Presentations

Thursday Keynote – Chris Roberts
[REDACTED]
[REDACTED]

Friday Keynote – Mark Kikta
Welcome to the Butter Zone: Turning the Hackers 3D interface into a reality
Minority Report, Hackers, Swordfish. What do these movies have in common other than being absolute shit? How about useless, garbage 3D interfaces. In this talk, we’ll explore how to create our own garbage 3D interfaces to operationalize and explore patterns in threat intelligence indicator lists.

Travis Goodspeed and EVM
Symgrate: A Symbol Recovery Service for ARM Firmware
ARM firmware is statically linked, with no import or export tables to clue a reverse engineer in to the meaning of a standard C function. C standard libraries are a pain for embedded reverse engineers for a number of reasons. Even when you can tell what compiler a target firmware was built with, there can be hundreds of versions of libraries from that compiler. We needed a super fast method for fingerprinting standard library functions. So we filled a SQL database with hundreds of thousands of function fingerprints from hundreds of embedded SDKs, and we exposed this database through a JSON API. You give our server the first eighteen bytes of a function, and it might give you back a pretty good guess at the name. The server is free to use, and there are client plugins for GHIDRA, Vivisect, IDA Pro, and Binary Ninja.
In this lecture, we’ll cover the internals of the service and teach you what can be built when modern web development tools are applied to firmware reverse engineering. We’ll also talk about what we learned about the ecosystem of ARM standard libraries, and how those lessons might apply to the rest of the embedded processor ecosystem.

Dave Kennedy
Building the Next Generation of Hackers
We always hear there is a skills shortage in security. This is true – there is a skill shortage in already established senior level positions in security. The gap between fresh out of college, high school, or minimal experience versus the in-between to senior is alarming. Companies and organizations are focusing their efforts on hiring individuals with years of already established experience causing a massive skills gap due to the inability to train up our next generation of hackers. This talk will dive into what we are doing to fix that, and how you can differentiate yourself to land a junior job at a number of different organizations. In addition, I’ll be discussing how we train junior level resources up and how our program has been successful in creating a diverse workforce that continues to try to chip away at the skills shortage. We have to train our next generation of hackers, and it starts with all of us.

Kevin Johnson
Exploding Whales: Actual Examples of engineers/developers not understanding results
In 1970, engineers blew up a whale. No, really, they did, and they thought it was the best idea to solve a rotting carcass problem. While this example doesn’t appear to be related to application security, we see this misunderstanding or disregard for results quite often as we test. In this presentation, Kevin Johnson of Secure Ideas will walk attendees through various tests from his career as an application penetration tester. These examples will include the problems Kevin and his team found and the techniques for finding the issues in your applications. After listening to the presentation, the audience will understand the flaws, how they are misunderstood, and how to look for them in their own software development practices.

Jayson Street
Ranty Time with Jayson or Old Man Shouts at Crowd!
Abstract is basically in the title! 🙂

Luke “Pyr0” McOmie
You’re Doing It Wrong!
Since 1994, I have broken into many of the largest companies, governments, and private businesses to help advise my clients on how they are doing it wrong. This speech will focus on what has worked (and failed) and why I think the entire security industry needs to step back and refocus on what’s important.
This quick-paced, humorous, factual discussion will address many of the challenges and missteps that have led us to the corporate security dumpster fire that is 2020. Companies continue to do what they are told by overly broad compliance requirements and industry “best practices” that don’t address the unique business or their needs. Millions of dollars are spent each year to check boxes so that the C-levels can say that they did their due diligence. But the truth is, these businesses are often assessing less than 10% of their assets and relying on “hacker insurance” when they get owned. They pay out for identity protection or to settle class action lawsuits, while BILLIONS of people continue to lose any expectation of protection, privacy, or anonymity they had. This is NOT OK and we have to do better. I will present real world examples, methodologies, and provide a fresh look at how we should be protecting our businesses and clients in an ever increasingly complex world.

atlas 0f d00m
The Power of Emulation to Know All the Stuff
Reversing something cool? Looking for vulnerabilities to exploit? Have I got a talk for you. Bug-hunting and RE can be daunting and thankless tasks, with nigh infinite possible approaches and outcomes. Learning to love the tasks and understand the process can improve results and reduce burnout. This talk will discuss some of the playtoys I’ve been using over the past year to do the stuff… if you’re already a master, or if you’re a n00b, you won’t regret coming, there’s something for everyone!

Wolfgang Goerlich
Mistaken Identity
While everyone was focused on credentials, criminals quietly moved to exploiting mistakes in identity. You have a long and strong password? That’s sweet. You’re using all three types of multi-factor? That’s cute. It won’t matter when the adversaries compromise identity protocols after authentication. But at least you tried. The trouble is that protocols like Security Assertion Markup Language (SAML) and OpenID Connect (OIDC) are difficult to get right. Few security professionals get it right every time. Most of us get these protocols mostly working — misconfigurations be damned. This session provides an overview of common mistakes and a set of practices for protecting federated identity and single sign-on. Attendees will leave with a knot in their stomach and a list of things to check with their developers.

Magno Logan
Kubernetes Security: Attacking and Defending K8s Clusters
This presentation aims to talk about different attack scenarios leveraging Kubernetes clusters. We’ll dig deeper into a real-world attack scenario using real-world applications to demonstrate different ways attackers and malicious users can exploit your cluster and the applications running on it. But first, we’ll give an overview of Kubernetes and its architecture, covering the main components of the Control Plane and the Worker Nodes. Then, we’ll use the K8s Threat Matrix and the MITRE ATT&CK for Containers published this year to discuss the Tactics, Techniques and Procedures and demonstrate the Recon, Exploitation and Post-Exploitation phases. After that, we’ll provide some best practices for securing your cluster based on the scenarios and the CIS Benchmarks for Kubernetes. We’ll show how to use RBAC for access control, how to enable audit logs for security and troubleshooting, and we’ll set up some network policies to restrict communication between pods and prevent lateral movement by attackers.

Ben Gardiner
Commercial Transportation: Trucking Hacking
Join us for a technical review of the how-to of hacking big rig trucks. Included is an overview and introduction to commercial transportation, specifically trucking (tractors and trailers), and its technologies. It will cover the vehicle networks J1939, J1708/J1587 and J2497, how they operate and what they can be used for, both intentionally and unintentionally. Several tools for truck hacking are presented and a survey of the public truck attacks is covered. Many tools are introduced and discussed, some with examples. Attendees should leave with a good sense of which areas of technical research into commercial transport cybersecurity are potentially fruitful and how they can equip themselves to successfully explore those areas. Some exposure to the CAN bus is assumed but no specific experience with commercial transport is needed.

Cat Self
Purpling the waters – Using MITRE ATT&CK® for Red, Blue, and the Intelligence conversations in-between
Adversary Emulation, Threat Hunting, Cyber Threat Intelligence. So many of us are interested in these disciplines, but where do we start? What does this look like in an organization? Using the MITRE ATT&CK® knowledge base, we walk through how to get started and grow as an intelligence analyst, adversary emulation engineer, and a threat hunter in an organization. For each discipline we explore where to start, what different maturity levels look like, and open-source resources that help raise the tide.

Mr. Jeff Man
Hackers Are Neither Created Nor Destroyed
I am a hacker. Looking back on my life I realize I’ve always been a hacker, although I wouldn’t have always claimed that moniker. I began my career as a Cryptanalyst for the National Security Agency. Cryptanalysts are hackers. In the early 90’s I got into computer and network hacking and became an “ethical” or “white hat” hacker/pen tester/red teamer. I pretty much stopped doing that around 2004 – but I still call myself a hacker and I’m still very involved in the security of systems and networks – but really I hack my clients’ business cultures/operations to figure out how to make them secure – whether they realize it or not.
Recently I was asked to become an “advocate” for a non-profit group called “Hacking is NOT a Crime” whose stated mission is advocating for global policy reform to recognize and safeguard hacker rights. I want to take some time to explain the concerns that have prompted the formation of this and similar groups, discuss some of the things that have happened that concern like-minded folks, and provide some of my own thoughts on how best to address this issue and also to voice some of my own concerns about how the term “hacker” has been used, abused, and co-opted – particularly even within our own community.
My primary goal for this talk is to promote open discussion and dialog within our community amongst hackers, non-hackers, apprentice hackers, affiliate hackers and the like. Let’s figure out how to hack how we are seen by “the global media and popular culture”. #Shallweplayagame #SetecAstronomy #HacktheGibson

G33kspeed
The Legend of Six Tickets: An introspective in modern SOC management, the dangers of KPIs, and how to turn lead into gold
Join me in a tale as old as time, as we walk through the Legend of Six Tickets. Throughout this talk, we will walk through the legendary tales of a Security Operations Center that wasn’t exactly working at their peak performance. We will see them work through alert fatigue, burn out, turnover, and the almost hilarious bad habits the analysts got themselves into. This is a cautionary tale, and one that has some good lessons learned for any “Boss of The SOC”. So sit down, buckle up, and hold on — it’s gonna be a bumpy ride.

Rob Wagner
20 Free Ways to Improve Your Defenses Today
Most organizations don’t have enough budget to buy every tool nor hire every person they need. They also don’t realize there are plenty of FREE tools, tactics and procedures available to the Blue Team. Here are 20 things you can do today to level up your People, Processes, and Technology at little to no cost.

Stefano Ciccone
Securing the Local Biometric Authentication in Mobile Applications
Local biometric authentication in mobile applications is a convenient mechanism to authenticate users before performing sensitive actions, such as unlocking the application or confirming financial transactions. However, this form of authentication introduces an additional attack surface, and it could potentially be bypassed if implemented in an unsafe fashion.
The presentation will illustrate the common pitfalls when integrating biometric authentication into mobile applications, it will provide examples of how to bypass this security control in non-sandboxed environments (e.g., rooted/jailbroken devices) using public tools such as Frida or Objection, and it will present ideas and examples on how to implement a more secure authentication process.

Erich Kron
Masters of Emotion: Modern Scams and Social Engineering
Modern scams are a multi-billion dollar problem that impacts a variety of industries and organizations of all sizes. From Fortune 50 companies to car dealerships and not-for-profit organizations, nobody is immune and the attackers are smart and very skilled.
One of the most effective social engineering attacks is phishing. It’s effective in scamming organizations and individuals out of money, stealing sensitive information, spreading malware and ransomware and much more. Many don’t understand that these attacks are so successful because the attackers use our emotions and vulnerabilities against us. Fear, outrage, anger and joy are just some of the lures that attackers use to make their money.
This session will look at the tactics the cyber criminals are using to trick people into performing the kinds of actions that lead to breaches and will examine ways to identify and counteract these attacks. It will also cover recent real-world attacks and the social engineering tricks that made these attacks so effective.

Charity Wright
Agent of Influence: A Spy’s Guide to the Digital Disinformation Battlefield
Never before have nation-states had a tool as far-reaching as the internet to tell stories, spread messages, and deceive friends and foes alike. Today, over 95% of Americans are connected to the internet, making them an ideal target for foreign influence. The US is facing an unprecedented disinformation disaster. Through storytelling, persistence, and deception, foreign governments like China and Russia are effectively infiltrating US social networks, political parties, news media, and culture to spread pro-China/Russia sentiment and counter Western criticism. In the process, they aim to isolate the US and bring allies to their side. Dive deep into the hidden-in-plain-sight world of foreign influence operations with Army and NSA veteran Charity Wright as she demonstrates real-life, current day examples of Chinese and Russian influence. Through undercover investigations and analysis of both foreign and US media, Charity will demonstrate how and why foreign governments are pouring their resources into this work, why the US DOD just spent $1B to counter disinformation, and how we can protect ourselves from falling prey to foreign online influence.

Dr. Xor & Yoav Iellin
Spoof! it’s Gone! Exploiting Kerberos and LDAP to Bypass Security Products
Active Directory environments rely on Kerberos as their main authentication protocol as a superior alternative to NTLM and plain text LDAP. But guess what? There is nothing that partial implementation cannot screw up and Kerberos is no exception – and we’ve spotted such implementations in four leading security products, exposing them to easy takeover (Cisco, IBM, F5 and Palo Alto Networks – but no worries, all disclosed, reported and fixed).
When correctly implemented, Kerberos involves three exchanges: an Authentication Service exchange, followed by a Ticket Granting Service exchange, and concluded with a Client/Server exchange. However, the four products we’ve analyzed featured a partial implementation in which the Client/Server exchange (number three) was not present at all. While it seems as if the authentication works properly even without this exchange (which is probably why it was omitted in the first place), its absence creates a huge gap that can be easily exploited in a spoofing attack. In this session we’ll deep dive into the details of this spoofing attack and demonstrate how it can be used to either bypass security controls or gain full admin privileges in Cisco ASA, IBM QRadar, F5 BIG-IP APM, and Palo Alto Networks PAN-OS.

Aaron Heikkila
Ransomware, a Real Problem
While ransomware incidents are on the rise, security professionals and business people alike are wondering, “What does a ransomware incident look like?” In this presentation, I’ll distill a year’s worth of firsthand incident response experience to extract the most important lessons learned. We’ll take a look at the attack paths that are most common in ransomware cases, discuss easily implementable and effective practices that are underutilized by businesses, and learn how to make life easier for your incident responders.

Daniel Farber Huang
How the FBI, Media, and Public Identified the U.S. Capitol Rioters
In this engaging presentation the audience will learn about the FBI’s wide range of investigative techniques – some using cutting-edge technology and others using old fashioned, knocking-on-doors detective work – used to pursue the hundreds of thousands of leads received from the general public related to the assault on the U.S. Capitol. This presentation is filled with real world tactics drawn from hundreds of formal investigations conducted by the FBI in the weeks immediately following January 6, 2021. In this information-abundant talk, we will examine case studies, specific resources and practical techniques to equip both beginner and seasoned OSINT investigators with the right tools for their OSINT toolboxes.
We will analyze the FBI’s investigations of suspects, including the tactics, techniques, and procedures used by law enforcement, the media, and public sleuths to track down, identify, and – most importantly – verify the identities of suspected rioters. Learn how the FBI sifted through hundreds of thousands of leads, false positives, dead ends, as well as numerous unexpected leads to perform their investigations.

Sol Roberts
Ez-Mode mTLS with Linkerd for a legacy revenue generating application
We’ve all been there. A Legacy Revenue Generating™ application needs to be migrated to the cloud! The problem? It uses a database or API layer that doesn’t have TLS. We cannot upgrade any part of this app; it’s “lift ‘n shift” the whole way.
Enter, Linkerd! The lightweight, secure service mesh for Kubernetes. Yes, there are dozens of service meshes out there, but only one that can be deployed in minutes and automagically adds mTLS to every deployed service. In this talk, we’ll take a look at how to deploy, configure, and test Linkerd mTLS on an application.

Quinton Babcock
Ransomware & Sanctions Risk: An introduction to Anti-Money Laundering for InfoSec
Have you considered whether your ransomware payment is violating international sanctions against terrorist financing? The feds have. In 2020, the Department of the Treasury issued the Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments. This advisory explains how ransomware payments can come to violate international sanctions and what factors the Treasury Department will consider when deciding if they will send your compliance officer to jail for violating these sanctions.
This presentation will provide a broad introduction to the fields of anti-money laundering and counter terrorist financing, including why it should matter to you and how bad actors leverage compromised access controls to commit financial crimes, and will examine the case study of ransomware payments through the 2020 guidance issued by the United States Department of Treasury Office of Foreign Assets Control.

James King
Gardening 101
Cultivating an InfoSec department with relevant and repeatable processes is similar to gardening, and I’ll show you how and why in this 25-minute talk. There will be advice for both novice and well-established blue team professionals and teams on how to manage risk, document and iterate on processes, and better understand your environment.

Anthony Ralston & Ryan Fisher
ISE-Skating – bypassing NAC in under a minute
Network access control (NAC) solutions are leveraged by organizations of all sizes to prevent unauthorized devices from accessing enterprise networks. This represents a large spend for the organization, but how effective is this control? In this session we’ll answer that question and discuss the methods that I use to bypass NAC in under one minute.
We’ll explore the historical methods of bypassing NAC solutions, primarily MAC authentication bypass (MAB) device bypass and abusing inefficient or incorrect configurations. Next, I will explain ISE Skating, i.e. the process of allowing the extensible authentication protocol (EAP) exchange to occur and riding that authentication for access. This exploitation is possible because the authenticator is unable to detect intermediate devices which do not emit bridge protocol data units (BPDUs). Once EAP authentication occurs, the authenticator only validates the MAC address of the connected device.

John Seaman
Why Asset Management Fails for Cybersecurity (and How to Fix it)
Despite the fact that every major cybersecurity framework lists asset management as the most foundational element, security teams still struggle with the downstream impact of incomplete, inaccurate, and outdated asset data. Without an accurate understanding of everything in an environment, all other initiatives suffer.
But there’s good news. It doesn’t have to be this way. Join this session to learn how security frameworks like the CIS 20 and industry-specific mandates like NIST and HIPAA approach asset management requirements, how previous approaches to solving asset management fall short, and how cybersecurity initiatives like incident response, vulnerability management, and CMDB reconciliation are impacted. We’ll also discuss a new approach that leverages existing data to solve the asset management challenge for cybersecurity.

Wally Prather
What Do You Mean They Touch, SolarWinds and Exchange Connections
This talk examines the connections between the SolarWinds Orion supply chain attack and the Hafnium Exchange Server vulnerability. This talk will show the infrastructure, infrastructure connections, attribution, and processes / code overlap with known international state sponsored threats. This talk comes from the view of an intelligence professional working to better understand the processes behind the threat.

Reid Gilman
Practical Solutions for Active Directory Security
Active Directory is at the heart of many businesses – and intrusions. Attackers are experts at finding and exploiting weak permissions, but defenders often struggle to find and fix these weaknesses. For many organizations, this is one of the highest-impact security projects they could pursue, but too often it seems like an intractable problem.
We make this problem more approachable with a practical, metrics-driven approach. We will introduce an open-source tool called Practical AD Security: it helps defenders discover, prioritize, and remediate common AD misconfigurations that make their networks easy targets for attackers. It automates the process of auditing your environment, presents the results in tools you already use, and gives you clear paths to make improvements.
This talk focuses on how defenders can improve the state of their AD security no matter where it is today. We will not rehash well-documented attack techniques because there is already excellent research covering these topics (but we will give you lots of links to learn more!). Although we will talk briefly about the importance of AD in your overall security posture, this talk assumes that you already know AD security is important and want to know how to take the next steps.

Ted Joffs & Shae Bailey
Thinking Beyond the Incident Response Plan You Likely Won’t Use Anyway
While we wanted to chit-chat about all the stuff you are doing wrong, we decided we wanted to help you plan beyond the Incident Response Plan that you really are not going to use. To do this, we will walk through lessons learned from the trenches of Incident Response and Digital Forensics tying them back to the key things that your business leaders and responders should have planned for but didn’t. We will cover fun things like cybersecurity insurance, legal counsel, what capabilities you really need in house, and delve into really hot topics like should you pay that F*&^%*g Threat Actor that is holding you ransom? This may or may not change anything you do but you should listen and laugh at us anyway. Come listen to the rants, interrupt and ask questions, and perhaps get a laugh or two at our expense. Oh, and get an invite to a really nice event afterwards too!

Scott Thomas
Should I stay or should I go now?
You’ve got a job. Maybe it’s a good job, or maybe it just pays the bills. It could be a complete cluster and you want to leave, you could be completely happy but be good at what you do with companies asking you to work for them instead. Maybe a job just turned up on your doorstep and you can’t ignore it. Regardless, you may find yourself with a reason or opportunity to leave your current job. When is the right time? What should you consider? How do you leave without turning that bridge into smoldering ash in case you need to go back to that company or that boss? How do you turn down a good job because it’s not the right time or right fit for you? Sometimes soft skills are going to help you as much as tech skills in the career world.

Rob Richardson
Continuous Security by Design
Have you struggled to get security baked into your DevOps process or have your security needs taken a back seat to “run fast and break things”? Just because we’re moving fast doesn’t mean we can’t be secure. Join us for this deep dive into adding container scanning to a DevOps pipeline. We’ll enumerate the security tool categories, and give you tips for adding these tools to your development workflow, build pipeline, and production monitoring setup. You can achieve a robust security posture and still release continuously.

Andrew Spangler
If it ain’t broke, you still need to fix it
This talk will have something for everyone: a little history, some reverse engineering, some policy talk, and a tool release which tens of people across the world will be excited about.
We will discuss some of the security issues surrounding long term, often homegrown, software utilities and processes which ‘just work’ and have been largely forgotten about in organizations. This will touch on the popular topic of third-party software, because your third-party software supplier is likely suffering from the same issues.
We will walk through an example of reverse engineering the KiXtart scripting engine to create a decryption and detokenization tool for KiXtart scripts to reverse them back to plaintext, inserting malware, then retokenizing and encrypting them for tasty, stealthy, malicious action.
Charles Herring
Machine Learning Driven Social Engineering
Machine learning (ML) is arguably the most potent advancement in technology since atomic fission with similar benefit and risk extremes. The outcome driven nature of machine learning allows computers to rapidly test theories to find pathways to support specific goals. These approaches applied to social engineering can be used to manipulate human factors for purposes including cybersecurity breach. This session will cover the philosophies, strategies and tactics used to accomplish a successful campaign to recruit human assets to a cause. Factors to mitigate risk in these advanced social engineering attacks will also be examined.
Jeff Miller
The Simple Way to Prevent Data Exfiltration
Many organizations have overlooked one of the simplest forms of security foundationally required in core network services and used in almost every communication: that service is DNS. During this session we will discuss the fact that DNS is an application on your network with little to no security, always available, easily accessed and exploited in almost every cyber-attack. We will then dive into how DNS is exploited in a Data Exfiltration demonstration as well as why Machine Learning and Artificial Intelligence are so critical when securing the DNS protocol. Organizations that successfully pivot DNS from an IT Utility into a Security Strategy will greatly improve visibility, identification and response within their operations. I always encourage organizations to objectively think about if the DNS protocol was being exploited right now: what in the existing security stack would be able to not only identify the activity but also classify the activity in order to operationalize DNS security within the organization?

Anthony Ralston
PeapBomb – Attacking modern wireless networks
Organizations of all sizes use NAC on wireless networks to prevent unauthorized devices from accessing the enterprise. Security professionals have historically tested this control by abusing misconfigurations. Blue teamers know the techniques that testers use to attack these areas and build their controls to prevent security professionals as opposed to malicious attackers.
PEAP is a popular EAP method used in wireless authentication. Security professionals often use the “evil twin” attack to target these systems, attacking the networks from their cars or sitting in public areas. It’s easy to think of gimmicks to get to areas where the ESSIDs are accessible. Our attack takes a more subtle and effective approach by password spraying PEAP-protected wireless.
Chris Pittman
SOC – Rise of the Humans
The bad behavior of end users is a celebrated cliche in the world of Security. Despite spending BILLIONS of dollars on education and awareness, phishing and social engineering attacks remain the number one threat vector for cyber attacks. Meanwhile, the world of security tools and services relies increasingly on Artificial Intelligence to supplant the inabilities and inefficiencies of human security analysts. But WHAT IF this wholesale discounting of the human factor is the true vulnerability in our security philosophies? Emerging security services and studies are demonstrating that human-led security training AND human-led A.I tools provide the greatest success for security programs. This talk examines some telling statistics along with compelling anecdotal evidence suggesting the rise of the machines has been greatly exaggerated.
Eric Kaiser
Structured security analytics for the modern attack surface
The security community has embraced osquery as a way to gather and normalize telemetry from endpoints. Now, new extensions can bring that SQL-driven approach to cloud infrastructure and container environments.
This session will cover the basics of the open-source osquery project and introduce cloudquery and kubequery, two open-source extensions to the osquery project that enable security teams to strengthen their cloud security posture. This session will also provide examples of detections and investigative workflows that join together telemetry from cloud-based hosts, container environments, and cloud infrastructure.
AJ Lopez
Replication Devices (You Might Call Them Printers)
IT hates printers, hackers love them. Printers are often anonymously used and aren’t typically patched. Learn how printers are used in an attack and how companies are defending against them.
Catherine J. Ullman
Dumpster Fires: 6 things about IR I learned as a firefighter
Threats surround us like a ring of burning fire. Unfortunately, incident response doesn’t come naturally to an operational mindset where the focus tends to be on reactive problem solving. As a volunteer firefighter for over twenty years, the presenter has learned a lot about what is and isn’t effective. There are surprising parallels between fighting real-life fires and the fire-fighting that passes for today’s incident response. For example, striking a balance between swift response and patient reflection is often the difference between life and death, in a very literal sense for the firefighter and a figurative sense for the security professional. It’s also all too easy to get tunnel vision and focus on the wrong areas, costing precious time. The security world is full of dumpster fires these days, so join this session to learn from a good firefighter what makes a good security person.

Eric Wing
Why is everyone talking about Zero Trust?
The world is changing, and our traditional security models have failed to keep up. It seems nearly every day you hear news about data and identity breaches that stress the need for security models to change. The network perimeter is gone and VPN is not the answer, we have to remove that network edge mentality from the security landscape. The Zero Trust model is unique because it is about trusting no one, verifying every identity and device either inside or outside your network. In this session we will discuss the reasoning behind the Zero Trust model and the value it provides.
Jason Slagle
Pwning Managed Service Providers for fun and profit
In this session, I will cover the security threats exposed by a proliferation of tools in use by Managed Service Providers. From their remote monitoring and management tools to small little boutique tools, MSPs increasingly rely on a complex stack of technology to get their job done. Each tool they bring into that stack increases their risk exposure, and many vendors do not take the risk they expose the community to seriously. The end goal of this discussion is to increase awareness of the weaknesses in some of these tools, and to bring the light of the general community onto them to make them better – by bounty or force.
Brock
Sensory Magnets: The Biohacker Journey
“F*cking magnets, how do they work?” – Shaggy 2 Dope (ICP)
Have you ever looked at your microwave and thought…I wonder what your magnetic field feels like? No? Just me? Well…anyway, how exactly does someone decide to implant RFID microchips in their body like they’re about to get picked up by Animal Care and Control and scanned, and more importantly, why would anyone ever take a homebrew magnet, cut their finger open, and shove it inside?
FDA who? Never heard of them…
This definitely isn’t a talk about butter in your coffee, “smart drugs”, or advanced stretching techniques. What it is, though, is the story of how I ended up back at a DEF CON hotel room getting jabbed by a large-bore needle, spent the next several years searching for a biocompatible magnet and someone to install it, and finally…discovering what it’s like to perceive a new sense! Turns out the real journey was the friends we made along the way – Biohack the Planet!

Ryan Mostiller
Bring Out The Skeletons In Your Closet
Blue Teams and Cyber Defenders do a great job at securing 95% of their assets, but everyone has skeletons in their closet – the legacy machines, unpatched software, and other security risks. Instead of pretending they don’t exist, let’s discuss how we can lead with this information to best secure the environment. This is an action-oriented presentation that will help any defender identify, discover, and document their worst security issues and how to communicate the risks effectively to all levels of management. Once identified, now let’s address how to secure them as best as possible, especially when killing them is not an option. Everyone has vulnerabilities; it’s time to highlight them and plan accordingly. We can all help each other in this process.
Kevin Bong
Finding a Hidden Website Compromise
Attackers are becoming increasingly savvy at hiding malware such as backdoors and card skimmers on compromised web servers, and building sophisticated attack chains to steal cards, even from servers using supposedly secure iframes for payments. When customers start to complain about stolen cards, it is very common for the web developers to review the site and find nothing nefarious. In this talk, Kevin will use examples from recent website breach investigations to demonstrate the tactics that attackers are using as well as techniques intended to help investigators find and interpret malicious code.
Ell Marquez & Nicole Fishbein
APT’s Transition to the Cloud
Every day, wars are being waged on an invisible battlefield. The enemy is hiding and stealthily leveling its attacks from within. This formidable foe isn’t an opposing army. Instead, it may very well be a single malicious actor or a state-sponsored group of hackers.
Attackers are now investing more time and effort into creating malware tailored to Linux environments. The best-case scenario outcome of a successful attack is a tarnished reputation; the worst, significant (and potentially irreparable) damage to a brand and its business.
This presentation will focus on the techniques attackers use to transition traditional tools and create malware tailored to Linux and cloud environments. And, of course, the solution to how to change our security approaches to address the continuously changing threat landscape.

Ang Cui & Hans Wu
p3wning Trustzone in Cisco phones yet again.
In this presentation, we will demonstrate the use of a text-to-speech, “deep fake” model on a Cisco 8841, a widely used office phone. While training a useful inference model requires long hours on hefty servers, running the inference alone doesn’t; today’s “garden variety” embedded devices are now capable of running the “business end” of a deepfake model.
Our story begins with the disclosure of a second set of vulnerabilities we discovered in the API of Trusted Execution Environment (TEE) services which leverage ARM TrustZone capabilities. These vulnerabilities allow privilege escalation and arbitrary code execution within the TEE. We demonstrate exploitation of these vulnerabilities, and discuss the security implications of vulnerabilities at this system level. Having established the ability to load code on such systems, we also demonstrate that it is possible to produce realistic, real time audio deepfakes directly on an off-the-shelf device. We discuss mitigation strategies for the disclosed vulnerabilities, and what is really needed for improving the security posture of embedded devices.
Nick Roy
OSINT and the Hermit Kingdom
OSINT tools provide security analysts with a powerful set of tools and data that can be leveraged to discover accounts, infrastructure, and long forgotten services that are still running. Using these sources we can research specific companies or users, find easy targets for bug bounties, and begin reconnaissance efforts against our own systems. Learn more about different techniques to gather information while examining North Korea’s public facing infrastructure.
Stephen Frethem
Reduce Ransomware’s Blast Radius
Ransomware gangs are now stealing their victims’ data before unleashing ransomware – forcing victims to pay up or deal with the fallout when attackers post highly sensitive data for all to see. Join Stephen Frethem (Director of Enablement) as he walks through some of the ways that cybercriminal groups identify internal systems to target, elevate rights, find sensitive data, and finally exfiltrate it before detonating ransomware. Stephen will also provide tips on ways to spot the attackers at each step before it’s too late.
Eric Mannon
‘Flipping the Script’ – Building a Threat Informed Defense with Purple Teaming
Purple-teaming activities combine threat modeling, threat intelligence, and threat emulation against your production infrastructure assets so your defenders can identify ineffective security controls and missing data sources and actively improve your enterprise’s defensibility. By understanding how threat actors think, act, and pivot, you ‘flip the script’ and use their TTPs against them, shortening your detection times and making the attackers’ goals harder to achieve. Join Eric Mannon to hear how purple-teaming is the most straightforward practical expression of threat-informed defense.
Alex Holden
Why I Go to the Dark Web Every Day.
It is not a surprise that the Dark Web is full of stolen data. By the end of each day, nearly every company and individual has been victimized by cybercrime and has their data trafficked on the dark side of the Internet. Most of us are fighting cybercriminals from within our corporate fortresses building defenses against an enemy that is constantly attacking our virtual perimeter walls. But what would happen if we journeyed beyond our walls into the enemy territory? We could try to gather intelligence about the cybercriminal’s actions and technology and find ways to mitigate the loss of the data they have taken hostage.
This approach is not new but is still rarely utilized by the cyber security community. It is often feared and misunderstood. But those that take this leap find themselves in a new world that is traitorous and obfuscated, but full of treasures that can improve our defense capabilities.

0DDJ0BB
Threat Model Your SIEM Alerts
Alert fatigue burning your team out? Do you have a lot of alerts in your SIEM enabled because they’re there? Having trouble making metrics make sense to executive management? In this talk you will learn how to threat model, how to apply the concept to SIEM alerts, and how to create an alert development life cycle to manage your alerting, use cases, and correlation rules. By threat modeling your alerts, you ensure you only have the logs needed to raise an alert in your threat model, saving you precious storage dollars, disregard alerts that aren’t actionable, saving you precious response time, and keep up with threats you actually care about gaining access to your organization.
Aaron Herndon
Phishing with Payloads: A Crash Course in Bypassing EDR/EPP
Establishing initial access to an environment through a phish, with a well-crafted payload, is a wonderful feeling. Though at times, nothing is more frustrating than bypassing EDR and EPP. Join us as we demonstrate ways to modify, obfuscate, and deploy evasion techniques which bypass EDR with a Covenant Grunt payload sent in common phishing formats. This entry level crash course will cover both offensive techniques as well as defensive countermeasures to reduce the attack surface available.
Julian Wayte
Digital Detection & Investigation with Osquery and YARA
Osquery and YARA are great tools for digital investigation. In this talk we will detail how both can be used for malware detection and digital investigation purposes. We will dive into malware detection by scanning all running processes with YARA for threat detection. Digital investigation use cases will also be covered, using osquery to detect vulnerable packages present on computers.

Dave “Heal” Schwartzberg and Chris “EggDropX” Payne
Getting to GrrCON 0xA Badge
Digital event badges are a Payne in the ass. Listen to the stories behind GrrCON’s 10th anniversary badge. Learn about the technical details, how to hack into it, bullshit from China, and functional and dysfunctional features. This might just be the last digital badge you get at GrrCON.

Rob Carson
Guerrilla Warfare for the Blue Team
Blue teamers in the trenches need to stop living Groundhog Day. Time to punch Bill Murray in the face and change the game in our favor. The game has changed but the basics are the same. The three-block war is described as full-scale military action, peacekeeping operations (PKO) and humanitarian aid within the space of three contiguous city blocks. How does this compare to starting your morning activating your incident response (IR) plan due to a suspected credential breach, change management meetings (Compliance), and handing out hugs while CXOs change their passwords for the first time? 1. No one is shooting at you. 2. Not much else… Just as methods of warfare have changed, so too has the way we must run security programs. What does it take to prepare and execute your own 3-block Blue Team war?

Brett DeWall
Skim Job – Skimming Your Way In
Organizations seem to be more aware of social engineering today as many social engineering tactics are being tested and prevented throughout various industries. However, onsite social engineering is still quite successful. This talk presents a new toolset which will quickly elevate an operative from no access to keys to the kingdom. The demonstrated toolset helps the operative gain physical building access without alerting employees to common social engineering indicators. During this talk you will learn about the current social engineering attacks utilizing RFID, a full walkthrough of a newly created RFID skimmer toolset, and opportunities for organizations to better protect themselves.

Vince Matteo
I Want To Be A Hacker
In this talk, I discuss my decade long journey into offensive hacking while contrasting lab environments versus reality. I then dive into current real-world techniques I use to breach environments, establish footholds, and then I share my current methods for living off the land, evading detection, enumerating resources, and how I push deeper into the environment with the overall goal of gaining full control.
Jim Hunter
Have another drink, corporate security head scratchers
Every year I think I’ve seen it all in cybersecurity assessments conducted, and the head scratchers keep rolling in. In this presentation, I’ll take you through experiences I’ve had doing security assessments for a variety of clients and share where some of them have nailed it and where some have failed it. I’ll share some practical, sometimes surprisingly simple ways to improve or help raise the security bar.

Serge Borso
Stop Snitchin – How, and why, malicious websites get taken down
Have you ever hosted less than reputable content on a website, and then one day realized your domain was being flagged as malicious or had your hosting provider suspend your service? Well I have… more than once! The purpose of this talk is to share the results of a research project centered on how websites hosting malware and phishing elements become the subject of takedown/abuse requests. If you are engaged in spear phishing campaigns, hosting BeEF hooks and exploit payloads/C2 servers etc. and want to avoid service interruption, this talk may be right for you. How does a given anti-malware service know about your wares? How does Google’s Safe Browsing project know when you have a phishing site? At what point does your ISP get involved and how can you better prepare for these outcomes? Join this talk to find out the surprising answers.

Micah K Brown
How a 1993 CCG prepared me for a life in Info Sec
Magic the Gathering (MTG) is one of the most iconic and popular customizable card games of all time. At its heart the game is all about resource management and strategic thinking. Since 1993 MTG has been able to build and maintain and communicate a constant vision of the game both internally to create new cards and externally to attract new and old players alike. Join me as I release an open-source documentation framework with downloadable demo VM.
Jason Bevis
Passwords Revealed – Xray Vision using Network Goggles
Everyone knows weak passwords are a risk, but what if I told you, it doesn’t matter how strong your password is, if it can be seen on the network. In this talk we uncover network exposures that are wide open for almost any malicious insider or attacker to take advantage and wreak havoc on the environment. We will also discuss techniques to hunt for these exposures so they can be remediated quickly.
Melissa Bischoping
Hunt the Stank – Finding Attacker Behavior Before You Pay for It
It’s going to happen. You’re going to get breached. When you do, are you confident that you can look into your environment and separate attacker behavior from the expected or benign? As threat actors continue to personalize their operations, traditional methods of detection miss opportunities to stop them early in the attack.
Understanding the behavior of the bad guys and being able to rapidly recognize it is your most powerful weapon to minimize damage. Effective incident response to modern ransomware breaches starts long before the attacker is in your network. Knowing your baseline and understanding in real-time the state of your environment gives you an easy-button view for when things deviate. In this talk, I discuss the importance of baselining, asset inventory, and understanding your data flows, as well as walking through the steps of the offensive chain, and the numerous opportunities you have to monitor, detect, and disrupt along the way.
Morgan Wright
What Elon Musk and SpaceX Can Teach Us About Ransomware and Cybersecurity
As a kid I always assumed that when you shot a rocket into space, other than the capsule, all the other parts burned up on re-entry into the atmosphere. Elon Musk asked why couldn’t you just reuse the rocket? And SpaceX was launched. To change cybersecurity, we have to change our mindset. In 30 minutes I will challenge conventional thinking, proverbial wisdom, and ask a new question.
Len Noe
Biohacking: The Invisible Threat
Biohackers exist and walk among us. Most security professionals would not allow users into their environment with offensive security tools. How do you address individuals who have surgically implanted such devices into their bodies?
Len Noe, with CyberArk, has multiple subdermal implants that range from NFC, HID/Prox and RFiD devices. This allows him to become the attack vector. In this talk, he will provide a brief overview of the types of bio-implants on the market and share various case studies on the potential damage malicious biohackers can inflict including quickly compromising loosely connected devices and hacks that avoid any physical evidence of a breach allowing them to gain access to data as well as physical access to secured locations.
As security professionals, we must anticipate the unknown. These include any individuals that enter our facilities or are simply around us in public. These types of attacks are becoming more common. A majority of security community are not aware they exist. Discussions on what was once thought to be science-fiction are now science fact.
Through continuing education on phishing and social engineering attacks, tightening MDM restrictions, endpoint management, behavioral analytics, least privilege and privileged access, we can take preventive measures around the threats we can’t see.
Michael Khalil
Modern Day Multi-Cloud Security Strategy
If one cloud deployment was not stressful enough, multi-cloud deployments are the new norm in modern organizations. Be prepared to build a cloud security strategy for your environment. Learn how to plan out your cloud security program to meet the needs of your current and future use cases. I will be discussing secure landing zone design considerations, extending your security policy to the cloud, and practical use cases when choosing automation and other tooling for your cloud security operations.