Presentations 2024
Adversaries Rising: Looking Ahead in Security
Dave Kennedy
Keeping the genie in the bottle. Lessons learned from classic Sci-Fi.
Brian Herr
Mankind has centuries of lessons learned from technology advancement gone awry. So much so that it has sparked the imagination of Sci-Fi writers to dream about what the future may hold and how mankind can possibly #$%^ things up. This talk will progress through classic Sci-Fi tropes of AI and what it means for us as we build & secure the future.
Generative AI: A Threat, Hope or just Hype
Dr. Louis F. DeWeaver III
Surviving the Robot Apocalypse 2: Dawn of the Rise of LLM
J Wolfgang Goerlich
Tales From the Crypt…Analyst: The After Life
Jeff Man
The speaker began his career in InfoSec at the National Security Agency first as a Cryptologist, designing and fielding the first software-based cryptosystem ever produced by NSA, and later becoming the primary architect of the first NSA Red Team. He has shared his NSA story in a series of talks, “Tales from the Crypt…Analyst” and “MORE Tales From the Crypt…Analyst”. This talk is the third installment in his story and features the transition from NSA to the private sector in the early days of Information Security consulting. He will recount stories from the days of trying to convince companies that if they wanted to connect to the Internet they really needed a firewall; how penetration testing evolved to vulnerability assessments and then to security architecture advisory work; convincing clients that you didn’t need a browser to talk to a web server; finding an open network jack really did mean you had access to the network; why it’s not a good idea for your mainframe to be Internet reachable; rooting a mainframe; and ultimately trying to find ways to get organizations to think about Information Security from a strategic perspective rather than just selling them a bunch of blinky boxes and telling them where to place them. Of course, we’ve solved all these problems from the early days…or maybe, just maybe there are still lessons to be learned.
Topic determined by the number of Feds in the room
Chris Roberts
TBD
Demystifying NTLMv1 & MSCHAPv2
Dustin Heywood (EvilMog)
This talk will cover the NTLMv1 & MSCHAPv2 Challenge Response Formats and reversion to NTLM via the magic of Cracking DES keys. This talk will be delivered 100% from the terminal with live demos. Feel free to throw foam balls at him if he fails to DFIU. This talk will also briefly discuss MSCHAPv2 pass the NTLM hash for sign-on to wifi.
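The challenge-response construction the talk refers to, as an added worked example in Go (not material from the talk or the speaker): NTLMv1 and MS-CHAPv2 both zero-pad the 16-byte NT hash to 21 bytes, split it into three 7-byte DES keys and encrypt the same 8-byte challenge under each. The third key consists of only two unknown bytes, so a captured challenge/response pair gives those two hash bytes up after at most 65,536 trial encryptions; the other two keys are full 56-bit DES keys and need a DES cracker, at a cost that does not depend on password strength. The NT hash used is the well-known hash of the empty password; the challenges and username are constructed. NTLMv1 with extended session security (which derives the DES input from an MD5 of both challenges) is not covered.

```go
package main

import (
	"bytes"
	"crypto/des"
	"crypto/sha1"
	"fmt"
)

// exampleNTHash is the NT hash (MD4 of the UTF-16LE password) of the empty
// password, a well-known value used here so the example needs no MD4 library.
var exampleNTHash = []byte{
	0x31, 0xd6, 0xcf, 0xe0, 0xd1, 0x6a, 0xe9, 0x31,
	0xb7, 0x3c, 0x59, 0xd7, 0xe0, 0xc0, 0x89, 0xc0,
}

// desKeyFrom7 spreads 7 key bytes over 8 so that each byte carries 7 key bits
// plus a low parity bit. DES discards the parity bit, so it is simply cleared.
func desKeyFrom7(k7 []byte) []byte {
	k := []byte{
		k7[0],
		k7[0]<<7 | k7[1]>>1,
		k7[1]<<6 | k7[2]>>2,
		k7[2]<<5 | k7[3]>>3,
		k7[3]<<4 | k7[4]>>4,
		k7[4]<<3 | k7[5]>>5,
		k7[5]<<2 | k7[6]>>6,
		k7[6] << 1,
	}
	for i := range k {
		k[i] &= 0xfe
	}
	return k
}

// desEncryptBlock encrypts one 8-byte block under a 7-byte key chunk.
func desEncryptBlock(k7, block []byte) []byte {
	c, err := des.NewCipher(desKeyFrom7(k7))
	if err != nil {
		panic(err) // only reachable with a wrong key length
	}
	out := make([]byte, 8)
	c.Encrypt(out, block)
	return out
}

// challengeResponse is the construction shared by NTLMv1 and MS-CHAPv2:
// zero-pad the 16-byte NT hash to 21 bytes, split it into three 7-byte DES
// keys, and encrypt the same 8-byte challenge under each, giving 24 bytes.
func challengeResponse(ntHash, challenge []byte) []byte {
	padded := make([]byte, 21)
	copy(padded, ntHash)
	resp := make([]byte, 0, 24)
	for i := 0; i < 3; i++ {
		resp = append(resp, desEncryptBlock(padded[i*7:i*7+7], challenge)...)
	}
	return resp
}

// mschapv2Challenge derives the 8-byte challenge MS-CHAPv2 feeds into the same
// construction: SHA-1(PeerChallenge || AuthenticatorChallenge || UserName)[0:8].
func mschapv2Challenge(peer, auth []byte, username string) []byte {
	h := sha1.New()
	h.Write(peer)
	h.Write(auth)
	h.Write([]byte(username))
	return h.Sum(nil)[:8]
}

// recoverThirdKey is the cheap part of reverting a response to the NT hash:
// the third DES key is NT-hash bytes 14 and 15 followed by five zero bytes,
// so at most 65536 trial encryptions of the captured challenge reveal them.
// Keys one and two are full 56-bit DES keys and need a real DES cracker.
func recoverThirdKey(challenge, response []byte) (b14, b15 byte, ok bool) {
	for i := 0; i < 1<<16; i++ {
		k7 := []byte{byte(i >> 8), byte(i), 0, 0, 0, 0, 0}
		if bytes.Equal(desEncryptBlock(k7, challenge), response[16:24]) {
			return byte(i >> 8), byte(i), true
		}
	}
	return 0, 0, false
}

func main() {
	serverChallenge := []byte{0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef} // constructed
	resp := challengeResponse(exampleNTHash, serverChallenge)
	fmt.Printf("NTLMv1 response: %x\n", resp)
	b14, b15, ok := recoverThirdKey(serverChallenge, resp)
	fmt.Printf("NT hash bytes 14-15 from the third block: %02x%02x (found=%v)\n", b14, b15, ok)

	// MS-CHAPv2 (e.g. PEAP/EAP-MSCHAPv2 on wifi) differs only in how the
	// challenge is derived, so the same recovery applies to its NT-Response.
	peer := bytes.Repeat([]byte{0x11}, 16) // constructed
	auth := bytes.Repeat([]byte{0x22}, 16) // constructed
	ch := mschapv2Challenge(peer, auth, "alice")
	fmt.Printf("MS-CHAPv2 NT-Response: %x\n", challengeResponse(exampleNTHash, ch))
}
```

Once all three DES keys are cracked the NT hash itself is known, and that hash, not the password, is what NTLM and MS-CHAPv2 authenticate with; this is why a recovered NT hash can be passed straight to a wifi network that uses EAP-MSCHAPv2.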
There will be <8100D>: “Attack Surface of Oil Rigs and ICS”
Weston Hecker
Over the past year I have been investigating some software I came across on a honeypot that a co-researcher and I run as a disposable mail service on Tor. We have come across a lot of custom-tailored malware using this avenue, including several versions of ransomware. In early May we came across a sample that is targeting Wellsite Information Transfer Specification (WITS) and measurement-while-drilling (MWD) systems associated with land-based drilling platforms. This led me to do research on what the attack surface of a drilling rig would be. This talk will go into detail about how drilling systems communicate and some of the attacks that could be performed on a drilling rig. This includes throwing off toolface information and burning out motors in bits, disabling H2S and sour gas detection systems, changing survey data to cause the drilling crew to drill out of zone, causing sidetrack and time drilling operations that can cost millions of dollars to a drilling rig, and finally modifying chromatograph information and mud weight, causing a blowout and potentially burning a rig to the ground. Infection methods include Excel files used by directional drillers, MWD staff and third parties. I have also pentested several offshore and onshore oil rigs and ICS systems.
And we’re back
mattrix x g33kspeed
Matt and John will be returning to GrrCON to enlighten the audience with insights, advice and tips based on real life experience.
Living Off The Land: How Threat Actors Avoid Detection
Anthony Kraudelt
As defenders get better, threat actors are taking steps to avoid detection while remaining active within our computer systems and networks. Living Off the Land (LOTL), a technique once used exclusively by advanced persistent threats (APTs), is now being utilized by everyone from APTs to financially motivated criminal elements to embed themselves throughout our networks. Whether you maintain a large corporate network or a home setup, you’re susceptible to LOTL threats. The discussion will include specific tools and techniques used by LOTL threats and the defensive measures which can be implemented to identify those threats.
To top off the presentation we’ll discuss the role of the Federal Bureau of Investigation in identifying and prosecuting criminal threat actors and how anyone can get in touch with the FBI in their area.
Why you don’t belong in this community or the Label of Hacker in under 30 minutes!
Jayson Street
We take 5 hours or more of rants about wannabes, noobs & pretenders invading our community and try to fit something coherent into a 30 minute talk. 1 mic + 1 Hacker + 0 slides = ??? To find out how angry Jayson can get in under 30 minutes, attend this talk!
Automobiles, alcohol, blood, sweat, and creative reversing of an obfuscated Car-Modding tool
Atlas of DOOM
Reversing can feel uber powerful… like you hold God’s honest truth within your hands… most humans don’t understand what you can see and comprehend. Until someone tries to hide the truth from you… limit your knowledge… keep you from your glorious purpose!
Obfuscated code can be a real downer. This talk focuses on the story of how I took on an interesting obfuscated target (an automotive modder’s tool with the ability to flash firmware and tweak engines), in fun and exciting ways. We’ll discuss several problems with obfuscated code, an approach I took (and tooling), playing in the guts of machine code, and customizations to binary analysis tools that came out of the journey…
There will be much hex, disassembly, green on black, total carnage. You will walk away with powerful ideas and new tools to help you in your pursuit of truth. You will be entertained, enriched, educated, and hopefully inspired. Instead of thinking that “atlas is smart”, my goal is you feeling, and being, more powerful.
Come with Vivisect installed to follow along!
Where’s the Money: Defeating ATM Disk Encryption
Matt Burch
Holding upwards of $400,000, ATMs continue to be a target of opportunity and have seen over a 600% increase in crime in the last few years. Security research of the enterprise ATM industry has identified 6 zero-day vulnerabilities in Diebold Nixdorf’s Vynamic Security Suite (VSS), the most prolific ATM security solution in the market. 10 minutes or less is all that a malicious actor would need to gain full control of any system running VSS via offline code injection and enable decryption of the primary Windows OS. Diebold Nixdorf is one of three major North American enterprise class ATM manufacturers with a global presence in the financial, casino/gaming, and point-of-sale markets. Similar attack surfaces are currently being used in the wild and impact millions of systems across the globe. Furthermore, VSS is known to be present throughout the US gaming industry, including most of the ATM/cash-out systems across Vegas.
This session will explore the technical intricacies of this research, review the convoluted ATM market, and reveal the discovery process of these zero-day vulnerabilities. The Full Disk Encryption module of VSS conducts a complex integrity validation process to ensure a trusted system state, executed in a layered approach during system initialization. Examination of the inner workings of this process will highlight various deficiencies, each demonstrated through PoC exploitation.
Each vulnerability presented in this session has been observed to have recursive impact across all major versions of VSS and represents a systemic ongoing risk. We will examine root-cause, vendor remediation steps, and shortcomings thereof – perpetuating the attack narrative. In conclusion, proper mitigation techniques and procedures will be covered, providing valuable insights into defending against potential compromise.
Ragnarök: when threat modelling goes wrong
Finux
You’re tasked with ensuring the safety, security, and well-being of nine different locations within your organization. Some of these locations are known to harbor hostility toward you and your organization. Recently, you’ve received credible intelligence indicating an attack on all areas under your jurisdiction. The threat actors are specialists in asymmetric warfare, posing a significant challenge.
Your strategy? Plan meticulously, then plan some more. Remain vigilant, continuously monitoring threat intelligence, and seize every opportunity to disrupt the adversaries’ progress. Incident response plans have been meticulously established, and key personnel have been trained and deployed, ready to defend against any threat that arises.
However, when the anticipated confrontation with the threat actors finally occurs, it unfolds exactly as feared. What if the very threat modeling meant to safeguard against such events inadvertently precipitated this outcome? Could it be that the threat is not external but internal — emanating from within?
Enter Finux, known for injecting unconventional wisdom into discussions, and this time it’s threat modeling. Brace yourself for Ragnarök—an experience likely to feature colorful language that could even leave P1nkN1ghtmare speechless. The takeaway? Perhaps it’s a realization that hindsight is always clearer, as Finux’s unconventional approach may prompt you to reflect on your own choices: “Should I have gone to the other talk?”
Becoming a .NET Ninja
Nick Spagnola
.NET payloads and tools are an important piece in any red teamer’s arsenal. However, .NET code leaves a lot of hidden artifacts that defenders can use to identify activity, leading to alerts and possible eviction from environments. Properly masking the presence of .NET code can be cumbersome, with some easily overlooked pitfalls potentially leading to being caught. This talk aims to demonstrate some ways to become a .NET ninja and obfuscate your presence when utilizing .NET payloads. Techniques will range from basic obfuscation techniques to advanced manipulations of the underlying runtime that is responsible for executing .NET code.
Taking the Human Element to the MAX
Alyssa Miller
In the aviation world, when bad things happen there is a culture of avoiding the blame game and instead focusing on how we can learn from our mistakes to make everyone safer. With the issues surrounding the 737 MAX series of aircraft over the past couple of years, the FAA and NTSB have again held the line on focusing on safety and learning from mistakes despite media sensationalization. But we in the cybersecurity community can also take advantage of this learning opportunity. With news and whistleblower accounts of the design and quality issues leading to the MAX series aircraft, there are many parallels to what happens in the cybersecurity space when we fail to properly account for and incorporate the human element into our programs. In this presentation, we will take that same approach of not bashing or blaming but focusing on learning. We’ll step through the issues that have come to light regarding the 737 MAX series and show how those correlate to cybersecurity. We’ll identify what lessons we can learn and how we can apply those when selecting technology and building processes for our organizations’ security programs. Finally, we’ll discuss the Swiss Cheese model as it applies to cybersecurity and examine best practices for closing those holes before they align and result in disaster.
AI-Charged Quizzes: The Game-Changing Secret to Supercharging Your Training
Jason Bevis
Are you ready to challenge the status quo of your training programs? It’s time to embrace the disruptive potential of artificial intelligence and revolutionize how you assess your employees’ knowledge retention.
In this cutting-edge session, I’ll share how I leveraged large language models to create a dynamic, AI-powered quiz game that takes your training initiatives to new heights. You’ll discover:
– How AI can generate personalized, adaptive quiz questions that engage learners like never before
– Strategies for seamlessly integrating AI-driven assessments into your training workflow
– Proven methods for using AI quizzes to uncover hidden knowledge gaps and transform future training
Prepare to have your assumptions about training assessments shattered. Attendees will leave empowered to harness the transformative power of AI and take their employee development programs to the next level.
Don’t just adapt to the future – dare to shape it. Join this session and learn how you can disrupt your training with AI-driven quizzes.
The Curious Case of: Maria
Jayson Brown
During a cyber-security investigation into a self-described hacker advertising unauthorized access to our flagship point-of-sale product, my team and I encountered an unexpected yet urgent incidental. The primary investigation involved a hacker promising to double the value of transactions for buyers, posing a significant risk to our company’s financial integrity. However, while researching this case, one of our analysts stumbled upon a troubling social media post from an account that appeared to be linked to our organization. The post, made by a woman who seemed to be in acute distress, indicated her intention to take her own life.
Recognizing the gravity of the situation, the analyst immediately escalated the matter to their assigned security engineer, who in turn, brought it to my attention. Understanding the potential life-threatening nature of this incidental, I made the decision to prioritize identifying and locating the woman to provide necessary intervention. I sought and obtained approval from senior leadership, ensuring we had full organizational support for this delicate and urgent task.
This presentation will detail the steps we took to shift our focus from the primary investigation to address this critical incidental. I will outline the specific directions given to the team, the methods employed to identify the individual, and the coordination efforts with relevant departments and external entities to ensure the woman’s safety. Furthermore, I will discuss the challenges faced during this dual-focused investigation and the ethical considerations in balancing our cyber-security responsibilities with immediate human welfare.
By sharing this incident, I aim to highlight the importance of being vigilant to incidental findings during cyber-security investigations and the profound impact such vigilance can have in potentially saving lives.
Breaking Down Binaries: Navigating the Labyrinth of IoT Firmware Analysis
Edwin Shuttleworth
I’m sure everyone’s heard the joke “the S in IoT stands for Security”, but IoT firmware reverse engineering is still a daunting topic to many. It doesn’t have to be this way. This talk is for all the people who don’t have security clearances, an oscilloscope, or spare devices they can afford to brick.
Specifically, we will discuss how to get the firmware for the devices around you through a variety of dirty and not so dirty tricks. Then we will take that firmware, identify how to unpack it and transform it into a more familiar format. Finally, we will discuss analysis techniques from running strings to Linux system emulation, as well as some tips and tricks for investigating RTOSs and Bare Metal firmware.
Protecting the Executive Digital Footprint – Beyond the Usual
Chris Bullock
In a world where there are over 5.22 billion smartphone users, 4.9 billion social media users, 425 million smart home users, and everything ‘syncs’, people are exposed to cybercrime in a manner that is unfathomable. Many organizations still struggle to put basic cybersecurity protections in place, much less protections around their executive team against cybercrime. Top organization officials are targeted by cybercriminals, and the attacks all begin around the cybercriminal’s intelligence gathering of the target’s digital footprint. We have all been given definitions of digital footprint that are incomplete and inaccurate. In this session, learn what a person’s digital footprint is in its totality, how to protect against its nefarious usage, and why organizations need to put in protections around top executives to ensure executives’ exposure to cybercrime is reduced effectively.
The Curious Case of Alice and Bob
Catherine Ullman
The game is afoot! How does the modern science of digital forensics — like Sherlock Holmes’ own deductive reasoning — unveil truths in a landscape where evidence is as elusive as bytes and bits? Join me in this intriguing inquiry where our understanding of the context is as vital as the tools we wield.
In the curious case of Alice and Bob, we will explore beyond the surface of technical know-how. Attendees will navigate the intricate labyrinth of digital investigation, learning not just ‘where’ to seek digital clues – perhaps hidden in the obscure corners of the registry – but crucially, ‘why’ these specific details matter and ‘how’ they fit into the larger puzzle of our investigation. This talk is not merely a walkthrough of tools and methods; it is a narrative adventure, illuminating their practical use in a real-world scenario. For both seasoned and aspiring digital sleuths, this session aims to sharpen your investigative acumen, much like Holmes honing his skills, setting or recalibrating your expectations of what digital forensics can realistically achieve in the art of uncovering the truth.
Analyzing I-Soon with Data Science and Magic
Joseph Hall
Joseph Hall, Dave Mitchell, and Jeff Simms dive into the I-Soon leak and what our research expanded into. We cover the $100b Chinese Military operations surrounding their 20 year existence. This includes their 100gbps Tor network built by exploiting Layer 2 in global corporate and government networks. As part of the talk we have an AI intelligence agent tool we built and trained on the I-Soon data as well as the Enron case.
Using Drones and Arm devices to augment red team engagements
Alex Thines and Bradley Ammerman
Alex and Brad’s fascination with drones further catalyzed this integration, giving birth to “The Raccoon Squad”. This initiative features two groundbreaking devices: the ‘Flying Raccoon’, representing airborne reconnaissance and intrusion, and the ‘Sneaky Raccoon’, epitomizing ground-level stealth operations. Through this exploration, we gain insights into the future of integrated security solutions that seamlessly blend digital prowess with tangible, real-world applications.
The new SaaS cyber kill chain
Luke Jennings
In the past, we thought of cyber-attacks in terms of recon, port scanning, enumeration, vulnerability identification and exploitation, and we had various approaches to frustrate attackers at every phase. As the cat-and-mouse game of security continued, this morphed into an endpoint compromise-focused process involving initial access, exploitation, persistence, command and control, and lateral movement inside a complex internal network. But with the remote working and SaaS revolution, the way organizations work has changed radically – so what does the cyber kill chain look like now?
This talk will consider what a new SaaS cyber kill chain looks like for modern organizations that are SaaS-native without an internal network and the surprising number of attacks that are possible without touching company-owned infrastructure. We’ll consider topics like how the initial access stage is changing due to the availability of new beachheads, what lateral movement looks like in a world with no internal infrastructure, and how persistence methods have changed and are resilient to common containment measures such as password resets and secure device wipes. Finally, we’ll consider how the open-source SaaS attacks matrix can be used by red and blue teams to help navigate this new world.
The Data Risks of Jumping on the RAG Wagon
Justin Hutchens & Eric Johnson
As a result of the latest hype cycle, there is a tremendous amount of pressure on companies to innovate with AI. For most organizations, the first step (and the easiest) on this journey is to implement an enterprise RAG (Retrieval Augmented Generation) solution like Microsoft Copilot. What better way to rapidly take advantage of AI at scale than by giving it access to all of your enterprise data? Unfortunately, for many security conscious organizations, this seemingly easy first step is raising some challenges. While enterprise RAG solutions do not introduce new data security risks, they do significantly exacerbate data security risks that already exist. This presentation will look at the rapidly transforming landscape of data risk, and the impacts of enterprise RAG solutions upon that. The speaker will begin by addressing some of the notable challenges related to the implementation of generative AI for this use case — specifically guardrail implementation and search & retrieval problems. Next, the speaker will discuss how enterprise RAGs increase the accessibility of enterprise data — for legitimate users and for cyber adversaries alike. And finally, the speaker will conclude by addressing strategies that organizations can implement related to advanced auditing and data protection.
Anatomy of a cloud attack: Insights from Real-Life Experiences
Iman Randhawa
Embark on a fascinating journey into cloud security. Join me as we unravel the intricate details of a real-life cloud attack, shedding light on the tactics employed by cyber adversaries. Delve into vulnerabilities, evasion techniques, and the covert maneuvers used to breach cloud environments without detection. Gain a deeper understanding of the far-reaching consequences of such attacks and the vital steps taken to recover, strengthen defenses, and prevent future breaches. This session is an opportunity to foster knowledge and empower yourself in the ever-evolving cloud landscape. Come, be part of the conversation, and equip yourself with invaluable insights to protect your organization from sophisticated threats.
CVE-2023-52709: Phone as Key DOS in Cars & Supply Chain Risk
Kevin Mitchell
The discovery of CVE-2023-52709 (the TI Bluetooth stack can fail to generate a resolvable Random Private Address, leading to DoS for already bonded peer devices), a vulnerability affecting various Texas Instruments Bluetooth Low Energy (BLE) MCUs, can significantly impact the supply chain. With over 2.6 million units in inventory and a total value exceeding $2.6 million, a widespread recall or patching process might be required. This could lead to production delays, increased costs, and potential shortages of these critical components in various industries relying on BLE technology, including automotive, consumer electronics, and IoT devices. Ensuring timely mitigation and communication with stakeholders will be crucial to minimizing disruption. I will demonstrate the vulnerability during this talk.
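What “resolvable” means for a Bluetooth LE random private address, as an added illustration in Go (not the speaker’s material, and not a reproduction of the TI stack’s defect): an RPA is prand || ah(IRK, prand), where ah is the AES-128-based hash from the Core Specification (Vol 3, Part H, 2.2.2), and a bonded peer accepts only addresses whose hash it can recompute under an IRK stored in its resolving list. An address that breaks any of those rules is treated as a stranger, which is how an already bonded peer ends up unable to reconnect. The IRKs and prand values are constructed; addresses are handled in the specification’s big-endian integer form (HCI carries them little-endian).

```go
package main

import (
	"crypto/aes"
	"crypto/rand"
	"errors"
	"fmt"
)

// IRK is the 128-bit Identity Resolving Key a device shares while bonding.
type IRK [16]byte

// Addr is a 48-bit device address, most significant byte first.
type Addr [6]byte

// ah is the random address hash function (Core Spec Vol 3, Part H, 2.2.2):
// ah(k, r) = AES-128_k(0^104 || r) mod 2^24, with r the 24-bit prand.
func ah(k IRK, prand [3]byte) [3]byte {
	c, err := aes.NewCipher(k[:])
	if err != nil {
		panic(err) // unreachable with a 16-byte key
	}
	var in, out [16]byte
	copy(in[13:], prand[:])
	c.Encrypt(out[:], in[:])
	var h [3]byte
	copy(h[:], out[13:])
	return h
}

// makeRPA forms a resolvable private address prand || ah(irk, prand). The two
// most significant bits of prand must be 01 (the resolvable address type) and
// the other 22 bits must be neither all zero nor all one.
func makeRPA(k IRK, prand [3]byte) (Addr, error) {
	prand[0] = prand[0]&0x3f | 0x40
	allZero := prand[0]&0x3f == 0 && prand[1] == 0 && prand[2] == 0
	allOne := prand[0]&0x3f == 0x3f && prand[1] == 0xff && prand[2] == 0xff
	if allZero || allOne {
		return Addr{}, errors.New("random part of prand must not be all 0 or all 1")
	}
	h := ah(k, prand)
	var a Addr
	copy(a[:3], prand[:])
	copy(a[3:], h[:])
	return a, nil
}

// randomRPA draws prand from the OS CSPRNG, retrying on the forbidden values.
func randomRPA(k IRK) (Addr, error) {
	for {
		var prand [3]byte
		if _, err := rand.Read(prand[:]); err != nil {
			return Addr{}, err
		}
		if a, err := makeRPA(k, prand); err == nil {
			return a, nil
		}
	}
}

// resolve is what a bonded peer's resolving list does with an incoming
// address: confirm the type bits say "resolvable", then recompute the hash
// under every stored IRK. Anything that fails is treated as an unknown
// device, so a peer whose address generation goes wrong stops reconnecting.
func resolve(a Addr, irks []IRK) (int, bool) {
	if a[0]&0xc0 != 0x40 {
		return -1, false
	}
	var prand, hash [3]byte
	copy(prand[:], a[:3])
	copy(hash[:], a[3:])
	for i, k := range irks {
		if ah(k, prand) == hash {
			return i, true
		}
	}
	return -1, false
}

func main() {
	// Constructed keys: the car stores the phone's IRK from bonding, plus one
	// belonging to some other bonded device.
	phone := IRK{0x0f, 0x0e, 0x0d, 0x0c, 0x0b, 0x0a, 0x09, 0x08, 0x07, 0x06, 0x05, 0x04, 0x03, 0x02, 0x01, 0x00}
	other := IRK{0xa5, 0xa5, 0xa5, 0xa5, 0xa5, 0xa5, 0xa5, 0xa5, 0x5a, 0x5a, 0x5a, 0x5a, 0x5a, 0x5a, 0x5a, 0x5a}
	carResolvingList := []IRK{other, phone}

	good, err := randomRPA(phone)
	if err != nil {
		panic(err)
	}
	i, ok := resolve(good, carResolvingList)
	fmt.Printf("RPA %x resolves: %v (IRK index %d)\n", good, ok, i)

	// The same bytes with the type bits wrong are simply ignored by the car.
	bad := good
	bad[0] &= 0x3f // type bits now 00: non-resolvable private address
	_, ok = resolve(bad, carResolvingList)
	fmt.Printf("mangled address %x resolves: %v\n", bad, ok)
}
```

A peer that filters with its controller’s resolving list never even reports the unresolvable address to the host, so from the phone’s side the car simply stops answering; the address looks random and legitimate to anyone without the IRK.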
The Great Cybersecurity Resignation: are you ready for it?
Ashley Townsend
A shocking number of cybersecurity professionals are planning an exit from the field within the next several years. Let’s take a look at why and discuss what is necessary from cybersecurity leadership to sustain a positive working environment when times are tough and mental health may be slipping.
Deepfakes are eating the world, where ya gunna hide?
MacDaddyMoe
Generative AI is capable of creating deepfakes at an alarming pace. Forget elections, advertising and porn. Enterprises need to be ready for deepfakes across their communication channels of email, voice, video and web. The user CANNOT be trained well enough to detect a deepfake, especially if internal AI systems can’t do the job.
Let’s look at this complex situation and all agree that adding friction to the user communication stream is arguably a method that should be considered.
Forging in Fire: Application Injection Payloads and Norse Mythology
Kevin Johnson
Attacking applications and APIs is just the first part of a penetration test. The important part is assessing the risk a flaw exposes, and to do this well requires exploit payloads. The issue is that most people are trained with `' or 1=1; --` or `<script>alert('xss')</script>`. While these will “exploit” the flaw, they don’t help in understanding the risk to the organization or application. This requires better and more complex payloads. And these require the supporting knowledge to build. In this presentation, Kevin Johnson of Secure Ideas will walk attendees through the building of more advanced payloads. Working through the variety of attacks against APIs and applications, Kevin will explore various risks and the related exploits.
Furthermore, this presentation will walk attendees through a new tool, Brokkr Exploit Toolkit. BET is named after Brokkr who helped his brother Eitri forge Mjolnir. As with the original Brokkr, this toolkit is designed to support the tester in their efforts to build exploit payloads for the application or API being tested. This open-source tool is focused on building and testing payloads, so that the penetration tester can focus on discovering the holes and weaknesses and then leverage Brokkr to build the custom payload to show the risk.
Hacking Shame: A New Psychology for Advancing Infosec
George Kamide
In cybersecurity, the pervasive influence of shame significantly impedes progress for individuals, teams, and the industry overall. This talk will challenge the stigma of shame in infosec, where admitting “I don’t know” or getting “pwned” is unfairly seen as a sign of weakness or ineptitude. Shame is deeply embedded within the fabric of the cybersecurity culture. It manifests through individuals’ feelings of imposter syndrome, competitive one-upmanship within teams, and a collective industry struggle against repeated attacks employing unchanged TTPs. In this session, we’ll investigate how uncertainty fuels shame, then we’ll hack it.
New research in psychology and neuroscience now demonstrates the untapped power of embracing the unknown. This session will unpack this research and teach attendees how to harness uncertainty to improve adaptive thinking, critical to evolving security risks. The implications of embracing uncertainty could have a transformative impact on cybersecurity at every level. For individuals, it paves the way for overcoming imposter syndrome by valuing continuous learning and vulnerability. At the team level, it cultivates a culture where expertise is balanced with open-mindedness, mitigating counterproductive competition. On an industry-wide scale, acknowledging and leveraging uncertainty can drive innovation in defense strategies and operational tactics.
This presentation will investigate how reframing our relationship with uncertainty can dismantle the shackles of shame, fostering a more resilient, innovative, and inclusive cybersecurity community. Attendees will leave with new ideas about how uncertainty can be harnessed for improving individuals’ growth, team dynamics, and strategic industry advancements.
EHLO World: Spear-Phishing at Scale using Generative AI
Josh Kamdjou
Email-based attacks remain at the forefront of the cybersecurity threat landscape, ever-evolving to circumvent defenses and trick unsuspecting users. In this presentation, we discuss the risks of Generative AI in the context of the email threat landscape. Specifically, we examine how Generative AI facilitates the automation of targeted email attack creation, resulting in increased campaign reach, diversity, and the likelihood of success.
We’ll show real, in-the-wild attacks with completely fabricated contents, including conversations between multiple individuals that never happened, to demonstrate the sophistication LLMs can afford attackers in conducting convincing phishing campaigns at scale.
Tips and Tricks To Creating Your First Conference Talk
Whitney Phillips
Have you ever attended a security conference (or any conference for that matter) and thought, I would really like to present but don’t know how to get started? Well, I am here to help! This talk will guide you through the process of applying for a conference, writing the talk, and what to do when you get to the conference.
Who stole the cookies? Evolution of access vectors
Rachel Giacobozzi
Recently major news stories have come out detailing attackers using stolen cookies or tokens to facilitate their access. Everyone has the same question: why are they focusing on cookies? I think it is important to understand how threat actors have evolved their access attacks over the years. We will start with port scanning for open connections through to the abuse of key signing for token creation. We will discuss how cyber security has evolved to tackle these vectors, and how this forced the threat actors to pivot to new attacks and vectors. Finally, we will discuss the shift to token and cookie abuse, and where security is successful in detecting and blocking these attacks. I will close out the talk by looking at how identity and security products need to continue to evolve to take on this latest threat.
What’s in a Name – Hiding in Plain Sight
Brian Olson
In our increasingly digital world, detecting malicious activities via DNS analysis has become crucial for cybersecurity. This presentation briefly discusses DNS basics, domain registration norms, and dives into several advanced detection techniques to enhance security measures and identify data exfiltration, C2 communications, and other malicious activities.
Hacking Trucks through RP1210 Shimming Attacks
Jaime Lightfoot
Trucking is one of those “boring” industries that secretly holds our society together, by means of just-in-time deliveries of food, medicine, gas, your latest Amazon impulse buy, you name it. And those trucks are held together by maintenance garages, which are often running outdated OSes and repair tools. Even better, this software has trusted access to the ECUs of those six-figure and 10+ ton vehicles. This talk is about attacks using RP1210, an industry recommended practice that unified vehicle diagnostic adapter (VDA) design. We’ll walk through the construction of a DLL shim to demonstrate attacks in maintenance environments, while also covering mitigations and some Optimus Prime trivia.
PROMPT INJECTIONS V1T4L V3RN4CUL4R V3RB0S3LY V3X1NG
Kyle Meyer
In the days where LLMs are beginning to explode into every web application and process, companies are adding additional attack vectors, thereby increasing overall risk. According to OWASP, prompt injection is the top risk for LLMs that offer a chat feature, and prompt injections can be broken down plainly into 10 distinct types. Balancing the bot’s desire to be helpful with adherence to company policy is a challenging task. Threat actors exploit this conflict, along with other inherent coding vulnerabilities, to generate malicious responses.
Leveraging AI to Enhance a Cyber Security Analyst Investigation Workflow
Lisa Jones-Huff
In the dynamic landscape of cybersecurity, the role of the analyst is crucial in detecting and mitigating threats effectively. However, with the ever-growing volume and complexity of cyber incidents, traditional investigation methods are proving insufficient. This presentation explores the integration of Artificial Intelligence (AI) technologies to bolster the capabilities of cybersecurity analysts and streamline their workflow. By harnessing AI algorithms such as machine learning and natural language processing, analysts can automate repetitive tasks, sift through vast amounts of data, and extract actionable insights at unprecedented speed and scale. From anomaly detection to threat hunting, AI-driven solutions augment human expertise, enabling analysts to focus on strategic decision-making and proactive threat prevention.
Birthing Perjury-free AI
Charles Herring
While believability of an AI (Turing test) is important in many applications, the need for forensic truth is paramount in cybersecurity applications. In this session, we will evaluate methods for training and tuning models that meet the requirements of evidence handling, business analysis and legal and martial response. Data verification, sanitization, and vectorization will be reviewed in this session. Research for preventing AI “hallucinations” and treating data as evidence in inferences will also be covered.
The Azure Necronomicon: Unraveling Identity’s Cosmic Horror
Brandon DeVault
Dive into the eldritch depths of Azure’s identity management, where the seemingly mundane task of handling user identities and service principals transforms into a journey through cosmic horror. In this talk, we will embark on an arcane expedition to decipher the mysteries of Azure identities. Witness how the multitude of GUIDs, those cryptic runes cast by Microsoft into every log, hold the secrets to understanding and mastering the dark arts of cloud identity management.
This session is for those brave souls who dare to confront the bewildering complexity of Azure’s identity services, seeking to cross-correlate the abyssal expanse of activities within the Azure cosmos. Prepare to have the veil lifted on the arcane rituals of authentication, authorization, and the spectral analysis of logs. Whether you are a novice acolyte or a seasoned necromancer of cloud identities, this talk promises revelations that will enlighten, terrify, and empower you to command the forces of Azure’s identity infrastructure.
Old Bugs on New Roads: How Legacy Attacks Threaten CarPlay
Dmitry Moiseev
In this talk I will explore a vulnerability that affects both wireless CarPlay and Android Auto systems – a two-decade-old denial of service attack mechanism that can still cripple the advanced infotainment systems found in modern vehicles. Despite technological advancements, many such systems remain susceptible to simple yet effective attacks that involve jamming Wi-Fi communications by sending minimal packets with an exaggerated NAV (Network Allocation Vector) value. This technique can indefinitely shut down an infotainment system, leading to a range of safety and convenience issues. I will dissect the problem, discuss the implications for manufacturers and users, and explore potential mitigation strategies to protect against such vulnerabilities.
MSRC Vulnerability Update
Dr. Jared DeMott
Two years ago at GrrCon we updated the audience on vulnerability trends, root causes, protections, and bug bounty information related to Microsoft cloud. This year we will provide an updated view. We will present on the types of root causes we are now seeing, and how those are being addressed. Join Dr. DeMott in a stimulating view of Microsoft Security Response Center work.
How to find an IOC across thousands of servers in seconds
Joshua Stenhouse
In this session, you will learn how to solve the fundamental problem of finding post-compromise tooling across billions of potentially malicious files to prevent re-infection of an environment when recovering from the last line of defense of any business, immutable backups.
It’s not my fault your kids are stupid
Erick Boulter
Technology’s influence on society and the laziness of adolescent brains: why the younger they are, the more reliant on technology they become. Is the future of existence based on what children are programmed to say?
Monsters Under Your Bed – Mapping the Dark Web with Python
Zack Smith
With cyber crime and threat actor activity on the rise, it is more important than ever to understand the dark web and monitor it for potential risks or signs of a breach. There are several tools and intel providers that can do this, but they’re not cheap. So why don’t we just do it ourselves?
Python can handle simple tasks surrounding dark web scanning and offers more customization for complex tasks. Using strictly free open-source libraries and any system you have available, you can set up an automated scanner and detect threats as they arise.
Scan for IP addresses, potentially compromised emails, crypto addresses, and any regex patterns that you desire. Map your findings to the most relevant onion sites and get an understanding of where your adversaries tend to operate. This is just a start. From here, you can go almost anywhere. Let’s get scanning!
The Essential Role of AI in Effective Data Governance
Ben Corll
Generative AI platforms like ChatGPT represent yet another opportunity for sensitive data to leak from organizations. This is on top of an expanding roster of remote endpoints, public cloud instances, and SaaS applications in widespread use today that make the practice of data loss prevention seem almost insurmountable. But while AI has in some ways made data protection more difficult, its capabilities can also be put to effective use by defenders. Join this session to learn how AI enables critical data protection capabilities including automated discovery, public cloud configuration, and generative AI governance.
Assess, Adapt, Secure
Aaron Rose
Boost your cybersecurity and streamline operations through practical exercises and tailored guidance. Learn how to strengthen your security setup while aligning it with your broader goals. This is your chance to explore, adapt, and secure your systems in a way that’s both informative and enjoyable.
Introducing Ruzzy, a coverage-guided Ruby fuzzer
Dominik Klemba
Ruzzy is a coverage-guided fuzzer for pure Ruby code and Ruby C extensions. Fuzzing helps find bugs in software that processes untrusted input. In pure Ruby, these bugs may result in unexpected exceptions that could lead to denial of service, and in Ruby C extensions, they may result in memory corruption and remote code execution. Notably, the Ruby community has been missing a tool it can use to fuzz code for such bugs. Ruzzy fills that gap.
Ruzzy is heavily inspired by Google’s Atheris, a Python fuzzer. Like Atheris, Ruzzy uses libFuzzer for its coverage instrumentation and fuzzing engine. Ruzzy also supports AddressSanitizer and UndefinedBehaviorSanitizer when fuzzing C extensions.
This presentation will go over the motivation behind building Ruzzy, provide a brief overview of installing and running the tool, and discuss some of its interesting implementation details.
Saving Lives Around the Table: Firefighters’ Insights on Tabletops
John Hollenberger
It’s 2:00 AM on Friday. The phone buzzes and you need to respond. Sound familiar? You are likely thinking that the SOC just called with a cybersecurity incident and that it is your turn to be on call. But actually, it is the volunteer firefighters’ phone with a reported fire in the neighborhood. Whether a firefighter or a cybersecurity first responder, you experience that middle-of-the-night alert for the latest incident.
Both professional and volunteer firefighters spend significant parts of their time conducting scenario-based training to prepare for emergencies of all shapes and sizes, from fires, to floods, to windstorms, and even terroristic activities. This training helps to prepare the firefighters for any emergency at any time. Cybersecurity and information technology personnel must also conduct frequent tabletop exercises and training scenarios to prepare for the worst-case scenario within their organization.
Every cybersecurity exercise relies on key factors that the presenter will focus on, including:
– When and how often tabletop exercises should be performed.
– Who is in charge of the tabletop and the facilitators’ role.
– What to include in the tabletop exercise and how to make it realistic.
– Who should be involved in the exercise.
– And more…
Participants will have an engaging conversation and see firsthand how they are the firefighters of the cyber world.
Who’s gonna carry the boats
Chris Burrows
Leading InfoSec through hard times. Often InfoSec teams are small and asked to solve highly complex problems, which is similar to the Navy SEALs. InfoSec is about teamwork and shared responsibility. Everyone should know their role. Hear some battle stories and learn solutions to add visibility, gain support and build an InfoSec program you will tell your grandkids about, or at least one that makes you highly impactful and marketable.
Pretty Dope Format (not really)
Kyle Eaton
PDF files are commonly used by threat actors as a means of distributing both malware and phish. In this talk we’ll discuss ways you can detect malicious PDF files, and introduce a new technique which can be used for detection and clustering of malicious PDFs.
Penetration Test != CTF
Patrick Matthews
Using the Rocky Horror Picture Show as a backdrop, I will pierce the confusion of “mono” color testing to open some eyes to what a penetration test really is: a Security Assurance Assessment conducted under the client’s parameters. Unfortunately, all the pentest models are for CTF, exam taking or a tester’s ego, not for answering security assurance questions for the most common types of engagements. The end goal of any engagement is to provide some level of assurance, based on awesome methodology, that answers some concern, governing body requirement or insurance due diligence.
Through this talk I will be speaking about how a business can get the assurance they need from a penetration testing company and how testers/security providers can meet a client’s needs. I will touch on the contradiction of guidelines and the shortfall of frameworks, such as the OWASP Top 10 or CWE Top concerns, so as to build a better security assurance methodology.
The target audience will be security managers, C Level and new security professionals.
Replacement CISOs in the Post-AGI Era
Roman Eng
In this enlightening presentation, we dive into the evolving landscape of cybersecurity in the post-Artificial General Intelligence (AGI) era, provoking the notion of replacing the traditional CISO role with intelligent AI agents. We walk through the Uncanny Valley where humanized AI agents will be poised to make impactful autonomous executive contributions within the corporate workplace. This talk explores the intricacies of AGI and the future implications for executive decisions and cybersecurity leadership.
How will the new-age cybersecurity professional prepare for this new paradigm? We will dive into the importance of upskilling human agency, offering actionable insights into how current professionals can adapt and thrive in this new era. With the burden of balancing the potential of AGI with irreplaceable human values, we set out on a journey to find a synergistic approach in protecting our human flaws and weaknesses against the rapidly evolving threat landscape.
We Don’t Like That Part, so we Turned it Off
William Fielder
Words that make many engineers wince: SELinux, iptables, firewalld, fapolicyd. Many a tutorial begins with telling the reader to turn them off. To that we say “bah!” This talk will shine a bright light upon the falsely perceived darkness of these valuable built-in RHEL security tools. We’ll discuss what they’re for, how they’re used, and how to make them work for you like a well provisioned army.
We are thinking about XDR wrong
JD Bacon
A talk discussing the philosophy of extended detection and response. There is no hard-line set of technology solutions that defines XDR. XDR should be thought of as a philosophy or a strategy that improves security posture, detection capabilities, and a holistic approach to analysis and response.
Bridge the gap between Requirements and Budget with a Security Telemetry Pipeline
Bill Emmet
Every day, security engineers and analysts face the challenge of aggressive threat actors and rapidly growing data volumes without their budgets growing at the same rate. Security teams are stuck in a gap between requirements and funding that is tough to bridge without innovative thinking and new approaches. Teams are working with limited staffing, so every decision and project has to be focused on efficiency. Unfortunately, too many teams are flailing, struggling with chaos, and looking for direction. SOC analysts are struggling with cases where easy access to information takes too much time, and too many details are getting missed.
A new approach to data SIEM architecture is vital to solving challenges around cost management, effective analytics, and meeting retention requirements. With the right toolset and security strategy, security teams have better visibility into the data sets to accelerate detection and incident response and efficiently deliver enterprise objectives.
In this session, attendees will learn how to use an observability pipeline to:
– Achieve best-in-class SIEM architecture.
– Scale staffing to handle increased demands through automation.
– Leverage a data lake to facilitate the data exchange, lower retention costs, and offer better analytics options.
Zero to GRC Hero
Micah K Brown
Over time we all accumulate Technical Debt. After we adopted a new IT and IT Security Policy, I was charged with creating a mapping of how we meet this policy with organizational norms, EA Patterns & Building Blocks, a new Control Self-Assessment tool, and training for our staff. We built an internal GRC tool to help us become both more efficient and audit-proof. Join us to learn how we were able to tell a consistent story across our entire GRC and enable the business.
The contextual approach to IoT cybersecurity
Jason Masker & Yaniv Maimon
SIM-enabled devices have evolved into critical infrastructure, redefining Automotive and Smart Mobility IoT risks and requiring stakeholders to ensure safety, operational availability, and data integrity.
In this session, Jason Masker & Yaniv Maimon will delve into the complexity of cybersecurity detection & response required to effectively safeguard IoT control, functionality and data:
– The non-standardised data challenge
– Full lifecycle transactional monitoring and detection
– The secret sauce: contextual and business logic detection, the power of the digital twin
A Security Peace of Mind
Shane Harsch
Managing workplace stress and anxiety in cybersecurity and embracing self-advocacy. Maintaining a strong security posture requires intense focus and effort on work that never ends. How does that impact your operational readiness? Striking a reasonable work-life balance in the face of SOC stressors can be challenging. I will discuss some of the most common stressors and how you can best manage them so you can prioritize your own security and peace of mind.
Pwning SaaS Apps Like a Boss – Vulnerabilities Lead to Bankruptcy
Babar Khan Akhunzada
In the modern digital era, businesses are increasingly diverging their operations across various online platforms, utilizing the Software as a Service (SaaS) model to sell their services and products. While SaaS offerings are a hotcake, commonly targeted at large enterprises, the threat landscape has evolved, and hackers are no longer solely focused on traditional vulnerabilities like SQL injection, Cross-Site Scripting (XSS), Cross-Site Request Forgery (CSRF), and Remote Code Execution (RCE).
Instead, hackers have shifted their attention to exploiting the financial side of applications, paving the way for a complete takeover of businesses by targeting payment gateways and chaining together vulnerabilities within the applications themselves. SaaS apps are widely utilized across various industries, including eCommerce, eGaming, and product-based platforms, making them attractive targets for malicious actors, who use them for financial gain or data breaches for potential competitive advantage.
Alarmingly, many enterprises remain unaware of the exploited orders and transactions perpetrated by hackers who leverage vulnerabilities within their applications to gain unauthorized access and manipulate financial operations. These nefarious activities can have severe financial consequences for organizations, potentially leading to substantial losses or even bankruptcy in the worst-case scenarios.
Hackers have become adept at exploiting application integrations and internal payment gateway APIs, selling their high-paid SaaS exploitation services on the dark web and hack forums at relatively low costs. This thriving underground market poses a significant threat to businesses, as even a single successful exploit can result in substantial financial damage.
During this session, we will delve into the mechanics of how these financial attacks unfold and provide insights into the strategies and techniques employed by hackers to compromise SaaS applications and payment gateways. Additionally, we will explore effective measures enterprises can implement to secure their platforms from these financially-motivated attacks, mitigating the risks of financial losses and potential bankruptcy.
Applying Machine Learning to Enhance Malware Analysis, Classification, & Detection
Solomon Sonya
Malware continues to increase in prevalence and sophistication. VirusTotal reported a daily submission of 2M+ malware samples. Of those 2 million malware daily submissions, over 1 million were unique malware samples. Successfully exploiting networks and systems has become a highly profitable operation for malicious threat actors. Traditional detection mechanisms including antivirus software fail to adequately detect new and varied malware. Artificial Intelligence provides advanced capabilities that can enhance cybersecurity. The purpose of this demolab is to deliver a new framework that uses Machine Learning models to analyze malware, produce uniform datasets for additional analysis, and classify malicious samples into malware families. Additionally, this research presents a new Ensemble Classification Facility we developed that leverages several Machine Learning models to enhance malware classification. To our knowledge, this is the first research that utilizes Machine Learning to provide enhanced classification of an entire 200+ gigabyte malware family corpus consisting of 80K+ unique malware samples and 70+ unique malware families. New, labeled datasets are released to aid in future classification of malware. It is time we leverage the capabilities of Artificial Intelligence and Machine Learning to enhance detection and classification of malware. This demolab provides a pathway to incorporate Artificial Intelligence into the automated malware analysis domain.
Identity Threat Hunting Insights: Unveiling Real-World Cases
Sharon Nachshony
In today’s cyber threat landscape, identity has emerged as a critical yet often overlooked aspect of cybersecurity. Join me as I delve into the world of identity-based threat hunting, highlighting its importance and complexity. As a cybersecurity professional, I’ll share insights from my experiences and real-world cases, providing a comprehensive overview of how identity can enhance threat detection and incident response.
This presentation will explore the initial goals of harnessing big data and ensuring identity isn’t sidelined in threat hunting. We will discuss the distinct types of identity and contrast identity-based threat hunting with traditional methods that rely on Endpoint Detection and Response (EDR) or network data. While Indicators of Compromise (IoCs) in EDR and network contexts are typically clear, identity-based IoCs often remain elusive, requiring a more nuanced approach.
Using a hypothetical company, “Nexus,” as a case study, I’ll illustrate how understanding normal identity behavior can help identify and mitigate abnormal activities promptly. Real-world scenarios will show how early detection of credential scanning and malicious actors through identity threat hunting can transition into effective incident response before significant damage occurs.
We’ll examine how compromised accounts can be identified and contained, showcasing the importance of lateral movement detection and comprehensive attack visibility from an identity perspective. The session will also cover how identity-based insights can significantly expedite incident response during breaches, using the Nexus case study to highlight these benefits.
Attendees will learn about common security gaps, such as the misuse of administrator accounts and the risks of elevated privileges. We’ll discuss practical strategies to eliminate these vulnerabilities, aiming to leave no loopholes for attackers.
Prepare for an engaging and technical session that underscores the vital role of identity in threat hunting and incident response. No prior specific materials are required, but a basic understanding of cybersecurity concepts will be beneficial.
A Weekend Dive into Open Source Intelligence
Gabe Schuyler
When a quick Google search on a mysterious acquaintance’s name comes up empty, it’s time to up my game on Open Source Intelligence (OSINT) with a quick weekend project. Come hear the story, full of real tools and techniques, of how to:
* Fine-tune your search engine skill for more effective results,
* Search based on an image to trace online footprints,
* Locate people from a phone number or address,
* Mine social media,
* Search arrest and voting records, and even
* Cover your tracks.
Whether you’re a curious mind, an amateur sleuth, or even wondering about your own digital footprint, this talk provides practical skills and privacy tips to help you navigate the vast ocean of online information.
As we go we’ll keep a close eye on ethics, provide tips on stealth, and investigate counter-measures that you can take to reduce your own digital footprint. Your private information is constantly spilling into the open but there are steps you can take to minimize it both pro- and re-actively.
In this beginner-friendly talk, you’ll learn about dozens of free methods for looking up people — including yourself — that you can start using today. Let’s dive in!
All Access: A press photographer’s perspective on Red Teaming scenarios
Mansoor Ahmad
In this engaging talk, we explore the intriguing intersection of photography and red teaming. We unveil how a press photographer’s unique perspective enhances our understanding of red teaming scenarios, shedding light on the intricacies of modern day media access to events ranging from games, concerts to presidential rallies and industry conventions.
From the art of observation to the science of interpretation, we delve into the parallels between the keen eye of a photographer and the discerning tactics of a red teamer, focusing on how lessons learned as a press photographer can directly be applied by red teamers (or malicious threat actors) to gain a foothold in crucial infrastructure. Once that is achieved, attackers can pivot around to a significant number of targets, and depending on the event space/venue, attackers could have access to highly sensitive data belonging to a wide array of organizations, ranging from professional sports teams, musicians and bands, to political leaders and lawmakers.
This talk discusses the importance of looking at the ‘bigger picture’, and being aware of threats where people might not have considered them to come from. In this case, it is threat actors disguised as members of the media: writers, reporters and photojournalists. It will discuss the role of the press, and will pivot to how this can be exploited in real life by threat actors, taking advantage of security misconfigurations, lack of awareness and the First Amendment. It will end with a discussion on a couple of potential attack vectors.
Mouse in the house, operationalizing purple teaming
Trevor Olson
Not many places are blessed to have both an internal penetration testing team and an internal threat hunting team, and we wanted to take advantage of that here at Rocket Companies. What we came up with was Mouse in the House, which at its core is an ongoing purple team engagement between the two teams. This talk will be centered around how we took two teams that didn’t really interact that much and operationalized the process with the goal of completing two of these engagements per month. We will cover the thought process that was used, the tooling used for shared reporting, and how we structured our reports so that they could be consumed by folks in the C-suite.
Cute cats and copy cats – the ancient issue with clipboards
Eric LaVoie
When ease of use meets ease of theft, there’s bound to be trouble, with a capital ‘T’ and that rhymes with ‘C’ and that stands for Clipboard. How can we be more aware of and manage our data on our clipboards, especially on mobile devices, to be more private and secure?
Hack the Hash: Unveiling Password Cracking Strategies
Evan Hosinski
This presentation will explore the complexities of password cracking, starting with an overview of fundamental cracking techniques and the principles behind them. We will discuss the concept of megahashes per second (MH/s) and how different GPUs significantly speed up the password cracking process. We will focus on the release of the NVIDIA GeForce RTX 4090, demonstrating how this powerful GPU has halved the time required to crack numerous types of passwords, revolutionizing the field.
Next, we will talk about the importance of password complexity and length in preventing cracking attempts. We will introduce a detailed methodology for handling passwords of varying lengths, emphasizing the recursive process necessary for passwords, especially those exceeding eight characters. This method involves a cycle of finding, cracking, rerunning, and generating custom masks to match the patterns of successfully cracked passwords.
A key highlight will be the efficiency of mask attacks in reducing the time needed to crack passwords, especially when the target length is known. By tailoring mask attacks based on the characteristics of previously cracked passwords, we can significantly enhance the effectiveness of our cracking efforts.
Join us to gain a comprehensive understanding of modern password cracking tactics, the impact of advanced GPUs, and strategic approaches to tackling complex password challenges. This presentation is essential for cybersecurity professionals looking to stay ahead in the ever-evolving landscape of password security.
Ransomware as a Business
Ken Westin
We know a lot about the technical aspects of ransomware; however, what is less understood is how ransomware groups operate as a business. Many of the ransomware groups offer affiliate programs and run software development lifecycles that rival many tech companies, and many even offer a high level of support for both their affiliates and targets. In order to better understand the threat of ransomware, it is important to understand the business drivers of these groups’ operations. In this session Ken Westin will highlight specific ransomware groups and provide an overview of not just their technical implementations, but how the operation runs as a business and how it drives continuous improvement and efficiencies in ransomware operations.
OSINT CTF Winner’s Panel
CG Consulting
On Friday, bright-eyed contestants will be vying for the crown in the OSINT CTF (Open Source Intelligence Capture the Flag). Only the most creative, persistent recon artists will collect enough flags to rise to the top of the leaderboard. You are invited to join a panel at 4pm in J Track where the winners of the OSINT CTF will spill their secrets, letting you in on the action behind the scenes of the CTF. Plus, take advantage of the opportunity to ask a question in the live Q&A!