000 indexed PCAP samples uploaded by the security community for contextualizing malicious network behaviors and cybersecurity alerts.

The solution facilitates the community sharing of traffic samples and allows researchers to search for indicators of compromise, download the corresponding network traffic, and see examples of how malware communicates across a variety of environments. PacketTotal's emerging search API also allows researchers to find PCAPs containing any domain name, IP address, malware strain, protocol used and discover relationships between PCAPs including common malicious traffic characteristics.

During Part 2 of this workshop, we will demonstrate how PacketTotal uses Zeek and Suricata to extract evidence relevant to security investigations, and how it can be integrated into security processes through the open-source SDK.

Instructors' Bios

Jamin Becker is the Chief Technology Officer at Dynamite Analytics and has worn many hats during his career, ranging from security operations to software engineering. Jamin is the maintainer of several open-source projects related to network analysis and began developing PacketTotal in 2015 when he noticed there was no easy way for security researchers to quickly analyze and share malicious network traffic. Since then, he has continued to maintain and extend the capabilities of PacketTotal for the benefit of the security community.

Adam Pumphrey is the Chief Operations Officer at Dynamite Analytics. He has worked in cybersecurity for over 20 years specializing in network traffic analysis, threat detection, forensics, and incident response. Adam spent his early career creating and leading security operations teams for the federal government before transitioning to the private sector where he now focuses on technology integration, solution engineering and customer success.

Abstract

The Cyber Policy Simulation is a 3-hour table-top simulation designed to encourage and empower students to practice cyber policy-making skills in real-time. The cyber policy simulation will allow cadets and students from many different backgrounds to role-play and work collaboratively as important stakeholders and U.S. government agencies to define problems, operationalize resources needed to achieve policy objectives, assess effects of certain policy objectives and replicate real-world environments.

Instructor Bio

LCDR Odunukwe is a Cryptologic Warfare Officer (CWO) who is assigned at the Naval Academy as a Junior Permanent Military Professor. LCDR Odunukwe served as a Division Officer within the Navy Information Operations Command (NIOC), Maryland and as the Regional Targets Watchfloor Officer in the National Security Agency Operations Center (NSOC), from August 2006 to October 2009. She completed her tour at NIOC Maryland and reported to Navy Cyber Warfare Development Group (NCWDG) in Suitland, Maryland in October 2009. While at NCWDG, she served as an Acquisition Officer and was responsible for the management and technology development of two multi-million dollar antenna system Research and Development (R&D) projects. LCDR Odunukwe completed her tour at NCWDG in July 2012, and reported as the IWO in USS NITZE (DDG 94) in September 2012 where she was responsible for the cryptology, electronic warfare, and intelligence warfare areas. She completed USS NITZE's 2012 ENTERPRISE Carrier Strike Group deployment to C5F/C6F, and NITZE's 2013-2014 Scan Eagle Deployment to C6F. Onboard USS NITZE she attained her Officer of the Deck Underway (OOD U/W), Surface Warfare Coordinator (SUWC), and Combat Information Center Watch Officer (CICWO) qualifications. Upon completion of her tour in USS NITZE, she reported to OPNAV N2/N6F3, Integrated Fires for the Deputy Chief of Naval Operations for Information Dominance (OPNAV N2/N6) in July 2014 where she is assigned as a Requirements Officer until July 2016 where she was responsible for the programming, planning, budgeting, and execution of three Navy programs within the Integrated Fires portfolio. She now is serving as a JPMP in the Cyber Science department teaching courses in the technical fundamentals of cybersecurity. LCDR Odunukwe's personal awards include the Joint Commendation Medal (one award) and the Navy and Marine Corps Commendation Medal (three awards).