Presentations 2023
Thursday Morning Keynote
Kevin Johnson
Guardians of Reality: Countering Hype in InfoSec
In an era where attention-grabbing headlines and flashy marketing campaigns dominate the landscape, InfoSec finds itself at a crossroads. Kevin Johnson of Secure Ideas will dive deep into the prevailing trend that is steering the industry away from its core mission – to ensure cybersecurity and protect sensitive data.
In an age where clicks and views reign supreme, the industry has been seduced by the allure of quick attention, leaving genuine security concerns languishing in the shadows. This keynote will shine a spotlight on the pressing issue of marketing-driven sensationalism that overshadows the pressing need for substantive solutions.
From the smoke and mirrors surrounding “automated penetration testing” to the proliferation of AI-powered miracle solutions, we will dissect the myths and unveil the truths. Our journey will underscore the fact that genuine penetration testing requires the human touch, the artistry of experts who understand the intricacies of security challenges and the dynamic nature of cyber threats.
As Guardians of Reality, we’ll explore strategies to realign the industry’s focus with its fundamental mission. We’ll navigate through the storm of misinformation, tackling head-on the dangers of sacrificing genuine security solutions for mere attention. It’s time to strip away the veneer of hype and rediscover the essence of InfoSec – protecting our digital world from real-world threats.
Thursday Afternoon Keynote
Zach Hanley and James Horseman
New Isn’t Always Novel: Grep’ing Your Way to $20K at Pwn2Own, and How You Can Too
Join Chief Attack Engineer Zach Hanley and Exploit Developer James Horseman for an eye-opening keynote session where they’ll discuss in detail how the hacker mindset can be applied to seemingly daunting tasks in order to make them more approachable.
Zach and James will show how they approached their first Pwn2Own contest and how they discovered a command injection RCE vulnerability affecting nearly every Lexmark printer. They’ll also share why they think it went unnoticed in previous research and why current open-source static analysis tools can miss this simple bug.
Finally, they’ll release the exploit POC and an additional POC to dump credentials during engagements.
Friday Morning Keynote
Nathan Ruehs
June 12th: My Ransomware Breach Story
Friday Wrap Up Keynote
Chris Roberts
Topic to be determined by number of Feds in the audience.
Invisible Red Teaming
Patrick Matthews
Boats are scary
Arron Finnon
Yeah, it‘s the usual Finux talk. I‘m going to talk about something bizarre and unrelated to security and then find similarities and walks away from said bizarre and unrelated thing which can be applied. If i manage to pull it off is another question entirely. If you‘ve been to GrrCON anytime over the past decade you‘ll have probably seen me try this before. I‘ve been speaking at GrrCON for years, I‘m the guy with the memes who comes from Scotland, talks a lot about history. So this year, I’m going to try boats.
Boats! Yes, you read right I’m going to be talking about boats. Boats are pretty epic, they‘re also very scary, and crazy dangerous. They have a long history, in fact they‘ve helped shaped a lot of it. From exploration to being used as weapons, their role in trade, to the mass migration of people, they‘ve played a crucial part. What i have learned in a year, is that a sailors idea of safety and security is terminal than a nerd from Scotland knew. This talk is not about hacking a boat, barrel roles in a sailboat is a proper terrible idea!
I will go off topic, i will swear, probably a lot, and you‘ll not learn anything you couldn‘t have googled yourself. I‘ll be honest with you all now it‘s tempting to load this entire talk with jokes about seamen. Don‘t judge me, you‘re at GrrCON too! You’ll not find any real walks aways but you might learn a few interesting things, some of them might even be about security.
You should probably go see the other talks 😉
Finding authentication and authorization security bugs in web application routes
Matt Schwager
– 2021 OWASP Top 10 #1 – Broken Access Control
– 2021 OWASP Top 10 #7 – Identification and Authentication Failures
– 2019 OWASP API Top 10 #2 – Broken User Authentication
– 2019 OWASP API Top 10 #5 – Broken Function Level Authorization
Of course, not all authn or authz bugs occur in web application routes, but route-detect seeks to confront this pervasive class of bugs.
Find route-detect here: https://github.com/mschwager/route-detect
story-time with atlas (with hex)
Atlas of D00m
ch 2: hex toys
ch 3: how to dance with the devil by the pale moonlight
The attackers guide to exploiting secrets in the universe
Mackenzie Jackson
This presentation offers valuable insights and information on how to identify and address exposed secrets, one of the most persistent vulnerabilities in application security.
Being B.A.D. for good reasons! & How we can help others to be better!
Jayson Street
In this talk we cover 3 important topics related to Red Teaming.
We talk about how our approach must change when doing engagements. We need to focus more on how do really help our client. Breaking the client’s network or helping them improve their security which is more imperative really?
We focus on what brings better value for the client. Showing them how leet you can be with your mad Red Teaming skills or by showing them how trivial a breach can be and educating the client’s employees on how to be better secure.
Knowing nice big technical words is great and all. Yet wouldn’t be even better if we talked in ways that everyone can fully understand and therefore create lasting change and improvement to the client’s security posture.
Friction
J Wolfgang Goerlich
Defending Beyond Defense
Catherine Ullman
Tales of AV/EDR Bypass: Ropping the Night Away
Gregory Hatcher & John Stigerwalt
Recalling early Unix System development at AT&T Bell Labs
Richard Haight
Legal in the cyber/medical space and all things (shit that can & do go wrong)
Allie Abdeljabbar
I will also discuss how not performing proper due diligence can be costly with legal ramifications. Trust but verify. So, I was assigned a case that allegedly people worked up. When I was cross referencing facts, they had signed up the brother of the deceased claimant, spoke to the brother, provided case information. The problem with this is the deceased claimant had a wife at death and the brother was not the rightful legal person to talk to. I had to OSINT the surviving spouse, have her provide her marriage license to prove she is who she confirmed she is, provide the Last Will & Testament & her ID, among other docs that had to be signed. I will present the issue that could’ve happened for not proper due diligence.
Hey Ma’ where do pentests come from?
Alissa Gilbert – dnsprincess
Find out what makes a great pentest: a good scope, a solid methodology, and the right skill sets. We’ll explore various pentests and their keys areas of success and failure, using examples to show what makes a great pentest. There are fundamentals to be reviewed, as well as some insight from the pentesting community on mistakes and good practices.
As seen from – Twinkle twinkle little script, you can’t scan this folder zipped. With the data packed so high, it’s an exploit in the sky. Twinkle twinkle little port, what rootkit can we import?
PCI DSS v4.0 Is Here – Now What?
Kyle Hinterberg
Many organizations need to comply with the PCI DSS and a major version change can be daunting. To make things worse, most of the information provided by the PCI SSC and other organizations can be vague and/or marketing focused. This leaves individuals confused as to what they really need to be doing to prepare themselves and their organizations. My goal is to break it down Barney-style so that no one gets stuck behind the eight ball when they run their first v4.0 assessment.
During this presentation I will:
-Provide brief definitions of the PCI SSC and PCI DSS
-Explain the history of the PCI DSS (how we got to where we are)
-Provide an overview of the changes in v4.0, specifically avoiding any vague marketing talk and focusing on actionable items to help prepare organizations for v4.0
-Provide a summary of the big-ticket items that organizations should be working on to ease into v4.0
Story Time with Matt and John
Matt Hoy (mattrix) – John Stauffacher
How to choose a tinfoil hat (with science!)
Gabe Schuyler
In this talk, we’ll demo the construction of some popular styles, paired with highly scientific testing of the resulting protection. (“You could use an Arduino for that.”) You’ll learn not just how to make an appropriate tinfoil hat, but how good they are at blocking 5G, telepaths, and space lasers.
Empowering Analysts: Leveraging AI for IoT, Ransomware, and Your Data
Jason Bevis
Break it to make it: Uplift developer security maturity and smash the cycle of recurrent vulnerabilities
Steve Allor
Imagine pouring your heart and soul into a software build, crafting a new piece of our digital world with all the features, functionality, and user experience that has made modern life so darn convenient. Your work is the envy of your peers, and the code shipped without a hitch. Excellent.
… and then, the gloomy presence of a security specialist tears it all down. They’ve found an exploitable security bug, you won’t be shipping your code, and their suggestions on remediation are at odds with everything in your tech stack.
For many developers, this is the harsh reality of their experience not just with the AppSec team, but with cybersecurity in general. “Security” has negative connotations for them, and it really isn’t a priority when feature-building at speed must take center stage. Developers are key to stemming the flow of common vulnerabilities, and this tension must dissipate if a true DevSecOps environment is to flourish. This session will detail data collected from the results of 100,000 developers playing code-based security challenges, showcasing the current landscape of developers and their security skills, as well as where there is room for significant improvement.
Elevating developers to become not just security-aware, but security-skilled, has been a hot topic for many years, but if the amount of breaches is any indication, the current approach is failing. To understand the right approach to ignite their security fire is to understand the developer, and bring the knowledge to their playground, not the other way around. Pieter Danhieux will leave attendees with a viable direction on where their security program can make
Unmasking AWS Deceptions: Unraveling Cloud Security’s Sneaky Side
Yossi Tamarov
Explore, and prepare for, real-world scenarios that enable attackers to exploit common cloud security mistakes. From insecure S3 buckets to weak IAM permissions, you’ll discover how missteps in network configurations can create a complex cloud environment and hinder your ability to protect against attackers.
In this session we suggest ways to turn your AWS infrastructure into a more secure environment that frustrates adversaries and, ultimately, guards against access to your sensitive data. You’ll learn actionable ways to deploy deceptive resources, such as honey tokens strategically placed within your AWS environment to bait potential attackers. With these seemingly legitimate credentials, tokens, or files intentionally scattered throughout your infrastructure, honey tokens lure unauthorized access attempts and trigger alerts – raising red flags the moment they are accessed or abused. By leveraging honey tokens, you create a virtual minefield for intruders, drastically increasing the likelihood of early detection and enabling a swift response to unauthorized access attempts.
Don’t let GitHub be your weakest security link
Nadav Noy
We’ve seen too many companies fail to secure their GitHub environments, often without even knowing the kind of vulnerabilities attackers may be able to exploit. Without awareness, how can we expect companies to properly detect them? We aim to fix this.
In our presentation, our speakers will tell the untold story the Artifact Poisoning vulnerability we found on Github Actions: (details available below)
https://www.legitsecurity.com/blog/artifact-poisoning-vulnerability-discovered-in-rust
These kinds of vulnerabilities allow attackers to execute malicious code in a privileged pipeline which can let an attacker access sensitive secrets, move laterally in the organization, and implement a backdoor. We don’t have to tell you why that’s a bad thing.
By giving attendees the secret sauce of how we discovered these vulnerabilities, they’ll gain valuable insights into the common pitfalls and best practices for maintaining a secure posture in their organization.
Breaking Barriers: A Deep Dive into Bypassing Next-Gen 2FA and MFA Security Measures
Shahmeer Amir
We will start by discussing the basics of 2FA and MFA security measures and their weaknesses. We will then dive into advanced techniques that attackers use to bypass these measures, including phishing attacks, social engineering, and Man-in-the-Middle (MitM) attacks. We will demonstrate real-life scenarios where these techniques have been used to bypass 2FA and MFA measures, highlighting the importance of remaining vigilant and implementing additional security measures.
Furthermore, we will explore the role of emerging technologies, such as artificial intelligence and machine learning, in bypassing 2FA and MFA security measures. We will showcase the latest research in this area and discuss the implications for future security measures.
In addition, we will cover some of the countermeasures that organizations can implement to better protect themselves against these advanced attacks. This will include best practices for implementing 2FA and MFA measures, as well as additional layers of security that can be implemented to provide greater protection against these attacks.
We will also provide recommendations for how organizations can improve their overall security posture to better defend against these types of attacks. This will include guidance on implementing stronger passwords, regularly updating security protocols, and providing employee education and training on how to identify and avoid phishing attacks.
Finally, we will discuss the future of 2FA and MFA security measures and the steps that organizations can take to stay ahead of the curve. This will include exploring emerging technologies that may help to improve the efficacy of these security measures, as well as the importance of remaining vigilant and proactive in the face of evolving threats.
Seeing is Believing Knowing: Anatomy of APT Exploit and Why Visibility must Evolve to Awareness
Chris Pittman
All Aboard! Application Security Posture Management is Taking Off!
John “JT” Tierney
Gartner predicts that over 40% of organizations will adopt Application Security Posture Management (ASPM) by 2026. It’s taking off with the tires smoking, but what’s the excitement about?
ASPM solves big issues that have been vexing enterprises for years – poor security visibility into complex developer environments, lack of context to quickly address security issues, and siloed security responsibilities that stifle productivity and speed. All of this results in a strain on developers, AppSec teams, and traditional security tools that’s reached their limit, and ASPM is finally here to help. Join me as I define ASPM, share details on how it helps, and explore the key benefits to get you on board:
Automate security controls from code to cloud so you can do more with less
Improve prioritization on most critical business risks to improve efficiency and effectiveness
Break down inefficient security silos and boost team productivity
Backup Red Team Exercises – Removing your ability to recover from the last line of defense of your business
Joshua Stenhouse
Cloud Native is causing a Culture Shift within Organizations
Tim Connolly
Advanced Persistent Teenagers: Learning from LAPSUS$, 0ktapus, and other groups
Matt Muller
Architecting a Zero Trust Framework for the Cloud
Dwayne Natwick
Clearing the Fog: Detection and Defense against Cloud Persistence Techniques
Ryan Thompson
Traditionally persistence mechanisms have been focused on the host perspective of SSH key creations, reverse shells executed from scheduled tasks or service installations. Complex IAM permissions and cloud services open the door for a variety of unique persistence mechanisms that we need to be on the lookout for.
This talk will cover persistence mechanisms across the three major cloud providers (AWS, GCP, and Azure). The audience will learn about well established persistence techniques but also about creative new mechanisms that rely on newer cloud services. Most importantly it will cover defensive techniques and focus on the bottlenecks defenders can monitor to detect this activity.
Shining a light into the security blackhole of IoT and OT
Huxley Barbee
Fun Ways to Run Code in .NET
Nicholas Spagnola
Social Engineering from the Detective Perspective
Tom Howard
The Dungeon Master’s Guide to Deception in Depth
Matt Mahoney
Utilizing published research findings as background, a strategic framework for deception in depth will be presented. The legendary “Tomb of Horrorsâ€? from Dungeons and Dragons will be used as a fun analogy to illustrate the many ways cyber defenders can regain the initiative from attackers. You will come away with a fresh perspective on deception architecture, an understanding of how the market is changing, and open-source deception platforms you can start using right away to disrupt the cyber kill chain. “
The Great Task Heist: Stealing the Spotlight on Scheduled Tasks
Brandon DeVault
Join me as we embark on an enthralling journey, delving into the intricate details and challenges surrounding scheduled tasks. Discover how Microsoft typos, baffling naming schemes, and cryptic execution details make detecting anomalies a thrilling pursuit.
But fear not, for there is hope! This captivating presentation will arm you with potent PowerShell scripts, powerful Elasticsearch dashboards, and an enhanced understanding of hunting down malicious persistence. Get ready to transform your perspective on scheduled tasks and become a hero in shining a spotlight on their hidden mysteries!
AI and Cyber Ops: Optimization, Augmentation, and Assimilation
Shane Harsch
I Came in Like a Wrecking Ball
Vincent Matteo
In this presentation, we will cover the methods an attacker can take to conceal their identity and disguise their digital footprints, as well as real-world examples from the previous year in which full compromise was achieved through human error, seemingly harmless configurations, and insecure products. Then, we’ll examine opportunities for engaging employees and management through gamification and highlight cost-effective strategies for creating a more secure environment.
How I learned to Stop Worrying & Love Structured File Formats
Kyle Eaton
Utilizing Zero Trust to enhance your detective capabilities
Aaron Tekippe / Nick Weber
In this talk we will cover:
An overview of Zero Trust
What Zero Trust telemetry data is and where to get it (Hint you may already have it in your environment for consumption)
The hidden value of Zero Trust telemetry data
Several real world detection use cases
How to Start a Riot: Transform your security and observability program to meet today’s challenges
Kam Amir
In this talk, Chirag Desai discusses how to turn technical requirements into business objectives, how to talk to executives about transformation, and how to build a roadmap for change. In short, how to make your ideas real and start a riot.
Latest Developments in the Ransomware Threat Landscape
Jithin Nair & Danny Connelly
Malicious Code Incoming, Ready Your Shields!
Ankita Lamba
Kicking Open Closed Doors: Offensive Java Code Review
Ryan Emmons
Many closed doors can be kicked open by attackers willing to undergo offensive Java code review and crucial initial access can be established by offensive teams willing to go the extra mile. However, going through that research process for the first time can be intimidating. Acquiring the knowledge necessary for Java offensive code review comes through trial and error, which can delay progress by weeks or months.
We’ve recently identified multiple pre-authenticated remote code execution zero days in enterprise Java software. During this presentation, you will learn the effective workflows, strategies, and techniques leveraged for these zero days. You will also hear more about the identified vulnerabilities, the methodology that led to them, and the development process of effective production-ready exploits. We’ll also outline how to avoid common pitfalls when navigating the responsible disclosure process to ensure a successful resolution.
Strengthening Cybersecurity Incident Response: Collaborative Efforts and Customer Impact
JD Shotwell
Oil, Circuits, and Cheese: An Additive Model of Failure
Jennifer Shannon
It is crucial to keep in mind that all safety measures within an organization are linked, and by implementing appropriate policies and standards, risk can be minimized. So how can we apply this model to cybersecurity, where multiple layers of security can be breached during a compromise? This talk will explore how the Swiss cheese model can be used to understand the vulnerabilities and cybersecurity risks posed to organizations. We will also examine how the layers of defense, including people, processes, and technology, can fail and lead to a breach.
The Anatomy of a Threat Hunting Hypothesis
Lauren Proehl
The first half of the presentation will illustrate a technique called hypothesis diagramming. This process involves defining a technique, target, and action on objective (or payload) for each hunt. This method teaches analysts or threat hunters a repeatable process for creating hypotheses that ensures an adequate scope is always defined. This is almost like Mad Libs for threat hunt hypotheses. In addition, I will include several examples of real hunt hypotheses with the respective elements mapped.
The second half of the presentation will focus on the various impact multipliers that can be applied to a hypothesis to increase relevancy and potential output. This will discuss five common impact multipliers of relevancy: industry, geolocation, technology stack, VIP status, and trends. Each impact multiplier can tweak a hypothesis to take it from generic to organization specific. For example, if you work for university in Kansas that doesn’t operate out of the state, hunting for point of sale malware that impacts North Korean grocery stores may not be the best use of the time.
Wrapping up, this presentation will give examples of hypothesis diagramming + impact multipliers and real hypothesis examples. Several more advanced hunting resources will be provided at the end of the presentation, in addition to ten more hypotheses for people to explore further.
Can you get High on Hacking
Erick Boulter
Vulnerability Management: What are we doing wrong and how can we get better?
Yotam Perkal
Let’s face it, as an industry, we are not doing a great job with vulnerability management. Despite the growing awareness of its importance, most organizations are still struggling to get a handle on their software attack surface, let alone patch.
Meanwhile, the number of vulnerabilities discovered each year is constantly growing, and we have more and more code running in our production environment that we didn’t write. Events like Log4Shell have led to increased visibility into the software stack and the growing adoption of SBOM. However, this increased visibility comes with more noise, making it challenging to prioritize vulnerabilities effectively. Patching known vulnerabilities known to be exploited in the wild with an existing patch, which should be the easiest task in cybersecurity, seems to be beyond the grasp of many organizations.
While these gaps only widen over time, we seem to be doing the same thing and expecting different results. Something has to change.
In this talk, we will explore the challenges of vulnerability management and highlight potential solutions. We will discuss why a paradigm shift from “patch everything” to “patch what matters” is necessary for us as an industry to keep up with the evolving threat landscape. We will discuss why prioritization and automation are key elements of this paradigm and how frameworks and standards like CSAF and VEX that can help us get there.
Since some building blocks required to allow for this vision are still being built or have not yet gained wide adoption, practitioners need to know them, understand their limitations, and weigh in to drive improvement and adoption.
I hope that by the end of this talk, attendees will gain a deeper understanding of the challenges and opportunities of vulnerability management and leave with practical insights on how to improve their organization’s security posture.
MSP’s suck, but the world without them is worse
Jason Slagle and Matt Lee
We get it. MSP’s suck. They often aren’t security focused, they let their clients get pwned, and they are generally a nuisance. Their own homes are often not in order before helping their SMB clients implement their own technology.
But let’s consider the world without them – millions of small businesses using the receptionist or office manager to manage IT. What could go wrong?
They are in an unregulated world, a collection of technology enthusiasts and visionaries turned service providers. No standards. No Regulations. Uneducated SMB Consumer. Extreme EBITA Multipliers and consolidation without real re-work of “What risk level is acceptable”, and “Should we follow processes and procedures?”
Matt and Jason discuss some of the struggles MSP’s face, some of the initiatives going on to make them better, and how the security community can help us all be better.
Managing Coordinated Vulnerability Disclosure: The Art of Wrangling Cats
Tina Zhang-Powell
Security researchers around the world are doing a great job reporting security vulnerabilities to affected vendors and companies to help protecting users world-wide. We all enjoy learning the technical details and stories behind the vulnerabilities. However, the process of Coordinated Vulnerability Disclosure (CVD) is not always straightforward as it seemed. When a coordinated vulnerability disclosure involves multiple vulnerability and/or vendors, there are a lot more goes into the disclosure process. The Microsoft Vulnerability Research (MSVR) program has been a part of many different CVDs and we are the middle-man that ensures the disclosure is done responsibly.
This talk will present you with some insight into the “invisible” but important portion of the CVD process that we don’t often see or hear about that involves the case management team (“the cat wranglers”) that coordinates these disclosures.
Cloudy with a Chance of SSRF: Vulnerability Trends & Techniques
Dr. Jared DeMott & Michael Fowl
Security Flaw Safari: Reading between the lines and hunting security risks
Brian Halbach
Working remote overseas and all that goes wrong
Scott Thomas
The Canary War Path: Weaponizing your data for SOC maturity
Roy Bray
Ask an organization what its most sensitive asset is, and they will likely say a server that aligns to the CIA triad (Confidentiality, Integrity, and Availability).
Ask a pentester the same question and they will say it is domain administrator.
Why is that?
Malicious actors don’t know how an organization fully operates.
We need to turn our SOC’s biggest weakness into its biggest strength: blindspots.
Attackers don’t know what will happen when they run a command for the first time in an environment.
This presentation will explore creating checkpoints at key environment operations for attackers, weaponizing the ambiguity of how environments operate. Turning their actions against them, instead into high fidelity canary token detections facilitating automatic response.
Overcoming the CyberSecurity Poverty Line
Robert Wagner
How (and why) to think like a threat actor in the cloud
Jacob Julian
His palms are sweaty, C2s up, implants ready…
Jonathan Fischer
Rather than focusing on a single target like the commercial solutions, we opted to think larger. We developed this implant from the ground up to be customizable, covert, and scalable. Along with our custom C2, our implants communicate over a covert RF mesh network capable of having a thousand endpoints, evading detection. That’s a thousand keyboards relaying, storing, and recording keystrokes! But wait, there’s more! We can also pop shells and exfil data over our mesh network, leaving no record of network traffic to monitor on the target infrastructure. Reviews for this implant range from “oh no, please, this is bad” to “yeah we’ll never detect that” and even sometimes “just yikes” or “#!&%”.
Attendees will learn how to create and customize their own implant using our open-source plans and how to deploy our implant anywhere a keyboard can go.
Context Matters: Why Vetted Component Lists Are Mostly Security Theater
Cortez Frazier Jr.
Securing the software supply chain across a large enterprise is a gargantuan task. To solve this problem, enterprise security teams often create established lists of “allowed” components that their developers can choose to use as direct dependencies. These lists are created by analyzing both the components themselves and their transitive dependencies. The general consensus is that this practice keeps vulnerable components out of developer ecosystems and reduces downstream risk.
But contrary to popular belief, these vetted component lists don’t improve the security of the software supply chain in actual practice.
In this talk, we’ll explain:
-The common mistakes process implementers make that introduce vulnerabilities
-How application build tool behavior and dependency install plans are the catalyst for insecure applications
-What teams can do to understand build context, harden their process, and avoid introducing new vulnerabilities
Breaking into Cybersecurity the Easy Way
Brian Dudek
Deterring Cybercrime Via A Global Cybergrid
Charles Herring