Our Favorite Presentations from ShmooCon 2015

By and

Category: Events, Threat Prevention, Unit 42


We were fortunate enough to attend this year’s ShmooCon, an annual hacker conference held in Washington, DC. It is organized by The Shmoo Group, which was founded in the late 1990s as an international non-profit security think tank. It invariably sells out every year, with tickets from each of three rounds of sales gone in under a minute. In addition, the maximum number of tickets that can be purchased at one time is limited to two to help more people get tickets. The tickets are highly sought after as the conference:

  1. Remains affordable (just $150 person; a bargain compared to most industry events)
  2. Limits attendance to what the facility can comfortably hold (we’re looking at you, Defcon)
  3. Focuses on new research or speakers that have not yet been presented at other conferences.


The focus on new speakers and research can lead to some presentations that could’ve used some more research, time, or polish, but in general ShmooCon is considered one of the best hacker conferences around. It also has one of the best barcons (short for bar conference, as in everyone meeting and chatting at the bar).  If you aren’t one of the lucky ticket holders, ShmooCon is also livestreamed so you can follow along at home.

We’ve never left a ShmooCon without a few new friends and some new research to consider.  Three of our favorite presentations from this year are below, and this is by no means a complete list of all the great talks (more can be found here). If you were at ShmooCon, feel free to add a comment and let us know your favorite.

No Budget Threat Intelligence: Tracking Malware Campaigns on the Cheap by Andrew Morris

Andrew’s talk discussed the use of open source intelligence indicators, malware artifacts, and data derived from honeypots to detect and track APT activity. The initial tool published to github focuses on one Chinese-derived tool using SSH passwords to spread malware. The tool automatically creates and publishes reports detailing number of attacks, IPs, and passwords seen. In addition, Andrew created a twitter account that is queryable with IP address(es) of interest.

The project is here in Github, and his main Github account is here.

The Joy Of Intelligent Proactive Security (Slides) by Scott Behrens and Andy Hoernecke

Scott Behrens and Andy Hoernecke gave an overview of some of the pitfalls encountered in accomplishing Application Security at Netflix and the challenges of a modern infrastructure. Their focus was on automation to identification of anomalies or problems and notification. They also use automation to aide in the creation of more complex workflows for remediation. They highlighted a few of the tools their team uses and has made available on the Netflix Github repository.

Simian Army

This proactively wrecks your environment to simulate outages, which allows for developers to write resilient code that will continue to function or gracefully handle missing resources. The simian army will take down everything from apps and instances to entire AWS regions.

Security Monkey

This project will monitor events and changes to AWS users, security groups, and policies. Notifying on any change that occurs or even going as far as to terminate offending instances. This project can also search for security violations or vulnerabilities.


Used as a Swiss army knife for various monitoring tasks, scumblr will monitor for various items such as credential dumps, hacktivism, and full disclosure. Sketchy is leveraged for screenshots and text scrapes when necessary. The combination of these two projects allows for an intelligent automation platform that can search the internet for sites and content of interest.

Automated Binary Analysis with Pin and Python (Slides) by Omar Ahmed and Tyler Bohan

This talk focused on dynamic binary instrumentation and tools that can be built using them. Various DBI frameworks are mentioned such as Valgrind, DynamoRIO, and Intel Pin.

Using Intel Pin you can create code that is used to hook various parts of a program: instructions, basic blocks, and function calls while the program is running without altering the original binary. While Pin comes with a large repo of well-commented sample tools, the API uses C++, which could make prototyping difficult for someone not used to the language. To make writing PinTools easier the speakers embedded a python interpreter within it that enables access to Pin’s functionality from within python. This also makes the creation of prototypes quicker and enables seamless integration with other Python modules.

The presentation showed a few demos using their wrapper to detect Use After Free (UAF) and Heap Overflows. The presenters have released the slides for their talk as well as the wrapper code through Github.

We can see the trend in the industry becoming more automation heavy specific to analysis and threat intelligence.  This will allow people to focus on the higher priority alerts and trends and move away from trying to keep up with every alert that can happen on a network.

Did anyone else make it to ShmooCon?  What talks were your favorites? We heard a lot of good things about many other talks; unfortunately two people can only make it to so many! There were a lot of tough choices made between which talks to see.