Our 2019 speakers…
Attack – Detect – Evade: Getting Splunky with Kerberos
Ross Bingham & Tom MacDonald
Kerberos and Splunk are both complex beasts which present plenty of opportunities for both red and blue teams. In this talk we aim to cover both sides by looking at how to attack and defend Kerberos, along with how to evade detection and what to do when you do get a detection. We hope to leave red team operators with a better understanding and appreciation of their impact on an environment, and blue team operators with insight into the weird and wonderful world of Splunk detections and how to categorise and act on certain events.
The underlying message: understand what you are doing, which Indicators of Compromise (IOCs) you will set off, and what to do when there is a detection.
The following areas will be covered throughout this talk:
Kerberos – How it works, Different Attacks, Tooling, Environment Footprint / OpSec, Evasive Maneuvers.
Splunk – How it works, Deployment, Plugins, Detecting Kerberos Attacks, Threat Response & Threat Hunting off the back of an alert, Deploying Honey SPNs
Evasion – Attacking Intelligently (not just smashing all the things), Using Splunk Against itself, compromise through the Splunk Dashboard and through Splunk forwarders.
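As an added illustration of the "Honey SPNs" and "Detecting Kerberos Attacks" items above (this is example code written for this page, not the speakers' material), the script below runs two checks over a handful of constructed Windows Security event 4769 (Kerberos service ticket request) records: any request for a decoy SPN, and any account collecting RC4 service tickets for many distinct SPNs in one batch, which is the classic Kerberoasting footprint. The field names follow the Windows add-on for Splunk; the honey account names, thresholds and event data are assumptions made for the example.

```python
"""Added example: honey-SPN and RC4 Kerberoasting checks over 4769 events.

Assumptions (not from the page): events are already parsed into dicts with
the fields the Splunk Windows TA exposes for event 4769, and HONEY_SPNS lists
decoy service accounts you created yourself. All event data is constructed.
"""
from collections import defaultdict

# Honey accounts: SPNs registered on accounts nothing legitimately talks to.
# Any TGS request for them is a signal on its own (assumed names).
HONEY_SPNS = {"svc_sqlbackup", "svc_legacyweb"}

# Kerberos encryption types as logged in 4769 (RFC 3961 numbers, hex in the event).
RC4_HMAC = 0x17
AES_TYPES = {0x11, 0x12}

# Constructed sample of 4769 events (field names as in the Windows TA for Splunk).
EVENTS = [
    {"Account_Name": "alice@CORP.LOCAL", "Service_Name": "http-web01",
     "Ticket_Encryption_Type": "0x12", "Client_Address": "::ffff:10.0.1.20"},
    {"Account_Name": "bob@CORP.LOCAL", "Service_Name": "svc_sqlbackup",
     "Ticket_Encryption_Type": "0x17", "Client_Address": "::ffff:10.0.1.55"},
    {"Account_Name": "bob@CORP.LOCAL", "Service_Name": "svc_legacyweb",
     "Ticket_Encryption_Type": "0x17", "Client_Address": "::ffff:10.0.1.55"},
    {"Account_Name": "bob@CORP.LOCAL", "Service_Name": "mssql-db01",
     "Ticket_Encryption_Type": "0x17", "Client_Address": "::ffff:10.0.1.55"},
    {"Account_Name": "bob@CORP.LOCAL", "Service_Name": "http-web02",
     "Ticket_Encryption_Type": "0x17", "Client_Address": "::ffff:10.0.1.55"},
    {"Account_Name": "WEB01$@CORP.LOCAL", "Service_Name": "krbtgt",
     "Ticket_Encryption_Type": "0x12", "Client_Address": "::ffff:10.0.1.10"},
]


def enc_type(event):
    """Ticket_Encryption_Type is logged as a hex string such as 0x17."""
    return int(event["Ticket_Encryption_Type"], 16)


def honey_spn_hits(events):
    """Return (account, service, client) for every request against a honey SPN."""
    return [
        (e["Account_Name"], e["Service_Name"], e["Client_Address"])
        for e in events
        if e["Service_Name"].lower() in HONEY_SPNS
    ]


def rc4_roasting_candidates(events, threshold=3):
    """Accounts requesting RC4 (0x17) service tickets for >= threshold distinct SPNs.

    Kerberoasting tooling usually asks for RC4 tickets because the resulting
    hash is far cheaper to crack than an AES one; one user touching many RC4
    SPNs in a short window is the classic footprint. krbtgt requests are TGT
    renewals rather than service tickets, so they are skipped.
    """
    spns = defaultdict(set)
    for e in events:
        if e["Service_Name"].lower() == "krbtgt":
            continue
        if enc_type(e) == RC4_HMAC:
            spns[e["Account_Name"]].add(e["Service_Name"])
    return {acct: sorted(s) for acct, s in spns.items() if len(s) >= threshold}


def aes_only_accounts(events):
    """Accounts whose every service ticket request used AES: the quiet profile
    an operator would aim for, and the reason the RC4 check alone is not enough."""
    types = defaultdict(set)
    for e in events:
        if e["Service_Name"].lower() != "krbtgt":
            types[e["Account_Name"]].add(enc_type(e))
    return sorted(a for a, t in types.items() if t and t <= AES_TYPES)


if __name__ == "__main__":
    print("honey SPN hits:", honey_spn_hits(EVENTS))
    print("RC4 roasting candidates:", rc4_roasting_candidates(EVENTS))
    print("AES-only accounts:", aes_only_accounts(EVENTS))
```

The honey-SPN check fires on a single event and needs no baseline, which is what makes decoys cheap to deploy; the RC4 volume check is what you fall back on for real SPNs, and the AES-only list shows the gap an operator exploits by requesting AES tickets and pacing requests.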
Ross (@PwnDexter) – Red Teamer @ Nettitude
Ross is a Senior Security Consultant working within Nettitude's red team. The bulk of his time is spent delivering red team engagements, fighting EDR products, or reporting; the rest goes on research, tool development and the company's detection lab.
Mac (@BaffledJimmy) – Red Teamer @ Nettitude
Mac is a Senior Security Consultant at Nettitude, working on large internal infrastructure and red team engagements. He is never happier than when abusing sysadmin tools to compromise environments, as it reminds him of his younger days as a systems administrator before he saw the light and became focused on security. He is also the company expert on password cracking inefficiency.
Built-In Application Whitelisting with Windows Defender Application Control
Today’s attackers can relatively easily gain access to an environment by phishing employees and compromising their workstations. This is usually done through some form of custom or public code that the attacker modifies to fit their needs. A recommendation we commonly make is that our customers investigate some form of application whitelisting. An effective application whitelisting deployment can stop these attacks before they begin, provide telemetry for blocked events, and make an attacker’s job significantly harder. What if there was already an application whitelisting solution built right into Windows, for free? Welcome to Windows Defender Application Control (WDAC). This talk will discuss what WDAC is and how it can be deployed. We’ll look into building custom policies that let you define how your environment is protected and what you trust. We’ll also look at common configurations for WDAC along with their strengths and weaknesses. Finally, this wouldn’t be a talk without discussing and demonstrating how an attacker could attempt to circumvent WDAC and live within its confines.
The goal for this talk is for attendees to walk away with the knowledge of an application whitelisting solution that is already built into Windows and is available for free.
Christopher Truncer (@ChrisTruncer) is a red teamer with FortyNorth Security. He is a co-founder and current developer of the Veil-Framework, a project aimed at bridging the gap between advanced red team and penetration testing toolsets. Chris began developing toolsets that are not only designed for the offensive community, but can also enhance the defensive community’s ability to defend their networks.
Defend the indefensible – “WordPress isn’t a security dumpster fire, Fight Me!”
Tim Nash & Glenn Pegden
Tim believes that common wisdom is wrong and WordPress CAN form part of a secure enterprise ecosystem. Glenn, on the other hand, likes to sleep at night.
By taking on the role of attacker and defender, Glenn and Tim will walk you through an escalating series of Attack vs Defence scenarios with real-world examples; Tim will attempt to convince you that for most reasonable threat models, WordPress can easily defeat a skilled and determined attacker and Glenn will attempt to prove him wrong.
The talk aims to give something to both Red Team and Blue Team, covering some common (and not so common) techniques to both compromise and harden WordPress. Failing that, come watch two middle-aged blokes bicker about whether WordPress deserves its place as an industry joke, or is unfairly maligned because of misuse and unnecessary risk-taking.
Tim is the platform lead at 34SP.com for their Managed WordPress product, in addition to being the company’s developer advocate. One day he will work out what either of those job titles means. Until he does, he spends his day in a mix of dev, security, ops and project management, as well as speaking at user groups and conferences. He is responsible for the security of the 34SP.com WordPress platform, keeping thousands of WordPress sites from falling prey to bad actors. Tim has spoken on topics as varied as acoustic variations in heated elements, to (perhaps more relevant) talks on WordPress security and building security into developer pipelines. He has also done a couple of talks about how to rob banks.
For BSides Leeds Glenn wrote “Despite being an old school hacker who has done almost every job in IT during his career, Glenn decided that he wouldn’t just join the unsexy Blue Side of InfoSec, but he’d then specialize in the least cool part he could find (at least, without needing the CISSP qualification) Vulnerability Management. By day he does Vulnerability Management and Security Risk Management for SkyBet, by night, well, he tends to post on twitter a bit and then has an early night as he’s getting on a bit.” and frankly he’s unlikely to ever write a better bio again, though he has since got roped into helping run the Leeds DC151 group.
In my own time, I have been beavering away, working on an idea about offensive automation. The concept is quite simple: can you 100% compromise a targeted organisation from a single click?
Think about recent data breaches: could any of them have been achieved without a remote shell? I believe they could. I think most exploitation techniques can be automated into a single command, including exfiltration of targeted data, and triggered from a single person’s response to an email.
The talk will contain the whys and hows, and demo my research. During this process, I have created a few scripts to help automate sections of the weaponization. I have never spoken about coding before, as I don’t consider myself to be a coder, but I will address this during the talk as well, and will be releasing them to the world.
This talk has never been given before. My talks are always different per conference, but this talk is particularly personal and important to me, and as such I want it at Steelcon.
As always, my slides will be 100% bespoke artwork (I take months creating my slides alone), presented in an original way. I just like things to look nice.
Senior security consultant working for Pen Test Partners with over ten years’ experience, specialising in red teaming, physical and remote social engineering, infrastructure and application testing.
Dynamic Callbacks For Persistence
Maintaining persistence and communication between C2 infrastructure and compromised hosts is a fundamental element for successful red team campaigns. This is well understood by defenders, and so effort and time is invested by SOCs in improving their detection and blocking capabilities to reduce the time that persistence and communication can be maintained. But what if the communication and persistence can be re-established dynamically after it is blocked?
Different techniques will be described and combined to obtain the new address of the C2 infrastructure and to change persistence. The talk will show how stagers and payloads can heal themselves after being blocked, including how communication can be re-established via dynamic parametric data. The techniques and methods described are code agnostic and can be used as a baseline to provide extremely flexible methods which can be combined to culminate in a robust, persistent C2 communication channel.
The talk is focused on dynamic callbacks for re-establishing communication with C2 infrastructure and for achieving persistence by using different methods incorporating communication with popular websites, domain fronting and multiple protocols.
xtr4nge is a security consultant and researcher with more than 15 years of experience in cyber security within large companies. He is continuously engaged in researching the security aspects of new technologies and using them as a platform to drive security forward. He has a passion for developing open source software for fun, learning and research, such as FruityWiFi and FruityC2. He is interested in breaking stuff and then understanding how to fix it.
Great Expectations – On InfoSec Careers, Skills, Roles, and How We Can and Must Do Better!
This talk is not technical. It is safe to say that in reality, this talk is not a talk. It is a rant about the current state of infosec hiring – the practices, the misinformation, the assumptions, and the lack of clear communication between those in the community and those wishing to enter the field. The rant will begin with problems, but will end with proposed fixes – including the author’s ‘Infosec Skills Matrix’.
What is the Skills Matrix? It is a spreadsheet. Yes, this is a not-talk about a spreadsheet. But one that has been road tested, and is a living document that defines the connections between infosec roles, and the necessary and desirable skills with which to carry out that work – first proposed by the author in a blog post titled We need to kill the security analyst! (though no SecAnalysts were harmed in the making of this spreadsheet).
Students get a better idea of what they should prepare and learn in order to do the job they want. Educators get a better idea of what they should be teaching to their students to keep their courses up to date and relevant. HR managers get better data, and can better formulate the right job specs. Everybody wins.
This talk will officially launch the Skills Matrix, and we promise a heady mix of Scouse humour, ranty swearing, terrible puns, rounded off with optimism about how things really can, and possibly are, changing. Yes, it’s a bit sh*t; but we can, and must, do better!
Mark is currently completing his PhD in mathematics – the only rule is; we don’t mention the thesis. He has been in infosec for long enough to have shaken off his former life as a violinist, and until recently, did a load of research and consultancy for Security Research Labs. He organises BSides Leeds, and can be heard from up to 250m away on a clear day.
Hunting Sh*T Up – Red Teaming with A Bug Hunter’s Mindset
Red teaming, testing pens and bug bounties all align to the side of offensive security in the modern day. One thing I have learned from transitioning from pentesting to bug bounties and now red teaming is that the mindset is the same. This talk will investigate the mindset and techniques that can be applied to all three, how each varies in the level of noise a tester will cause on a network depending on the engagement type, and how tooling written for one area can be applied to all three.
TL;DR Pentesting != Bounties != Red Teaming
As his day job, Andy works as a senior penetration tester and red teamer in training who enjoys hacking all the things. For those that don’t know Andy, he is a strong believer in passing knowledge on and supporting the infosec community. He does this by providing tutorials on his blog (https://blog.zsec.uk), running his local DEF CON chapter, and he has also published a book, Breaking into Information Security: Learning the Ropes 101.
ISIS Online: Junaid Hussain
This talk examines the online tactics of Junaid Hussain (aka TriCk) as a hacktivist and later as a member of ISIS. The talk will cover:
– Hussain’s hacking abilities
– The hacks he and his crew perpetrated
– How Hussain transferred his knowledge to propagandising for ISIS
– Hussain’s role in ISIS’ propaganda and recruitment efforts
The main aim of the talk is to discuss how Hussain utilised his hacking skills and their effectiveness in relation to ISIS’ objectives.
Security Engineer. Former @AbertayHackers Vice Gaffer. Purveyor of macOS security & rum.
Our Mental Health Matters
Mental health and burn out – we all know about it, we all talk about it so what does it mean, and how can it affect you?
1/4 of us in the UK have a long-term acute to severe mental health problem, and 1/6 of us will experience a mental health issue every week.
My talk explores the signs and symptoms of burnout and mental distress, how to practise self-care, and how we as an industry can work towards preventing more people leaving cyber security due to mental ill health and burnout.
Lizzy, 32, originally from the Liverpool area, grew up in South Africa – even my accent doesn’t know where it’s from. Likes beer, OSINT and the psychology behind cyber security. Mental health ambassador for Time to Change and hoping to go into cyber behaviour analytics (hacking the human, essentially). Currently doing my masters in psychology and working as a SOC analyst to pay my bills.
Owning an enterprise with three lines of code
Achim D. Brucker
Today, software is rarely developed on a green field: software developers are composers who build new systems by combining existing (open source) solutions. Custom code is, in many development projects, a curiosity.
As a result, all software depends on open source projects, which are sometimes as small as three lines of code and sometimes as large as several million lines of code. On the one hand, these projects speed up development. On the other hand, their use requires trust and care: with a few lines of code in an installation script, your development system can be pwned, and a small vulnerability in a dependency can be the root cause of one of the largest data leaks of recent years.
In this talk, I will discuss, using real world examples, the security threats of using software dependencies carelessly and provide recommendations that help to minimise this risk.
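The two risks named in the abstract (an install script that runs code on the developer's machine, and a dependency that can silently change underneath you) are both visible in a package manifest before anything is installed. The following first-pass audit of an npm package.json is an added example written for this page, not material from the talk; the manifest, package names and the set of lifecycle hooks it flags are assumptions made for the example.

```python
"""Added example: audit an npm manifest for install-time hooks and loose pins.

Assumptions (not from the page): the checked manifest is a package.json; the
hooks listed in LIFECYCLE_HOOKS are the ones npm runs during install; the
sample manifest and package names below are constructed for illustration.
"""
import json
import re

# npm runs these scripts during `npm install` without asking.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")
# Exact semver pin: only this release can ever be installed from the registry.
EXACT = re.compile(r"^\d+\.\d+\.\d+$")
# Sources that bypass the registry entirely (git, tarball URL, local path).
NON_REGISTRY = re.compile(r"^(git\+|github:|https?://|file:)")

# Constructed sample manifest (not a real project).
SAMPLE_PACKAGE_JSON = json.dumps({
    "name": "example-app",
    "scripts": {"test": "jest", "postinstall": "node setup.js"},
    "dependencies": {
        "some-util": "^1.3.0",          # range: any 1.x >= 1.3.0 may be pulled in
        "web-framework": "4.17.1",      # exact pin
        "internal-lib": "git+https://github.com/example/internal-lib.git",
    },
    "devDependencies": {"jest": "~26.6.0"},
})


def audit_manifest(text):
    """Return a list of (finding, name, detail) tuples for a package.json string."""
    manifest = json.loads(text)
    findings = []
    for hook, cmd in manifest.get("scripts", {}).items():
        if hook in LIFECYCLE_HOOKS:
            findings.append(("install-hook", hook, cmd))
    for section in ("dependencies", "devDependencies", "optionalDependencies"):
        for name, spec in manifest.get(section, {}).items():
            if NON_REGISTRY.match(spec):
                findings.append(("non-registry-source", name, spec))
            elif not EXACT.match(spec):
                findings.append(("unpinned", name, spec))
    return findings


def has_install_hooks(text):
    """True if installing this package would execute a script on the host."""
    return any(kind == "install-hook" for kind, _, _ in audit_manifest(text))


if __name__ == "__main__":
    for finding in audit_manifest(SAMPLE_PACKAGE_JSON):
        print(*finding)
```

The hook finding is the one the abstract's "three lines of code" refers to: nothing in the manifest says what setup.js does, and it runs with the developer's privileges. The range findings only matter because a lockfile is absent or ignored; `npm ci` against a committed lockfile, and `--ignore-scripts` where hooks are not needed, close both gaps, and the audit extends naturally to the transitive tree by running it over every package.json under node_modules.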
From June 2019, Achim D. Brucker (www.brucker.uk) is a Professor (Chair for Cybersecurity) at the University of Exeter, UK. Prior to that, he was a Senior Lecturer at the Computer Science Department of The University of Sheffield, UK. He leads the research in software assurance and security (https://logicalhacking.com).
Until December 2015, he was the global Security Testing Strategist at SAP SE, where, among other things, he defined and implemented the security testing strategy for over 27000 developers world-wide. SAP’s risk-based security testing strategy combines static, dynamic, and interactive security testing methods and integrates them deeply into SAP’s Secure Software Development Lifecycle. He was also involved in the security checks for SAP’s outbound and inbound Open Source process.
PARASITE: Can An Open Internet Fight Extremism?
It’s no secret that people are more interconnected than ever: not only is it incredibly convenient to contact old friends and distant family, but thanks to the open internet we can engage with strangers all over the world at the press of a button. A single tweet can gain thousands of interactions from strangers seemingly at random: what could possibly go wrong?
In this talk, I touch on a wide variety of subjects related to the complex relationship between extremism and the internet. Among these, I will be exploring the various “stages” of how extremism manifests itself online and the methods extremists employ to achieve their goal, whether that be recruitment, intimidation or simply organising amongst themselves.
Can we combat this threat while still keeping the internet open? Is the burden too much for service providers like Google & Facebook alone? What is the role of governments, and how do we collaborate? What is censorship? When does it become negligence? And most importantly, will I have to talk about machine learning?
Expect a healthy mix of technical and soft content. This talk is beginner friendly and no prior knowledge will be assumed, so strap in!
Dan is a security engineer with a love for malware who spends his time looking into why we’ve ended up in this mess: he loves public speaking, capture-the-flags and lie ins.
Pouring salt into the crypto wound: How not to be as stupid as ransomware authors
This talk discusses various ransomware families that have been prevalent in the past 5 years, exploring the common and often hilarious mistakes that were made when it comes to the encryption, along with some mocking of the authors who made such mistakes. Some advice regarding best practices for implementing cryptography is also discussed.
I am a malware analyst who has worked at Emsisoft, a fully remote antivirus company, for the past 3 years. I focus mostly on ransomware.
Profiling The Attacker | Using Natural Language Processing To Predict Crime
What do Minority Report, Black Mirror and 1984 all have in common? Well, let’s find out.
On a day to day basis we countlessly write notes, send messages and respond to emails. The question is, however, what does what we write actually show about us, and how can we use the meaning behind these pieces of text to predict crimes and attacks?
This talk delves into just this – how machine learning, and specifically natural language processing and sentiment analysis, can be used to predict crime and security attacks. This, of course, comes hand in hand with talking about predictive policing approaches, biases in predictive policing, and how natural language processing can be used to automate this whole process.
James Stevenson is a Software Engineer and Security Researcher with a history in security operations. James is an alumnus of the University of South Wales, and these days he works at BT Security, as well as speaking at security events across the UK.
Rage Against The FUD
The Beer Farmers
FUD you, I won’t do what you tell me.
In this talk, we reveal some of the worst examples of organisations delivering fear, uncertainty and doubt (FUD), why it’s a terrible move and how to avoid it as a responsible organisation.
Be it CrowdStrike claiming APT28 will pwn your network inside two hours, to allegations of Huawei backdooring all your data back to Beijing, we’ll lay down the facts and give you the information to make your own judgements.
We’ll tackle the press, excitable researchers and even nation states.
As ever, there’ll be music and fun, but the underlying messages will be serious in nature.
The Beer Farmers is a parody project whose aim in life is to help the InfoSec community take itself less seriously and bring some fun, while at the same time helping us focus on the important things in what we do.
There are five members: Mike Thompson, John Opdenakker, Ian Thornton-Trump, Sean Wright and Andy Gill. All members are from a diverse professional background (and indeed different countries!)
State of Cybersecurity Report – Extended Play
Last year Infosecurity Magazine conducted industry research to determine the driving trends in cybersecurity. “Sure, there are lots of reports,” you may say, “so why should I be interested in this one?” How many reports are ultimately vendor-sponsored, pushing the problem that their product or service resolves? With this research, we independently interviewed some of the main names in cybersecurity, and in 2019 we did this again with a larger sample set and a precedent to compare against.
We will look at the findings from this report, compare against last year’s results and other industry research, and get an understanding of what this industry’s researchers, CEOs, practitioners and analysts actually think is driving cybersecurity now, and will drive it in the coming years.
How compliance was the leading driver in 2018, and how it stands post GDPR deadline
How much the human factor is a driver
What the business can do to be more secure, and embrace security
Where the opportunities are for jobs, both for new people and those seeking a career change
Dan Raywood is a journalist with more than 18 years experience, including 10 years covering cybersecurity including covering ground-breaking stories such as Stuxnet, Flame and Conficker, the online hacktivist campaigns of Anonymous and LulzSec, and broke the news on the EU’s mandatory data breach disclosure law (now a major part of the GDPR).
In his day job at Infosecurity Magazine, he looks after the official webinar channel and contributes to the twice-annual Virtual Conference and writes articles for the print magazine and website. He has spoken at events including 44CON, SteelCon, Infosecurity Europe, SecuriTay and BSides Scotland.
Steal These Ideas
Sometimes people think the mistakes they have kept making for 30 years are experience.
This famous quote by Mullah Nasruddin expresses one of the major problems of most blue teams. Many allegedly tried-and-true strategies are surprisingly mediocre when examined closely, but are rarely challenged or changed. With a bit of work and determination those approaches can be improved upon for an overall better level of security. Creativity and unusual thinking aren’t just valuable tools for red teamers and attackers; questioning what you have at your disposal and how to improve it is also a good exercise for anyone on the defence.
Whether you’re a newcomer to infosec or a seasoned veteran, this talk should give you some insights into technical, organisational and other challenges and present some ideas on how to overcome those.
Be prepared to slaughter a few holy cows of infosec and emerge with fresh ideas!
Stefan works for the Internet Security Team at German company DATEV eG. He started messing with computers in the 80s and turned it into a job as a programmer in the early 90s. Since 2000 he has been securing networks and computers for various enterprises in Germany and Scotland. His main focus nowadays is security research, raising security awareness, coming up with creative solutions to security problems and discussing new ideas concerning threat mitigation. When not trying to do any of the stuff mentioned above, he is either travelling, procrastinating or trying to beat some hacking challenge. Stefan also sometimes writes blog posts (in English and German) on his site https://cyberstuff.org.
The Internet is Broken and so are We
Saskia Coplans & Alastair O’Neill
Ever lie awake at night sweating over the next vuln? That’s because we all do. In short, security is not good for us.
Whilst we agonise about the skills shortage, are we considering the people who hold the skills we do have? How do we explain that there’s always a skills shortage but never a shortage of new entrants? Why can’t we retain the skills and the people we have and develop them?
It’s time to accept that the skills shortage is a skills mismatch, and that for too long we’ve been trying to fit security into the mould of pen testers rather than fix security. That’s not good for security and it’s not good for us.
Saskia is a Security Consultant and Director at Digital Interruption. She is a registered Data Protection Officer (DPO) and a privacy specialist with over ten years of experience in information security and governance. Along with standards and policy development, she has developed risk-based defensive security strategies across Europe and Central Asia for governments, NGOs, regulators and the private sector.
Alastair is Head of Defensive Security at Digital Interruption. He has more than a decade of experience in information security, both as a security consultant and as a researcher. His skills range from embedded device exploitation to mainframe hacking, along with a significant grounding in all shapes of UNIX. He regularly presents in the UK and abroad on topics ranging from cutting-edge malware research to innovative offensive techniques, and has a strong passion for offensive and defensive hacking.
The LANs that time forgot.
The IT industry is placing more and more of its security emphasis on client- and server-side security applications and agents, and on cloud server deployments. Nevertheless, whether a computer environment is ‘on-prem’, hosted, or even in a domestic setting, they all have one thing in common: a network.
This is a blue team talk focused only on network security. It highlights methods and technologies already present in routers and switches, often unused or unknown, that can be employed for the cost of a little time to greatly reduce the threat surface and improve the detection of issues in any environment hosted on them.
Brian is a network guy with 20 years’ experience, and is the Director of Whelton Network Solutions, a consultancy primarily focused on networking, security audits and incident response.
Outside of professional commitments he is a self-proclaimed certification junkie, InfoSec conference attendee and speaker, as well as a multi Bsides ‘Goon’.
TLS 1.3 for Penetration Testers
TLS 1.3 was released by the IETF last year and is a major step forward in transport security. Unlike the move from TLS 1.1 to 1.2, there are major changes that penetration testers need to be aware of: common testing tools like sslscan do not detect whether it is supported, and in some cases cannot connect at all. TLS 1.3 changes both the concept of cipher suites and the version negotiation mechanism, and completely eliminates the ability to decrypt traffic using just the server’s private key. New features in the protocol include encrypted extensions, a future-proofing mechanism called GREASE, and 0-RTT (zero round trip time) support. This talk will describe the changes in the protocol and their implications for testing, making clear the limitations of some common tools and approaches, and ensuring TLS 1.3 is tested with practical examples. Firefox, Chrome, OpenSSL, Cloudflare and even Java support TLS 1.3. Do you?
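One concrete reason older scanners miss TLS 1.3, shown here as an added example (written for this page, not the speaker's material): a TLS 1.3 ClientHello still carries 0x0303 (TLS 1.2) in its legacy_version field and moves the real offer into the supported_versions extension (type 43), mixed with GREASE values that implementations must ignore. The script builds a minimal ClientHello body in the RFC 8446 layout using only the standard library and parses it back two ways, the way a version-field-only tool would and the way a TLS 1.3-aware tool must; the particular version and cipher suite lists are assumptions chosen for the example.

```python
"""Added example: TLS 1.3 version negotiation lives in an extension.

Byte layouts follow RFC 8446 (ClientHello) and RFC 8701 (GREASE values:
both bytes equal, low nibble 0xA). The chosen lists below are illustrative.
"""
import os
import struct

SUPPORTED_VERSIONS = 0x002B
TLS12, TLS13 = 0x0303, 0x0304
GREASE_VERSION = 0x0A0A  # one of the reserved GREASE code points
TLS13_SUITES = [0x1301, 0x1302, 0x1303]  # AES-128-GCM, AES-256-GCM, ChaCha20
TLS12_SUITE = 0xC02F  # ECDHE-RSA-AES128-GCM-SHA256, for comparison


def is_grease(value):
    """True for the RFC 8701 GREASE pattern: 0x0A0A, 0x1A1A, ..., 0xFAFA."""
    return (value >> 8) == (value & 0xFF) and (value & 0x0F) == 0x0A


def build_client_hello(versions, suites):
    """Return a ClientHello body (no record or handshake header) offering the
    given versions via supported_versions and the given cipher suites."""
    random = os.urandom(32)
    session_id = b""
    cs = b"".join(struct.pack("!H", s) for s in suites)
    sv = b"".join(struct.pack("!H", v) for v in versions)
    # extension = type(2) + length(2) + u8 list length + u16 versions
    ext = struct.pack("!HH", SUPPORTED_VERSIONS, len(sv) + 1) + bytes([len(sv)]) + sv
    return (
        struct.pack("!H", TLS12)                 # legacy_version: always 0x0303 in 1.3
        + random
        + bytes([len(session_id)]) + session_id
        + struct.pack("!H", len(cs)) + cs
        + b"\x01\x00"                            # compression_methods: null only
        + struct.pack("!H", len(ext)) + ext
    )


def parse_client_hello(body):
    """Return (legacy_version, cipher_suites, offered_versions)."""
    off = 0
    legacy_version, = struct.unpack_from("!H", body, off); off += 2
    off += 32                                     # random
    off += 1 + body[off]                          # legacy_session_id
    cs_len, = struct.unpack_from("!H", body, off); off += 2
    suites = [struct.unpack_from("!H", body, off + i)[0] for i in range(0, cs_len, 2)]
    off += cs_len
    off += 1 + body[off]                          # compression_methods
    ext_len, = struct.unpack_from("!H", body, off); off += 2
    end = off + ext_len
    offered = []
    while off < end:
        etype, elen = struct.unpack_from("!HH", body, off); off += 4
        if etype == SUPPORTED_VERSIONS:
            n = body[off]
            offered = [struct.unpack_from("!H", body, off + 1 + i)[0] for i in range(0, n, 2)]
        off += elen
    return legacy_version, suites, offered


def naive_version(body):
    """What a version-field-only scanner reports: never higher than TLS 1.2."""
    return parse_client_hello(body)[0]


def negotiable_versions(body):
    """What a TLS 1.3-aware tool reports: supported_versions minus GREASE."""
    _, _, offered = parse_client_hello(body)
    return [v for v in offered if not is_grease(v)]


if __name__ == "__main__":
    hello = build_client_hello([GREASE_VERSION, TLS13, TLS12], TLS13_SUITES + [TLS12_SUITE])
    print("legacy_version field:", hex(naive_version(hello)))
    print("actually offered:", [hex(v) for v in negotiable_versions(hello)])
```

The same split applies to cipher suites: the 0x13xx suites name only the AEAD and hash, because TLS 1.3 always uses an ephemeral (EC)DHE key exchange, which is why a captured session can no longer be decrypted from the server's private key alone and why a 1.2-era suite list check says nothing about 1.3.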
Richard Moore is a Principal Security Consultant at MWR, and formerly the CTO of Westpoint Ltd. He has worked extensively with SSL/TLS both as a tester and as a developer. He has found security problems in the SSL/TLS implementations of major browsers and written tools such as a TLS server fingerprinter (released at BSides Manchester in 2015). For several years he maintained the network stack of the Qt development framework, particularly the SSL/TLS support. A long time ago, he was one of the original developers who created KHTML which you’ll probably know as WebKit (or Blink if you’re using Chrome).
We have a firewall, right? War stories from the front line of security management
Carl Gottlieb and Paul Heffernan
With a combined 26 years of working in security, Carl works as a DPO and Paul as a CISO. In this talk, we’ll discuss the difficult job of security management in the age of (ir)responsible disclosures, mega data breaches, and privacy-savvy customers and employees. We will share some of our own war stories that have tested the relationship between security and management, and what we’ve learnt along the way. Whether you’re looking to get into security or want some tips on keeping your boss happy, come along to this session and question our poor life choices.
Carl needs no introduction…
Paul is the CISO at Revolut and has enjoyed attending Steelcon for the past 3 years, so it’s about time he gave something back.