Incident Response Competition - in conjunction with @retrospectlabs

Do you want to put your Incident Response skills to the test?

For ComfyCon 2020, we’re spicing things up a little bit! For those who are interested in testing out their incident response skills, we’ve partnered with Retrospect Labs (who specialise in cyber security exercises), to deliver an incident response competition.

You’ll have to work your way through an exercise that simulates a real-world incident and conduct the usual activities required within an incident response operation. This includes analysing malicious artefacts to understand what malicious activity has occurred, through to preparing media statements and briefings for senior executives. Although you can do the exercise solo, but we recommend getting a team together (maximum of 5 per a team) with a variety of different skillsets to best perform across all aspects of the incident response.

To select the team(s) who performed the best, we have created a panel of industry experts and thought leaders who will assess your team’s performance throughout the course of the competition. The winning team will be announced during ComfyCon (with a prize too!).

Exercise/Competition Details:

  • Registration is first come first serve! There will be limited availability so sign up quick!
  • Teams have a maximum of 5 participants, so we recommend trying to build as diverse a team as possible! Remember, it won’t just be your technical skills you need to show to win!
  • Some of the activities you may need to do include:
    • Email analysis
    • Malicious document analysis
    • Disk and memory forensics
    • Communication
    • Media talking points
    • Legal considerations
  • The exercise will kick off on the 21st November, but it’ll be self-driven so you can complete it in a day, or over the course of a week. You won’t be judged for how long it takes you to complete the exercise, but on your team’s ability to undertake common incident response tasks.
  • The exercise is delivered remotely, via Retrospect Labs exercise platform, so you’ll be able to access all the relevant information and forensic artefacts.

Sign ups are now open! Please

Linux Privileged Access Training - in conjunction with @synick and @5ud0ch0p

“Attackers never stop at initial compromise; there is always an end goal objective which often requires privileged access to specific devices or systems.

Moving from low to high privileged access is crucial to this strategy, with various controls regularly being employed to limit the likelihood of such an attack succeeding, or increasing the effort required for an attacker to reach their goal. As security professionals, we need to understand such techniques in order to accurately assess the risk and likelihood of a given attack path within the organisation.

Identifying the correct privilege escalation vector can often feel like looking for a needle in a haystack, however with the right approach and understanding of the various controls in play, gaining full control can often be a safe assumption in many instances following initial foothold.

This course therefore will equip those likely to find themselves with an initial foothold with the skills to practically exploit a given privilege escalation vector on the Linux system. Attendees will be presented with various scenarios and methods by which full control can be achieved, supported by a virtualised set of challenges to practice and hone their techniques.

We will be focusing on privilege escalation in Linux, looking at both the basic scenarios and some more complex instances, as well as escaping restricted shells and execution environments.

Alongside a core methodology and exposure to various privilege escalation scenarios, attendees will also take away an execution environment which can be used to further hone their privilege escalation skills, and be tuned to increase the difficulty of exploitation by enabling controls commonly found in the wild and within hardened environments.

Specifically, the following topics will be covered:

Day One:

  • The Linux privilege model, and the importance of root
  • Basic Linux privilege escalation

Day Two:

  • Escaping and bypassing restricted environments
  • Complex Linux escalation”

Exercise/Competition Details:

  • Registration is first come first serve! There will be limited availability so sign up quick!
  • Training will be held from 9AM to 1PM each day of the conference (Saturday the 28th and Sunday the 29th of November)
  • The exercise is delivered remotely, and further details of what you may require for the training will be sent prior to the event.

    Sign ups are now open! Please


Workshop Speaker(s)
Guide to writing IR Playbooks - 14:55 on Saturday 28th for 2 hours

Incident Response playbooks are either written too vague or too detailed. One size doesn't fit all and borrowing playbooks from industry peers won't work for your out-of-box. Every organization is unique in terms of the technology stack, skilled manpower, and team structure.

This workshop is aimed at equipping the participants with the analytical skill to produce playbooks for operations of any scale and complexity.

Interactive Exercise: We will start with a tabletop exercise, use ComfyCon discord for brainstorming response actions, and build a playbook from scratch. This activity is aimed at instilling the analytical workflow which the participants can take away and use the next day at job.

Sign up at
Mustafa Qasim (@mustafaqasim)

Mustafa started in IT industry 15 years ago and been working in DFIR space since 2013. He worked as Network Engineer and Unix Sysadmin before pivoting into Incident Response and Digital Forensics. He has built a Managed Security Services division from ground up, orchestrating professional services including Security Operations Center, Incident Response, Penetration Testing, and Incident Readiness. He is passionate about teaching and loves to make analogies that help explain  technical concepts in plain English.
Build-a-bot - Creating a bot to beat a WAF and SOC. - 12:45 on Sunday 29th for 2 hours

In this workshop we'll dig into the process of creating a HTTP Bot from scratch, designed to bypass the most finely tuned WAFs and subvert WAF alert triaging to go unnoticed. In this session you'll have the opportunity to implement your own location aware proxy service for your bot to hook into, dynamic HTTP header generation to avoid ever sending the same request twice, mimicking legitimate human traffic and creating a smokescreen to divert the attention of the SOC.

This workshop will require access to a code editor, have a fair understanding of JavaScript in the context of NodeJS, and the ability to install NodeJS.

Sign up at
Sam Crowther (@infosecsam)

I'm an entrepreneur with a passion for cybersecurity. I got my start in the security industry as a high school student when I had the opportunity to work with the team at the Australian Signals Directorate (ASD). From there, I moved to a red team role at a global investment bank, an experience that inspired me to start my own company. I love creating simple technical solutions to complex problems and am motivated by challenging preconceived ideas.

Liam Robinson

Liam Robinson is the Head of Research and Development at Kasada, primarily focusing on designing the future state of Kasada's detection platform, identifying & researching new detection techniques and strategies. He also plays an important role within the security engineering and threat system teams, assisting with the ever evolving bot identification and mitigation TTPs.

Combining a strong technical background in solution architecture with a propensity for "breaking stuff" and reverse engineering; Liam thrives on the opportunity to envisage creative methods to achieving his goals. Liam's obsession for automation and all things bot related started at the age of 14, writing his own custom scripts to grind all the boring stuff on MMORPGs while he was at school. It didn't take long until he realised you could automate a lot of the boring stuff in life online as well.
Learn how Networks work with WireShark. - 16:35 on Sunday 29th for 1 hour

A 100 level workshop to demonstrate how devices communicate over network interfaces, typically using Ethernet and TCP/IP.

Demonstrating how you can view contents of cleartext packets, how encryption affects network transmission, how you can view the full communication of a network transmission and more.

Learn how to install and configure WireShark on your own workstation.

Learn some really simple tricks you can use in pcap analysis tasks in Capture the Flag events.

Sign up at
George (@georgecoldham)

George loves sharing what he knows in the hope that it helps others grow and improve. His career spans both education and technology and now works as a consultant at Empired.
Mental Health Threat Modeling - 12:45 on Saturday 28th for 1 hour

In the field of cyber security, we talk about threat modeling as a process of how we can design systems to become more secure by looking at potential threats. The phrase has also been used in the context of personal threat modeling in terms of how we can practice having better opsec to protect our physical security. But we haven’t really talked about how we can use threat modeling to help safeguard our mental wellbeing. This talk will cover how we can use safety plans from the realm of mental health practices to create our own mental health threat models. Participants will be given time to think about their potential risk factors. At the end of the talk, the speaker hopes that the participants walk away with a draft of their own mental health threat models.

Sign up at
Gyle (@GyledC)

Before switching to the tech field, Gyle trained as a psychologist. While in the university, she used to joke that there seems to be an invisible blinking signboard above her head that says “All ye needing solace and comfort, talk to me.” This persisted when she got into the interwebs via her trusty 56k US Robotics modem, where she used to hang out in IRC chat rooms. Currently, aside from finding bad stuff as a Cyber Threat Analyst, she volunteers for various causes. She’s also an accredited Mental Health First Aider and if it wasn’t for the pandemic, she would go for the instructor course to help train more people. So getting selected to do this talk is her way of reaching out to others who maybe struggling.
Real-World Cryptography - 15:00 on Sunday 29th for 1 hour

Have you ever wondered how all the cryptographic magic we use every day works? Then this workshop is for you!

Aimed for people with little prior knowledge, Eleanor will discuss the theory behind some of the most widely-used cryptographic tools today, including AES, ECDH, ECDSA, and message authentication codes. They will then give you the opportunity to use these tools to solve some workshop problems in Java or Python, giving you some hands-on experience to relate the theory to practice. Eleanor will be at hand to guide you through anything you get stuck on.

Sign up at
Eleanor (@noneuclideangrl)

Eleanor is a Master's student at the University of Melbourne researching applied cryptography. They are interested in almost everything, but especially security & privacy, and the methods to achieve them in real-world scenarios. They like cats, tea, karate, and role-playing.