Presentations

Initial release of talks below, more to come


Dave Kennedy

Thursday Keynote

Matthew ‘Mattrix’ Hoy

Friday Keynote

Kyle Eaton

Murky Waters: Diving into Phishing Kits
Credential harvesting phishing emails are the scourge of inboxes everywhere. While these emails are meant to steal account information, sometimes attackers leave behind copies of their source code which we can analyze. This allows us to better understand the attacker and what they are doing exactly.
This talk will highlight the collection of these phish kits, analysis of them as well as automating this process.

Arron ‘Finux’ Finnon

So how the actual f**k did I end up as root here!!!
This is a talk about when failure comes knocking, how you can take down the whole entire house of cards. If you have a failure, that failure should always have more meaningful and larger failures with other failures. Those failures should have other failures with other consenting failures, and those failures can start making more failures. In the end this talk is basically the Russian doll of cascading failures, but a lot more painful. No developers were harmed (*only applies to physical well-being) in the making of this talk.

Jayson E Street

TBA
TBA

Kyle Shattuck

Everyday De-Obfuscation
Modern threat actors are improving their tactics and techniques at an alarming pace. In order to keep up, Incident Responders need to embrace speed as the metric against which they measure success. In this talk, I’ll cover how our team has successfully implemented a program that not only allows for rapid identification and eradication of attacker activity but maintains the depth of investigation needed to ensure that your environment is no longer at risk.

Chris Roberts

The Abyss is Waving Back…The four paths that human evolution is charging down, and how we choose which one’s right…
As humans we have four evolutionary paths:
1. We embrace nanotechnology and Bionanotechnology… we become more dependent upon machines and slowly move towards integration with the systems (we know we’re looking at 80% integration in the next 20 years at least)
2. We embrace consciousness and some of us end up in New Zealand hanging out in an AS/400… bodies no longer needed
3. AI wakes up, looks round, wonders WHY humans are in the driving seat and takes over… OR we end up unplugging it and rebooting back to the 1900s…
4. The stumbling drunk… simply put we keep staring into the abyss and almost falling in, only to somehow manage to come back from the collapse; the challenge is HOW many times can we do this before we simply fall in?

Megan Carney

Threat Hunting: the macOS edition
Much of the research into host-based indicators for threat hunting has focused on Windows. This presentation focuses on host-based indicators I found on macOS after running malware through a lab environment. While the hunting queries I present will be specific to one SIEM, the ideas should be applicable to any SIEM that has process monitoring data.

Duncan Manuts

Wrap Up
Enjoy the show as Duncan rambles on about who knows what
Guaranteed to delight and offend

Joel Cardella

Stop Boiling The Ocean! How To Succeed With Small Gains
Trying to do too much in infosec will actually wind up causing harm, because your attention gets diverted and important things wind up aging.
Infosec is also a very complex set of problems and solutions. It’s typical for managers and practitioners to get caught up in everything and try to do it all at once. This means spreading yourself too thin, and very likely your efforts are falling short. For organizations with small security staff or budgets, a proper information security program can seem like a very daunting task, and it is. Whether you are large or small, improvements over time can also help bolster the security posture of organizations. This is called aggregation of marginal gains, and it’s been used successfully in many situations. It’s harder to see, but easy to measure, and in information security any improvement is a good improvement. The cool thing is you don’t have to stop at just infosec. There is power in small wins and slow gains. This talk will discuss the small improvements organizations can make to improve a security program, whether it is at inception or fully in gear. We will focus on the importance of making better decisions on a daily basis. Find out ways to manage and measure progress, and discuss how to benefit from incremental improvement.

The core of this talk seeks to address one simple question: how can I do better each day?

Rhett Greenhagen

The Spies Who Didn’t Love Me
Cyber espionage is both a small and large playing field. There is a limited number of highly specialized Intelligence operatives and an abundance of potential targets in both heterosexual and homosexual sexualities that can be blackmailed. Everyone lies about sex. A foreign agent is more likely to be able to find information that can be exploited in order to compromise an otherwise loyal individual. While conducting an investigation on multiple mobile dating applications, we found large numbers of false identities in the areas surrounding classified locations including military bases where intelligence agencies, brigades, and law enforcement operate. We came across multiple suspect profiles that were attempting to authenticate the information we were feeding them to determine if we had access to sensitive information and to ascertain our real identities. By following the “Actionable Intelligence Lifecycle”, we were able to document, capture, and analyze patterns to help identify these false identities, both current and future. By developing criteria to detect false identities we were able to develop metrics and a reporting process to assist with countering their intelligence gathering operations against U.S. and allied nation personnel.

Dr. Jared DeMott

How to Conduct a Product Security Test: And How it Fits Into the Larger Security Strategy
Code is now running on just about everything. Threats from around the world would like to damage our data, reputation, finances, and more. As such, we need to be as secure as possible. There are lots of arrows in that quiver. One of them is AppSec or code security. But more broadly we need to look at the whole product and ecosystem. We need to find security bugs in the products we depend on, before bad actors do. In this presentation, renowned cyber expert Dr. DeMott will walk us through the process of how developers and security pros should be conducting such examinations. The steps, the war stories, the experience: I hope to see you there.

atlas 0f d00m

TBA
More info to be announced shortly

Aaron Shanas

Do it Fast, Do it Right – Incident Response to Counter Modern Attackers
Modern threat actors are improving their tactics and techniques at an alarming pace. In order to keep up, Incident Responders need to embrace speed as the metric against which they measure success. In this talk, I’ll cover how our team has successfully implemented a program that not only allows for rapid identification and eradication of attacker activity but maintains the depth of investigation needed to ensure that your environment is no longer at risk.

David “HealWHans” Schwartzberg

Living the Phreaker Life
This is the stories and inspirations behind creating the hit trading card game, Phreaker Life. This is a unique opportunity to hear the stories behind the game.

This talk will only be given at GrrCON.

Aaron Heikkila

w.e w.e Internet Explorer Does What It Wants
So you think you’re safe because you set Notepad to open HTA documents? An IE application bypass method will reveal a hole in your network defense. Internet Explorer can download and execute files in ways that do not respect the File Associations configured in Windows. I’ll explain how threat actors are able to leverage the bypass. I will also explain how defenders can harden their environment to disable the bypass.

Aaron Herndon & Thomas Somerville

Red vs Blue: The Untold Chapter
When a red teamer and a blue teamer go to the bar together, you inevitably get a pissing match of ‘I can do this attack!’ followed by ‘I can stop that attack!’. After hours of this exact, beer-fueled conversation, Aaron and Tom threw down the gloves and put words into action. Join us as we recount the Battle Royale, with Aaron conducting red team attacks, such as generating obfuscated payloads, living off the land, and persisting inside the network, while Tom, representing the blue team, shows how to detect, defend against, and eradicate these threats within a mid-sized corporate network without a dedicated SOC or Fortune 500 InfoSec budget.

Pranshu Bajpai & Dr. Richard Enbody

Crypto Gone Rogue: A Tale of Ransomware, Key Management and the CryptoAPI
Ransomware such as WannaCry and Petya have been heavily focused upon in the news, but are their cryptographic models different from their predecessors? Key management is crucial to these cryptoviral extortions and, for convenience, they harness the power of the resident Crypto APIs available on the host. Simply stated, they command the victim’s resources to lock the victim’s resources. In this talk, we examine popular key management models deployed in infamous cryptovirii with the ultimate objective of providing a deeper comprehension of exactly how resident APIs are being used against users. On a Windows host, CryptoAPI (CAPI) provides cryptographic services to applications. CSPs are sets of DLLs associated with CAPI that implement cryptographic functions such as CryptAcquireContext, CryptGenKey, CryptEncrypt, CryptImportKey, CryptExportKey and CryptDestroyKey. In Windows Vista and later, CNG replaces CAPI and the ransomware menace persists. We explain the cryptographic functions exploited by several ransomware families and explore answers to crucial questions such as how and where the encryption key is generated, where it is stored, how it is protected while encrypting user data, and how it is securely purged. We provide graphical representations combined with pseudo-code embodying real-world Crypto API function calls pertaining to key management in ransomware. This talk delves deep into key management in present-day ransomware and is a direct result of real-world case studies of highly virulent infections. Dissections will be shown to back up the arguments.

Jeff Man

More Tales from the Crypt…Analyst
The speaker, a former Cryptographer for the National Security Agency (NSA), presented “Tales from the Crypt…Analyst” at GrrCON 2016 where he shared some of his experiences as both a designer of and breaker of cryptographic systems. “More Tales from the Crypt…analyst” will pick up with the speaker’s third “tour of duty” at NSA where he became one of the founding members of NSA’s first penetration testing or Red Team. While the thought of NSA hiring hackers or engaging in cyber warfare might be fairly common today, it was not always the case. Somebody had to be first, and the policies, procedures, methodologies, and rules of engagement had to be developed for not only conducting what we called Vulnerability and Threat Assessments, but for successfully navigating the politics, bureaucracy, and reticence of this often-misunderstood clandestine organization. The first NSA penetration testing team was assembled as a part of the newly formed center of excellence that NSA called the “Systems and Network Attack Center” or SNAC. To quote Charles Dickens, “It was the best of times, it was the worst of times, it was the age of wisdom, it was the age of foolishness, it was the epoch of belief, it was the epoch of incredulity, it was the season of Light, it was the season of Darkness, it was the spring of hope, it was the winter of despair, we had everything before us, we had nothing before us…” Come hear some war stories from the early days, and see how this industry and the practice of penetration testing has evolved in the past 25 years.

Soya Aoyama

An Inconvenient Truth: Evading the Ransomware Protection in Windows 10
The WannaCry cyber-attack that spread all over the world in May 2017 is still fresh in our minds. The malware encrypted and rendered useless hundreds of thousands of computers in over 150 countries. As a measure against ransomware, Microsoft introduced the “Ransomware protection” function in the “Windows 10 Fall Creators Update”. How does this function work? Is it really effective? In this talk, I will explain the operating principles of the “Controlled folder access” feature of “Ransomware protection” through a demonstration video. Then I will show the requirements for avoiding this function, and demonstrate that it can be avoided very easily. Finally, I will argue that we may have to reconsider the definition of a vulnerability.

Kelley Robinson

Analyzing Pwned Passwords with Apache Spark
Apache Spark aims to solve the problem of working with large scale distributed data — and with access to over 500 million leaked passwords we have a lot of data to dig through.
Advancements in the API make running Spark with Python, or even SQL, smoother and faster than ever. This talk will introduce you to Spark and the way to run queries on structured, distributed data by looking at breached credentials. We’ll walk through how to get started with Spark and discuss the tradeoffs of using the different abstractions provided by the framework. With the help of live code, we’ll find patterns in the password data and look at how you can encourage your users to be more secure. You will see how easy and fast it is to both explore and process data using Spark SQL, and leave with the tools to get started with your own distributed data… and a password manager.

Brent White

Breaking Into Your Building – A Hacker’s Guide to Unauthorized Physical Access
During this presentation, we’ll discuss proven methods of bypassing popular physical security controls and employees, using only publicly available tools and social engineering. You’ll hear war stories from assessments that we have performed, and the frightening simplicity of gaining unauthorized physical access to many things from server rooms to Top Secret Ops rooms. These assessments will be broken down to discuss the various social engineering and physical security bypass methods and tools used, as well as remediation recommendations.

Matthew Eidelberg & Steven Daracott

SniffAir – An Open-Source Framework for Wireless Security Assessments
As the number of wireless devices continues to increase, so does the amount of wireless traffic. It’s quite easy for malicious traffic to be obscured by the amount of benign traffic out there. SniffAir is an open-source wireless security framework which provides the ability to easily parse passively collected wireless data as well as launch sophisticated wireless attacks. SniffAir takes care of the hassle associated with managing large or multiple pcap files while thoroughly cross-examining and analyzing the traffic, looking for potential security flaws. Along with the prebuilt queries, SniffAir allows users to create custom queries for analyzing the wireless data stored in the backend SQL database. SniffAir is built on the concept of using these queries to extract data for wireless penetration test reports. The data can also be leveraged in setting up the sophisticated wireless attacks included in SniffAir as modules.

Ankur Tyagi

Angad: A Malware Detection Framework using Multi-Dimensional Visualization
Angad is a framework to automate classification of an unlabelled malware dataset using multi-dimensional modelling. The input dataset is analyzed to collect various attributes which are then arranged in a number of feature vectors. These vectors are then individually visualized, indexed and queried for each new input file. Matching vectors are labelled as per their AV detection categories for now, but this could be changed to a heuristics approach if needed. If dynamic behavior or network traffic details are available, vectors are also converted into activity graphs that depict the evolution of activity on a predefined time scale. This results in an animation of a malware sample’s or malware category’s behavior traits and is also useful in identifying activity overlaps across the input dataset.

April Wright

Social Engineering At Work – How to use positive influence to gain management buy-in for anything
Do you understand how to navigate office politics and regularly get what you want and need to make your security efforts take off and be successful? Are there projects or programs you want to institute, but have trouble getting started or knowing how to get people on-board? Most of us understand how SE can be used to test for human vulnerabilities, but socializing at work may give us a yucky feeling. However, if you really want to learn how to get buy-in for your ideas or projects and get what you want, you need to be able to navigate the social system at work and exert indirect influence. It is possible to study and reverse the “dark arts” of SE to actually achieve positive goals; SE principles are used every day by savvy business people to make things happen, even if they don’t realize that they’re using them. Let’s define ways even the most introverted person can play the corporate game in a non-malicious non-manipulative way. Then, we can use this knowledge within our organizations to improve our security posture, “sell” security to stakeholders, and lessen risk. Learn how to utilize the tools of SE “for good” so that we can better serve our infrastructures and customers.

Rachel Giacobozzi

Building a Persona: Protecting Yourself While Conducting Open Source Research
This presentation will outline how to choose your search persona, how to pick your name, location, and even pictures. I will explain which accounts to set up and the best profile information to include. I will outline the best methods for circumventing security questions and SMS text verification. I will discuss which activities and interactions help your profiles appear legitimate. Next I will go over some searching tips to maximize your new profiles. Finally, I will demonstrate how to burn your persona in the event you no longer need the profile or if your profile becomes compromised. This will include scenarios and indicators of a compromised persona.

Dan Cao

Automate the boring Incident Response stuff
Let your security analysts be analysts – Stop wasting their time on the boring stuff! Help reduce the stress of your analysts by building out an automation framework to facilitate information gathering necessary for your responders to begin analyzing a security event immediately!

More speakers to be announced shortly


*Speakers are subject to change with little or no notice