BEGIN:VCALENDAR
PRODID:-//vBulletin 6//EN
VERSION:2.0
CALSCALE:GREGORIAN
BEGIN:VEVENT
UID:d8721006-4d19-4c0f-bb98-605c3b8bbf94
DTSTAMP:20260423T082633Z
SUMMARY:Josh Kamdjou\, Alfie Champion - Email Detection Engineering and Thr
 eat Hunting Inbox
DESCRIPTION:Title: Josh Kamdjou\, Alfie Champion - Email Detection Engineer
 ing and Threat Hunting Inbox\n\nScheduled Date and Time (Pacific Standard)
 : Saturday\, August 12\, 2023\, at 0900 PDT\n\nEventBrite Link: https://ww
 w.eventbrite.com/e/josh-kamdjou-email-detection-engineering-and-threat-hun
 ting-inbox-tickets-668389941307?aff=oddtdtcreator\n\nMax Class Size: 80\n\
 n\n\n\nAbstract:\n\nEmail remains the #1 initial access vector for commodi
 ty malware and nation state actors. Historically\, tackling email-based th
 reats has been considered the purview of black-box vendor solutions\, with
  defenders having limited scope (or tooling!) to swiftly and effectively r
 espond to emerging attacker activity and novel offensive tradecraft.\n\nIn
  this workshop\, attendees will be given detailed insight into the latest 
 techniques used to deliver prevalent malware strains\, including QakBot an
 d Emotet\, and will hunt through email data to identify this malicious act
 ivity\, developing rules to detect and block these attacks.\n\nInitially a
 ttendees will be introduced to the foundational technologies that enable t
 hreat hunting\, detection engineering\, and response in the email domain\,
  before being given access to the email data of a fictitious company seede
 d with benign and real-world attack data. Throughout the day\, participant
 s will learn to hunt common phishing techniques including:\n\n- VIP Impers
 onations\n\n- HTML smuggling via links/attachments\n\n- Malicious VBA macr
 os\n\n- OneNote / LNK file malware (attachments\, and links to auto-downlo
 ads)\n\n- PDF attachments with embedded links to malware (PDF -> URL -> ZI
 P -> WSF)\n\n- Lookalike domains / homoglyph attacks\n\n- Credential phish
 ing\n\n- Password protected archives\n\n- Exploits (e.g. CVE-2023-23397\, 
 CVE-2021-40444)\n\n- Fake invoices (Geek Squad)\n\n\n\n\nAttendees will be
  guided through the rule creation process\, utilizing free and open detect
 ion engines including Sublime and Yara\, and will be introduced to the sig
 nals and email attributes that can be used to craft high-fidelity rules\, 
 including targeted user groups\, sentiment analysis\, sender domain age\, 
 and attachment analysis. Having completed the workshop\, attendees will ha
 ve a strong understanding of the tools and techniques at their disposal to
 defend their organizations from all manner of email threats.\n\n\n\n\nSkil
 l Level: Beginner\n\nPrerequisites for students: N/A. The training will ca
 ter to security practitioners with any level of technical experience. Whil
 e a general understanding of email threats will be advantageous\, all offe
 nsive and defensive techniques and tools in the training will be introduce
 d at a foundational level and built on throughout the day.\n\n\n\n\nMateri
 als or Equipment students will need to bring to participate: Attendees sho
 uld bring their own laptops in order to be hands-on\, preloaded with Docke
 r. Instructions to run the Docker images from GitHub will be shared. All t
 ools used in this lab are free and/or open-source.\n\n\n\n\nBio:\n\nJosh h
 as been doing offensive security-related things for the past 12 years. He'
 s spent most of his professional career breaking into networks via spear-p
 hishing and other methods\, and building software for both the public (Dep
 artment of Defense) and private sectors. Josh is the Founder and CEO of Su
 blime Security\, and in his private life enjoys weight lifting\, Martial A
 rts\, soccer\, and spending time with his niece and nephew.\n\n\n\n\nAlfie
  specializes in the delivery of attack detection and adversary emulation s
 ervices\, actively contributing education content\, tooling and blogs to f
 urther the industry. He has previously worked with organisations across mu
 ltiple industry verticals to uplift and validate their detective capabilit
 y through red or purple team engagements\, and now leads the global advers
 ary emulation function at a FTSE 250 company. He has previously spoken at 
 BlackHat USA\, RSA and Blue Team Con 2022\, among others\, and is the co-f
 ounder of DelivrTo.\n
URL:https://forum.defcon.org/node/246039
DTSTART:20230812T170000Z
DTEND:20230812T210001Z
LOCATION:Las Vegas\, NV\, DEF CON 31
END:VEVENT
END:VCALENDAR
