Presentations

Jayson E Street

STRATEGIES ON SECURING YOUR BANKS & ENTERPRISES. (FROM SOMEONE WHO ROBS BANKS & ENTERPRISES FOR A LIVING!) – Thursday Keynote

Most people who work on the defensive side of computer security only see the landscape from that perspective! In this talk Jayson will show how an attacker views your website & employees, then uses them against you. We’ll start with how a successful spear phish is created, using the information gathered from the company’s own ‘about’ page as well as scouring social media sites for useful information to exploit employees. The majority of the talk will cover successful counter-measures to help stave off or detect attacks. This discussion will draw on the speaker’s 15 years’ experience of working in the US banking industry on the side of defense, and at the same time on over 6 years of doing engagements where he took on the role of the attacker. If everything turns out well, everyone will have learned something new that they can immediately take back to their networks and better prepare them against attacks!



Johnny Xmas

10 Cent Beer Night: The World We Now Live In – Friday Keynote
June 4th, 1974: A bench-clearing brawl in response to some extremely “dirty” baseball a week prior at a Texas Rangers game left fans of the visiting Cleveland Indians itching to show how far they’d be willing to go to defend their pride. In the week that followed, radio announcers, TV hosts and even coaches from each city swapped backhanded remarks and snide comments in regards to their opposition, raising public tensions to astronomical proportions. As the series moved to Cleveland’s stadium, with the fans’ thirst for revenge on a steep incline, the Indians marketing team decided to continue with plans for one of the worst ideas in Major League Baseball history: Ten Cent Beer Night.


Gabriel Ryan (solstice)

The Black Art of Wireless Post-Exploitation
Wireless is an inherently insecure protocol. Most companies recognize this, and focus their resources on minimizing the impact of wireless breaches rather than preventing them outright. During red team engagements, the wireless perimeter is cracked within the opening days of the assessment, or it isn’t cracked at all. From an attacker’s perspective, the real challenge lies in moving laterally out of the isolated sandbox in which network administrators typically place their wireless networks. Enterprise network teams are typically aware of this fact, and many will attempt to justify weak wireless perimeter security by pointing out how difficult it is to pivot from the WLAN into production.

However, preventing an attacker from doing so is only easy when the network in question is used exclusively for basic functions such as providing Internet connectivity to employees. When wireless networks are used to provide access to sensitive internal infrastructure, the issue of access control gets significantly messier. A door must be provided through which authorized entities can freely traverse. As with cryptographic backdoors, a door that requires a key is a door no less.

In this presentation, we will focus on methods through which red team operators can extend their reach further into the network after gaining their initial wireless foothold. We’ll begin with a quick recap on how to use rogue access point attacks to breach all but the most secure implementations of WPA2-EAP. We’ll then demonstrate methods of evading the most commonly used methods of WLAN access control, and explore whether segmentation of a wireless network is truly possible. Finally, we will demonstrate how contemporary network attacks can be combined with wireless man-in-the-middle techniques to create brutal killchains that would be impossible to achieve over a wired medium.


Kyle Shattuck & Kyle Eaton

The Credentials in the High Castle
Account takeover (ATO) incidents can be obfuscated from an analyst in a multitude of ways. Analysts will learn a number of ways to detect and respond to these ATO events. The analysts will be taken through reactive and proactive ATO activity, as well as developing and validating patterns to detect this traffic. Blocking methods are also important considerations we will cover. We will go through three simulated ATO attack scenarios to illustrate this process. It is important to have knowledge of what legitimate traffic should look like for an analyst to respond appropriately. This will not cover the setup of appropriate logs or focus on a particular tool.


Arron ‘Finux’ Finnon

3rd Party Data Burns
Data loss via 3rd party data breaches is a subject that most have little time for, yet the impact of what has been lost in recent years is yet to be fully understood. From work-related emails to corporate passwords, it’s all out there. Billions and billions of individual pieces of data are floating around the internet; none of them really have any value individually, but when put together and indexed they can become very costly. This talk looks at the journey one can take to build a data-dump search engine that is fast, efficient and plentiful in results, and of course all the bumps along the way. It is so much more than just passwords; it’s a peek behind the curtain of what is really waiting for us in the next few years. You’ll walk away from this talk knowing what to expect from data-driven hacking attacks, and get an understanding of how dangerous this passive OSINT enumeration can actually be.


Chris Roberts

Population Control Through The Advances In Technology…
The Future…. :)
Will we end up with a hierarchical system of digital existence? At the moment we still need humans to be able to produce for us; we are not talking about food or anything so mundane…but at some point we are going to need to maintain a source of power, cooling and of course increased capacity for that ever expanding universe that we are creating…so will we have those who prefer the conscious life over the digital life? Will we somehow manage to tier existence in such a way that we become a totally separate set of entities? If so, how will we exist, and how would we manage to interact in a manner that is symbiotic with our fellow man who’s on the outside? Are we possibly looking at population control through digitization? There are 7-8 billion of us on this planet at the moment; if a large chunk of humanity decides to give up on its physical body and solely rely upon digital resources for existence, then there’s an argument to be made for the simple fact that we’d be saving the planet’s resources (as long as the data centers could be maintained in a somewhat carbon neutral manner (which some have proved IS possible)).

David Kennedy

Morphing to Legitimate Behavior Attack Patterns
Let’s face it, the industry is getting better at detection. Not everyone, but it’s getting there. Companies are focusing on getting logs from their endpoints and looking for abnormal patterns of behavior. As attackers, our tactics have been shifting over time to become more compliant with standard protocols and behavior. This has implications on how we test, the length of engagements, and the level of effort to attack. It’s not as easy as it once was (with many exceptions), but as defense grows, our capabilities as attackers have to grow as well.

This talk will dive into what I’m seeing out there as far as detection capabilities, and how to get around them. Let’s take a dive into multiple detection and preventive capabilities and how to circumvent them without getting detected. As the offense, we can’t rely on hoping for multicast to DA every time. The times are changing, our skills need to match that appropriately.

J Wolfgang Goerlich

We got it wrong
This session is on all the things we all say all the time, about all the things we all know. Security through obscurity is bad. Defense in depth is good. Stop clicking things. Next generation is bad, or maybe, next generation is good. The list goes on and on. The resulting rules of thumb are sometimes contradictory and often misleading. With war stories and anecdotes, we’ll explore what happens when teams run security by tribal knowledge instead of research and reason. Spoiler alert: they get pwned. Turns out, we were wrong.


Duncan Manuts

Duncan Vs the Internet!
Enjoy the show as Duncan debates the internet on a variety of topics. With some special guest appearances.
Guaranteed to delight and offend.


Joel Cardella

The Shuttle Columbia Disaster: Lessons That Were Not Learned
When the shuttle Challenger was destroyed in 1986, poor NASA culture was significant in the events that led to the disaster. NASA made serious changes to their space program to ensure human life was at the least risk possible. But in 2003, the shuttle Columbia suffered a disaster and all hands were lost upon re-entry. The ensuing investigation specified that “NASA organizational culture had as much to do with this accident as the foam.”

This talk will look at how culture affects risk in organizations, using both the Challenger and Columbia as examples, and talk about the difficulties of risk management, and give guidance on how to deal with and overcome difficult risk decisions, such as the final decision by NASA not to inform the astronauts they were doomed.
Takeaways will be how to understand how culture impacts risk, what you can do about it, and how to make better risk decisions.


Infosystir

Cyber, Cyber, Cyber – Using the killchain to accomplish something
Everyone talks about the cyberkill chain(tm). I want to show you how to map some of the common threats to the different steps along with how to defend against and monitor for each along the way. Threats like ransomware, data exfiltration, and application vulnerabilities will be broken down for a better understanding of how to improve the standard of defense.


Brett “GOllumfun” Johnson

Shadowcrew: A history and future of cybercrime
Presenter will detail a representative history of cybercrime, concentrating on Shadowcrew, Carderplanet, and its members (Brett Johnson, Albert Gonzalez, Max Butler, Roman Vega, Dmitry Golubov, and others). Presentation will center on how those groups are the precursors of darkweb marketplaces and online criminal communities. Issues of Group Structure, Trust, Anonymity, networking among criminals, etc. will be examined. Further discussed will be the current state of cybercrime, specific crimes and intrusion techniques, future implications, and ways to prevent.


Joe Petroske & Rachel Giacobozzi

Those Phishing Guys: TA530 In-Depth
Successful financially-motivated adversary groups play the long game. They evolve, adapt, and change tactics to make sure they remain successful. Here is an in-depth look into the activities of one such group, which has been successful enough to get its own name: the TA530 group. We will take a look at TA530’s successful campaigns, focusing on the initial payload delivery and network detection of the malware used by this group.


Dr. Jared DeMott

Embedding Security in Embedded Systems
If security were easy, we’d have solved it 20 years ago. Unfortunately for complex systems, we need all-hands-on-deck: developer training, correct implementation, proper deployment, monitoring, secure updates, and response planning. Come be encouraged by Dr. DeMott to apply security best practices to the embedded specific domains.


atlas 0f d00m

TBA
More info to be announced shortly


Dr. Phil Polstra

I’ve got a (Pocket) Bone to pick with you
This talk will demonstrate several attacks that can be performed using the new open-source PocketBone from the BeagleBoard.org family. The PocketBone is only 1.5×2.5″ which means it can fit in a small mint tin and could always be with you. USB and wireless attacks will be covered. In addition, attendees will learn how to use the PocketBone as a USB writeblocker. Only basic Linux and attack knowledge is required to get something from this talk.


Aaron Shanas & Joe Petroske

The Need for Speed – Benefits of Speed Driven Incident Response
Threat actors, like your IR team, need time to complete their mission. By short-circuiting the IR process, we will show you how to recover from attacker footholds and prevent what you really care about — Attacker mission completion. We propose and demonstrate the benefits of a new approach, focusing on rapid identification and containment of threats using sniper forensics and live response techniques in place of classical investigative methods.


David “HealWHans” Schwartzberg

Building a Usable Mobile Data Protection Strategy
Mobile smart devices from the consumer perspective are easy to activate for an enriched user experience. Once smart devices are enabled in the enterprise, after the basics, the user experience they know drops while users and InfoSec demand more with competing agendas. This presentation will provide you with a blueprint of the various mobile data protection technologies. We will review what is provided natively, as well as third party options, to help you decide what will fit best in your environment and corporate culture.


Charles Parker, II

Oops! Was that your pacemaker?
Medical devices have become more prevalent as the population has aged. The earlier applications included externally worn devices. As time passed, the technology improved markedly. Technology has improved these devices by, among other modifications, connecting them (IoT). Over more than the last two decades, a portion of these have been implanted in the human body. Although these have proven to be significantly useful, there have also been issues that have been shown to be problematic and others that could prove to have issues (proof of concept). This connectedness has created its own vulnerabilities and allowed these devices to be attacked and potentially breached, as a POC. This is a direct result of the engineering being focused primarily on the equipment operating and not addressing the security aspect. The presentation shall address the historical aspect of the equipment, manufacturers, communication channels, and how these are attacked.


Michael Belton

Tales From The Trenches: Practical Information Security Lessons
In this talk, Michael Belton discusses his past experiences delivering penetration testing services. The format for this talk is conversational and audience participation is encouraged. Michael will provide background on the situation, discuss the actual techniques and attacks used in the hack and use that to identify defense-in-depth measures that could have mitigated risk. This talk is intended to learn from the mistakes of the past.


Thomas Richards

Red Team Yourself
So your organization conducts regular tests with $automated tool. Want to bring your security testing program to the next level? Red Teaming will give your organization a goal-based, adversary-emulating approach to see how secure it really is.


Zee Abdelnabi

Identity theft through OSINT/social engineering
This talk will demonstrate how easy identity theft has become because of OSINT and the ability to easily social engineer and grab metadata. It will cover how an attacker uses OSINT to build targeted attacks, how an attacker builds a profile using software to represent their data about you, and how an attacker uses data points to pivot from one source to another online. The target was picked at random. Not only does it cover his current activity but his cached activity, which enables attackers to target him. The story will show how an initial search led to complete PWNAGE of the individual because of a random blog that was discovered. This talk also shows how easily I was able to find his company’s email format and private IP addresses, which could have completely allowed me to own his company’s network because his company allowed BYOD. It will cover how you can better prepare and protect yourself.


Anthony Sabaj

The Future of Cyber Security
Trends, Threats and Solutions from the Data Center to the Cloud for tomorrow and beyond


Justin ‘Buckaroo’ Whitehead & Jim Allee

vAp0r and the Blooming Onion
vAp0r is a Linux distro that brings together a specific set of tools to allow for secure Tor use on the Raspberry Pi 3, since the standard Tor Browser bundle does not support the ARMHF architecture. Included in the distro is Mozilla Firefox set up as a Tor browser with custom privacy settings to harden it and privacy add-ons which allow for extra layers of security.

Bloomin’ Onion is a Red Team inspired leave-behind device, based on RPi3, which opens your target’s network up like an Onion blossom. Deploy a rogue hotspot remotely and tunnel traffic back to your vAp0r and funnel it through Burp proxy for MitM. Do remote ARP spoofing, collect Windows authentication information, packet capture and more!


Shaun Muller

Software Defined Segmentation
Acquisitions, partnerships, BYOD and IoT are just some of the business demands that increase security headaches for businesses and place demands on IT. Come explore segmentation as a mechanism to contain the spread of a compromise from one system to another.


Hilary Louise

A Reporter’s Look at Open Source Intelligence
Governmental and private agencies provide a vast amount of publicly-available information on individuals and companies for those driven or savvy enough to find it. This talk aims to ease the digital and bureaucratic guesswork from the perspective of an investigative reporter. We’ll go through where and how to find certain types of data, and talk search tips to make the best of any future digital intelligence-gathering efforts.


Jim Wojno and Dan Kieta

Infosec State of Affairs: Too much Kim Kardashian – not enough Malcolm Gladwell
In security we obsess about vulns, exploits and attacks with headline-grabbing names like Petya / Nyetya, WannaCry or EternalBlue and not enough on the fundamentals. Sexy technospeak marketing names dominate a field where dozens of companies compete to sell you the latest Silver Bullet One-Size-Fits-All miracle cure widget. This tabloid-esque fixation with style over substance creates a “Kim Kardashian Effect” that produces little long-term value and burns precious resources better used on a Back to Basics approach. This talk will discuss the benefits of a fundamental security hygiene program from both a technology and a business perspective, as well as provide attendees with practical advice on how to improve their own operations using tools you probably already own. Examples discussed will highlight how Blue Team members can become a force multiplier through a return to basics and security 101, and how a focus on the basics can pay higher dividends than the latest glitzy next-gen widget.


bat

Vulnerability Disclosure
Bat will give a brief overview of vulnerability disclosure policies and their importance in both the public and private sectors. She will go over the basics of what a policy should include, things to consider when accepting vulnerabilities from the public (encryption, PoCs, TLS-encrypted forms, email), and how to get started. She’ll discuss the importance of transparency as it relates to vulnerability reports, provide resources to get folks started on their own policies (or refine policies in place), and briefly touch on DHS’s Vulnerability Disclosure Framework, a couple of NIST publications, and the ISO standards for vulnerability disclosure.


David Adamczyk

An Attack Pathway Into Your Organization? Reducing risk without reducing operational efficiency
Despite the increased understanding in the importance of locking down privileged account access, the fact is that privileged access is not limited to users with a “heartbeat.” Enterprise applications, including COTS and custom-built apps often require the same access to privileged accounts as privileged users do. Understanding how breaches occur has allowed for the creation of a methodology, which focuses on reducing the most risk for the least effort first. A phased approach ensures the ability to show measurable risk reduction, and meet compliance, without impacting operational efficiency.


Mark Stanislav & Kelby Ludwig

Realizing Software Security Maturity: The Growing Pains & Gains
Software security maturity is often diluted down to the OWASP Top 10, leaving organizations with a simplistic & ineffective view of the risks represented by their real-world attack surface. Where do these organizations then go to realize a strategy that considers the complexity of their production stacks, including frameworks, platforms, languages, & libraries?

This talk will focus on leveraging the Software Assurance Maturity Model (SAMM) to benchmark coverage & consistency of application security across the software development lifecycle.
If your organization has been considering formalizing your application security program, or just don’t know where to start, come to this talk to find out the pitfalls and opportunities of using SAMM to guide a successful and ever-maturing application security program.


Chris Barnes

Infrastructure Based Security
As the enterprise continues to be bombarded with advanced and increasingly sophisticated attacks, the CISO must shift to accomplish three critical objectives: gain superior visibility and control over their environment; automate tasks that enhance security posture; and utilize integrated systems that identify breaches and facilitate rapid remediation. This can only be done by partnering with vendors that have strong threat research, broad capabilities, powerful tools and integrations with existing tools.


Bil Harmer

Change is Simply an Act of Survival: Predicting the future while shackled to the past
This presentation will briefly review the history and development of the corporate network, its interaction with the Internet and how the adoption of SaaS and PaaS based solutions has rendered the network irrelevant from a security perspective. We will explore recent developments in malware, trends in targets and attack methodologies using case studies. Finally, we will consider one possible future and explore how laying the groundwork now will provide a more secure base to work from while improving usability for the Netizens and reining in costs.


Rhett Greenhagen

Skiptracing for fun and profit
This talk will be somewhat humorous, taking real world examples from my work that are unclassified, with mug shots of them on their way to prison. Each example will start with what I had at the time I was given the target’s name and personals, and end with how I came across their information or lured them to a specific location for extraction by federal agents. Some of the examples include creating a phishing website based off of the target’s resume, finding an IP address through Xbox Live, using cell phone information as well as Facebook metadata to track the user, etc.


Ken Donze

How do you POC? Are you really testing a product?
We have all read the reports from the successful breaches from Target to Equifax. Have you ever questioned why the security products in place did not prevent, or alert earlier to, the breach? Trend Micro’s presentation will focus on the Proof-of-Concept phase of testing a solution from start to finish. Learn the key steps of a POC, how companies run product tests, what is effective and what the common errors are.


Tom Mead

Critical Incident: Surviving my first layoff by applying BCP/DRP Principles
The day before my 30th birthday will be forever ingrained in my mind. It was the day my world stopped, as I experienced a random layoff of my InfoSec job of over 5 years. In this presentation I will discuss my reaction to the sudden and unexpected news, and how my experience in Information Security helped me navigate one of the most terrifying experiences in my life to date. By keeping a cool(ish) head, and applying sound Business Continuity and Disaster Recovery practices, including development of post “incident” lessons learned, I was able to navigate the “disaster”, and come out ahead. I will provide key takeaways to help the audience be prepared for such an incident, while sharing many of the emotions that one experiences during a layoff. While I hope no one ever experiences such an event, it never hurts to Be Prepared.


Bryan York

Dissecting Destructive Malware and Recovering from Catastrophe
An in depth look into the NotPetya malware outbreak from a boots-on-ground incident responder with first-hand experience assisting organizations through response, recovery and investigation. This talk will cover how NotPetya operates, the geopolitical significance of this attack, ramifications of fake news during NotPetya response efforts, methods to recover certain files encrypted by Salsa20, and what you can do to prepare for similar destructive malware attacks in the future.


Aaron Herndon

Pen Test War Stories – Why my job is so easy, and how you can make it harder
As a Pen Tester and security professional, I get it. You are faced with a behemoth of a network, constrained by budget, and every day seems to bring a new zero-day to patch. However, there are some basic steps you can take to secure your network without having to plead for budget. This talk will take attendees on a magical journey through the pillaging and looting that occurs during penetration tests, and the wonderful war stories that come with it. Once the dust settles, we will break down fixing most common vulnerabilities and misconfigurations, so that on your next penetration test, your domain will withstand the siege.

So sit back, laugh or cry, and learn easy ways to make my job harder.


Richard Thieme/neuralcowboy

Staring into the Abyss: The Dark Side of Security and Professional Intelligence
Nothing is harder to see than things we believe so deeply we don’t even see them. This is certainly true in the “security space,” in which our narratives are self-referential, bounded by mutual self-interest, and characterized by a heavy dose of group-think. We become assimilated by the conversation and cease to see the bigger picture.

An analysis of deeper political and economic structures places that narrative, and therefore our core beliefs, in a new context which illuminates mixed motivations, some of the reasons we choose to do this work, and the interpenetration of overworlds and underworlds in our global society and profession. This analysis will make you hesitate before uncritically using the buzzwords and jargon of the profession – words like “security,” “defense,” and “cyberwar” – and before thinking in a binary fashion of good guys and bad. By the end of this presentation, simplistic distinctions between foreign and domestic, natural and artificial, and us and them will have gone liquid while the complexities of information security will remain … and continue to challenge us personally and professionally.


Brent White & Tim Roberts

Skills For A Red-Teamer
Want to incorporate hybrid security assessments into your testing methodology? What does going above and beyond look like for these types of assessments? How do you provide the best value with the resources and scope provided? What do some of these toolkits encompass?

If you’re interested in what skills are needed for a Red-Teamer, or in taking your red teaming assessments to the next level, here’s the basic info to get you started. We’ll discuss items of importance, methodology, gear, stories and even some tactics used to help give you an edge.


Derek Milroy

Learning from InfoSec Fails
This presentation will highlight some of the reasons why InfoSec either fails or is perceived to fail. People, Process, and Technology issues will be presented with examples. The goal of this talk is to allow people to pick up some pointers for doing things better by analyzing real world failures. This talk makes use of jaded and cynical humor to get some of the lessons learned across.


Deral Heiland

Securing the Internet of Things (IoT) – Through Security Research and Vulnerability Analysis
The “Internet of Things” (IoT) is taking over our lives, so we should be constantly questioning the security and integrity of these technologies. As an IoT researcher, this is precisely what I do. During this presentation, I will be sharing details of my day-to-day research, covering the various processes and methodologies around researching (attacking) various IoT technologies that we all use every day. I will be discussing the various structures of an IoT ecosystem and showing how each segment of that ecosystem can be compromised to impact the overall security of a product. Using a live demonstration, I will show several of the security issues discovered during my research over the past 12 months and how we worked with the manufacturers to get these issues mitigated.


Adam Hogan

Eye on the Prize – a Proposal for Legalizing Hacking Back
The myriad objections to legalizing hacking back all agree that an undisciplined horde of skids responding aggressively to every threat presents significant risks we would all like to avoid. Unfortunately, the debate has advanced little from this well established point. I propose we continue the discussion by exploring ways in which hacking back can be legalized responsibly. To this end I argue that stopping piracy in the age of sail shared a number of the same problems we face stopping cyber attackers. This also presents a framework with which to allow responsible hacking back: that of the Admiralty Prize Courts. Prize Courts served as adjudicators of the legitimacy of capturing pirates, and held illegitimate attackers responsible for their misdeeds. This system limited who was legally allowed to attack pirates, held control over the viable targets, and controlled the incentives for pirate hunting. I will argue this is a system we can emulate to regulate hacking back.


Keith Wilson

Defending The De-funded
There is a cyber poverty line that plagues the Cyber Security Industry. The Global 2000 have budgets that allow them to build strong defenses, hire large teams, and perform full and complete investigations. In this talk, we discuss what can be done if your cyber security budget has been cut, or is extremely limited. We will discuss solutions, metrics, and questions to ask your vendors to make sure you are getting the most out of every dollar your department has been allocated.


Andrew Brandt

You Got Your SQL Attacks In My Honeypot
Among the many automated attacks that target the honeypots hosted on my lab network, one of the most interesting in recent memory is also, now, among the most frequent: An automated, Mirai-like attempt to worm malware onto what the attackers clearly think is a Microsoft SQL server, using SQL commands in the tabular data stream (TDS) format. The attacks employ easily-readable commands, some of which have been encoded into base64 to be used as stored procedures for, one might presume, more efficient attack delivery.

In this session, attendees will get a detailed walkthrough of the attack methods in use by the operator(s) of this campaign, including but not limited to analysis of malware the attacker attempts to deliver to a victim server. The attacker(s) appear to be using this method to infect server-grade hardware with a variety of malware including RATs and ransomware. The attackers also employ a number of dead-drop servers of their own, used for hosting malware payloads, and appear to validate connections to ensure the requests for the malware originate from a server and not from an analyst — but we’ve managed to get around that, too. Attendees will also learn what we’re able to determine about the network addresses from which the attacks appear to originate, using Symantec+Blue Coat’s network reputation data.


Zac Brown

Hidden Treasure: Detecting Intrusions with ETW
Today, defenders consume the Windows Event Log to detect intrusions. While useful, audit logs don’t capture the full range of data needed for detection and response. ETW (Event Tracing for Windows) is an additional source of events that defenders can leverage to make post-breach activity more visible in Windows.

ETW provides a rich set of data, largely intended for debugging scenarios. As a side effect, these traces also have data that is ideal for detecting potentially malicious behavior, such as raw networking data and detailed PowerShell data. Unfortunately, the ETW API is low level and primitive, making it difficult to use at scale reliably. Because our security team in Office 365 supports monitoring over 150,000 machines, we needed a reliable way to consume the events in real-time, while adhering to strict memory and CPU usage constraints. To accomplish this, our team built the open-source krabsetw library to simplify dynamically consuming ETW events. We currently use this library to collect 6.5TB of data per day, from our service.

In this talk, we’ll discuss a few ETW sources we’ve found to be high value as well as the detections they enable. We’ll also demo a few examples of using krabsetw to consume them as well as share some strategies for scaling ETW monitoring.


Ernest “Cozy Panda” Wong

A GRReat New Way of Thinking about Innovating for Cyber Defense (and even Cyber Offense)
Since the origins of the Republic, the American people have shown a strong speculative knack that led to novel ideas for tackling tough problems. From the first American colonists who made do with limited resources, to NASA astronauts who boldly explored space with minimal supplies in order to break free of gravity, Americans have a proud history of advancing new and effective ways of getting the job done. However, the Internet’s rapid growth has meant that the tools for operating in cyberspace are constantly changing. In such a fluid environment, does America still have the capacity to gain the advantages necessary to out-hack those who attack us in the cyber domain? This talk analyzes what innovation really means and highlights differences between disruptive, breakthrough, sustaining, and incremental innovations. Through this straightforward yet impactful framework, we gain tremendous insights that help to progress how our nation can develop more effective cyber tools for the defense (as well as the offense, but you didn’t officially hear that from me).


Jerod Brennen

Stealing Domain Admin (or How I Learned to Stop Worrying and Love the CSSF)
With global information security spending rapidly approaching $100 billion, you’d think we’d have a pretty good handle on preventing data breaches by now. However, considering that nearly 1 billion records have been exposed in the 5000+ data breaches publicly disclosed since 2005, you’re probably asking yourself the same question as security and risk management professionals all over the world: How does this keep happening? This presentation will walk you through a penetration tester’s process, step-by-step, as the tester goes from unauthorized outsider to domain admin (without being detected). More importantly, we’ll discuss the fundamental security controls that will shut down attackers time and again.


Shannon Fritz

An Employee, their Laptop and a Hacker walk into a Bar
If one of your company laptops were lost, what might an attacker be able to do with it? In this string of live hacking demos, we begin as an attacker who has no user account credentials and demonstrate how to hack into the warm juicy center of the corporate domain and then STEAL ALL THE THINGS. Learn some easy parlor trick hacks that really work, and more than a dozen ways to protect your organization from them.


Chris J

Threat Intelligence: Zero to Basics in presentation
This is an audience participation talk, on going from having DFIR with no Threat Intelligence to building a basic threat intelligence program. The majority of the data needed to start a Threat Intelligence program is probably already being captured by the DFIR program, and this talk is about taking that data, putting context around it to make it information, and then making that into something actionable (intelligence).

Attendees of this talk should be able to go back to the office after the conference and enhance their IR programs with Threat Intelligence. The presentation will show what Threat Intelligence is and how to collect the data from their own networks. The talk will cover why the majority of Threat Intelligence shouldn’t be paid for until later in the program, while discussing the few things that should be paid for at the start.

In parts of the talk, attendees will help pick the data points to capture, and work through the Alternative Competing Hypotheses to figure out the most likely reason for the event / incident.


Ray Davidson

National Guard for Cyber? How about a Volunteer Cyber Department?
Increased public awareness of “hacking” activities has led to an increase in calls for organized response, some of which have better intentions than understanding. The devil is always in the details. For the past 3 years, the State of Michigan has been cultivating a community of information security professionals and developing a team of volunteers to respond in the event of a cyber emergency.

We have identified and addressed (sometimes multiple times, with varying degrees of success) issues including sponsorship, leadership, authorization, legislative and budgetary support, the makeup of stakeholder and customer groups, and other bedevilments.
Other state governments are now reaching out to learn from Michigan’s experience. Some will undoubtedly create similar efforts in their own regions, potentially led by those who understand the importance of cyberdefense, without understanding cyberdefense itself. This presentation is an attempt to share our experience with practitioners and subject matter experts, so that when the organizers come calling, the practitioners will be equipped to contribute to the effort in the most effective way possible.

Attendees will leave with detailed awareness of some of the pain points of a formal cyber volunteer organization, and some specific knowledge to bring to the table, when it is set.



stumblebot

ProbeSpy: Tracking your past, predicting your future
As infosec enthusiasts and professionals, many of us are acutely aware that our devices may be giving away their current location as they sit in our pockets. What if I told you that your device may also be revealing where you’ve been and where you may be going soon?


spartan

Real-World Red Teaming
Anyone who has been doing pentesting for any length of time knows that there’s a huge difference between what you read in books about pentesting, and what actually happens out in the field. The view of pentesting that is given by textbooks is glorified vulnerability scanning, while the field is moving towards boutique, objective-oriented red teaming. What is different about real-world red teaming, and what should aspiring pentesters be focusing on?


Secureholio

Run the App Sec program? OK…but I don’t think ‘Hello World’ has vulnerabilities
Two years ago the company I left nearly two years before that convinced me to return and head up their application security program. Some asked why I would go back to a company I left, others asked why someone with no professional coding experience would want to take a job in application security. I had a number of programming language classes in college but I never had a job where my responsibility was writing code. The reasons why I went back are varied but you’ll get some insight on how I’m helping to drive better code & reduce overall risk in my company as well as some issues I’ve run into and how I overcame (some of) them.


*Speakers are subject to change with little or no notice