Presentations

Initial release of talks below, more to come

Dave Kennedy

Thursday Keynote

Matthew ‘Mattrix’ Hoy

Friday Keynote

Kyle Eaton

Murky Waters: Diving into Phishing Kits
Credential harvesting phishing emails are the scourge of inboxes everywhere. While these emails are meant to steal account information, sometimes attackers leave behind copies of their source code which we can analyze. This allows us to better understand the attacker and what they are doing exactly.
This talk will highlight the collection of these phish kits, analysis of them as well as automating this process.

Arron ‘Finux’ Finnon

So how the actual f**k did I end up as root here!!!
This is a talk about when failure comes knocking, how you can take down the whole entire house of cards. If you have a failure, that failure should always have more meaningful and larger failures with other failures. Those failures should have other failures with other consenting failures, and those failures can start making more failures. In the end this talk is basically the Russian doll of cascading failures, but a lot more painful. No developers were harmed(*only applies to physical well-being) in the making of this talk.

Jayson E Street

TBA
TBA

Kyle Shattuck

Everyday De-Obfuscation
Obfuscated docs to scripts, how quickly and accurately can you get the IOCs? A number of tips and methods for de-obfuscating different files will be covered. Coming across obfuscated files with a methodology will streamline IOC collection. Setup of a Malware VM will not be covered.

Chris Roberts

The Abyss is Waving Back…The four paths that human evolution is charging down, and how we choose which one’s right…
As humans we have four evolutionary paths: 1. We embrace nanotechnology and Bionanotechnology… we become more dependent upon machines and slowly move towards integration with the systems (we know we’re looking at 80% integration in the next 20 years at least) 2. We embrace consciousness and some of us end up in New Zealand hanging out in an AS/400…bodies no longer needed 3. AI wakes up, looks round wonders WHY humans are in the driving seat and takes over… OR we end up unplugging it and rebooting back to the 1900’s… 4. The stumbling drunk…simply put we keep staring into the abyss and almost falling in, only to somehow manage to come back from the collapse, the challenge is HOW many times can we do this before we simply fall in?

Megan Carney

Threat Hunting: the macOS edition
Much of the research into host-based indicators for threat hunting has focused on Windows. This presentation focuses on host-based indicators I found on macOS after running malware through a lab environment. While the hunting queries I present will be specific to one SIEM, the ideas should be applicable to any SIEM that has process monitoring data.

Duncan Manuts

Wrap Up
Enjoy the show as Duncan rambles on about who knows what
Guaranteed to delight and offend

Joel Cardella

Stop Boiling The Ocean! How To Succeed With Small Gains
Trying to do too much in infosec will actually wind up causing harm, because your attention gets diverted and important things wind up aging.
Infosec is also a very complex set of problems and solutions. It’s typical for managers and practitioners to get caught up in everything and try to do it all at once. This means spreading yourself too thin, and very likely your efforts are falling short. For organizations with small security staff or budgets, a proper information security program can seem like a very daunting task, and it is. Whether you are large or small, improvements over time can also help bolster the security posture of organizations. This is called aggregation of marginal gains, and it’s been used successfully in many situations. It’s harder to see, but easy to measure, and in information security any improvement is a good improvement. The cool thing is you don’t have to stop at just infosec. There is power in small wins and slow gains. This talk will discuss the small improvements organizations can make to improve a security program, whether it is in inception or fully in gear. We will focus on the importance of making better decisions on a daily basis. Find out ways to manage and measure progress, and discuss how to benefit from incremental improvement.

The core of this talk seeks to address one simple question: how can I do better each day?

Rhett Greenhagen

The Spies Who Didn’t Love Me
Cyber espionage is both a small and large playing field. There is a limited number of highly specialized Intelligence operatives and an abundance of potential targets in both heterosexual and homosexual sexualities that can be blackmailed. Everyone lies about sex. A foreign agent is more likely to be able to find information that can be exploited in order to compromise an otherwise loyal individual. While conducting an investigation on multiple mobile dating applications, we found large numbers of false identities in the areas surrounding classified locations including military bases where intelligence agencies, brigades, and law enforcement operate. We came across multiple suspect profiles that were attempting to authenticate the information we were feeding them to determine if we had access to sensitive information and to ascertain our real identities. By following the “Actionable Intelligence Lifecycle”, we were able to document, capture, and analyze patterns to help identify these false identities, both current and future. By developing criteria to detect false identities we were able to develop metrics and a reporting process to assist with countering their intelligence gathering operations against U.S. and allied nation personnel.

Dr. Jared DeMott

How to Conduct a Product Security Test: And How it Fits Into the Larger Security Strategy
Code is now running on just about everything. Threats from around the world would like to damage our data, reputation, finances, and more. As such, we need to be as secure as possible. There are lots of arrows in that quiver. One of them is AppSec or code security. But more broadly we need to look at the whole product and ecosystem. We need to find security bugs in the products we depend on, before bad actors do. In this presentation, renowned cyber expert, Dr. DeMott, will walk us through the process of how developers and security pros should be conducting such examinations. The steps, the war stories, the experience: I hope to see you there.

atlas 0f d00m

emulacra and emulation: an intro to emulating binary code with Vivisect
static analysis is my favorite hard thing. blurring the lines between static and dynamic analysis can be incredibly powerful and immensely gratifying. come listen to atlas talk about how “partial emulation” works, how emulation works in Vivisect in general, and the powerful toys one can create using these tools

Aaron Shanas

Do it Fast, Do it Right – Incident Response to Counter Modern Attackers
Modern threat actors are improving their tactics and techniques at an alarming pace. In order to keep up, Incident Responders need to embrace speed as the metric against which they measure success. In this talk, I’ll cover how our team has successfully implemented a program that not only allows for rapid identification and eradication of attacker activity but maintains the depth of investigation needed to ensure that your environment is no longer at risk.

David “HealWHans” Schwartzberg

Living the Phreaker Life
This is the stories and inspirations behind creating the hit trading card game, Phreaker Life. This is a unique opportunity to hear the stories behind the game.

This talk will only be given at GrrCON.

Aaron Heikkila

w.e w.e Internet Explorer Does What It Wants
So you think you’re safe because you set Notepad to open HTA documents? An IE application bypass method will reveal a hole in your network defense. Internet Explorer can download and execute files in ways that do not respect the File Associations configured in Windows. I’ll explain how threat actors are able to leverage the bypass. I will also explain how defenders can harden their environment to disable the bypass.

Aaron Herndon & Thomas Somerville

Red vs Blue: The Untold Chapter
When a red teamer and a blue teamer go to the bar together, you inevitably get a pissing match of ‘I can do this attack!’ followed by ‘I can stop that attack!’. After hours of this exact, beer-fueled conversation, Aaron and Tom threw down the gloves and put words into action. Join us as we recount the Battle Royale, with Aaron conducting red team attacks, such as generating obfuscated payloads, living off the land, and persisting inside the network, while Tom, representing the blue team, shows how to detect, defend against, and eradicate these threats within a mid-sized corporate network without a dedicated SOC or Fortune 500 InfoSec budget.

Pranshu Bajpai & Dr. Richard Enbody

Crypto Gone Rogue: A Tale of Ransomware, Key Management and the CryptoAPI
Ransomware such as WannaCry and Petya have been heavily focused upon in the news but are their cryptographic models different from predecessors? Key management is crucial to these cryptoviral extortions and for convenience, they harness the power of resident Crypto APIs available on host. Simply stated, they command victim’s resources to lock victim’s resources. In this talk, we examine popular key management models deployed in infamous cryptovirii with the ultimate objective of providing a deeper comprehension of exactly how resident APIs are being used against users. On a Windows host, CryptoAPI (CAPI) provides cryptographic services to applications. CSPs are sets of DLLs that are associated with CAPI implementing cryptographic functions such as CryptAcquireContext, CryptGenKey, CryptEncrypt, CryptImportKey, CryptExportKey, CryptDestroyKey. In Windows Vista and later, CNG replaces CAPI and the ransomware menace persists. We explain cryptographic functions exploited by several ransomware families and explore answers to crucial questions such as how and where the encryption key is generated, where it is stored, how it is protected while encrypting user data, and how it is securely purged. We provide graphical representations combined with pseudo-codes embodying real-world Crypto API function calls pertaining to key management in ransomware. This talk delves deep into key management in present-day ransomware and is a direct result of real-world case studies of highly virulent infections. Dissections will be shown to back up the arguments.

Jeff Man

More Tales from the Crypt…Analyst
The speaker, a former Cryptographer for the National Security Agency (NSA), presented “Tales from the Crypt…Analyst” at GrrCON 2016 where he shared some of his experiences as both a designer of and breaker of cryptographic systems. “More Tales from the Crypt…analyst” will pick up with the speaker’s third “tour of duty” at NSA where he became one of the founding members of NSA’s first penetration testing or Red Team. While the thought of NSA hiring hackers or engaging in cyber warfare might be fairly common today, it was not always the case. Somebody had to be first, and the policies, procedures, methodologies, and rules of engagement had to be developed for not only conducting what we called Vulnerability and Threat Assessments, but for successfully navigating the politics, bureaucracy, and reticence of this often-misunderstood clandestine organization. The first NSA penetration testing team was assembled as a part of the newly formed center of excellence that NSA called the “Systems and Network Attack Center” or SNAC. To quote Charles Dickens, “It was the best of times, it was the worst of times, it was the age of wisdom, it was the age of foolishness, it was the epoch of belief, it was the epoch of incredulity, it was the season of Light, it was the season of Darkness, it was the spring of hope, it was the winter of despair, we had everything before us, we had nothing before us…” Come hear some war stories from the early days, and see how this industry and the practice of penetration testing has evolved in the past 25 years.

Soya Aoyama

An Inconvenient Truth: Evading the Ransomware Protection in Windows 10
The WannaCry cyber-attack all over the world in May 2017 is still fresh in our minds. The malware encrypted and rendered useless hundreds of thousands of computers in over 150 countries. As a measure against ransomware, Microsoft introduced the function “Ransomware protection” in the “Windows 10 Fall Creators Update”. How does this function work? Is it really effective? In this talk, I will explain the operating principles of the “Controlled folder access” feature of “Ransomware protection” through a demonstration video. Then I will show the requirements for avoiding this function and show that it can be avoided very easily. Finally, I will suggest that we may have to reconsider the definition of vulnerability.

Kelley Robinson

Analyzing Pwned Passwords with Apache Spark
Apache Spark aims to solve the problem of working with large scale distributed data — and with access to over 500 million leaked passwords we have a lot of data to dig through.
Advancements in the API make running Spark with Python, or even SQL smoother and faster than ever. This talk will introduce you to Spark and the way to run queries on structured, distributed data by looking at breached credentials. We’ll walk through how to get started with Spark and discuss the tradeoffs for using different abstractions provided by the framework. With the help of live code, we’ll find patterns in the password data and look at how you can encourage your users to be more secure. You will see how easy and fast it is to both explore and process data using Spark SQL and leave with the tools to get started with your own distributed data…and a password manager.

Brent White & Tim Roberts

Breaking Into Your Building – A Hacker’s Guide to Unauthorized Physical Access
During this presentation, we’ll discuss proven methods of bypassing popular physical security controls and employees, using only publicly available tools and social engineering. You’ll hear war stories from assessments that we have performed, and the frightening simplicity of gaining unauthorized physical access to many things from server rooms to Top Secret Ops rooms. These assessments will be broken down to discuss the various social engineering and physical security bypass methods and tools used, as well as remediation recommendations.

Matthew Eidelberg & Steven Daracott

SniffAir – An Open-Source Framework for Wireless Security Assessments
As the number of wireless devices continues to increase, so does the amount of wireless traffic. It’s quite easy for malicious traffic to be obscured by the amount of benign traffic out there. SniffAir is an open-source wireless security framework which provides the ability to easily parse passively collected wireless data as well as launch sophisticated wireless attacks. SniffAir takes care of the hassle associated with managing large or multiple pcap files while thoroughly cross-examining and analyzing the traffic, looking for potential security flaws. Along with the prebuilt queries, SniffAir allows users to create custom queries for analyzing the wireless data stored in the backend SQL database. SniffAir is built on the concept of using these queries to extract data for wireless penetration test reports. The data can also be leveraged in setting up sophisticated wireless attacks included in SniffAir as modules.

Ankur Tyagi

Angad: A Malware Detection Framework using Multi-Dimensional Visualization
Angad is a framework to automate classification of an unlabelled malware dataset using multi-dimensional modelling. The input dataset is analyzed to collect various attributes which are then arranged in a number of feature vectors. These vectors are then individually visualized, indexed and then queried for each new input file. Matching vectors are labelled as per their AV detection categories for now, but this could be changed to a heuristics approach if needed. If dynamic behavior or network traffic details are available, vectors are also converted into activity graphs that depict evolution of activity with a predefined time scale. This results in an animation of a malware/malware category’s behavior traits and is also useful in identifying activity overlaps across the input dataset.

April Wright

Social Engineering At Work – How to use positive influence to gain management buy-in for anything
Do you understand how to navigate office politics and regularly get what you want and need to make your security efforts take off and be successful? Are there projects or programs you want to institute, but have trouble getting started or knowing how to get people on-board? Most of us understand how SE can be used to test for human vulnerabilities, but socializing at work may give us a yucky feeling. However, if you really want to learn how to get buy-in for your ideas or projects and get what you want, you need to be able to navigate the social system at work and exert indirect influence. It is possible to study and reverse the “dark arts” of SE to actually achieve positive goals; SE principles are used every day by savvy business people to make things happen, even if they don’t realize that they’re using them. Let’s define ways even the most introverted person can play the corporate game in a non-malicious non-manipulative way. Then, we can use this knowledge within our organizations to improve our security posture, “sell” security to stakeholders, and lessen risk. Learn how to utilize the tools of SE “for good” so that we can better serve our infrastructures and customers.

Rachel Giacobozzi

The Hybrid Analyst: How Phishing Created A New Type of Intel Analyst
Come along as I explain how our in-depth phishing research morphed me into a new hybrid analyst: part Intel, part IR, part Detection, and a bit of everything else. As I walk through our research and analysis process, I will point out how each step propelled me to expand my skills and helped form a new understanding of what a Cyber Threat Intel Analyst could be. Listen as I explain how to collect sources and scope campaigns, which led to my month with CSIRT and training as a SOC Analyst. As we explore pattern recognition, I will regale you with my new adventures in Regex and detection writing. Each step in the process leads to additional skills and even more twists and turns. Expect education, skills, ideas, memes and more.

Dan Cao

Automate the boring Incident Response stuff
Let your security analysts be analysts – Stop wasting their time on the boring stuff! Help reduce the stress of your analysts by building out an automation framework to facilitate information gathering necessary for your responders to begin analyzing a security event immediately!

James O’Neill

How this 20 Year Old Changed the Security Industry
What do you remember about 1998? Back when we debuted the Nessus vulnerability scanner, only 41% of U.S. adults were online and less than a quarter (24%) were checking their email daily. The Nokia 6620 was the most popular mobile phone, Amazon was only four years old, and a little startup named Google just launched. In the two decades since, the world has become a completely different place. In this session, we’ll share the history and key learnings from our two decades of Nessus vulnerability management experience, explore how VM can augment your security posture, and give you seven takeaways you can use to start a serious conversation in your organization about how to reduce your cyber exposure.

John Grigg

Automation and Open Source: Turning the Tide on Attackers
The security world is still trying to figure out how to deal with the overwhelming number of security alerts and the data deluge most SOCs are faced with, and then turn them into intelligence that is useful and actionable. Throwing more people and tech at the problem has proven to be ineffective and costly. In this talk I walk through methods and tools (that you can actually employ) to turn the tide in your favor and create a security team that proactively deals with threats.

Ken Donze

Do I have a signature to detect that malware?
Signatures have been the primary solution for detecting malware since the early days. Today you can’t depend on signatures alone. What other technologies can we leverage? Is machine learning the answer? Could behavior monitoring actually solve all ills? What about sandbox technologies? Ken will discuss the good, the bad, and the ugly about different technology options for malware detection.

Jared Phipps

Advanced Attackers Hiding Inside Encrypted Traffic at the Endpoint
Advanced attackers are always looking for ways to stay hidden. The growing use of traffic encryption — over 50% of Web traffic today is encrypted — provides a simple trick for attackers to hide their threats and communications channels. Exploit kits, malware, adware, callbacks, as well as command & control channels leverage encrypted communications to infiltrate organizations and exfiltrate information.
Look into encrypted traffic, without the need for a proxy or additional agents and ensure full coverage of threats hiding within covert channels. SentinelOne extends EPP capabilities to provide an integrated workflow from visibility & detection to response & remediation. The single agent, single console architecture provides deployment simplicity and operational agility to improve productivity and minimize business impact of threats.
In this session:
  • Explore and expose threats hiding inside encrypted traffic at the endpoint
  • Discover Autonomous Detection and Response to formerly “unseeable” threats
  • Live Attack Demonstration, Investigation and Remediation

Joshua “Naga” Crumbaugh

How to rob a bank over the phone
This talk will be 50% real audio from a social engineering engagement and 50% lessons learned from the call. During this call I talk a VP at a bank into giving us full access to his computer as well as facilities. At one point during the call, the AV triggers. This is an intense call with a ton of valuable lessons for any social engineer or defender looking to learn how to identify attacks.

Michael Morgese

Saving All the Money to Buy All the Booze: Learning to Hack All the Things on a Budget
The purpose of this presentation is not to provide an overly technical, in-depth look at all the tools available to the budding cyber security researcher; instead this is what present me would have liked past me starting out in the field to have known.
Every conference I have attended has had the same question pop up, “How do I start out?” To the credit of the community, they have been good at helping anyone out that asks. This talk is to give a broad idea of some low-cost or even free tools that anyone just starting out, or even some experts, may not know about. I will be going over places to get textbooks, training, tools, ways to relax, and a few fun things. If you’re looking for puns, terrible jokes, and possibly a meme or two, you’re in the right place!

John Ventura

Cloud Based Security Alerting from Scratch
The current state of monitoring in Google Cloud Platform (GCP) and other cloud based platforms is less than ideal. Established methodologies include significant downsides – for many of these schemes, obvious bypasses exist for attackers and mischievous users, and developers are often inconvenienced. We have examined current alerting mechanisms and will present their strengths and [EXPLOITABLE] weaknesses. More importantly, we have devised alternative strategies that allow administrators to go beyond these limitations in a cheap, effective, and safe way by emulating technologies that exist within AWS and other cloud environments. This talk will prove that administrators can achieve effective monitoring in GCP despite the limited configuration options currently offered.

Although we intend to focus on GCP, we will also examine some of the strengths and weaknesses of other platforms, including AWS. We intend to demonstrate monitoring and alerting strategies that will help administrators seeking to enforce policies or detect successful attacks and misuse.

Derek Milroy

Threat Modeling – How to actually do it and make it useful
This talk will walk through the landscape of various Threat Modeling techniques and then focus on a way to perform threat modeling that leads to actionable outputs and also integrates with risk management practices. The focus is on true L1-L8 threat modeling, not just application threat modeling. No pitches for specific technologies will be made during this presentation. The modeling can be done via common office tool suites.

Joshua “Naga” Crumbaugh

Guaranteed Failure: Awareness The Greatest Cyber Insanity
This talk will outline the top 10 mistakes related to human security and why most companies are still failing. This will be followed up with actionable data derived from real-world training program successes and failures. Attendees will learn how to measure human risk accurately and most importantly how to remediate that risk.

David Fletcher & Sally Vandeven

Hacker Tools, Compliments of Microsoft
This presentation discusses offensive uses for various elements of the Microsoft SysInternals tool suite. In Sally and David’s experience, these tools are often found or are accessible from inside a target organization network and can be valuable using unprivileged user access. In organizations where built-in features like PowerShell, the net commands, and WMIC are being instrumented or restricted these tools may provide a set of viable alternatives….signed, sealed, and delivered by Microsoft. This presentation also serves as a warning to system administrators to protect these tools properly.

Alex Fernandez-Gatti

Physicals, Badges, and why it matters
This talk will cover recent developments in physical security and badge access controls. Research presented at Hushcon and Thotcon in the past year has created a whole new approach towards gaining unauthorized physical access by attacking the door controllers directly on the network. Recently released exploits on these devices allow attackers unfettered access, if they’re willing to set foot inside your building. You can now blame Russia for raiding the break room fridge too!

J Wolfgang Goerlich

Bounty Hunters
Bounty hunters, those keyboard cowboys, bent on circumventing protections and leveraging mistakes in software. All for coin, swag, and glory. But bug bounty programs are the latest attempt to find and stamp out code-level weaknesses. We’ve tried education. We’ve tried coding guidelines. We’ve tried top tens and paid penetration testers. And now we turn to the lone hunter, hoping to find and close just one more vulnerability. This session will highlight some achievements in recent times by these bounty hunters. And stepping back, thinking about defensibility, a framework and approach for building stronger software will be shared. After all, anyone writing code today lives with a price on their head.

Truman Kain

Dragnet – Your Social Engineering Sidekick
Dragnet was created to decrease your time spent on OSINT research, while increasing your SE engagement conversions. If you were to go back and add 10s or 100s of data points for every social engineering target you’ve emailed, or called, or visited… do you think maybe you might find some patterns on who converted? And what if adding those data points was 95% automated? Dragnet is an intuitive interface which analyzes past and present data on social engineering engagements, then offers suggestions on your future engagements, with the goal of saving you time while increasing conversions.

Corey Batiuk

PwnBook: Penetrating with Google’s Chromebook
Why? Manufacturers are making great form factors that are very portable, sleek, with great battery life, and it runs Linux!
I will talk about what led me to using a Chromebook as my main laptop and how I’ve customized it for my daily workflow. I’ve used a Chromebook for the OSCP lab and HacktheBox and will show how I access these labs and get everything working so that I’m just as productive as I would be with any system running Linux. I will also show the solutions for the issues that you will come across if you do this.
I’ll go over how I’ve installed Ubuntu alongside Chrome OS and how I use it without having to switch between Chrome OS and a Linux GUI, but can still run GUI Linux software when needed in Chrome OS. Using Crouton I’ve found a setup that works best and discovered what doesn’t work. I’ll go over both and show tips for managing your Crouton install and how best to work with the limited amount of internal space on most Chromebooks. I’ll also go over my recommended methods for tool installation to a Crouton install and the workflow that I use for pentesting and CTF challenges. I’ll introduce command line tools and settings to improve your workflow which will be important on the Chromebook, but can also be applied to pentesting from any Linux command line. I’ll introduce some Tmux configuration options such as setting up logging for evidence collection. Tmux and Vim also go great together so I’ll show my Vim tips and integrations. Then a demo from my Chromebook of setting up a VPN connection to a lab and a quick exploit walkthrough of a CTF VM using what I’ve shown.

Chad Calease

Life, Death + the Nematodes: Long live Cyber Resilience!
The promise (illusion) of 100% Cyber Security has worn thin. While we continue to support the concepts of defense + prevention, Cyber Resilience goes beyond those measures to elevate our team’s awareness and emphasize strategic response + preparedness for when incidents occur. Because they will occur. Making sure we’re prepared when they do is what Cyber Resilience is all about. Doing it well means opening our hearts + minds + learning to understand our own species even better than before.

Tomasz Bania

Intelligence Creating Intelligence: Leveraging what you know to improve finding what you don’t
Are you an organization that uses threat intelligence that produces less than fruitful results? Is the security team on the brink of removing a “useless” threat feed because it never alerts on “anything good”? What if you could use the information you already gather to produce more actionable (and reliable) threat intel?


    Whitney Phillips

    My First year in Application Security
    Application Security is no longer the “optional” department, as many companies throughout the world recognize it as a requirement, as well as being prudent for their own risk management. This talk discusses my experiences as someone new to the field of AppSec and the many hurdles I faced. I will also discuss the challenges that a new Application Security team will see whilst trying to develop methods and processes for an ever-growing code base. This talk will benefit the individual that is new to the field and those who are managing these groups. Attendees of this talk will take away how I learned to think on my feet whilst under pressure and how I survived my first year in Application Security.


    Matt Reid

    Structuring your incident response could be one of the most important things you do to bolster Security
    Breach news and various studies show that organizations are taking too long to remediate critical vulnerabilities and respond to the tidal wave of alerts from the various protection and detection tools. Despite the significant investment organizations have made in security, every incident still needs a response from the organization—and in some cases, the response needs to be lightning fast. The challenge is that most companies are still responding at “people speed”—following long runbooks, relying on multiple sources of data, moving data between spreadsheets, responding to long email threads, and creating manual reports. The incident response function is a chronically unstructured and unproductive process. But it doesn’t have to be. In this talk, we’ll address the challenges and dysfunction the majority of organizations face when responding to security incidents and events. In particular, how to operationalize the telemetry that is coming out of those investments in vulnerability management, protection, and detection.


    Ankur Tyagi

    Analyzing Multi-Dimensional Malware Dataset
    This presentation will be about analyzing a malware corpus as a multi-dimensional dataset. We start with a set of Portable Executable samples and scan them to collect attributes. These attributes characterize a malware sample and are typically represented as a 1D set of key values. This view is however fairly limited and is not helpful in identifying useful traits for malware family attribution. We then represent the key-value pairs as a multi-dimensional dataset and visualize it using the following approaches:

    1. Byte Frequency Histogram
    2. Grayscale/RGB Byte Representation
    3. API Histogram
    4. Timebound API Histogram

    These techniques help with identification of the defining attributes of a malware family and as such are useful in clustering of samples. The presentation will demo the analysis and visualization upon multiple unclassified malware samples. We will start with a manual run of the tool and then look at examples that use the built-in API for automation.


    Bill Lampe

    2018 SIEM Trends: What is my Mean Time to Value?
    SIEM technology is notorious for taking a long time to get to a point where it is actually providing value to your organization. SIEM vendors in general have two goals: reduce the mean time to detect (MTD), and reduce the mean time to respond (MTR) to cyber threats to your business. Bill will provide an overview of what the SIEM market looks like today and how the landscape is changing to meet the challenges of today’s cyber threats.


    Matthew Eidelberg

    Vibing Your Way Through an Enterprise: How Attackers are Becoming More Sneaky
    Traditional defenses are no longer adequate when faced with modern attacks – attackers will always find a way in. Once an attacker has established a foothold inside a domain, their primary objective is to compromise their target as quickly as possible without being detected. Whether that target is sensitive data stored on a file server, or the compromise of a Domain Admin account, the attacker must first formulate a plan of attack. This plan often involves strategic lateral movement throughout a network. Because of this, many organizations have begun the practice of monitoring for threats based on traffic patterns and characteristics of user activity, known as threat hunting.
    Threat hunting solutions can be employed to detect and prevent these types of attacks. By reviewing not only known attack signatures, but also analyzing behavioral characteristics of both user and system traffic to detect malicious activities, attackers can be stopped from moving deeper into a network. Unfortunately, these tools and appliances are not perfect, and adversaries are constantly developing new techniques to remain undetected. The two main categories that this talk will focus on are techniques attackers can perform to carry out domain enumeration, as well as hunting users and systems which can be leveraged for elevated access while remaining undetected. I will cover techniques attackers can perform, utilizing the objects integral to a domain environment, how they are effective and why they work. Finally, I will discuss and provide recommendations to help combat and mitigate these techniques.

    I’ve developed a framework called Vibe, which utilizes these techniques to perform lateral movement while remaining undetected. This tool uses zero PowerShell to carry out these actions. This tool is not only for red teams, but can be used by blue teams to simulate threat actors in an effort to tune their defenses.


    Mark Stanislav

    Crawl, Walk, Run: Living the PSIRT Framework
    With its June 2017 draft release, the PSIRT Framework from FIRST established a new era in product security formalization. A quick search of FIRST member organizations shows a 5:1 disparity of CSIRT-to-PSIRT members represented, providing a data point to what many industry experts already know — formal product security programs are much more rare than their corporate counterparts. This presentation will detail the journey, hurdles, and outcomes of using the PSIRT Framework to take a hard look at formalizing an existing application security team’s efforts into a more holistic program. Topics will include executing a program gap analysis, deciding on how to remediate identified gaps, organizing a PSIRT across functional teams, processes we utilize, execution of a product security advisory process, and other parts of our organization’s implementation of the framework to guide our program maturity.
    Curious how to take your team’s best-effort product security and level it up? Attend this talk and you’ll gain real-world value from the experiences our team took to do just that.


    Brandon Traffanstedt

    Zero to Owned in 1 Hour: Securing Privilege in Cloud, DevOps, On-Prem Workflows
    In this session, we’ll look at a decade of environment evolution and share a few war stories/fails. Most importantly, we’ll discuss tips to help reduce this big ol’ attack surface by securing privileged organic and inorganic secrets that allow access into Cloud environments, as well as ones that are used by your orchestration, automation, CI/CD, and the DevOps supporting toolchain, while not forgetting that on-prem data centers still exist.

    Chris Burrows

    Career Risk Management: 10 tips to keep you employed
    Hear interesting stories and learn 10 tips to keep you gainfully employed, whether you enjoy leading a Red Team or being a CISO. Soft skills, networking and everyday learning are a few examples of how you will continue to thrive in this space. This talk is applicable whether you are 18, 27 or 72. Everyone needs career advice, especially technology people. Tech skills will get you hired; soft skills will keep you employed as long as you want to be.


    Spencer Gietzen

    Pacu: Attack and Post-Exploitation in AWS
    Cloud infrastructure security and configuration has been shown to be a difficult task to master. Sysadmins and developers with years of traditional IT experience are now being pushed to the cloud, where there is a whole new set of rules. This is what makes AWS environments particularly exciting to attack as a penetration tester. Best practices are often overlooked or ignored, which can leave gaps throughout an AWS environment that are ripe for exploitation. With an increasing number of breaches leaking AWS secret keys, companies are working to be proactive and are looking for red-team-like post exploitation penetration tests, so that they can be sure that their client data is as safe as possible post-breach. Due to this need and the lack of AWS specific attack tools, I wrote Pacu, a modular, open source Amazon Web Services post exploitation attack tool created and used for Rhino Security Labs pentests. In this talk I will cover how red teamers can use Pacu to simulate real-world attack scenarios against AWS environments, starting from IAM enumeration and scanning through exploitation, privilege escalation, data exfiltration and even providing reporting documentation. It will be released as an open source project to encourage collaboration and discussion of different AWS attack techniques and methodologies with both attackers and defenders. This way, both myself and the community can contribute new modules to expand the functionality and usefulness of Pacu continuously.


    Scott Thomas

    Data data everywhere, but no one stops to think. Telling the vulnerability management story
    Security leadership, do you know what data to expect from your vulnerability management program? Does your 30,000-foot executive report include the condensed status you need or just a page with numbers? Vulnerability management professionals – are you telling a story with your reports or hoping to hide the lack of improvement behind canned vendor graphs? The conversation between you both depends on the industry, goals, and where the program needs to get to in the future.


    Kent ‘picat’ Gruber

    InSpec: Compliance as Code
    Compliance requires specific policies to be followed in a system, or many. Often these policies exist outside of the continuous integration life cycle of modern deployments and tend to require hacky scripts. Moreover, they can be horribly unreadable, especially for non-programmers or the programmers that didn’t write them. To address this, InSpec provides a rich framework to turn policy requirements into human-readable code. These policies can be used to automatically detect compliance issues in the cloud, on premise, in containers and more. We’ll go over how to get started testing your systems with a demonstration of InSpec.


    Danny Akacki

    To Fail is Divine
    6 1/2 years. Pushing ever closer to a decade in information security. How the hell did I get here? It seems like just yesterday I was a snot-nosed baby analyst in my first SOC, horrified that I had no idea what a packet was. One thing I know for sure: current success is absolutely no indication of a flawless career. Quite the contrary, it usually involves no small amount of failures and heaping spoonfuls of luck and support from colleagues, friends and family.
    What are the important ingredients to make your way in the information security industry? How do we deal with things like burnout and imposter syndrome while trying to find the bad guys doing bad things to our customers? How many times can I fit “blockchain”, “machine learning” and “threat hunting” into a single presentation? All stress-inducing questions that I’ll try and handle in our GrrCON chat.

    I don’t have all the answers but I’m going to try and get us through this the only way that’s ever worked, and that’s together.


    Adam Hogan

    Malware Mitigation Sample Detonation Intelligence Automation: Make Your Binaries Work for You
    Threat Intelligence creation and operationalization remains a challenge for many organizations – despite being one of the hottest topics in our industry. To assist with this growing problem, CrowdStrike will demonstrate how you can use technology to automate the creation, ingestion, and dissemination of threat intelligence to endpoints, from the cloud, at machine speed. Stop dropping intelligence on the floor. Make your malware work for you.


    Spencer Brown

    Over the Phone Authentication
    Much of our activity online, done through our mobile or desktop devices, can also be accomplished by calling the customer support number. Making bank transfers, purchases, and general account changes without appropriately authenticating over the phone can lead to malicious individuals bypassing two-factor authentication. We will talk about how to improve overall phone call authentication for your customer support lines.


    Sarah Elie

    Designing a Cloud Security Blueprint



    *Speakers are subject to change with little or no notice