Skip to content

Presentations 2023

yo mama

Thursday Morning Keynote

Kevin Johnson

Guardians of Reality: Countering Hype in InfoSec

 

In an era where attention-grabbing headlines and flashy marketing campaigns dominate the landscape, InfoSec finds itself at a crossroads. Kevin Johnson of Secure Ideas will dive deep into the prevailing trend that is steering the industry away from its core mission – to ensure cybersecurity and protect sensitive data.

In an age where clicks and views reign supreme, the industry has been seduced by the allure of quick attention, leaving genuine security concerns languishing in the shadows. This keynote will shine a spotlight on the pressing issue of marketing-driven sensationalism that overshadows the pressing need for substantive solutions.

From the smoke and mirrors surrounding “automated penetration testing” to the proliferation of AI-powered miracle solutions, we will dissect the myths and unveil the truths. Our journey will underscore the fact that genuine penetration testing requires the human touch, the artistry of experts who understand the intricacies of security challenges and the dynamic nature of cyber threats.

As Guardians of Reality, we’ll explore strategies to realign the industry’s focus with its fundamental mission. We’ll navigate through the storm of misinformation, tackling head-on the dangers of sacrificing genuine security solutions for mere attention. It’s time to strip away the veneer of hype and rediscover the essence of InfoSec – protecting our digital world from real-world threats.

 

 

 

tbd1
tbd

Thursday Afternoon Keynote

Zach Hanley and James Horseman

New Isn’t Always Novel: Grep’ing Your Way to $20K at Pwn2Own, and How You Can Too

Join Chief Attack Engineer Zach Hanley and Exploit Developer James Horseman for an eye-opening keynote session where they’ll discuss in detail how the hacker mindset can be applied to seemingly daunting tasks in order to make them more approachable.

Zach and James will show how they approached their first Pwn2Own contest and how they discovered a command injection RCE vulnerability affecting nearly every Lexmark printer. They’ll also share why they think it went unnoticed in previous research and why current open-source static analysis tools can miss this simple bug.

Finally, they’ll release the exploit POC and an additional POC to dump credentials during engagements.

 

 

TBD

Friday Morning Keynote

Nathan Ruehs

June 12th: My Ransomware Breach Story

We’ve all heard case studies regarding organizations that were hit by ransomware, but this is a little different. This is my story about the incident I lived through while working at a MSP that was hit by REvil ransomware. Now working in DFIR, I’ll tell the story of the day it happened and the weeks that followed from the perspective of an incident responder. You can expect to hear lessons learned, the personal toll an incident takes, and the different impact it had on all affected organizations.

 

 

yo mama

Friday Wrap Up Keynote

Chris Roberts

Topic to be determined by number of Feds in the audience.

 

 

 

Patrick Matthews

Invisible Red Teaming

Patrick Matthews

Adding onto my 2019 Derby con talk about using pre-paid cards to gain hosting infrastructure. This talk will detail a few other ways to anonymize Red Team activities. Such as, self-destroying drop box’s to hinder IR; OPSEC notes about using infrastructure with Tor access; highlighting trackers to avoid when cloning site; concealment of devices; OPSEC notes TLS and LTE. I will also review use of pre-paid cards and what no longer works from my 2019 talk.

 

 

Finux

Boats are scary

Arron Finnon

Yeah, it‘s the usual Finux talk. I‘m going to talk about something bizarre and unrelated to security and then find similarities and walks away from said bizarre and unrelated thing which can be applied. If i manage to pull it off is another question entirely. If you‘ve been to GrrCON anytime over the past decade you‘ll have probably seen me try this before. I‘ve been speaking at GrrCON for years, I‘m the guy with the memes who comes from Scotland, talks a lot about history. So this year, I’m going to try boats.

Boats! Yes, you read right I’m going to be talking about boats. Boats are pretty epic, they‘re also very scary, and crazy dangerous. They have a long history, in fact they‘ve helped shaped a lot of it. From exploration to being used as weapons, their role in trade, to the mass migration of people, they‘ve played a crucial part. What i have learned in a year, is that a sailors idea of safety and security is terminal than a nerd from Scotland knew. This talk is not about hacking a boat, barrel roles in a sailboat is a proper terrible idea!

I will go off topic, i will swear, probably a lot, and you‘ll not learn anything you couldn‘t have googled yourself. I‘ll be honest with you all now it‘s tempting to load this entire talk with jokes about seamen. Don‘t judge me, you‘re at GrrCON too! You’ll not find any real walks aways but you might learn a few interesting things, some of them might even be about security.

You should probably go see the other talks 😉

 

 

Matt Schwager

Finding authentication and authorization security bugs in web application routes

Matt Schwager

This presentation introduces route-detect. route-detect is a command-line tool that seeks to aid security researchers and engineers in finding authentication (authn) and authorization (authz) security bugs in web application routes. These bugs are some of the most common security issues found today. The following industry standard resources highlight the severity of the issue:
– 2021 OWASP Top 10 #1 – Broken Access Control
– 2021 OWASP Top 10 #7 – Identification and Authentication Failures
– 2019 OWASP API Top 10 #2 – Broken User Authentication
– 2019 OWASP API Top 10 #5 – Broken Function Level Authorization
Of course, not all authn or authz bugs occur in web application routes, but route-detect seeks to confront this pervasive class of bugs.
Find route-detect here: https://github.com/mschwager/route-detect

 

 

pic

story-time with atlas (with hex)

Atlas of D00m

ch 1: the first 30 years (sped up a bit)
ch 2: hex toys
ch 3: how to dance with the devil by the pale moonlight

 

 

pic

The attackers guide to exploiting secrets in the universe

Mackenzie Jackson

Exposed secrets like API keys and other credentials continue to be a persistent vulnerability. This presentation sheds light on the methods used to discover and exploit such secrets in various environments, including public and private git repositories, containers, and compiled mobile applications. This presentation combines various different research projects that illustrates the different methods attackers use to find and exploit secrets to gain initial access, elevate privileges and created persisted access. It covers research into exploiting secrets in git repositories, private and public, exploiting secrets in compiled mobile applications and exploiting secrets in packages and containers.
This presentation offers valuable insights and information on how to identify and address exposed secrets, one of the most persistent vulnerabilities in application security.

 

 

pic

Being B.A.D. for good reasons! & How we can help others to be better!

Jayson Street

In this talk we cover 3 important topics related to Red Teaming.
We talk about how our approach must change when doing engagements. We need to focus more on how do really help our client. Breaking the client’s network or helping them improve their security which is more imperative really?

We focus on what brings better value for the client. Showing them how leet you can be with your mad Red Teaming skills or by showing them how trivial a breach can be and educating the client’s employees on how to be better secure.

Knowing nice big technical words is great and all. Yet wouldn’t be even better if we talked in ways that everyone can fully understand and therefore create lasting change and improvement to the client’s security posture.

 

 

J Wolfgang Goerlich

Friction

J Wolfgang Goerlich

Our goal is to reduce friction. So people in security have been saying. But is that a good goal? It’s true we’re all frustrated with frustrating security controls, settings, and products. But consider the employees. And by employee, I mean more than end-users. This is a broader conversation; including software developers, IT engineers, DevOps practitioners, and more. How much friction should there be when pushing code? Spinning up or down virtual machines? Changing our cloud tenant? Also, and here’s the kicker, when do people prefer a little friction? In this talk, we’ll challenge conventional thinking and provide a framework for designing and architecting security capabilities.

 

 

Catherine Ullman

Defending Beyond Defense

Catherine Ullman

Assumptions burn defenders every day. Perhaps the most pernicious one is that systems and their controls will always work as designed. Best practices in security may be good guidelines, but unfortunately also suffer from these same blind spots. For example, best practice recommends the use of LAPS for local administrator account passwords of domain-joined computers, yet misconfiguration of active directory can turn it from a protective control into a vulnerability. But what if there was a way to challenge these assumptions up front? The best way to dismantle these types of assumptions is to experience how deeply flawed they are. There is no better way to gain first hand experience into this perspective than immersion in the offensive security space. In this talk we’ll explore how to immerse yourself in the offensive security world to obtain this knowledge without needing to change careers or obtain additional certifications. By being more informed about offensive security, defenders are better able to recognize relevant intel, understand existing threats, and more readily discover attacker behavior. Join me as I discuss how there’s more to defending than just defense, and how you can find and engage with the amazing resources that are out there waiting to be explored.

 

 

Gregory Hatcher
J

Tales of AV/EDR Bypass: Ropping the Night Away

Gregory Hatcher & John Stigerwalt

Over the last couple of year, the evolution of calling Windows APIs in loaders has moved from direct system calls to indirect system calls. However, using indirect system calls will only get a malware developer so far; only the return address is modified, not the entire stack. Windows Event Tracing (ETW) can detect this malicious behavior. However, if we use ROP (return-oriented programming), we can gain control of the call stack. There will be no hard-coded syscalls or jumping to the syscall region. Using various ROP gadgets that create ROP chains, we can make our Windows APIs call stack look completely legitimate and undetectable to modern EDR products. When our functions return, they don’t return back to their own thread when complete. It is not possible to trace the call back to our RX region at all.

 

 

Richard Haight

Recalling early Unix System development at AT&T Bell Labs

Richard Haight

In the case of Unix early development, I accidentally had a front row seat at what surprisingly became history. Recently, I read things (or view on YouTube) about that time that irritate me. My talk will give my version. I have posted a paper on this subject at rch-ideas.com (nothing for sale)

 

 

Allie Abdeljabbar

Legal in the cyber/medical space and all things (shit that can & do go wrong)

Allie Abdeljabbar

This will be a presentation from a former paralegal that hopped over to the cyberspace. As a plaintiffs litigation paralegal, I witnessed so many wrong things surrounding the lack of confidentiality surrounding client’s PHI and PII. I will include how I managed to obtain medical records without a HIPAA or proper documentation in place via fax, how I received a death certificate without proper documentation (full SSN’s are located on Death certificates), how Social Security releases SSN’s of a deceased person on a quarterly basis; thus, opening the gap for stolen identities of a deceased person. I will also include a personal story of how when we send call centers overseas, they do not know about HIPAA laws here in the US and how I could have walked out of a storage facility with a box full of many other peoples medical records. This storage facility houses medical records, but the problem was from a well-known corporate health company (will not disclose the name).
I will also discuss how not performing proper due diligence can be costly with legal ramifications. Trust but verify. So, I was assigned a case that allegedly people worked up. When I was cross referencing facts, they had signed up the brother of the deceased claimant, spoke to the brother, provided case information. The problem with this is the deceased claimant had a wife at death and the brother was not the rightful legal person to talk to. I had to OSINT the surviving spouse, have her provide her marriage license to prove she is who she confirmed she is, provide the Last Will & Testament & her ID, among other docs that had to be signed. I will present the issue that could’ve happened for not proper due diligence.

 

 

Alissa Gilbert - dnsprincess

Hey Ma’ where do pentests come from?

Alissa Gilbert – dnsprincess

Learn how to perform a pentest, explained through a storybook! A penetration test is an important step in protecting one’s own assets, networks, and sanity. But you can’t just go about smashing everything and expecting good results! This presentation will go through the details about how to conduct a pentest, wrapped up with a clever tale.
Find out what makes a great pentest: a good scope, a solid methodology, and the right skill sets. We’ll explore various pentests and their keys areas of success and failure, using examples to show what makes a great pentest. There are fundamentals to be reviewed, as well as some insight from the pentesting community on mistakes and good practices.
As seen from – Twinkle twinkle little script, you can’t scan this folder zipped. With the data packed so high, it’s an exploit in the sky. Twinkle twinkle little port, what rootkit can we import?

 

 

Kyle Hinterberg

PCI DSS v4.0 Is Here – Now What?

Kyle Hinterberg

The Payment Card Industry Security Standards Council (PCI SSC) released v4.0 of the PCI Data Security Standard (DSS) in 2022 and the countdown is on. Organizations that need to comply with PCI DSS only have until April 2025 to implement all the new requirements. Are you ready and, more importantly, do you even know what it will take to be ready?
Many organizations need to comply with the PCI DSS and a major version change can be daunting. To make things worse, most of the information provided by the PCI SSC and other organizations can be vague and/or marketing focused. This leaves individuals confused as to what they really need to be doing to prepare themselves and their organizations. My goal is to break it down Barney-style so that no one gets stuck behind the eight ball when they run their first v4.0 assessment.
During this presentation I will:
-Provide brief definitions of the PCI SSC and PCI DSS
-Explain the history of the PCI DSS (how we got to where we are)
-Provide an overview of the changes in v4.0, specifically avoiding any vague marketing talk and focusing on actionable items to help prepare organizations for v4.0
-Provide a summary of the big-ticket items that organizations should be working on to ease into v4.0

 

 

Matt Hoy (mattrix) - John Stauffacher

Story Time with Matt and John

Matt Hoy (mattrix) – John Stauffacher

Come sit around the nonexistent campfire while we tell the story about John and Matt – Chapter 3

 

 

Gabe Schuyler

How to choose a tinfoil hat (with science!)

Gabe Schuyler

A properly constructed tinfoil hat is essential for the modern information security professional. To the beginner, however, the array of choices may seem daunting. Do you go with the tried and true beam-blocking beanie? Would a silvered Stetson or Faraday Fez suit your threat profile better? (“Fezes are cool.”) Is a quick folded-foil hat sufficient in emergency situations?
In this talk, we’ll demo the construction of some popular styles, paired with highly scientific testing of the resulting protection. (“You could use an Arduino for that.”) You’ll learn not just how to make an appropriate tinfoil hat, but how good they are at blocking 5G, telepaths, and space lasers.

 

 

pic

Empowering Analysts: Leveraging AI for IoT, Ransomware, and Your Data

Jason Bevis

This presentation will showcase real-world attack examples involving IoT and ransomware. We will demystify some AI concepts that can be utilized by both malicious actors and cybersecurity experts. By exploring the dual role of AI in this domain, attendees will gain the knowledge and insights necessary to bolster their defenses and safeguard valuable data in the face of evolving threats.

 

 

pic

Break it to make it: Uplift developer security maturity and smash the cycle of recurrent vulnerabilities

Steve Allor

Imagine pouring your heart and soul into a software build, crafting a new piece of our digital world with all the features, functionality, and user experience that has made modern life so darn convenient. Your work is the envy of your peers, and the code shipped without a hitch. Excellent.

… and then, the gloomy presence of a security specialist tears it all down. They’ve found an exploitable security bug, you won’t be shipping your code, and their suggestions on remediation are at odds with everything in your tech stack.

For many developers, this is the harsh reality of their experience not just with the AppSec team, but with cybersecurity in general. “Security” has negative connotations for them, and it really isn’t a priority when feature-building at speed must take center stage. Developers are key to stemming the flow of common vulnerabilities, and this tension must dissipate if a true DevSecOps environment is to flourish. This session will detail data collected from the results of 100,000 developers playing code-based security challenges, showcasing the current landscape of developers and their security skills, as well as where there is room for significant improvement.

Elevating developers to become not just security-aware, but security-skilled, has been a hot topic for many years, but if the amount of breaches is any indication, the current approach is failing. To understand the right approach to ignite their security fire is to understand the developer, and bring the knowledge to their playground, not the other way around. Pieter Danhieux will leave attendees with a viable direction on where their security program can make

 

 

pic

Unmasking AWS Deceptions: Unraveling Cloud Security’s Sneaky Side

Yossi Tamarov

Explore, and prepare for, real-world scenarios that enable attackers to exploit common cloud security mistakes. From insecure S3 buckets to weak IAM permissions, you’ll discover how missteps in network configurations can create a complex cloud environment and hinder your ability to protect against attackers.

In this session we suggest ways to turn your AWS infrastructure into a more secure environment that frustrates adversaries and, ultimately, guards against access to your sensitive data. You’ll learn actionable ways to deploy deceptive resources, such as honey tokens strategically placed within your AWS environment to bait potential attackers. With these seemingly legitimate credentials, tokens, or files intentionally scattered throughout your infrastructure, honey tokens lure unauthorized access attempts and trigger alerts – raising red flags the moment they are accessed or abused. By leveraging honey tokens, you create a virtual minefield for intruders, drastically increasing the likelihood of early detection and enabling a swift response to unauthorized access attempts.

 

 

Nadav Noy

Don’t let GitHub be your weakest security link

Nadav Noy

Cybercriminals are highly motivated to attack software supply chains due to the valuable targets they contain and the damaging multiplier effect they can inflict downstream. Unfortunately, these exploits are relatively easy earlier in the chain at the source code management (SCM) level, providing attackers with the low hanging fruit they’ve been looking for. Not good.
We’ve seen too many companies fail to secure their GitHub environments, often without even knowing the kind of vulnerabilities attackers may be able to exploit. Without awareness, how can we expect companies to properly detect them? We aim to fix this.
In our presentation, our speakers will tell the untold story the Artifact Poisoning vulnerability we found on Github Actions: (details available below)
https://www.legitsecurity.com/blog/artifact-poisoning-vulnerability-discovered-in-rust
These kinds of vulnerabilities allow attackers to execute malicious code in a privileged pipeline which can let an attacker access sensitive secrets, move laterally in the organization, and implement a backdoor. We don’t have to tell you why that’s a bad thing.
By giving attendees the secret sauce of how we discovered these vulnerabilities, they’ll gain valuable insights into the common pitfalls and best practices for maintaining a secure posture in their organization.

 

 

Shahmeer Amir

Breaking Barriers: A Deep Dive into Bypassing Next-Gen 2FA and MFA Security Measures

Shahmeer Amir

As businesses and organizations continue to adopt more advanced security measures to protect against cyber attacks, attackers are constantly evolving their techniques to bypass these measures. In this presentation, we will explore the latest techniques for bypassing next-generation 2FA and MFA security measures, allowing attackers to gain access to sensitive information and systems.
We will start by discussing the basics of 2FA and MFA security measures and their weaknesses. We will then dive into advanced techniques that attackers use to bypass these measures, including phishing attacks, social engineering, and Man-in-the-Middle (MitM) attacks. We will demonstrate real-life scenarios where these techniques have been used to bypass 2FA and MFA measures, highlighting the importance of remaining vigilant and implementing additional security measures.
Furthermore, we will explore the role of emerging technologies, such as artificial intelligence and machine learning, in bypassing 2FA and MFA security measures. We will showcase the latest research in this area and discuss the implications for future security measures.
In addition, we will cover some of the countermeasures that organizations can implement to better protect themselves against these advanced attacks. This will include best practices for implementing 2FA and MFA measures, as well as additional layers of security that can be implemented to provide greater protection against these attacks.
We will also provide recommendations for how organizations can improve their overall security posture to better defend against these types of attacks. This will include guidance on implementing stronger passwords, regularly updating security protocols, and providing employee education and training on how to identify and avoid phishing attacks.
Finally, we will discuss the future of 2FA and MFA security measures and the steps that organizations can take to stay ahead of the curve. This will include exploring emerging technologies that may help to improve the efficacy of these security measures, as well as the importance of remaining vigilant and proactive in the face of evolving threats.

 

 

pic

Seeing is Believing Knowing: Anatomy of APT Exploit and Why Visibility must Evolve to Awareness

Chris Pittman

Visibility is about enumeration and correlation. Awareness is about context and responsiveness. In this examination of APT activity involving Truebot Malware by Nation-State Actors, Chris will reveal network attack footprints that elude many traditional monitoring tools. This discussion matches the technical analysis of exploit activity with mindset management of incident responders to incorporate more action-oriented sec-ops. Sharing some industry attack trend analysis, this talk also aims to incorporate understanding of motivations and behaviors of current attacks to build Cyber Situational Awareness and best position defensive resources.

 

 

pic

All Aboard! Application Security Posture Management is Taking Off!

John “JT” Tierney

Gartner predicts that over 40% of organizations will adopt Application Security Posture Management (ASPM) by 2026. It’s taking off with the tires smoking, but what’s the excitement about?
ASPM solves big issues that have been vexing enterprises for years – poor security visibility into complex developer environments, lack of context to quickly address security issues, and siloed security responsibilities that stifle productivity and speed. All of this results in a strain on developers, AppSec teams, and traditional security tools that’s reached their limit, and ASPM is finally here to help. Join me as I define ASPM, share details on how it helps, and explore the key benefits to get you on board:

Automate security controls from code to cloud so you can do more with less
Improve prioritization on most critical business risks to improve efficiency and effectiveness
Break down inefficient security silos and boost team productivity

 

 

pic

Backup Red Team Exercises – Removing your ability to recover from the last line of defense of your business

Joshua Stenhouse

Joshua Stenhouse is the Field CTO for Cyber Resilience at Rubrik Inc, helping Fortune 500 customers strengthen the security posture of their business with a zero trust approach to data security via backup modernization, immutability and isolation. Joshua helps you build systems and processes for ransomware encryption detection, threat hunting, automated recovery and managing data exfiltration risk, enabling businesses to be ready and resilient to cyber attacks.

 

 

pic

Cloud Native is causing a Culture Shift within Organizations

Tim Connolly

Digital Transformation and the migration to Cloud Native are causing a Culture Shift in the Enterprise. See how now more than ever, the need for Machine Identity Management is critical

 

 

pic

Advanced Persistent Teenagers: Learning from LAPSUS$, 0ktapus, and other groups

Matt Muller

Some of the most creative and high-profile intrusions in recent years have come not from APTs weaponizing 0-days, but from teenagers weaponizing human psychology. This talk explores the evolution of threat actors targeting modern cloud-based organizations, through the lens of real-world experience in detecting and thwarting attacks by LAPSUS$, 0ktapus, and other groups.

 

 

Dwayne Natwick

Architecting a Zero Trust Framework for the Cloud

Dwayne Natwick

In this session, Dwayne will provide guidance toward architecting a Zero Trust Framework within your Cloud infrastructure. He will provide areas of focus for identity, networking, devices, applications, and data for a defense in depth security design. This article will close with a case study example of how to evaluate and consult for a Zero Trust Framework within your company or customer.

 

 

Ryan Thompson

Clearing the Fog: Detection and Defense against Cloud Persistence Techniques

Ryan Thompson

Cloud breaches are typically associated with smash and grab jobs such as cryptojacking or dumping S3 buckets. However, there is a shift in threat landscape in how adversaries are leveraging cloud platforms to achieve more targeted goals. As these techniques become more sophisticated, there becomes a need for adversaries to slow down and establish persistence in these environments.
Traditionally persistence mechanisms have been focused on the host perspective of SSH key creations, reverse shells executed from scheduled tasks or service installations. Complex IAM permissions and cloud services open the door for a variety of unique persistence mechanisms that we need to be on the lookout for.
This talk will cover persistence mechanisms across the three major cloud providers (AWS, GCP, and Azure). The audience will learn about well established persistence techniques but also about creative new mechanisms that rely on newer cloud services. Most importantly it will cover defensive techniques and focus on the bottlenecks defenders can monitor to detect this activity.

 

 

Huxley Barbee

Shining a light into the security blackhole of IoT and OT

Huxley Barbee

The Internet of Things (IoT) and the rise of Operational Technology (OT) networks have significantly increased the number of connected devices in modern networks, creating new challenges in inventorying assets, identifying and mitigating vulnerabilities, and verifying security controls coverage. This presentation will explore the unique challenges that IoT and OT pose for network scanning and provide solutions for effectively addressing these challenges while ensuring the safety and availability of these systems. The presentation will cover topics such as identifying IoT and OT devices on a network, understanding the context of vulnerabilities associated with these devices, and implementing appropriate security controls to mitigate these risks while ensuring the safety and availability of these systems. Attendees will also learn about best practices and tools for IoT and OT network scanning, such as using automated asset inventory, performing regular vulnerability assessments, and testing the changes in a controlled environment before implementing them. This presentation aims to equip the audience with the knowledge and skills to protect their organizations’ networks in the IoT and OT era while ensuring these systems’ safety and availability.

 

 

Nicholas Spagnola

Fun Ways to Run Code in .NET

Nicholas Spagnola

The .NET framework provides offensive security experts with a plethora of ways to execute code. Some of these methods range from the .NET reflection library, DLL injection, and taking advantage of the .NET Just-In-Time Compiler. Offensive security practitioners can leverage these techniques to bypass security controls such as AppLocker or to find ways to load their malicious code in a different process, without being stopped by EDRs. This presentation will demonstrate multiple ways to run code with the .NET framework. Attendees will learn how to leverage the reflection library to load and execute code completely in memory. Attendees will also see how to leverage Microsoft signed programs (lolbins) to execute .NET code within the memory of those processes. Additionally, attendees will see how to abuse functionality of the .NET framework to execute code by performing actions such as leveraging .NET profiling and custom garbage collectors to load a DLL into .NET processes as well as abusing the way .NET code is compiled to hijack .NET methods.

 

 

Tom Howard

Social Engineering from the Detective Perspective

Tom Howard

Some of the best social engineers are Police Detectives and Hostage Negotiators. In this talk, I explain some of the intentional tactics and techniques that I learned through years of training and real world situations. When the stakes are high, these tools work. In this talk I also explain how you can identify when you are the target of these techniques, and how to respond.

 

 

Matt Mahoney

The Dungeon Master’s Guide to Deception in Depth

Matt Mahoney

“Deception technology is a proven, accurate control for detecting and deterring sophisticated attackers that other controls miss, but adoption has lagged for decades. Deception is more than just honeypots. It includes deception at the software, system, application, and data layers. Because it is so rarely deployed, any organization that does has a strategic advantage relative to other organizations.
Utilizing published research findings as background, a strategic framework for deception in depth will be presented. The legendary “Tomb of Horrorsâ€? from Dungeons and Dragons will be used as a fun analogy to illustrate the many ways cyber defenders can regain the initiative from attackers. You will come away with a fresh perspective on deception architecture, an understanding of how the market is changing, and open-source deception platforms you can start using right away to disrupt the cyber kill chain. “

 

 

Brandon DeVault

The Great Task Heist: Stealing the Spotlight on Scheduled Tasks

Brandon DeVault

Unleash the power of scheduled tasks and uncover hidden secrets in Windows! Did you know that lurking beneath the surface are approximately 150 scheduled tasks by default, with over 40 set to hidden by default? Prepare to dive deep into the fascinating (aka, frustrating) world of these elusive artifacts!
Join me as we embark on an enthralling journey, delving into the intricate details and challenges surrounding scheduled tasks. Discover how Microsoft typos, baffling naming schemes, and cryptic execution details make detecting anomalies a thrilling pursuit.
But fear not, for there is hope! This captivating presentation will arm you with potent PowerShell scripts, powerful Elasticsearch dashboards, and an enhanced understanding of hunting down malicious persistence. Get ready to transform your perspective on scheduled tasks and become a hero in shining a spotlight on their hidden mysteries!

 

 

Shane Harsch

AI and Cyber Ops: Optimization, Augmentation, and Assimilation

Shane Harsch

AI promises a lot of things, but what can we expect in the coming months? What practical results are we already seeing? What will be experienced by operations and what operational changes will we need to plan and staff for? Is there a timeline for optimum automation vs assimilation? More importantly, should you pack a toothbrush, a torx driver, or both? Talk will be liberally sprinkled with demos and speculations aplenty.

 

 

Vincent Matteo

I Came in Like a Wrecking Ball

Vincent Matteo

In 2022, businesses with fewer than 1,000 employees were the primary target of about half of all cyberattacks. Why do criminals prey on small businesses? These organizations are the proverbial low-hanging fruit since they lack the resources and security competence.
In this presentation, we will cover the methods an attacker can take to conceal their identity and disguise their digital footprints, as well as real-world examples from the previous year in which full compromise was achieved through human error, seemingly harmless configurations, and insecure products. Then, we’ll examine opportunities for engaging employees and management through gamification and highlight cost-effective strategies for creating a more secure environment.

 

 

Kyle Eaton

How I learned to Stop Worrying & Love Structured File Formats

Kyle Eaton

Zip files are still an incredibly common delivery method for adversaries to use, and the characteristics of zip files can make them very tricky to detect, process and block. This presentation will demonstrate ways you can take advantage of the nature of zip files to write custom detection and show some real-world threats that these rules can work against.

 

 

Aaron Tekippe / Nick Weber

Utilizing Zero Trust to enhance your detective capabilities

Aaron Tekippe / Nick Weber

Telemetry data generated from a Zero Trust deployment is a valuable resource in today’s cybersecurity landscape, providing detailed insights into user behavior and network activity. By analyzing this data, security professionals can identify potential threats and take proactive measures to protect their organization’s assets. One of the key benefits of zero trust telemetry data is the ability to enhance detective use cases. This information can be used to build a more comprehensive understanding of the security landscape, enabling security teams to respond quickly and effectively to emerging threats. With zero trust telemetry data, organizations can take a more proactive approach to cybersecurity, minimizing risk and ensuring the safety of their digital assets.
In this talk we will cover:
An overview of Zero Trust
What Zero Trust telemetry data is and where to get it (Hint you may already have it in your environment for consumption)
The hidden value of Zero Trust telemetry data
Several real world detection use cases

 

 

pic

How to Start a Riot: Transform your security and observability program to meet today’s challenges

Kam Amir

For today’s cybersecurity organizations, escalating security threats and out-of-control compliance costs are driving the need for major change. Engineers and architects know what they need to do, but don’t know how to convince management to support change.
In this talk, Chirag Desai discusses how to turn technical requirements into business objectives, how to talk to executives about transformation, and how to build a roadmap for change. In short, how to make your ideas real and start a riot.

 

 

pic
pic

Latest Developments in the Ransomware Threat Landscape

Jithin Nair & Danny Connelly

Ransomware attacks are becoming increasingly sophisticated, with attackers using various techniques to exploit vulnerabilities in organizations’ systems and networks. This presentation will provide some critical insights into the latest trends, attack sequences and techniques associated with ransomware attacks seen in 2023. We’ll then turn our focus to the transformational change needed to prevent risk, reduce reachability, and improve our survivability within the current threat landscape.

 

 

pic

Malicious Code Incoming, Ready Your Shields!

Ankita Lamba

Attackers are going after developers and the development infrastructure. There is a marked rise in intentional malware in open source components. These are not your Heartbleeds or Log4Shells. These components are intentionally designed to cause harm to your organization. In the modern cloud-native, infrastructure as code world, the development infrastructure has a lot of keys to the kingdom: making it a very sweet target.

 

 

pic

Kicking Open Closed Doors: Offensive Java Code Review

Ryan Emmons

Many closed doors can be kicked open by attackers willing to undergo offensive Java code review and crucial initial access can be established by offensive teams willing to go the extra mile. However, going through that research process for the first time can be intimidating. Acquiring the knowledge necessary for Java offensive code review comes through trial and error, which can delay progress by weeks or months.

We’ve recently identified multiple pre-authenticated remote code execution zero days in enterprise Java software. During this presentation, you will learn the effective workflows, strategies, and techniques leveraged for these zero days. You will also hear more about the identified vulnerabilities, the methodology that led to them, and the development process of effective production-ready exploits. We’ll also outline how to avoid common pitfalls when navigating the responsible disclosure process to ensure a successful resolution.

 

 

JD Shotwell

Strengthening Cybersecurity Incident Response: Collaborative Efforts and Customer Impact

JD Shotwell

In our interconnected world, organizations must recognize the importance of collaboration to protect both their own interests and those of their customers. During this presentation, we’ll discuss the vital role of multi-department collaboration in cybersecurity incident response and how it benefits impacted customers

 

 

Jennifer Shannon

Oil, Circuits, and Cheese: An Additive Model of Failure

Jennifer Shannon

The Swiss cheese model, developed in 1990 by James Reason, is based on the idea that errors can never be eliminated entirely due to complex systems but are instead “layered� like slices of swiss cheese. This model has become a well-known concept in the field of risk management that highlights how multiple layers of defense can fail, leading to a catastrophic outcome. This model aims to provide information to decision-makers to help them reduce the chances of incidents occurring.
It is crucial to keep in mind that all safety measures within an organization are linked, and by implementing appropriate policies and standards, risk can be minimized. So how can we apply this model to cybersecurity, where multiple layers of security can be breached during a compromise? This talk will explore how the Swiss cheese model can be used to understand the vulnerabilities and cybersecurity risks posed to organizations. We will also examine how the layers of defense, including people, processes, and technology, can fail and lead to a breach.

 

 

Lauren Proehl

The Anatomy of a Threat Hunting Hypothesis

Lauren Proehl

This presentation is based off a blog post that explains how to create more effective threat hunting hypotheses using sentence diagramming and impact multipliers. A version of this presentation has been given in 20 minute and 45 minute formats.
The first half of the presentation will illustrate a technique called hypothesis diagramming. This process involves defining a technique, target, and action on objective (or payload) for each hunt. This method teaches analysts or threat hunters a repeatable process for creating hypotheses that ensures an adequate scope is always defined. This is almost like Mad Libs for threat hunt hypotheses. In addition, I will include several examples of real hunt hypotheses with the respective elements mapped.
The second half of the presentation will focus on the various impact multipliers that can be applied to a hypothesis to increase relevancy and potential output. This will discuss five common impact multipliers of relevancy: industry, geolocation, technology stack, VIP status, and trends. Each impact multiplier can tweak a hypothesis to take it from generic to organization specific. For example, if you work for university in Kansas that doesn’t operate out of the state, hunting for point of sale malware that impacts North Korean grocery stores may not be the best use of the time.
Wrapping up, this presentation will give examples of hypothesis diagramming + impact multipliers and real hypothesis examples. Several more advanced hunting resources will be provided at the end of the presentation, in addition to ten more hypotheses for people to explore further.

 

 

Erick Boulter

Can you get High on Hacking

Erick Boulter

Dopamine is a chemical release and creates a synthetic high in our bodies. Hackers obtain the high just like drug addicts. What ahould be looked out for and considered while working in the industry.

 

 

Yotam Perkal

Vulnerability Management: What are we doing wrong and how can we get better?

Yotam Perkal

Let’s face it, as an industry, we are not doing a great job with vulnerability management. Despite the growing awareness of its importance, most organizations are still struggling to get a handle on their software attack surface, let alone patch.
Meanwhile, the number of vulnerabilities discovered each year is constantly growing, and we have more and more code running in our production environment that we didn’t write. Events like Log4Shell have led to increased visibility into the software stack and the growing adoption of SBOM. However, this increased visibility comes with more noise, making it challenging to prioritize vulnerabilities effectively. Patching known vulnerabilities known to be exploited in the wild with an existing patch, which should be the easiest task in cybersecurity, seems to be beyond the grasp of many organizations.
While these gaps only widen over time, we seem to be doing the same thing and expecting different results. Something has to change.
In this talk, we will explore the challenges of vulnerability management and highlight potential solutions. We will discuss why a paradigm shift from “patch everything” to “patch what matters” is necessary for us as an industry to keep up with the evolving threat landscape. We will discuss why prioritization and automation are key elements of this paradigm and how frameworks and standards like CSAF and VEX that can help us get there.
Since some building blocks required to allow for this vision are still being built or have not yet gained wide adoption, practitioners need to know them, understand their limitations, and weigh in to drive improvement and adoption.
I hope that by the end of this talk, attendees will gain a deeper understanding of the challenges and opportunities of vulnerability management and leave with practical insights on how to improve their organization’s security posture.

 

 

Jason Slagle and Matt Lee

MSP’s suck, but the world without them is worse

Jason Slagle and Matt Lee

We get it. MSP’s suck. They often aren’t security focused, they let their clients get pwned, and they are generally a nuisance. Their own homes are often not in order before helping their SMB clients implement their own technology.

But let’s consider the world without them – millions of small businesses using the receptionist or office manager to manage IT. What could go wrong?

They are in an unregulated world, a collection of technology enthusiasts and visionaries turned service providers. No standards. No Regulations. Uneducated SMB Consumer. Extreme EBITA Multipliers and consolidation without real re-work of “What risk level is acceptable”, and “Should we follow processes and procedures?”

Matt and Jason discuss some of the struggles MSP’s face, some of the initiatives going on to make them better, and how the security community can help us all be better.

 

 

Tina Zhang-Powell

Managing Coordinated Vulnerability Disclosure: The Art of Wrangling Cats

Tina Zhang-Powell

Security researchers around the world are doing a great job reporting security vulnerabilities to affected vendors and companies to help protecting users world-wide. We all enjoy learning the technical details and stories behind the vulnerabilities. However, the process of Coordinated Vulnerability Disclosure (CVD) is not always straightforward as it seemed. When a coordinated vulnerability disclosure involves multiple vulnerability and/or vendors, there are a lot more goes into the disclosure process. The Microsoft Vulnerability Research (MSVR) program has been a part of many different CVDs and we are the middle-man that ensures the disclosure is done responsibly.

This talk will present you with some insight into the “invisible” but important portion of the CVD process that we don’t often see or hear about that involves the case management team (“the cat wranglers”) that coordinates these disclosures.

 

 

Dr. Jared DeMott & Michael Fowl

Cloudy with a Chance of SSRF: Vulnerability Trends & Techniques

Dr. Jared DeMott & Michael Fowl

As you’d expect, Microsoft invests significant resources on internal security processes like SDL, threat intelligence, red and blue teams, etc to protect products and customers. Another element is the large bug bounty program run by the Microsoft Security Response Center (MSRC). Periodically we in MSRC share with the public common bug patterns and mitigations strategies within Microsoft. In this talk we’d like to illuminate security researchers and customers on the most common web and cloud vulnerabilities fixed by MSRC. We’ll also talk about some of the mitigation strategies we’re using in this space. We’ll dive deep into novel SSRF variants, and show finders how to understand and search for these nasty critters.

 

 

Brian Halbach

Security Flaw Safari: Reading between the lines and hunting security risks

Brian Halbach

This talk covers the methodology used for hunting previously unknown security risks and how to go on an adventure to read between the lines and uncover the juicy secrets the documentation won’t directly tell you. This talk will also help show a way to estimate if a research project will take 50 hours or 50 years as well as strategies on how to effectively learn a new technology and peel back the layers of complexity until you can find out what is really going on under the hood. There will also be examples and discussion from real world case studies. Audience members should be ready to participate and are welcome to share their own stories and thoughts(assuming they are legally allowed).

 

 

Scott Thomas

Working remote overseas and all that goes wrong

Scott Thomas

It sounds like a dream but it’s true! You’ve always wanted to move to that specific country and now is your chance! Security people can work anywhere right?? Your job has agreed to allow you to work from that far-off country, you have nothing holding you back. Except immigration, finding a place to live, getting stable internet, moving your stuff over, coworkers not respecting work hours, making sure you get paid, tax issues, etc. You’ll need a good bit of resolve to move from the USA to Europe solo on a permanent basis. Based on personal experience with a few anecdotes thrown in from others who have done this or are in a similar process.

 

 

Roy Bray

The Canary War Path: Weaponizing your data for SOC maturity

Roy Bray

Ask an organization what its most sensitive asset is, and they will likely say a server that aligns to the CIA triad (Confidentiality, Integrity, and Availability).

Ask a pentester the same question and they will say it is domain administrator.

Why is that?
Malicious actors don’t know how an organization fully operates.

We need to turn our SOC’s biggest weakness into its biggest strength: blindspots.
Attackers don’t know what will happen when they run a command for the first time in an environment.

This presentation will explore creating checkpoints at key environment operations for attackers, weaponizing the ambiguity of how environments operate. Turning their actions against them, instead into high fidelity canary token detections facilitating automatic response.

 

 

Robert Wagner

Overcoming the CyberSecurity Poverty Line

Robert Wagner

This talk will provide insight on why smaller companies struggle with security costs and offer strategies to overcome these challenges. Smaller organizations are struggling when it comes to cyber security. They strive to balance between the need to drive digital innovation with the cost of potential cyber threats and data breaches, while also streamlining costs and processes. This is a difficult feat, especially when there are so many challenges that prevent smaller companies from accessing affordable security software.

 

 

pic

How (and why) to think like a threat actor in the cloud

Jacob Julian

Security leaders have had to choose between endpoint, container, and cloud security solutions for far too long. Your developers are a target, and if you can correlate information between their laptops and their cloud activity you can unlock a new level of security visibility and protection. In this presentation, we explain how to use one tool to secure everything, from laptop to cloud.

 

 

Jonathan Fischer

His palms are sweaty, C2s up, implants ready…

Jonathan Fischer

Have you ever bought a new toy, only to discover once you got it home that it fell short of expectations? Well, we have too. It’s time that our tools, and not just their marketing, evolved with the times. This was the driving force behind the development of our new HID exploitation hardware implant project, Injectyll-HIDe.
Rather than focusing on a single target like the commercial solutions, we opted to think larger. We developed this implant from the ground up to be customizable, covert, and scalable. Along with our custom C2, our implants communicate over a covert RF mesh network capable of having a thousand endpoints, evading detection. That’s a thousand keyboards relaying, storing, and recording keystrokes! But wait, there’s more! We can also pop shells and exfil data over our mesh network, leaving no record of network traffic to monitor on the target infrastructure. Reviews for this implant range from “oh no, please, this is bad” to “yeah we’ll never detect that” and even sometimes “just yikes” or “#!&%”.
Attendees will learn how to create and customize their own implant using our open-source plans and how to deploy our implant anywhere a keyboard can go.

 

 

Cortez Frazier Jr.

Context Matters: Why Vetted Component Lists Are Mostly Security Theater

Cortez Frazier Jr.

Securing the software supply chain across a large enterprise is a gargantuan task. To solve this problem, enterprise security teams often create established lists of “allowed” components that their developers can choose to use as direct dependencies. These lists are created by analyzing both the components themselves and their transitive dependencies. The general consensus is that this practice keeps vulnerable components out of developer ecosystems and reduces downstream risk.

But contrary to popular belief, these vetted component lists don’t improve the security of the software supply chain in actual practice.

In this talk, we’ll explain:

-The common mistakes process implementers make that introduce vulnerabilities
-How application build tool behavior and dependency install plans are the catalyst for insecure applications
-What teams can do to understand build context, harden their process, and avoid introducing new vulnerabilities

 

 

pic

Breaking into Cybersecurity the Easy Way

Brian Dudek

Cybersecurity has a great deal of job openings, but not enough skilled people to do the job. This presentation will look at all the methods that new IT people can utilize that will help them get into cybersecurity. Plus, some methods that are outside the box.

 

 

pic

Deterring Cybercrime Via A Global Cybergrid

Charles Herring

Detecting, catching and successfully prosecuting cybercrime requires collaboration across private sector, law enforcement, insurance companies and national security agencies. In this session, approaches to collect, analyze, store and share digital evidence will be examined. Methods of safely transmitting data between private sector and law enforcement will be discussed. Demonstration of workflows between investigators, law enforcement, prosecutors and insurance adjusters will be covered.