--[ Virtual Workshops

--[ A Network Analysis Workshop


Jamin Becker is the Chief Technology Officer at Dynamite Analytics and has worn many hats during his career, ranging from security operations to software engineering. Jamin is the maintainer of several open-source projects related to network analysis and began developing PacketTotal in 2015 when he noticed there was no easy way for security researchers to quickly analyze and share malicious network traffic. Since then, he has continued to maintain and extend the capabilities of PacketTotal for the benefit of the security community.

Adam Pumphrey is the Chief Operations Officer at Dynamite Analytics. He has worked in cybersecurity for over 20 years specializing in network traffic analysis, threat detection, forensics, and incident response. Adam spent his early career creating and leading security operations teams for the federal government before transitioning to the private sector where he now focuses on technology integration, solution engineering and customer success.


In Part 1 of this workshop, we'll dive into some of the differences between on-premise and cloud environments. We'll look closely at how organizations can help address one of the largest risks faced when moving to the cloud: a lack of visibility. Traffic acquisition in the cloud has traditionally required complex network architectures or 3rd-party software agents running on individual endpoints. However, new capabilities have been made available by cloud service providers that offer unprecedented access to network communications using the Software Defined Network itself for packet acquisition. We'll describe this new capability and how it's configured, deployed, and operationalized. We'll examine some best practices and lessons learned to keep in mind when planning a cloud network defense strategy that includes network traffic analysis.

In Part 2 of this workshop, we'll pivot to analyzing PCAP samples using PacketTotal.com (PacketTotal). PacketTotal is a free cloud service based on Zeek and Suricata for static packet-capture (PCAP) analysis. The service equips cybersecurity researchers and analysts with a database of over 100,000 indexed PCAP samples uploaded by the security community for contextualizing malicious network behaviors and cybersecurity alerts.

The solution facilitates the community sharing of traffic samples and allows researchers to search for indicators of compromise, download the corresponding network traffic, and see examples of how malware communicates across a variety of environments. PacketTotal's emerging search API also allows researchers to find PCAPs containing any domain name, IP address, malware strain, or protocol used, and to discover relationships between PCAPs, including common malicious traffic characteristics.

During Part 2 of this workshop, we will demonstrate how PacketTotal uses Zeek and Suricata to extract evidence relevant to security investigations, and how it can be integrated into security processes through the open-source SDK.

--[ App Ambush: HackerOne @ AvengerCon CTF


Nick Zajciw is a Community Manager at HackerOne, where he focuses on recruiting and engaging HackerOne's community of hackers. Prior to HackerOne, he spent four years as Senior Manager, Cyber Initiatives at bwtech@UMBC and was a Venture for America fellow. He is a graduate of the University of Michigan and has a graduate certificate in Cybersecurity Operations from UMBC.


Join HackerOne, the leaders in crowdsourced security, in a CTF challenge while at AvengerCon. HackerOne will be running a half-day hybrid CTF event (available both to those attending in-person and virtually). Our CTF will feature flags of varying difficulty as you progress through the levels. Those with entry-level to advanced knowledge of web application hacking will enjoy the challenges we have in store for the event. Prizes will be awarded for the top 3 participants in the event and will be announced at the event.

In 2018, HackerOne launched Hacker101, one of the largest free resources to learn to hack online. Hackers have access to CTF levels of varying difficulty covering a range of topics and techniques, which are constantly updated. As part of our mission to empower the world to build a safer internet, HackerOne has paid out $150M+ in bug bounties, manages a Discord of 57,000 aspiring hackers, and supports both our customers and community through exclusive challenges and Live Hacking Events.


Laptop, access to the internet, and basic understanding of web application security.

--[ Car to Cloud: Exfil Data for Fun and Profit


Lead Instructor Brent Stone, Ph.D., Capability Developer at Army Cyber Command (ARCYBER). Brent is a software developer, AI specialist, development team leader at ARCYBER HQ, and co-founder of Stoneguard Software LLC. He presents regularly at AVENGERCON and DEFCON about Industrial Control System (ICS) network reverse engineering and security.

Asst. Instructors Daniel Hawthorne, Ph.D., capability developer and team leader at ARCYBER; and Luke Maffey, team leader at ARCYBER.


Brent Stone, Dan Hawthorne, and Luke Maffey walk you through a hands-on workshop demonstrating every step needed to set up a secure streaming data flow from an Internet of Things device like a car network data logger to a cloud-hosted database. Participants will be provided their own temporary account on Google Cloud Platform to learn using the exact same tools used by tech giants and startups.

  • Additional workshop registration is needed to coordinate access to a private Google Cloud Platform (GCP) class environment and student accounts. Please provide your name and email at https://forms.gle/ZxpTrKeQNCax2hzf8.

  • Please ensure the email provided is registered with and accepted as a Google login account as you will need this to reliably access the QwikLabs class and GCP student resources.

  • If you'd like to follow along with a real IoT device, Brent will be demonstrating live data collection from his car using the Macchina P1 based on the Pocket Beagle platform. While currently out of stock due to the global chip shortage, the P1 is available at https://www.macchina.cc/catalog.

--[ Cyber Policy Simulation


LCDR Joseph M. Hatfield (PhD Cambridge University) is an active-duty naval intelligence officer currently teaching courses on the technical fundamentals of cybersecurity, the ethics and policy of cyber operations, intelligence and national security, and human factors in cyber operations. His current research focuses on the ethics of war, human factors in cyber operations, and intelligence studies.

Prior to joining USNA, his military experience includes an operational tour with Helicopter Squadron Five aboard the aircraft carrier USS EISENHOWER (2007-2009), working as an intelligence analyst at U.S. Africa Command (2009-2012), and leading as a staff officer (N2) for Commander Task Force SIX SEVEN (CTF-67) in Sigonella, Sicily (2012-2015). He was awarded the Joint Service Achievement Medal for his work during the 2011 Libya Crisis, where his analytical products were used to brief senior decision makers in the Department of Defense, the Department of State, and the President of the United States. He has also been awarded the Defense Meritorious Service Medal, and the Navy Commendation and Achievement Medals.


The Cyber Policy Simulation is a 3-hour table-top simulation designed to encourage and empower students to practice cyber policy-making skills in real time. The cyber policy simulation will allow cadets and students from many different backgrounds to role-play and work collaboratively as important stakeholders and U.S. government agencies to define problems, operationalize resources needed to achieve policy objectives, assess effects of certain policy objectives, and replicate real-world environments.

--[ Cyber Range Scenario


Bob DuCharme is a Principal Professional Services Engineer for Keysight Technologies. Bob has served in a number of different roles, helping customers learn testing technologies and educating customers in cyber security. Bob worked for BreakingPoint Systems before it was acquired by Ixia, which was in turn acquired by Keysight Technologies. Prior to that, Bob worked at Cisco Systems for 13 years, serving in several roles from security training manager to customer solutions manager. Bob is retired from the US Air Force.


As cyber security professionals encounter higher levels of attacks from individuals and groups, we must have a way to keep our skills sharp. Having an environment in which to execute all sorts of different attacks and analyze those attacks, as well as look at different methods of protecting against those attacks, is an absolute necessity. This must be done in a safe and secure way. An example of this could be the delivery of malware via a very common protocol, SMTP (Simple Mail Transfer Protocol). Mail is such a ubiquitous way of communicating that users can sometimes become complacent with regard to security.

Attendees will have the opportunity to execute this scenario. They will utilize different tools to emulate malware being delivered via SMTP and look at different ways to try to defeat this attack.


Attendees should have a solid technical background. They do not need to be experts in cyber security, but some knowledge is helpful.

They will need their own laptop to be able to connect to the cloud-based lab to execute the scenario.

--[ Guarding Against Ransomware With Free and Open Elastic Security


Free and open Elastic Security empowers teams with limited resources to collect, analyze, and search across large amounts of security data at scale. Learn how to protect your enterprise from ransomware, malware, and other malicious techniques by eliminating blindspots and getting full visibility into your networks and systems with Elastic. Principal Solutions Architect Michael Young will introduce you to the Elastic Platform, showcase how Elastic Security allows users to ingest and retain large volumes of data for augmented threat hunting, and provide a live demo of how it all works. You'll also see how Elastic defines the potential of XDR for cybersecurity teams and delivers limitless free and open XDR, SIEM, and endpoint capabilities built on a single platform.

Attendees will have the opportunity to participate in a live Capture the Flag (CTF) exercise to investigate a real-life security incident. You'll experience how Elastic Security builds on the power of the Elastic Stack to deliver out-of-the-box capabilities that help security operations teams do their jobs more effectively. This CTF will be open for the whole event and will have our solutions architect team readily available to assist you.