BSides Las Vegas, 2016

I absolutely love giving presentations! I love to run my mouth, so being able to do so in front of like-minded individuals is a passion of mine. I’ve started to lose track of the various presentations I’ve given, so I made this page to catalogue my work and provide resources should anyone be interested in reviewing the content.


SANS Summits & Webcasts

Ransomware – Do You Pay It Or Not? – Experts debate the costs and ethics surrounding ransomware payments – SANS Webcast [2021.06.03]

To pay ransomware attackers or not to pay? The global cybersecurity community continues to debate this complicated issue recently brought to the forefront by the Colonial Pipeline attack. Governments around the globe are now weighing in on what they believe to be the right response to a ransomware attack. Some are even considering making ransomware payments illegal. Putting potential legal requirements aside, on the business side the decision to pay or not to pay isn’t an easy one to make: On one hand, paying ransom encourages additional brazen attacks; on the other, organizations that choose not to pay the ransom may have to shutter operations or find themselves in the position of being unable to pay employees.

SANS is proud to host what is sure to be a dynamic debate of this issue. We’re bringing together some of the top minds in cyber and ransomware incident responders to represent both sides of the debate. Our expert panelists will share stories from the field and their own experiences in responding to what amounts to hundreds of ransomware incidents between the lot of them.

There’s no great solution here — it’s a real-life ‘no-win situation’ for cybersecurity. This debate will focus on providing practical and thoughtful advice that’s based on real-world experiences dealing with ransomware. If you have a strong opinion on the issue, join us to see if you can be swayed. As these unique perspectives will highlight, the decision to pay the ransom or not is much more challenging than you might suspect.

Recording here: https://www.sans.org/webcasts/ransomware-pay-not-experts-debate-costs-ethics-surrounding-ransomware-payments-119960

Avoiding or Minimizing Ransomware Impact to the Bottom Line: A Panel Discussion – SANS Webcast [2021.05.27]

On this webcast, John Pescatore, SANS Director of Emerging Security Trends, and Benjamin Wright, lawyer and SANS Senior Instructor, will discuss key ransomware issues and analyze their associated ransomware report with sponsor representatives.

Ryan Chapman, Principal Incident Response Consultant for the BlackBerry Security Services Team, is an IR consultant with roots in SOC and CIRT work. He handles incidents requiring network activity analysis; researching host and network IOCs; hunting through log aggregation utilities; sifting through packet captures; analyzing malware; and performing host and network forensics. Ryan is also the lead organizer for CactusCon, teaches FOR610 for SANS, and is writing a new ransomware-based course for SANS. He also spends time with his family and plays plenty of Street Fighter. Hadouken!

Recording here: https://www.sans.org/webcasts/avoiding-minimizing-ransomware-impact-bottom-line-panel-discussion-118435/

Ransomware Defense 101: A Simple Action Plan – SANS Healthcare Lightning Summit 2021 [2021.05.19]

Recording here: https://www.sans.org/webcasts/healthcare-lightning-summit-119555

Oh You Silly Framework!: An Intro to Analyzing .NET Malware – SANS Sydney 2020 @Mic Webcast [2020.11.04]

Malware written using Microsoft’s (MS’s) .NET Framework operates differently from your standard compiled Portable Executable (PE). The framework, often pronounced “dot net,” provides modern, functional, and easy-to-use assemblies for creating current-generation software. Once the C Sharp (C#), Visual Basic (VB.NET) or other .NET language is compiled, the result is MS Intermediate Language (MSIL). Upon being executed, the MSIL-based PE uses a just-in-time (JIT) compiler to generate native code, which is what we see run when .NET software/malware executes. Wonderfully for both the malware hobbyist and reverse engineering guru alike, MSIL PEs are easily decompiled back to source code. In this talk, SANS Instructor Ryan Chapman will provide an overview of the .NET framework, discuss malware families known to depend upon the framework, and provide analysis methodologies and tools for ripping these samples apart with ease.

Register for free recorded content here: https://www.sans.org/webcasts/silly-framework-intro-analyzing-dotnet-malware-sansatmic-sydney-117015

LOCKED OUT! Detecting, Preventing, & Reacting to Human Operated Ransomware – SANS Webcast [2020.10.12]

Human Operated Ransomware (HORA) threat groups are growing in number and strength every day. In this Webcast, SANS Instructor Ryan Chapman will cover the evolution of, tactics inherent to, and threats associated with HORA. Ryan will provide “quick wins” that you can implement now to protect yourself against this ugly threat. Ryan will also focus on what to do if ransomware is running *right now*, along with what to do when ransomware has run and the outlook is bleak. Ryan will wrap up the Webcast with a list of digital forensics and incident response tools that work well within on-prem and cloud-based environments alike. Are you and your company prepared for this looming threat?

Link: https://www.sans.org/webcasts/locked-out-detecting-preventing-reacting-human-operated-ransomware-116800

Hunting Human-Operated Ransomware Operators – SANS Threat Hunting & Incident Response Summit 2020 [2020.09.11]

View Webcast details and recording

The real threat of ransomware these days lies in “Human Operated Ransomware” attacks, in which we see the deployment of ransomware move to secondary or tertiary objectives. The human operators often focus on enumerating the internal environment in preparation for data exfiltration. By the time the ransomware is deployed, the threat actors have already carried out their initial objectives (and stolen your data!). This talk focuses on finding these operators while they are in your network. Find the operators == stop the ransomware deployment.


CactusCon & BSides Talks

Implementing a Kick-Butt Training Program: Blue Team GO! – BSides San Francisco & CactusCon 2019

View talk details and recording

2019, BSides San Francisco & 2018, CactusCon

Operationalizing Cyber Threat Intelligence (CTI): Pivoting & Hunting – CactusCon, 2018

No recording available

Exposing the Neutrino EK: All the Naughty Bits – BSides Las Vegas 2016

View talk details and recording

TAPIOCA: How to Automate Yourself Out of a Job – BSides Las Vegas 2015

View talk details and recording

These days, many security groups want to become ‘intel shops,’ and threat intelligence is all the rage. An intel shop should ingest intel, analyze indicators, and pivot from correlated data. However, few understand how to begin the transition. How IS this accomplished? MAGIC, DAMMIT. Then again, if you’re not the sleight-of-hand kind of guy or gal, we have an answer for you. Check behind your ear, and you’ll find a dollop of TAPIOCA! In this talk, we will present our process for analyzing Indicators of Compromise (IOCs) at scale, correlating information from multiple sources, and pivoting to obtain information from deep within the bowels of our global network. We’ll talk about the technical challenges we have addressed in applying automated analysis to terabytes of data every day. We will also discuss the next steps for this analysis, including applying machine learning techniques to help further classify our data. We are also releasing our automated IOC vetting tool, TAPIOCA (TAPIOCA Automated Processing for IOC Analysis), to help other security groups begin processing and benefiting from threat intelligence.


Work / Vendor Presentations

Protecting Your Workforce from Business Email Compromise – BlackBerry Webinar [2020.10.27]

Join BlackBerry for an informative webinar on safeguarding your workforce from business email compromise and other business critical services for remote workers.

Ryan Chapman, BlackBerry Principal Consultant, Incident Response & Digital Forensics, walks through:
– Tips for securing your business email
– Business email compromise (BEC) threats and how to avoid them
– The evolution of phishing attacks from malware deployment to credential theft
– How BEC attacks should be analyzed and reported
– How a BEC Assessment can help you understand your email-based threat landscape

Don’t miss this valuable presentation on ways to address the threats facing remote workers. Watch this webinar on-demand now.

The official, On-demand webinar is available here: https://blogs.blackberry.com/en/2020/10/webinar-protecting-your-workforce-from-business-email-compromise

A modified version of the webinar is also available on YouTube:

Incident Response in Your Newly Expanded Workforce – Nth Generation Symposium 2020

No recording available

Threat Hunting in 2020: Focal Points for Success – SINC Virtual Roundtable New York/New Jersey

Link: https://sincusa.com/event/blackberry-virtual-roundtable-new-york-new-jersey/

Sign up at the link above to view recording

IT Security Outlook 2020: What to Expect in the Year Ahead – eSecurity Planet 2020

View Webcast details and recording

Threat Intelligence – Buzzword or Buzz-Worthy? – Cisco Threats: The Good, the Bad and the Ugly 2018

View Webcast details and recording


JavaScript Deobfuscation

YouTube videos, not quite presentations. But hey, they’re fun!

MalWerewolf: JS/Shellcode Deobfuscation

View YouTube recordings (part 1 & 2)

JS/Shellcode Deobfuscation Tutorial Part 1/2

JS/Shellcode Deobfuscation Tutorial Part 2/2

Splunk Talks

PowerShell Power Hell: Hunting for Malicious PowerShell with Splunk – Splunk.Conf 2016

View talk recording

Security Operations Use Cases: ‘Cause Bears, Pandas, and Sandworms – Splunk.Conf 2015

View talk recording

Security Operations: Hunting Wabbits, Possum, and APT – Splunk Live! Scottsdale 2014

View talk recording

Security Operations Use Cases: ‘Cause Bears, Pandas, and Sandworms – Splunk Live! Santa Clara 2014

Same as the Splunk.Conf 2015 preso above

Security Operations Center Use Cases – Splunk Live! Phoenix 2013

My first InfoSec talk!! Alas, no recording available.


Cyber Forensics Workshop

This is a 6-part workshop that I presented to students from Cal State University Fullerton (CSUF) back in 2014. While the version of Wireshark we use is quite old, the content is still completely viable here in 2021-2022.

View workshop recordings from YouTube (all 6 parts!)

CSUF Cyber Forensics Workshop Part 1/6

CSUF Cyber Forensics Workshop Part 2/6

CSUF Cyber Forensics Workshop Part 3/6

CSUF Cyber Forensics Workshop Part 4/6

CSUF Cyber Forensics Workshop Part 5/6

CSUF Cyber Forensics Workshop Part 6/6