
Presentations 2022


Thursday Morning Keynote – John ‘g33kspeed’ Stauffacher

[REDACTED]

[REDACTED]


Thursday Afternoon Keynote – Aamir Lakhani

How I accidentally became the Foreign Minister… and other simple hacks from the frontline


Friday Morning Keynote – Alyssa Miller

From IRC to the Boardroom, A lifetime of hacking

Here’s a story of how a bullied 12-year-old got a job, bought a computer, and hacked into one of the most prominent online communities of the time, and now, three decades later, stands at the pinnacle of her career in cyber security as the CISO of a global organization. Forged in the IRC chatrooms of 90s hacker culture, she stumbled through a series of serendipitous twists and turns to build a successful career.
In her keynote Alyssa Miller shares not only her journey but the many lessons she learned along the way. She will describe how she’s used her own origin story to hack the minds of directors in some of the toughest boardrooms on Wall Street. Alyssa will discuss where these lessons can be applied to ensure new generations are able to successfully enter our community and impact the digital world with all the vigor of a 12-year-old hacker.


Friday Wrap Up Keynote – Arron Finnon

How I accidentally became the Foreign Minister… and other simple hacks from the frontline

So yeah, this talk isn’t a talk, rather a collection of weird and wonderful coincidences that left me with the ability to pretend to be the foreign minister of a rather large EU member state… Which is crazy worrying in the current geopolitical nightmare we find ourselves in: that ClappyMonkey’s mate can tell the KGB’s most famous brother to go and do one on behalf of one of the bigger players in Europe.
Not so long ago we actively defended a female politician’s website during an election; it was crazy how much hostile action one little website could see in any one day. However, when we assessed the overall landscape of the other players in the election, far bigger and more worrying signs revealed how easy it could be to ruin people and destroy their chances whilst undermining the trust of the electorate. Dunning-Kruger, confirmation bias, and straight-up eejits all have cameo roles in this tale of lulz…
While I can only promise the smallest crumbs of educational walk-aways, I can assure you a feast of WTF moments with a healthy dollop of lulwuts…
After my 10th talk for GrrCON I guess my bio is… I’m finux, and you know I know how to rant…


Alissa

Hey Ma’ where does malware come from?

This talk discusses malware writing, sharing, and malware-as-a-service. Who writes malware, how does it find its targets, and is there a customer service line if your malware doesn’t work? These answers and more as Alissa explains the lifecycle of malware and how to get some malware yourself! Woo! Now that you know where the malware came from, what can you do about it to improve your defenses? Come see. Oh and the password is infected.


Kevin Johnson

WTF?!?!: Why do we keep doing this stuff and how do we get better

As a security consultant, Kevin Johnson of Secure Ideas is often asked “why” he does what he does. In response, Kevin likes to quote Simon Sinek’s book “Start With Why”: “People don’t buy what you do, they buy why you do it.” While it doesn’t sound like the correct answer to the question, it is.
In this presentation, Kevin will discuss the why AND the how of running a consulting business. He will explore how Secure Ideas is focused on its “why” in everything they do. This focus on purpose drives the entire organization and affects the work they do every day. By being clear on your “why,” your organization will be able to serve its clients better and create lasting value. This talk will explore how security organizations, internal and external, can better focus, moving us from the “paranoids” to functioning and recognizably helpful parts of our organizations and companies.


David Kennedy

Adversaries Rising: Looking Ahead in Security

We continually see adversaries, from ransomware crews to nation states, change their tactics, techniques, and procedures to go after larger and larger companies. Our defenses largely rely on crowdsourced data, but those are largely useful only to more mature companies that have the capability to understand them and build them into their defenses. Defense is still complex and attacks continue to get more complex. How do we fix a situation where lower-risk security breaches are only granted to the small percentage of companies with large security teams? This talk will dive into some previously known data breaches, current methods that attackers are using, and look into the future of how we need to tackle security.


Jayson Street

Perceptions: From a Blue Pill to a Blue & Black Dress

Some of the best lessons in life are the ones that we learn from direct experience. Not taught in a class or seen on a screen, but those we are actively engaged with. This talk will consist of how Jayson E. Street works to be that bad experience in an employee’s and company’s day (without causing the damage that a real criminal/attacker would). Instead of a breach of private information, theft of trade secrets, destruction of one’s property through undiscovered vulnerabilities, or massive theft of company/private equipment and money, Jayson provides lessons and works with potential victims so they will be ready when a real criminal or attacker tries to attack them. He will walk you through how an attack can easily happen to you if you’re not prepared. We will see some of the tools and personas Jayson creates to infiltrate a company and exploit the company’s own employees, turning them from dedicated workers into insider threats in less than a minute, all without them knowing that what they have done was against themselves.

The most important and vital part of this talk occurs at the end. Now that Jayson has your attention, he’ll show you ways that you can defend yourself from these very real active criminals and help to turn your employees from potential targets to the vital members of your Information Security team like they should have been all along. The audience should walk away from this not just with better insight on the simplicity with which these attacks can occur but also with things they can do immediately with very little effort or cost put in place that will help better secure their environment and detect possible attacks in their network.


Peter Luo

Automating security operations with Node-RED platform

Node-RED is a very popular automation platform. In this talk, we would like to share how we use Node-RED to automate many security operation scenarios, opening up doors to unlimited possibilities.


Dr. Phil

Bashing into File Carving

In this presentation we will investigate the use of the bash shell for doing a few forensics tasks such as file carving (finding files without having to understand the filesystem used to store them). We will learn a couple of bash tricks along the way and also make a comparison to doing similar things with Python and other tools. Only basic Linux knowledge is needed to get something from this presentation.
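As an added example (not the speaker’s material), here is the header/footer carving the talk describes, written in Python for the bash-versus-Python comparison it mentions. The “disk image” is constructed inside the code, and the JPEG and PNG blobs are shaped like real files (genuine magic bytes) but are not real images:

```python
import os

# Header/footer magic for a few common types: the real JPEG SOI/EOI markers and
# the real PNG signature and IEND chunk. Only a subset; a production carver
# (scalpel, foremost, photorec) knows many more.
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
}


def carve(image: bytes, max_size: int = 10 * 1024 * 1024):
    """Scan raw bytes for header/footer pairs; return (type, offset, data) tuples.

    The file system is never consulted, so deleted files whose blocks are still
    on disk are found exactly like live ones. Like the bash approach (grep for
    the header offset, dd out a range), this is naive about footer byte
    sequences that occur inside file data; max_size bounds the damage.
    """
    found = []
    for kind, (header, footer) in SIGNATURES.items():
        pos = image.find(header)
        while pos != -1:
            end = image.find(footer, pos + len(header))
            if end != -1:  # header with no footer is truncated or overwritten
                end += len(footer)
                if end - pos <= max_size:
                    found.append((kind, pos, image[pos:end]))
            pos = image.find(header, pos + 1)
    found.sort(key=lambda t: t[1])
    return found


def write_carved(found, outdir: str):
    """Write every carved object as <offset>.<type>; return the paths written."""
    os.makedirs(outdir, exist_ok=True)
    paths = []
    for kind, offset, data in found:
        path = os.path.join(outdir, f"{offset}.{kind}")
        with open(path, "wb") as fh:
            fh.write(data)
        paths.append(path)
    return paths


def build_sample_image() -> bytes:
    """Constructed image: zero filler, a JPEG-shaped blob, more filler and some
    slack bytes, then a PNG-shaped blob. Offsets: JPEG at 64, PNG at 179."""
    jpeg = b"\xff\xd8\xff\xe0" + b"JFIF-body" * 3 + b"\xff\xd9"
    png = b"\x89PNG\r\n\x1a\n" + b"IHDR-data" + b"IEND\xaeB`\x82"
    filler = b"\x00" * 64
    return filler + jpeg + filler + b"deleted-file-slack" + png + filler


if __name__ == "__main__":
    for kind, offset, data in carve(build_sample_image()):
        print(f"{kind} at offset {offset}, {len(data)} bytes")
```

The bash counterpart is `grep -obUaP` for the header bytes (byte offsets of each match) followed by `dd` with `skip=` and `count=` to cut the range out. Both share the same caveat: a footer sequence can legitimately appear inside file data, so cap the size and sanity-check what you carved (`file`, or simply open it) before trusting it.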


Ben Opel

Ransomware is our Institutional Narcotic. Stop. Get Some Help.

A hospital can’t provide critical care for X days. A historic college has to shut its doors. Power goes out in large swathes of country Z. Clearly, the information security community should be losing its collective mind over the complex moral reasoning and shrewd avarice behind this, yes? What? You mean we should worry about how they keep doing it? Get out. Baddies do what they do for a variety of reasons and we have to account for that, but at the end of the day, the “how” is what matters. Our competence in the fundamentals is the problem, and that’s largely agnostic of the intent behind an attack. The term “ransomware” is a marketing canard; this talk is here to lay that fact bare, make wild-but-generally-justified assertions, and hopefully engage in some mutual changing of minds.


Jason Bevis

Unnecessary Anxiety – Miners, NFTs, and Web3

Anyone engaged in network monitoring will attest to the increase in crypto mining activity and its creative usage in the attack space. This led me down a rabbit hole of learning more about the crypto space, specifically around the new hype of NFTs and Web3. What I wasn’t prepared for was the huge gap in security that these new technologies are exposing, but also, somewhat surprisingly to me, the lessons we could gain from this industry to improve security operations.


Tim Helming

Under Construction

TBA


Pablo Armas

Growing into Cloud Detection and Response

Attackers that have cloud credentials typically need to discover what is in the environment and escalate their privileges before they can achieve their goal, whether stealing data, installing coin mining software, or deploying ransomware.
CDR capabilities analyze cloud logs looking for this activity and alert cloud security teams to attacks in progress. When a threat actor steals credentials to your cloud environment, time is of the essence to detect their activity before they achieve their goal.
In this talk, we’ll examine different scenarios in which a threat actor can take advantage of stolen or granted credentials, and we’ll cover how CDR detections need to correlate discrete events so that alerts are only fired when there is high confidence of malicious behavior, preventing the noise caused by false positives.
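As an added example (not the speaker’s detection logic), the correlation the abstract calls for, in Python over constructed CloudTrail-shaped events: a discovery burst followed by a privilege-escalation call from the same principal fires, while either phase alone stays silent. The event names are real AWS API actions; the discovery/escalation grouping, the 30-minute window, the threshold and the sample events are assumptions of this example:

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Real AWS API action names; the grouping into phases is this example's, not a vendor's.
DISCOVERY = {"GetCallerIdentity", "ListBuckets", "ListUsers", "ListRoles",
             "ListAccessKeys", "DescribeInstances", "GetAccountAuthorizationDetails"}
ESCALATION = {"AttachUserPolicy", "PutUserPolicy", "CreateAccessKey",
              "CreateLoginProfile", "AddUserToGroup", "UpdateAssumeRolePolicy"}


def _t(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def correlate(events, window=timedelta(minutes=30), min_discovery=3):
    """Alert on an escalation call preceded, within `window` and by the same
    principal, by at least `min_discovery` distinct discovery calls.

    An admin attaching a policy, or an inventory job that only lists, is
    normal traffic and produces nothing; the sequence is the signal."""
    by_principal = defaultdict(list)
    for e in sorted(events, key=lambda e: e["eventTime"]):
        by_principal[e["userIdentity"]["arn"]].append(e)

    alerts = []
    for arn, evs in by_principal.items():
        for i, e in enumerate(evs):
            if e["eventName"] not in ESCALATION:
                continue
            t = _t(e["eventTime"])
            recon = {p["eventName"] for p in evs[:i]
                     if p["eventName"] in DISCOVERY
                     and t - _t(p["eventTime"]) <= window}
            if len(recon) >= min_discovery:
                alerts.append({"principal": arn, "escalation": e["eventName"],
                               "time": e["eventTime"], "sourceIP": e["sourceIPAddress"],
                               "discovery": sorted(recon)})
    return alerts


def _ev(time, arn, name, ip):
    return {"eventTime": time, "userIdentity": {"arn": arn},
            "eventName": name, "sourceIPAddress": ip}


STOLEN = "arn:aws:iam::111122223333:user/ci-deploy"
ADMIN = "arn:aws:iam::111122223333:user/alice"
SCANNER = "arn:aws:sts::111122223333:assumed-role/inventory-scanner/i-0abc"

# Constructed events, trimmed to the CloudTrail fields the logic needs.
SAMPLE_EVENTS = [
    # stolen key: recon from an unfamiliar IP, then escalation eight minutes later
    _ev("2022-09-28T14:01:10Z", STOLEN, "GetCallerIdentity", "203.0.113.9"),
    _ev("2022-09-28T14:01:25Z", STOLEN, "ListBuckets", "203.0.113.9"),
    _ev("2022-09-28T14:02:02Z", STOLEN, "ListUsers", "203.0.113.9"),
    _ev("2022-09-28T14:02:40Z", STOLEN, "ListAccessKeys", "203.0.113.9"),
    _ev("2022-09-28T14:09:51Z", STOLEN, "AttachUserPolicy", "203.0.113.9"),
    # admin doing routine work: escalation-class call, no recon, no alert
    _ev("2022-09-28T14:05:00Z", ADMIN, "AttachUserPolicy", "198.51.100.4"),
    # inventory job: recon only, never escalates, no alert
    _ev("2022-09-28T13:00:00Z", SCANNER, "ListBuckets", "10.0.3.15"),
    _ev("2022-09-28T13:00:01Z", SCANNER, "ListUsers", "10.0.3.15"),
    _ev("2022-09-28T13:00:02Z", SCANNER, "ListRoles", "10.0.3.15"),
]

if __name__ == "__main__":
    for a in correlate(SAMPLE_EVENTS):
        print(a)
```

Shrinking the window to five minutes suppresses the alert above, which is the tuning knob that trades recall for noise; a real detection would also weight an unfamiliar source IP or user agent rather than treating every principal alike.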


Justin Moss

Cover Your SaaS: How to Overcome Security Challenges and Risks

SaaS adoption at organizations usually starts slow. Applications are managed by a few team members that may be responsible for spinning up your Salesforce, Slack, and a few other productivity-boosting applications. Since SaaS applications offer so many benefits, it’s become almost a necessity to onboard providers as fast as possible. While the growth of SaaS offers many positives, it also drives an exponential increase in IT, security, and business complexity. Shadow users, data sprawl, misconfigurations, and excessive spending are just a few examples of the challenges SaaS applications pose. In this session, we’ll cover the relationship between SaaS apps and IT and security teams, along with the challenges at hand and several actionable solutions. By focusing on SaaS security posture management, your team can accomplish the following:
– Discover both known and unknown SaaS apps
– Uncover and mitigate various security risks that put sensitive customer and business data at risk, including identifying misconfigured SaaS settings and suspicious or malicious behavior
– Deliver the insights on user access and app utilization needed for better IT management and cost optimization across all SaaS apps.


J Wolfgang Goerlich

Street Cred: Fixing Auth From Passwords to Passwordless

Don’t say no one likes passwords. It isn’t true. Criminals love them. Passwords are easy to steal, copy, and re-use. Who wouldn’t like that? Well, I mean, other than victims and those in charge of protecting systems. Between user complaints about complex password policies and admin complaints about help desk calls and password resets, perhaps it is time for a change. After all, for as long as people have been securing IT, the credentials have been the first and last line of defense.
This talk provides a walking tour of the authentication landscape. Red versus blue style, we’ll compare attacks and defenses and walk along the evolution of strong authentication. To the left, we’ll see multi-factor with SMS, soft tokens, push authentication, and biometrics. To the right, we’ll see single sign-on with SAML and OIDC. Look straight ahead for passwordless methods such as Windows Hello and FIDO2. This session will conclude with the latest practices for protecting authentication and give a glimpse of the changes to come. Attendees will be able to provide authentication that even a criminal could love.


Avi Avivi, CISO

Continuous Breach Attack Simulation: A pragmatic approach to your security portfolio

Avi Avivi, SafeBreach Chief Information Security Officer, looks at some guiding principles that make a case for using continuous breach attack simulation as one of the best ways to test and exercise your security posture. He examines the notion of abiding by the spirit of the compliance framework vs. the letter of that framework.


Chris Pittman

Seeing is Believing Knowing: Why Visibility Must Evolve to Awareness in CyberSecurity

Geo-political tensions, integration of supply-chains, disparate legal statutes, and cybersecurity insurance mandates are driving new levels of complexity into the already overwhelming challenge of Sec-Ops. Meanwhile, Federal and Industry Cybersecurity standards continue to mature, placing visibility at the center of every security framework. But the successful CISO must shift from a baseline of visibility to operational awareness in order to protect their infrastructure. CISA’s Continuous Diagnostics and Mitigation (CDM) Program provides a sound philosophy for conquering the chaos with the mandate of visibility at the core. This talk suggests practical approaches for effective security operations based on battlefield disciplines of situational awareness.


Justin Buchanan

Ransomware and the Future of Cyberwarfare

Ransomware as a class of malware has exploded in use in recent years, causing millions in damages to organizations across the world. This damage isn’t slowing. On the contrary, ransomware as a tool is being adopted by a wide array of perpetrators, including nation-states, both for cash and to use the demand for cash to obfuscate activities like espionage and sabotage. Ransomware’s unique power as a tool of asset seizure and extortion, along with the wider ability of malware to allow individuals and small organizations to punch above their weight class, has led to its use by criminals, activists, and even sanctioned governments for multiple purposes up to and including use as a weapon of war. The use of ransomware and its close cousin, wiperware, is only accelerating. In this talk, we will examine how the proliferation of ransomware brought us to this point, what it means for current global conflicts, and for the future of cyberwarfare.


KJ Gambhir

Optimizing the Workforce for Cyber Crisis Resilience — An Interactive Simulation

As we continue to evolve our corporate defenses, even the best crisis response plans struggle to account for the human element. The performance of your technology might be a known quantity, but what about your human capabilities? This interactive session will test organization wide decision-making skills using a realistic cyber crisis.

Join me for this interactive session to:
– Understand the business impact of technical choices, stakeholder management actions and more
– See real time data on the effects of decisions on crisis management and response
– Strengthen your organization on both sides for greater resilience


Sebastian Castro

Suborner: A Windows Bribery for Invisible Persistence

Whenever an attacker is trying to persist access on a compromised machine, the first offensive approach usually involves the creation of a new identity. Nevertheless, this may not work easily in hardened environments with diverse detection mechanisms against common attack vectors.
What if we “suborn” Windows to create our own hidden account that will grant us total access to a victim, while stealthily impersonating any account we want?
Now it is possible with the Suborner Attack.
This technique will dynamically create an invisible machine account with custom credentials and custom properties without calling any user management Win32 APIs (e.g. netapi32.dll::NetUserAdd) and therefore evading detection mechanisms (e.g. Event IDs 4720, 4721). By “suborning” Windows, we can also impersonate any desired account to keep our stealthiness even after a successful authentication/authorization.
To show its effectiveness, the attack is going to be demonstrated against the latest Windows version available.


Rafal Los

The 5 P’s of Preparedness – Hope is Not a Strategy

Hope is not a strategy. Unfortunately, few organizations are truly prepared for when things … “go sideways”. This talk is a collaboration of a body of work from cybersecurity leadership and breach attorneys. The talk walks through, using my brand of humor and sarcasm to keep it from being boring, the five parts of a truly prepared organization – from cyber, to legal, PR, and everyone in between.


TC & KG

Techies & Lawyers? Interdisciplinary Teams Can Improve Cybersecurity

What do you mean I could be charged with a felony if I pay the ransom? NO WAY!!!! You can’t be serious! Oh, we are, and it’s totally a possibility! Laws and their impact on cyber can seem as clear as mud sometimes, but there are some important things to consider before, during, and after a cyber incident. This session will cover topics ranging from the legality of paying a ransom to the importance of having policies in place so your booty can be covered if an incident occurs. Info for the session is based on our real-life experiences trying to help fix things after they have broken. One of us is a lawyer and the other is in IT. You can choose which one of us is the cooler kid of the group! Either way, we make a massively nerdy force who hopes to help you not make the mistakes we have seen others make.


Soya Aoyama

The Ransomware Protection Full Of Holes

In the fall of 2017, in response to the WannaCry outbreak, Microsoft implemented Ransomware Protection in Windows 10 as a countermeasure. The basis of Ransomware Protection of Windows is Controlled Folder Access, but this feature is full of holes and many researchers have pointed out various flaws. However, Microsoft says that it is a Defense-in-depth security feature and is not subject to bug bounties.
In 2021, Forbes published an article titled “Windows 10’s Ransomware Protection Is Effective for Protection” (although the title seems to have already changed). To show that the article was wrong, I decided to recheck on Windows 11 my past research that injects a malicious DLL into File Explorer and encrypts files. It then seemed that Microsoft had secretly fixed this issue, and files could not be encrypted with my method. I was very frustrated, so I started looking for other holes in the Ransomware Protection and found a new ridiculous bypass method.
In this talk, I will show the previous bypass method, a new ridiculous bypass method, as well as remote attacks using other vulnerabilities, with demonstration videos. It is so simple that anyone can easily imitate it, but please never create ransomware using this method.


Matt Muir

Overcoming Anti-Forensics and Foiling Botnets in the Cloud

With a sustained migration to the cloud and the widening attack surface that this brings, organisations are more susceptible than ever to attacks that are increasing in both severity and sophistication. Despite this, defenders haven’t adapted at the same pace. Recent cloud-focused malware campaigns targeting East-Asian Cloud Service Providers (CSPs) have shown adversary groups possess an increased awareness of incident response techniques and cloud security mechanisms, which are being leveraged across attacks.
In this session, Matt will provide an overview of two distinct malware campaigns where the threat actors’ knowledge of these mechanisms becomes evident in the TTPs employed. Matt will guide the audience through notable examples of anti-forensics and system-weakening techniques, many of which have never been discussed before, used in real-world attacks on cloud infrastructure. Matt will also highlight specific methods used by attackers to evade detection and foil attribution, and how these can be identified by defenders.


Ryan Kelso

Securing Secrets to a Billion Dollars

In this talk, we’ll be presenting the problem of securing secrets used in infrastructure-as-code, how to approach this problem, and the nuances of addressing the risk of secrets management. We’ll provide concrete examples, leveraging cloud technologies and Infrastructure-As-Code tooling, as well as various CI/CD processes and technologies. The scenario we’ll be presenting will be securing secrets for use within the cryptoexchange industry and the threats and risks of exposing those secrets even internal to the organization.
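As an added example (not code from the talk), a minimal scanner for the most basic failure in this space, a literal secret committed in a Terraform file, run over a constructed HCL sample that shows the bad pattern next to the secret-manager reference that replaces it. The attribute-name list, the comment handling and the sample are this example’s assumptions; the access key and secret key in the sample are AWS’s own documented placeholder values, not live credentials:

```python
import re

# Attribute names whose value must be a reference (variable, data source,
# generated value), never a quoted literal checked into the repository.
SECRET_NAME = re.compile(
    r"(password|passwd|secret|token|secret_key|access_key|api_key|private_key)$", re.I)
ASSIGNMENT = re.compile(r"^\s*(?P<name>[A-Za-z_]\w*)\s*=\s*(?P<value>.+?)\s*$")
TRAILING_COMMENT = re.compile(r"\s+(#|//).*$")
QUOTED_LITERAL = re.compile(r'^"(?!\$\{)[^"]*"$')  # "abc" but not "${var.x}"


def mask(secret: str) -> str:
    """Keep two characters so a finding can be matched to the file without
    copying the secret into yet another log."""
    return secret[:2] + "*" * (len(secret) - 2) if len(secret) > 4 else "****"


def find_inline_secrets(hcl_text: str, filename: str = "main.tf"):
    """One finding per secret-looking attribute that is assigned a string literal.
    References (var.*, data.*, jsondecode(...), random_password.*.result) pass."""
    findings = []
    for lineno, raw in enumerate(hcl_text.splitlines(), 1):
        line = TRAILING_COMMENT.sub("", raw)
        m = ASSIGNMENT.match(line)
        if not m or not SECRET_NAME.search(m.group("name")):
            continue
        value = m.group("value")
        if QUOTED_LITERAL.match(value):
            findings.append({"file": filename, "line": lineno,
                             "attribute": m.group("name"), "value": mask(value[1:-1])})
    return findings


# Constructed sample: the "before" blocks leak, the "after" blocks do not.
SAMPLE_TF = """\
# before: the credential is committed and lives in git history forever
resource "aws_db_instance" "app" {
  engine   = "postgres"
  username = "app"
  password = "Summer2022!"
}

provider "aws" {
  region     = "us-east-1"
  access_key = "AKIAIOSFODNN7EXAMPLE"
  secret_key = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
}

# after: fetched from the secret store at plan/apply time, never in the repo
data "aws_secretsmanager_secret_version" "db" {
  secret_id = "prod/app/db"
}

resource "aws_db_instance" "app_fixed" {
  engine   = "postgres"
  username = "app"
  password = jsondecode(data.aws_secretsmanager_secret_version.db.secret_string)["password"]
}

variable "api_token" {
  type      = string
  sensitive = true
}
"""

if __name__ == "__main__":
    for f in find_inline_secrets(SAMPLE_TF):
        print(f"{f['file']}:{f['line']} {f['attribute']} = {f['value']}")
```

Two caveats a practitioner will recognise: moving the literal into `var.db_password` only relocates the problem if the value then lands in a committed `.tfvars` file (the scanner flags that too), and the secret still ends up in plaintext in the Terraform state, which is why state storage needs the same access control as the secret store itself.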


Gabe Schuyler

“Shifting right” with Policy as Code

So you’ve “shifted left,” adding security to the software development lifecycle. Developers are checking for vulnerabilities in their work as they create, merge, test, and deploy. But you’re missing half the equation if you’re not “shifting right,” to leverage developers’ knowledge and methods as well.
“Policy as code” lets developers codify the expected inputs, outputs, and behavior of applications. And once codified, defenses can be kept always up-to-date, without slowing you down.
In this talk, you’ll learn the basics of policy as code, see some real-world examples, and learn how to get started applying the technology and techniques to your own environment.


James Niven and Lindsay Kaye

Crossing the Event Horizon: Intergalactic Travels of a Ransomware Crew

Ransomware, and malware as a whole, does not exist in a vacuum; it is often developed to accomplish a goal, whether to further an espionage campaign or for monetary gain. Ransomware, in particular, is a fast-moving landscape driven by an intricate web of operators, tools and mystery. BlackMatter ransomware emerged in July 2021 as the successor to DarkSide ransomware, only to be shut down a few short months later…or was it? Besides amassing a large portfolio of victims, the BlackMatter operators released several versions of the ransomware. Recorded Future was the first to openly publish technical details on BlackMatter, as well as interview the ransomware operators themselves. We will take you through our discovery of the BlackMatter ransomware group, provide a technical deep dive on the ransomware itself and talk about how the group evolved into ALPHV ransomware. We will also address how this evolution trend shows up in the larger ransomware operator landscape, especially among sophisticated actors.


Kris Wall

Digital Forensics: Reconstructing an Attack in Modern Web Apps

With modern application development moving at a fever pitch, application security is struggling to catch up. Attacks against applications continue to grow in the wild west of new and untested development ideas. Web3? DevOps? Pipeline? Supply chain? With so many buzzwords and an untold number of zero-days yet to find, where does digital forensics fit? Where does your incident response team even start after an incident?
Join us as we discuss the wild and wacky world of digital forensics in the modern era of application development and develop strategies to prepare your application security team for a breach.


Mike Kunz

Recreating the source by hiring reverse engineers overseas

The tool fpipe was a simple 13 kB Windows console application written by Robin Keir that could redirect network traffic from one port on one computer to another. You can find its usage in many early hacker books. As a hacker, I find fpipe’s beauty is truly in its simplicity: with fpipe you don’t have to download a 5 MB golang binary, you don’t have to bring along a Cygwin library for socat, you don’t have to rely upon programming languages being on the host, there’s no configuration, you just download this very small executable and run it from a command line. The fpipe program has been around since the early 2000s and its source code never saw the light of day. Thanks to modern decompilers like Ghidra, the task of reverse engineering how it works has become more manageable. With pseudocode in hand I hired a team of developers around the world to rebuild what was lost. In this talk you will learn about cost, detailed interactions, and lessons learned. You will leave the talk with a better understanding of the freelance developer community and perhaps even the source code to fpipe.


Mr. B3an

Defeating Professional Consumer Security System with $110 of equipment

Our homes provide a place to store our personal belongings and secure them against theft. That’s one of the reasons why we have locks and security devices. Since these are protecting our belongings and our families, they should be secure against most people being able to break in and act in a criminal manner. Many professional security systems are exceptionally vulnerable to very simple attacks. The presentation will show how to render these professional security systems moot using four different sample systems and $110 of equipment easily purchased online. The procedure is so easy, even a caveman can do it. Also, we re-tested an updated system from one manufacturer, which was still a failure. The manufacturers have been contacted several times as part of the responsible disclosure protocol.


Andy Winiarski

Identity Security Blindspots – Closing the Gaps in Your IAM Perimeter

Identity has become the frontline in the battle with cyber adversaries, but it is NOT a traditional perimeter at all – certainly not in today’s distributed, dynamic landscape. Each IAM platform has hidden capabilities and shortcomings that need to be examined to get a full picture of identity risk. Join me for a fast-paced, case study based discussion of identity loopholes and IOCs, and approaches to close them with methods you may not know existed.


Yonatan Khananshvili

Chasing the GOLD: Cross Data Source Detection of Golden SAML

The Golden SAML attack takes place through a complex set of steps and allows an actor to abuse the trust between on-premises and cloud components. We will deep-dive into the internals of ADFS and the unique properties associated with the attack, while sharing how to efficiently detect it today through cross-correlation of different data sources over enterprise, SaaS and cloud surfaces, in addition to raising research questions about the difficulty traditional single-surface solutions have in detecting it.
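As an added example (not the speaker’s detection content), the simplest form of the cross-source correlation the abstract describes, in Python: federated sign-ins recorded on the cloud side are matched against the AD FS token-issuance audit events (Event ID 1200) on the enterprise side, and a sign-in that AD FS never issued a token for is flagged. Event ID 1200 and the `tokenIssuerType` property of the Microsoft Graph signIn resource are real; the records, the five-minute tolerance and the other field names are constructed for this example:

```python
from collections import defaultdict
from datetime import datetime, timedelta

# AD FS Security-log audit event written for every token the farm actually issues.
ADFS_TOKEN_ISSUED = 1200


def _t(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def unmatched_federated_signins(adfs_events, cloud_signins, tolerance=timedelta(minutes=5)):
    """Cloud sign-ins that the identity provider says it never performed.

    A forged assertion is signed offline with the stolen token-signing
    certificate and presented straight to the cloud, so AD FS writes no 1200
    event for it. Federated sign-ins with no issuance event for the same user
    within `tolerance` are returned. Cloud-managed (non-federated) sign-ins
    are skipped: AD FS is not expected to see those at all."""
    issued = defaultdict(list)
    for e in adfs_events:
        if e["EventID"] == ADFS_TOKEN_ISSUED:
            issued[e["UserId"].lower()].append(_t(e["TimeCreated"]))

    suspicious = []
    for s in cloud_signins:
        if s["tokenIssuerType"] != "ADFederationServices":
            continue
        user = s["userPrincipalName"].lower()
        t = _t(s["createdDateTime"])
        if not any(abs(t - issued_at) <= tolerance for issued_at in issued[user]):
            suspicious.append({"user": user, "time": s["createdDateTime"],
                               "ip": s["ipAddress"], "app": s["appDisplayName"]})
    return suspicious


# Constructed AD FS events, trimmed to the fields used (1202 = credential validated).
SAMPLE_ADFS = [
    {"EventID": 1202, "TimeCreated": "2022-09-28T09:00:11Z", "UserId": "alice@corp.example"},
    {"EventID": 1200, "TimeCreated": "2022-09-28T09:00:12Z", "UserId": "alice@corp.example"},
    {"EventID": 1200, "TimeCreated": "2022-09-28T11:30:00Z", "UserId": "dave@corp.example"},
]

# Constructed Azure AD sign-in records using Microsoft Graph signIn property names.
SAMPLE_SIGNINS = [
    {"createdDateTime": "2022-09-28T09:00:20Z", "userPrincipalName": "alice@corp.example",
     "tokenIssuerType": "ADFederationServices", "ipAddress": "198.51.100.4",
     "appDisplayName": "Office 365 Exchange Online"},
    # bob: federated token accepted by the cloud, nothing on the AD FS side
    {"createdDateTime": "2022-09-28T09:14:03Z", "userPrincipalName": "bob@corp.example",
     "tokenIssuerType": "ADFederationServices", "ipAddress": "203.0.113.77",
     "appDisplayName": "Microsoft Graph"},
    {"createdDateTime": "2022-09-28T09:30:00Z", "userPrincipalName": "carol@cloudonly.example",
     "tokenIssuerType": "AzureAD", "ipAddress": "198.51.100.9",
     "appDisplayName": "Azure Portal"},
    {"createdDateTime": "2022-09-28T11:30:40Z", "userPrincipalName": "dave@corp.example",
     "tokenIssuerType": "ADFederationServices", "ipAddress": "198.51.100.4",
     "appDisplayName": "SharePoint Online"},
]

if __name__ == "__main__":
    for hit in unmatched_federated_signins(SAMPLE_ADFS, SAMPLE_SIGNINS):
        print(hit)
```

Two operational preconditions decide whether this works at all: AD FS security auditing has to be enabled and collected from every node in the farm (otherwise every federated sign-in looks unmatched), and the clocks of the farm and the collector have to agree to well within the tolerance.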


Nick Ascoli

The Richest Phisherman in Colombia

Adversaries have increasingly been leveraging completely legitimate third-party web hosting products to circumvent traditional domain reputation analysis engines and successfully get their phishing pages in front of their victims. Using these third-party services also offers them a great opportunity to limit the exposure of their own infrastructure, offering a great OPSEC advantage. However, in one investigation, a few breadcrumbs left in the adversary’s code led us down a rabbit hole to slowly uncovering the person behind what is perhaps the largest Facebook credential harvesting campaign ever investigated, as reported by cybersecurity blogs and news media worldwide in mid-June 2022.
In this talk, we will follow the breadcrumb trail left by a threat actor, demonstrating how we pieced together the shocking scale of their credential harvesting and malvertising operation. From comments in their code, to their various online identities, to accessing their infrastructure, we will walk through our investigation into a wanted Colombian cyber criminal.


Paul Jaramillo

Leveling Up With Structured Threat Hunting

One of the current challenges with internal threat hunting today is that the majority of it is done ad hoc and in a reactive fashion. While this is still useful, in order to take your hunt operations to the next level of maturity they need to be both proactive and provide business-relevant outcomes.
To achieve this, you need to design into your program several critical components including
– automated retrohunts
– security architecture feedback loop
– backlog and queue management
– sourcing and analytical technique drivers
– strategic use of repeatable microhunts
– easy to consume value output reporting
Focusing on the above six areas will not only advance your program maturity much quicker, but provide decision makers with great metrics to make the case for a larger investment in threat hunt staff. During the session, I will take the audience through the steps I took to operationalize this approach and how it yielded great security outcomes.


Nick Schroeder & Cody Kretsinger

This Little Light of Mine, I’m Going to Get it Pwned

The dazzling special effects and light shows you see on prestigious buildings, bridges, theaters, and landmarks are controlled by a unique class of devices and communication protocols. But how do these systems turn complex lighting designs into reality? How easy is it to alter the carefully choreographed show into something more nefarious? What if you could manipulate it from thousands of miles away, watching carefully from the comfort of your couch?
Industrial Lighting Controllers are commonly installed in large-scale illumination projects for complex lighting effects; imagine historic bridges, national monuments, and massive award-winning convention centers. It turns out these devices, if not configured properly, lack the most basic security controls. It gets more fun when they are connected to the internet. And we have proof.
Nick Schroeder and Cody Kretsinger present their findings from their research into Industrial Lighting Controls and their weaknesses (CVE(s) pending). This talk guides you from Nick and Cody’s initial curiosity about these systems to uncovering vulnerabilities in internet-exposed industrial lighting controllers across the world. The discussion covers a few popular Industrial Lighting Control products, their design, locations they’ve been installed in, what they control, and ultimately: sensitive information disclosure.
So, gather ’round, crack open a cold one, and join us for 25 minutes of compromise, laughs, and visual effects.


Andrew Lemon

How to rob a bank.

We’ve all thought about it… every time you see a new toy you know you’ll never be able to afford, or when you know you aren’t going to make ends meet this month. How would you do it? I suggest avoiding the jail time and learning from someone who’s successfully (legally) done it 20 times last year alone, sometimes hitting multiple banks in the same day. Somewhere between a smash and grab and Ocean’s 11 is where we’ll land for this presentation. Everything from OSINT, pretexting, and social engineering to physically planting drop boxes to pivot through the network, exploiting cameras for shoulder-surfing passwords, and finally pivoting to monetizing all that hard work with a simple SWIFT transfer or a full-blown crypto vault heist.


Brandon DeVault

Tracing Transactions: Threat Hunting for Financially Motivated APTs

You’ve got a secure environment and alerting in-place, yet the adversaries are still able to bypass your defenses. How do you find and stop the adversary before they are able to compromise your environment?
In this talk I’ll walk through a real-world attack chain from FIN7 and showcase strategies on how to hunt for specific techniques. This talk focuses on network analysis and covers the following topics:
– SMTP Email Header Analysis
– Bidirectional C2 using legitimate cloud services
– Lateral Movement with RDP and SSH
I’ll be using open-source tools like Zeek and Elasticsearch so we can really focus on the methodology and hunting for the behaviors. And hopefully, you’ll leave this talk with some new skills for network threat hunting. I’ll also be releasing some threat hunting focused dashboards you can use in your own environment.
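As an added example (not the speaker’s dashboards or tooling), the third item above, lateral movement over RDP and SSH, hunted in a constructed Zeek `conn.log` excerpt with plain Python: one internal host fanning out to several internal hosts on 3389/22 inside an hour is flagged, while a jump host with one session, a scan that only got `REJ`, and an external source are left alone. The column names are Zeek’s; the traffic, the internal ranges and the threshold are assumptions of this example:

```python
import ipaddress
from collections import defaultdict

# Constructed conn.log excerpt (tab separated, columns trimmed). Not real traffic.
SAMPLE_CONN_LOG = "\n".join([
    "#separator \\x09",
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\tduration\tconn_state",
    "#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring\tinterval\tstring",
    "1664373600.10\tCa1\t10.0.5.23\t50123\t10.0.5.40\t3389\ttcp\tssl\t412.3\tSF",
    "1664373900.42\tCa2\t10.0.5.23\t50190\t10.0.5.41\t3389\ttcp\tssl\t88.1\tSF",
    "1664374100.07\tCa3\t10.0.5.23\t50221\t10.0.5.42\t22\ttcp\tssh\t640.9\tSF",
    "1664374300.55\tCa4\t10.0.5.23\t50260\t10.0.5.43\t3389\ttcp\tssl\t12.0\tSF",
    "1664374305.00\tCa5\t10.0.5.23\t50261\t10.0.5.44\t3389\ttcp\t-\t0.0\tREJ",
    "1664374310.00\tCa6\t10.0.5.23\t50300\t8.8.8.8\t53\tudp\tdns\t0.02\tSF",
    "1664373700.00\tCb1\t10.0.5.99\t41000\t10.0.5.40\t22\ttcp\tssh\t3000.0\tSF",
    "1664373800.00\tCc1\t203.0.113.7\t60000\t10.0.5.40\t3389\ttcp\tssl\t5.0\tSF",
])

# The equivalent of Zeek's Site::local_nets; RFC 1918 only. ipaddress.is_private
# would also count documentation ranges such as 203.0.113.0/24, so be explicit.
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ADMIN_PORTS = {"3389", "22"}
NO_RESPONSE = {"S0", "REJ", "RSTOS0"}  # nothing answered, so no login happened


def parse_zeek_log(text: str):
    """Parse Zeek's TSV format using its own #fields header; returns list of dicts."""
    fields, records = None, []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line.startswith("#") or not line.strip():
            continue
        else:
            records.append(dict(zip(fields, line.split("\t"))))
    return records


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL)


def hunt_lateral_movement(records, min_targets=3, window=3600.0):
    """Internal hosts that reached >= min_targets distinct internal hosts over
    RDP/SSH within `window` seconds. Returns one alert per source host."""
    touches = defaultdict(list)  # orig_h -> [(ts, resp_h)]
    for r in records:
        if r["id.resp_p"] not in ADMIN_PORTS or r["conn_state"] in NO_RESPONSE:
            continue
        if not (is_internal(r["id.orig_h"]) and is_internal(r["id.resp_h"])):
            continue
        touches[r["id.orig_h"]].append((float(r["ts"]), r["id.resp_h"]))

    alerts = []
    for src, hits in touches.items():
        hits.sort()
        for i in range(len(hits)):  # sliding window anchored at each hit
            seen = {h for t, h in hits[i:] if t - hits[i][0] <= window}
            if len(seen) >= min_targets:
                alerts.append({"source": src, "targets": sorted(seen), "first_ts": hits[i][0]})
                break
    return alerts


if __name__ == "__main__":
    for a in hunt_lateral_movement(parse_zeek_log(SAMPLE_CONN_LOG)):
        print(a)
```

In Elasticsearch the same question is a terms aggregation on `id.orig_h` with a cardinality sub-aggregation on `id.resp_h`, filtered to the admin ports and established states; the Python form is here so the logic can be read and tested on its own.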

Mike Behrmann

Tales from the [De]crypt Keeper: Lessons Learned from Ransomware Cases

The threat posed by ransomware, and, more importantly, essential protective measures continue to go unappreciated by countless American businesses, large and small. One reason may be that businesses do not fully appreciate how easily they can become a victim and how challenging it is to overcome a ransomware scenario. This presentation examines five ransomware attacks experienced by small-to-medium and mid-market businesses from across the nation by means of a simple and methodical qualitative evaluation. What follows are practical lessons learned that the business community, and particularly information security practitioners, should understand to effectively protect their own organizations.

Kevin Bong and Michael Vieau

Five Projects to Get Started in Digital Amateur Radio

Getting involved in traditional amateur radio can seem daunting, between licensing requirements, equipment costs, and learning protocols and norms. However, there are many ways to work with digital radio that do not have these barriers. This talk will go through the hardware and software needed for, and demonstrate, five inexpensive digital radio projects that are great for beginners and do not require a ham radio license. Examples of technologies and topics covered include software defined radio, smart meters, APRS, and LoRa.

Jared DeMott

Trends and Strategies in the Cloud Vulnerability Landscape

As you’d expect, Microsoft invests significant resources in internal security processes like SDL, threat intelligence, red and blue teams, etc., to protect products and customers. Another element is the large bug bounty program run by the Microsoft Security Response Center (MSRC). Previously MSRC has shared detailed data (BlueHat IL 2019 – Matt Miller – YouTube) on common bug patterns and mitigation strategies within Microsoft. That excellent talk focused more on lower-level memory protections. With the rise of cloud services, we’d like to illuminate security researchers and customers on the most common web and cloud vulnerabilities fixed by MSRC. We’ll also talk about some of the mitigation strategies we’re using in this space.

Micah K Brown

I Got 99 Problems but a WAF ain’t one

Deploying a WAF is the hardest IT Security project I have ever completed. It requires implicit trust and support between IT Security and App Dev. A WAF project demands networking, traditional IT architecture, cloud architecture, and app development skills. Join me as I discuss the challenges, the ‘shortcuts’, and the tips and tricks I learned as I deployed over 30 WAFs in under 3 months.

Terryn Valikodath

DFIR 102 – Investigation Methodology

I talk through the steps of an investigation from start to finish, giving a procedure for investigations from an analyst’s perspective instead of just “jumping in”. I walk through the background knowledge that will help with a forensic investigation.
– Forensic Investigation definition
– Investigator Mindset
– MITRE ATT&CK
– Incident Response Cycle
The second half discusses seven key steps to properly follow an investigation.
– Incident Scoping
– Evidence Collection
– Detection & Analysis
– Correlation
– Timeline Analysis
– Intelligence Correlation
– Reporting
I provide guidance based on my experience as a DFIR expert/consultant with Cisco Talos Incident Response. I take our usual steps but make sure they can apply to anyone performing an investigation, whether you are DFIR, SOC, sysadmin, etc. The majority of the steps are non-technical, but I make sure to touch on some technical tips so there is no confusion around what the analyst or leader should be looking for.

John Ventura

How The Sausage is REALLY Made: CloudOps for Red Teamers

If you are going to target other people’s network environments professionally (or for any reason), it really helps to know how they are built. Learning current CloudOps and/or DevOps methodologies and design patterns lets you get inside the heads of people who build these systems, find the common mistakes, and understand how to exploit them. This introductory talk will include discussions of real-world CloudOps tools and techniques that are commonly applied in industry, as well as the security implications brought about by widespread patterns of use and misuse. Attendees will get an introduction to generalized design patterns that they can use to target other people’s infrastructures or even build their own. This talk will focus on cloud-based infrastructure and how people in the real world build complicated systems that are not only resilient but scale to meet the needs of even the largest businesses. Members of red teams can not only use this insight to focus their attacks, they can also develop a better intuition for the common and very exploitable mistakes that developers make all the time. Professional red teams can also apply these practices to automate their own methodologies. In addition to exploitation, security professionals can learn to build portable and highly disposable environments to serve as the back-end for a phishing campaign, test out new attack techniques, and much more.

Vincent ‘v1nc3nt’ Matteo

I Know What You Did Last Summer…

In 2021, nearly 50% of all cyberattacks targeted businesses of 1000 employees or less. Why do attackers target small businesses? Because these organizations lack the resources and the security expertise – they are the proverbial low-hanging fruit.
In this talk, we’ll explore the steps an attacker might use to mask their identity and hide their tracks, and we’ll examine some real-world scenarios from over the past year where full compromise was accomplished through human error, seemingly harmless configurations, and vulnerable products. We’ll then explore avenues for engaging employees and management through gamification, and we’ll outline several cost-effective measures to create a more hardened environment.

Rachel Giacobozzi

Social Engineer Your Career


Mike ‘takko_the_boss’ Curnow

Cell Games – Averting Chaos of Mobile Communications in Critical Infrastructure

Our critical infrastructure and the cyberphysical systems which comprise it are becoming increasingly reliant on cellular network communications to facilitate near real-time applications. Deficiencies in the cellular Radio Access Network (RAN) empower bad actors to leverage technologies & techniques which circumvent the proper cell selection and registration procedures of User Equipment (UE) to a cell. This topic is typically addressed through a lens of “Privacy”; expanding the aperture to additionally account for cyberphysical incidents allows us to identify catastrophic implications in the real physical world, resulting in damage to property and ultimately loss of life.

This presentation seeks to inform participants of the critical infrastructure sectors which rely on cellular communications, the results of cellular-based attacks on those systems, and potential mitigation & prevention measures.

Erik Hunstad and Alberto Rodriguez

Stop writing malware! The Blue team did it for you

In the age of machine learning driven endpoint detection and response, advanced sandboxes, global threat intelligence, and highly trained threat hunt teams, why are attackers still writing malware, or worse, using popular commercial C2 frameworks? When actual adversaries are using adversary simulation tools, has the industry become a self-fulfilling prophecy? What if instead, your malware was developed and signed by a Senior Security Engineer at Meta, invisible to the user, had a 0/72 detection score on VirusTotal, was cross platform, free, and open source? That is the reality we will present in this talk – one where “remote monitoring and management,” and “endpoint detection and response,” are just marketing terms and shells are shells, no matter the logo on the web front-end or company name in the digital signature. Join us as we explore what is possible through the full attack chain when you stop writing malware, and instead use the blue team tools against their authors. We’ll also release a tool suite that includes an extension to a popular open source threat hunt tool and automation for a popular log aggregation tool that expands their capability into full remote access tools.

Tim K

What We Do in the Shadows: Going Dark Online

“You could sit at home, and do like absolutely nothing, and your name goes through like 17 computers a day. 1984? Yeah right, man. That’s a typo. Orwell is here now. He’s livin’ large.”

We are giving more of our personal information to big players in the data game every day, including Google, Meta, Apple, Amazon and others.

Increasingly, people must provide individual information to access, explore and purchase products and services. And as IoT devices equipped with microphones and cameras enter our homes, the transfer of this data is easier and more fluid than Orwell imagined. Even the guise of “parental controls” makes it easier for “spying” to occur.

Can we reclaim our privacy? Yes, but we’ll have to pull control back. Data is the coin of the modern world, and few who barter with it want to let it go. Using Tor, Signal, and other privacy-focused tools isn’t enough. You will leave this presentation with a better understanding of current data privacy challenges. You’ll receive actionable information to improve your personal data privacy NOW, which can be adapted to protect your organization’s employees and users from the same risks.

Elliott Hirzel

Privileged Access Management and You

An introductory presentation to the Privileged Access Management (PAM) landscape of today. This includes an overview of key players, concepts, goals, and more. This talk will communicate not only the importance of PAM, but how it can be blended with other solutions. This talk is meant to be an adventure in PAM and how success can be derived from its proper implementation, maintenance, and overall operations, using a goal-oriented lens.

Casey Bisson

Solving the other half of the code security problem

Most of us think of code security in terms of how the code behaves—runtime vulnerabilities like XSS and SQL injection—but as a category, those represent only about half the risk in our code.

The other half of the risk is the secrets in our code, the details of all the systems our code connects to, and the passwords and keys to get in.

Modern devops tools eliminate these risks with dynamic discovery and secure secret stores. And for many, this is an issue of code quality. But how do we measure that and make it actionable?

Join us to learn how developers are taking ownership of code quality, and the practical solutions engineering leaders are using to normalize secure code quality for their teams—and enable deeper conversations about secure design patterns along the way!

Key takeaways will include:
– Hear from experts how developers and security teams can focus on code security to mitigate risks early in the development cycle.
– Discover how, for the first time, consolidating internal code-related risks with external dependency risks can deliver a more complete risk posture.
– Learn about a new category of tools that foster collaboration between development teams and AppSec teams to respond to security issues without disrupting developer workflows.

Paul Jaramillo

Leveling Up With Structured Threat Hunting

One of the current challenges with internal threat hunting is that the majority of it is done ad hoc and in a reactive fashion. While this is still useful, in order to take your hunt operations to the next level of maturity they need to be both proactive and provide business-relevant outcomes.

To achieve this, you need to design several critical components into your program, including:
– automated retrohunts
– security architecture feedback loop
– backlog and queue management
– sourcing and analytical technique drivers
– strategic use of repeatable microhunts
– easy to consume value output reporting

Focusing on the above six areas will not only advance your program maturity much more quickly, but also provide decision-makers with great metrics to make the case for a larger investment in threat hunt staff. During the session, I will take the audience through the steps I took to operationalize this approach and how it yielded great security outcomes.

Tyler Fordham

Hacking the Air Force to help it move faster

Since the Air Force’s initial foray into agile development with Kessel Run in 2018, the authorization landscape across the services has changed rapidly. While traditional risk management framework processes are still in place, the advent of authorization frameworks like Fast Track and Continuous ATO have enabled software factories and more traditional organizations alike to get their capabilities delivered to the warfighter at a record pace.

Behind the scenes, one of the biggest factors in this evolution has been the application of penetration testing and red teaming as a consistent tool in the authorizing official’s repertoire for testing the functional, rather than theoretical, security of their networks, applications, and weapon systems. Dark Wolf Solutions has been conducting offensive security assessments against a wide range of Air Force organizations since the inception of Kessel Run, and its growing team of specialists has seen first-hand how bringing in hackers can help organizations find and fix vulnerabilities and weaknesses in their systems that traditional methods of assessment might miss.

In this presentation, Dark Wolf’s original Air Force penetration tester and current day lead of Dark Wolf’s offensive security efforts, Tyler Fordham, will cover war stories from Air Force penetration tests, share anecdotes of authorizations being expedited through offensive security, and ultimately demystify how this process ties into the security lifecycle.