OCTOBER 19th, 2018 | Durham, NC


...a community-driven framework for building events for and by cyber security community members.


Security BSides is a community-driven framework for building events for and by cyber security community members. The goal is to expand the spectrum of conversation beyond the traditional confines of space and time. It creates opportunities for individuals to both present and participate in an intimate atmosphere that encourages collaboration. It is an intense event with discussions, demos, and interaction from participants. It is where conversations for the next-big-thing are happening.

Security is top of mind across the entire sphere of IT and the world beyond. Therefore, more people and organizations are interested in the next new thing in security. BSides is the place where these people come to collaborate, learn and share.

With many tech-companies, colleges and universities in Raleigh, Durham, Chapel Hill and surrounding areas, it is also an international center of innovation in the security industry.

Security B-Sides Raleigh-Durham (B-Sides RDU) is proud to have had great speaker lineups at our events including keynotes by Dan Kaminsky, Dave Kennedy, Paul Vixie, BenTen, Jay Beale, G.Mark Hardy, and for B-Sides RDU 2017: Cliff Stoll.




Talk Name

8:00 start



8:30 - 8:45


Welcome & Opening Remarks

8:45 - 9:45

Shahid Buttar

Keynote from Shahid Buttar, EFF Director Of Grassroots Advocacy

9:50 - 10:35


Approaching Parity: Considerations for adapting enterprise monitoring and incident response (IR) capabilities for efficacy in cloud environments, and how to operationalize these capabilities with a playbook.

10:45 -11:30

SleepZ3R0 and HA12TL3Y

Movement After Initial Compromise


Joel Lathrop Our Docker app got hacked. Now what?




2:05-3:05 Matt Martin & Panel Guests

Preparing for and Involving Law Enforcement In Breach Response



Sky-high IR - IR at Cloud Scale


Sam Granger

When it rains it pours


Neal Humphrey

Rise of the Advisor



Break for Social Hour Talks and Hacker Jeopardy


Ron Burkett No Network Needed?!?!


Justin Hoeckle WarGames


Staff Hacker Jeopardy



For a word that appears nowhere in the U.S. Constitution, privacy holds outsized—and underappreciated—significance to constitutional rights. Why does privacy matter, and how does its erosion undermine not only constitutional rights but also democracy in America writ large? Beyond exploring and applying constitutional theory to topics from mass surveillance to police militarization, we will also discuss how concerned Americans are already taking action every day to reclaim freedom of expression in an era of arbitrary surveillance.

About Shahid

Shahid leads EFF's grassroots and student outreach efforts. He's a constitutional lawyer focused on the intersection of community organizing and policy reform as a lever to shift legal norms, with roots in communities across the country resisting mass surveillance. From 2009 to 2015, he led the Bill of Rights Defense Committee as Executive Director. In 2018, Shahid ran for Congress, seeking to represent California's 12th congressional district in the U.S. House of Representatives.

After graduating from Stanford Law School in 2003, where he grew immersed in the movement to stop the war in Iraq, Shahid worked for a decade in Washington, D.C. He first worked in private practice for a California-based law firm, with public interest litigation projects advancing campaign finance reform and marriage equality for same-sex couples (as early as 2004, when LGBT rights remained politically marginal). From 2005 to 2008, he helped build a national progressive legal network and managed the communications team at the American Constitution Society for Law & Policy, before founding the program to combat racial & religious profiling at Muslim Advocates in 2008.

Outside of his work at EFF, Shahid also DJs and produces electronic music, writes poetry & prose, kicks rhymes, organizes guerilla poetry insurgencies, plays capoeira, speaks truth to power on Truthout, occasionally elucidates legal scholarship, and documents counter-cultural activism for the Burning Man Journal. He also serves on the Boards of Directors of Defending Rights and Dissent, the Center for Media Justice, and the Fund for Constitutional Government.

Approaching Parity: Considerations for adapting enterprise monitoring and incident response (IR) capabilities for efficacy in cloud environments, and how to operationalize these capabilities with a playbook.


There is no denying the ubiquity of cloud computing, and for most organizations, Infrastructure as a Service (IaaS) in particular as the new norm. The model for cloud security is typically a shared responsibility between the provider and the consumer, which really means the consumer is ultimately responsible. Whether your infrastructure is completely hosted, is partly hosted, or is soon-to-be hosted in the cloud, your security posture must adapt appropriately if your monitoring and Incident response capabilities are to remain effective.

Developing an accurate view of nefarious activity in cloud environments still requires the multi-layered approach it did in the enterprise; however, it must adapt to include sources such as Amazon Web Services (AWS) CloudTrail IaaS logs, VPC Flow logs, endpoint logs, and more. This data must be captured and arranged in a manner to make it actionable, requiring you to have a plan for the IR lifecycle—even though you might not own the mitigation process.

Approaching Parity is a talk about adapting your security posture for monitoring and IR in IaaS environments, through native capabilities, third-party products, via workaround, or any combination of the three, and then operationalizing this telemetry with the CSIRT playbook. Though this talk provides AWS IaaS examples, the topics presented are applicable to other IaaS providers too.

About Matt

As an information security practitioner with 20 years of IT experience, Matt helps protect Cisco’s network and assets as a first responder on the Computer Security Incident Response Team (CSIRT). Matt shares his monitoring and incident response expertise with the InfoSec community by participating in groups such as the Defense Security Information Exchange (DSIE) and the North Carolina InfraGard. Matt’s hobbies include making his own sauerkraut and competitive rifle shooting, both activities that have absolutely nothing to do with information security.

Movement After Initial Compromise


Once a system is compromised there are many avenues to consider. It brings up a lot of questions. Who am I on this network? Where am I in this network? Can I move to another system with my current permissions? Can I privilege escalate on my current system? We are going to go over enumeration utilizing “living off the land” techniques and on tools that an attacker can use for enumeration. Examples of some tools that we will go over for enumeration are SharpHound, Powersploit’s collection of Microsoft Powershell modules and others.

We will then go into what is Port Forwarding and why it is useful. Then we will show several ways to execute Port Forwarding. We will have video examples for utilizing SOCKS in Cobalt Strike and SSH port forwarding techniques. Once enumeration is done we will go over how to move to another system on the network. We will provide multiple examples such as; WMIC, Psexec, AT, Schtasks, WINrm, Remote Registry, DCOM, Multi-relay, SMB-relay. Screenshot and videos will be provided during the talk. The last part we will go over is how to detect or attempt to protect against these techniques that attackers implement.

About Matt Batten

Red Team Security Engineer conducting Red Team operations and penetration tests for SixGen. Matt has seven years of experience in the information security field and operated on an NSA Certified DOD Red Team. U.S. Marine Corps Veteran that specialized in Signals Intelligence. Current certifications include, CISSP, OSCP, CEH, and more.

AboutCollyn Hartley

Persistent Cyber Operator for NSA Certified DOD Red Team. Where my main focus is lateral movement and persistent access in a variety of DOD networks. My current certifications are CEH, Sec+, Net+, Linux+, OMA, WEA, and SANS511.

Our Docker app got hacked. Now what?


Someone deployed their application as a Docker container. Then another someone came along and hacked it. Now everyone is looking at you asking, "How did this happen? What did the attacker do? How do we stop this from happening again!?" If this were a normal physical server or VM, it'd be no problem: you'd just crack open traditional forensic tools and start building a forensic history from the disk image. But this is a Docker container... and your tools don't know what Docker containers are. So now what?

In this talk, we'll go over what a Docker container looks like from a forensic viewpoint. We'll dig into how you can get access to the underlying disk/filesystem data of a compromised container and which existing forensic tools that you may already use can still apply. We'll also cover what new forensic opportunities Docker provides and new metadata that can be extracted that wouldn't be available on a conventional system. When we're done, you'll know how to tear apart a Docker container and get all those people turning to you the answers they need.

About Joel Lathrop

Joel Lathrop spent his childhood developing computer software, a path which eventually led him into the field of cybersecurity. Beginning with work in developing distributed systems for ensuring privacy and anonymity, he picked up an interest in cryptography which led to an M.S. focused on cryptanalysis. Delving deeper into the subfield of threat intelligence, Joel has applied his occasionally unorthodox approach to reverse engineering and forensic analysis toward research into topics such as malware counter-exploitation, malware obfuscation evolution, and botnet neutralization.

In what spare time he has, he enjoys keeping up with advances in programming language theory, cryptography, and distributed systems design as well as attending the occasional opera.

Security Automation for the Blue Team


Supposedly, there's a shortage of Information Security professionals. Some people agree while others disagree. However, there is one thing most infosec professionals will agree on… and that is the fact that we all run around like our hair is on fire because we don't have enough resources to accomplish everything that needs to get done. I know this is the case for most infosec people I talk to. Even if we get an additional headcount, our list of compliance check-boxes, projects, and daily responsibilities keep growing at a phenomenal pace. How do we keep up with this fast-paced growth, insane workload, alerts out our ears and no end in sight? One of the best ways to make a big impact is through automation. Whether you have a massive budget or no budget at all, I will discuss your options and how to start the automation journey… or improve upon what you already have. I'll talk about using existing tools, creating your own scripts, using API's and even the latest fad in security automation, SOAR (security operations analytics and reporting). We will discuss how to determine what you should automate first, automation use cases in infosec, and how to tell if there’s something you shouldn’t automate. Let's face it, we are over tooled and understaffed… We need automation to help us out.

About Eric Waters

Eric Waters has been an Information Technology professional for over 20 years. He spent almost 10 years in technology management before deciding to concentrate on Information Security full time. He specializes in internal penetration testing, security monitoring, and security automation. He holds a Bachelor of Science in Information Security, GPEN, and is a member of the GIAC advisory board.

You Can't Dial 911


A panel discussion on engaging law enforcement in the incident response process before and after a breach. Cyber incidents that impact business, steal intellectual property or cause financial or other loss happen every day. Do you know when to call Law Enforcement, how to work with them, and what to expect from them? In this panel, moderated by United States Attorney Matt Martin, members of the FBI, US Attorney’s Office, and Cisco will share insights on when you should engage Law Enforcement, what you should do in preparation for making the call, what you should expect in response, and lessons learned of how NOT to do it.

About The Panelists

Mike Scheck is the Director of the Cisco Computer Security Incident Response Team (CSIRT). The CSIRT is a team is responsible for monitoring, investigating, and mitigating all computer security incidents on Cisco's corporate network, hosted solutions, clouds, and new ventures. There are over 90 team members within the Cisco CSIRT that are responsible for Analysis, Investigations, Engineering and Threat Intelligence. Mike moved to the Cisco CSIRT in 2004 as an investigator after working for several years in Cisco IT as a Unix system administrator. During his time in the Cisco CSIRT Mike has worked as Lead Investigator, Threat Intelligence team lead, and Manager of the Global Investigations team. Prior to Cisco Mike worked as a Unix Consultant, and was in the infantry as a member of the U.S. Marines.

Supervisory Special Agent Jessica Nye is the current Supervisor of the FBI Cyber Squad in Raleigh, NC. Prior to her arrival in North Carolina in 2015, Ms. Nye spent eight years working in the Baltimore Field Office on their Cyber Squad and two years at FBI Cyber Division Headquarters in Washington DC. She has significant experience working cyber-related matters including computer intrusion investigations, intellectual property (IP) rights violations, theft of trade secrets, economic espionage and other investigations.

Anand Ramaswamy is an Assistant United States Attorney in Greensboro, North Carolina, prosecuting cybercrime and human trafficking. AUSA Ramaswamy attended the University of North Carolina at Greensboro before receiving his law degree from the University of North Carolina at Chapel Hill. He served as an Assistant District Attorney, prosecuting for the State of North Carolina for eight years before joining the U.S. Attorney’s Office in 2007. He is a board certified specialist in state and federal criminal law and vice-chair of the Criminal Specialist Committee of the North Carolina State Board of Legal Specialization.

Matt Martin serves as the United States Attorney for the Middle District of North Carolina, the chief federal law enforcement officer responsible for federal prosecution in the Middle District. Before becoming US Attorney, Mr. Martin was Associate General Counsel for Duke Energy Corporation and, previously, a partner at Smith Anderson law firm, where he focused on complex litigation. Prior to joining Smith Anderson, Mr. Martin practiced with the law firm of Covington & Burling in Washington, D.C. Mr. Martin has served on the boards of the Food Bank of Central and Eastern North Carolina, Marbles Kids Museum, and Meals on Wheels of Wake County. He received both his B.S., with honors and highest distinction, and his J.D., with high honors, from the University of North Carolina at Chapel Hill.

Sky-high IR - IR at Cloud Scale


Does your organization plan ahead for Incident Response events? Have you accounted for the unique challenges that diverse cloud environments present to incident responders? In this talk, we'll explore the tactical, strategic and even the legal implications of conducting incident response operations in public, private, and hybrid cloud environments.

We'll look at supporting architecture, scenarios, and industry trends as well, with the goal of arming you with information and knowledge to conduct IR in the cloud. Finally, we will look at critical components, tools, and crown jewels to discuss how they could be compromised leading to derailing your (or your client's) IR processes.

About Aaron

Aaron is a trusted and results-oriented InfoSec professional with over 15 years of cyber security experience for diverse organizations in healthcare, federal government, software, energy and defense industries. Aaron specializes in managed security and assessment services including managed detection and response, strategic and technical assessments, and training.

Aaron is also a graduate student at the SANS Technology Institute™ where he is studying Penetration Testing and Ethical Hacking. Aaron often speaks at security bsides and other conferences, in a quest to the InfoSec community a better place through sharing experiences and information resources acquired over the years. Aaron enjoys professional networking through ISSA, playing guitar, and flying drones in his free time.

When it rains it pours


When it rains it pours. Connected devices will expand to over 20 billion devices by 2020. With the speed of adoption for Internet of Things it is no surprise that even the most basic security flaws are again prevalent in our smart devices. In this presentation I explore my journey to uncover several critical security vulnerabilities in a popular smart irrigation system using basic testing tools and techniques. This presentation is the final stage of the responsible disclosure process.

About Sam Granger

Sam Granger is a senior security consultant with a passion for connected devices and home automation.

Rise of the Advisor


We have a problem in security today. We simply don’t have enough people to cover all the needs. Colleges and technical schools are starting Cyber specific programs, but those are going to be academic practitioners and are going to need time to season in the industry. Vendors are pushing out more and more tools or information on what is or isn’t going wrong in customers networks from not only detection-based alerts, but from vulnerability, risk and compliance standpoints.

We are monitoring more and more of a user’s presence on the network but we are creating more and more noise for ourselves while we have been trying to reduce and refine the noise. We need something new, or we need to recognize something that we used to have and bring it back to the front. We lost coordination at the tactical level across the security stack.

The purpose of this talk is to draw from years of experience in the vendor world in look at customers organization structures and make a case for what works and what doesn’t work. It’s based on architectural principles but not specific to a compliance version or to the plumbing of a security stack.

Attendees will leave with a better understanding of how they can work with and influence their security teams positively along with internally marketing for the recognition of a new role within the security organization.

About Neal

Neal Humphrey is currently a Threat Intelligence Engineer, working for ThreatQuotient. He has been active and advising in the security industry for over 15 years and in technology for 20 plus. Previous to his current position he was a Technical Solution Architect for Cisco, and before that was a Principal Security Engineer for Sourcefire.

No Network Needed?!?!


It seems every day, we are bombarded with news of yet another breach and our personal information being traded and sold on the dark web/Internet. We lose sleep wondering if we have the right controls and policies in place to prevent our companies and our names from appearing in the next morning’s headlines. Is it time for a different approach? What if we could get rid of our network so we no longer had to define complex boundaries and policies? Is it really possible to architect a system that removes all the traditional ingress and egress points? If we resign ourselves to the fact that it’s not IF but WHEN our network gets breached….then why do we still have a network?

About Ron

Ron Burkett is a Director of Sales Engineering for Zscaler. Ron has 20+ years of experience in the networking and security industries and has been deeply involved in developing emerging security and networking strategies for fortune 1000 customers. Currently Ron is tasked with helping customers develop zero-trust networking strategies by adopting cloud, software defined networking strategies, and FEDRAMP certified solutions for US federal government agencies.



Shall we play a game? We all have war stories from our time fighting the good fight. In my WarGames session I will share several of my favorite war stories from my cyber front lines. Each one will speak to a problem common in defensive cyber operations and hopefully be interesting in and of themselves. At the end of each war story I will try to draw and share some cyber security insights just like Joshua, “A strange game. The only winning move is not to play. How about a nice game of chess?”

About Justin

A technical guy and a “hacker” (aka tinkerer) trying to run a business of other passionate like-minded people. Over the last 20+ years he’s worked at a variety of places supporting educational non-profit organizations to government super-secret squirrel and Fortune Global 100 organizations. In past lives prior to COO he’s been a systems administrator, programmer, incident response fly away team lead, engineer, architect, red teamer, analyst, and scientist. In his spare time, Justin enjoys Piña Coladas, getting caught in the rain and is a Sagittarius.


The Carolina Theatre is a performing arts and cinema complex in downtown Durham, North Carolina. It is an AMAZING venue in the Raleigh Durham area!

We are growing! The main conference will be at the Fletcher Hall -- an auditorium with 1,048 seats hosting a diverse lineup of live events and film. Fletcher Hall has been restored to its 1926 décor, and is the only downtown building designed in the Beaux Arts style.


Don't miss the event!

Follow us on: | |