0900
Keynote
Dave Kennedy
1000
Nuclear Meltdown vs Process: Designing Workspaces to Prevent Your Worst Day
Aaron Call
Unless you’re in UI or UX, you may not think about the thousands of interactions you have with your environment every day. From the subconscious cues you get from a doorknob or the instructions you read in an app, how effectively or efficiently you operate in your environment is enormously impacted by design. Now, what if design nearly turned a preventable problem into a nuclear meltdown? (It almost did!) And what if design could make you and your team more effective attackers or defenders? (It can!) In this talk, Aaron will discuss concepts you can apply in your workspaces to prevent your worst day.
Sneaky Tips and Tricks with Alternate Data Streams
Sean Pierce
Alternate Data Streams are little known to most Windows (and Mac) power users and can easily be leveraged as sneaky places to hide executable code and scripts. Most administrators don\’t know about them and most AV\’s can\’t scan them – especially when hidden in strange places like File System reserved directories! Come learn about the wonderfully strange ways we can hide and execute code from this often overlooked oddity with several live demos!
1030
Leveraging IAM to Disrupt Attackers
Tom Sheffield
Historically, robust IAM processes, services, and capabilities focused on creating operational efficiencies, maintaining regulatory compliance, enhancing user experience, and increasing security. All true but not enough anymore.
It’s been said countless times over the last few years that ‘Identity is the new perimeter’ but what does that really mean? Attackers’ patterns are predictable; they compromise a user or a machine, establish a foothold, and move laterally to other machines, repeating the process until they reach their target. We should all have controls and capabilities to protect against the initial account compromise but what next? If we all work under the premise that a user can be compromised, despite our best efforts, what can we do within the Identity realm to disrupt the traditional attack pattern? Reviewing the MITRE ATT&CK Matrix, we see a number of identity-related tactics & techniques. How do we defend against them?
Let’s move beyond buzzwords and catch phrases to offer IAM professionals practical approaches to defend against attackers. Attendees of this session will learn how to leverage traditional IAM principles such as Least Privilege and MFA to disrupt an attacker’s TTPs. Attendees can also learn how new capabilities leveraging Identity Analytics to provide contextual authentication experiences, raising the bar to thwart an attacker. This additional friction can not only help to disrupt lateral traversal, but can also provide your IR team more opportunities to detect & contain the attacker.
1100
Empathy for the (Devel)oper: Lessons Learned Building An Application Security Module
Yolonda Smith
Security teams spend a lot of time focused on the results and impact of what happens when applications FAIL at security. In turn, we have a bad habit of \’Monday-Morning-Quarterback\’ing all the things that should have happened to prevent the security failure in the first place. But have you ever attempted to fully implement ALL of the security advice that\’s out there in conjunction with business priorities? Well, I did. In this presentation, I will share what I learned about what it takes to get application security right from design to delivery, how to communicate about REAL risk (without the FUD) and why we should eliminate the word \’just\’ from our remediation recommendations.
Security Awareness Through The Eyes Of A Great Dane…
Chris Roberts
• Curiosity killed the cat, but in OUR world, that’s the job of an OSINT analyst.
• Speaking of cats, plan ahead, they are faster and more agile… think BEFORE acting
• Puppy eyes, drool AND sideways looks work…social engineering IS a good skill to understand
• Try everything at least once, even if it means sticking your head in the trashcan…
• Always be upfront, that way there’s no miscommunication
• If at first you fail, try again; eventually you will get the chew toy on top of the bookcase.
• Never underestimate the need for a good hug
• Nothing is forever; live every moment as if it were your last.
These lessons and more will be covered, dissected AND related to us as humans and us as tech folks ☺
1200
Advanced Wifiphiser Usage for Red Team Campaigns
George Chatzisofroniou
While many red teamers use Wifiphisher, the Rogue Access Point Framework, few understand its full power. In this presentation, Wifiphisher lead author George Chatzisofroniou will detail advanced Wifiphisher usage – from clever hacks for speeding up Wifiphisher, to new features for de-authenticating wireless clients more efficiently, creating custom Wi-Fi phishing scenarios, executing advanced Wi-Fi association techniques and more. This presentation will also demonstrate how easy it is to write simple or complicated Wifiphisher extensions by writing one from scratch and using it in a real scenario.
The Artist Formerly known as CISO
J Wolfgang Goerlich
This session explores cybersecurity as artistic expression. The CISO has a lot on his plate. There\’s managing risk, getting budget, providing cover for his team. There\’s work configuring existing technology, selecting and purchasing new technology. Basically, this is the science of cybersecurity. Yet so much depends on what the CISO\’s users do, on organizational culture, on outcomes and results. In this presentation, we\’ll explore lessons from industrial design and art that apply to building and running cybersecurity programs. We\’ll identify ways for the CISO to become the artist, conveying secure behaviors in a way that people listen and enjoy.
1300
Hacking the Xbox
Jordan Axtman
There\’s a high probability you have a game console in your home, how you use it is somewhat up to you. Here we\’ll take a look at the most hackable console in gaming history. From the beginnings of the \”scene\” to where it is currently. We\’ll look at the security of the original Xbox as well as other consoles, types of hardware hacking, flashing, and even painting for that complete mod look.
Developing an Internal Training Program
Joe Petroske
Is your IR team skilled in every area of expertise that they are expected to be skilled in? Very few organizations can answer “yes” to this. And many do not even know what those areas of expertise should be! Let’s face it: to combat the ever-growing list of threats to your organization, your response team will need to be continuously upping their capabilities. And this does not need to mean tens or hundreds of thousands spent in big-name classes and conferences! Often, the best training resources available are your own people. You can build a training program from within your team, and start seeing (and communicating) its value right away. Let your experienced people become experts, and turn their less-experienced peers into experienced peers. Here’s some information on how to get this started.
1400
Puppet Master: Pulling the Strings of Deception
Ben Butz
By now we have all heard the adage \”\”The attacker only has to be right once, the Defender needs to be right every time\”\”. What if I were to tell you that this doesn\’t have to be the case. No… I\’m not trying to sell you anything. I want to share some ideas and start a conversation around traditional network defense and how we can tweak it a bit to put the aggressor on the defensive. I\’m not talking about Hacking Back, I\’m talking about changing the network / systems / data you are charged with protecting in subtle ways that can change how the attacker perceives your environment; to change some of the observable stimuli that informs her decisions, with the intent of taking actions that are favorable to you the defender. Force her to avoid being wrong for a change.
Deceit and Deception are commonly viewed as negative concepts for obvious reasons. We\’ve been raised to avoid deceiving one another and in most scenarios this is very good advice. When it comes to protecting our sensitive information however, these notions are not doing us any favors. I want to challenge you to re-think your values as it relates to treating your adversary as you would like to be treated. The Golden Rule is out when it comes to cyber security.
P.S. You\’ve been doing some of this for years and never thought twice about it.
Medical Records and Default Passwords: A Healthcare Hacker\’s Perspective
Qasim \”Q\” Ijaz
As a penetration tester with focus on the healthcare industry, I’ve seen patient data in medical devices that lacked authentication, portrayed a medical doctor to dupe help desk into handing over credentials (and vice versa), and gone as far as gaining domain admin in 10 minutes (thank you defaults). This talk will be full of stories, memes, and screenshots portraying cybersecurity issues affecting healthcare environments. I will discuss what I see as root causes and talk about regulatory & industry frameworks that try to mitigate these issues. The attendees will leave the talk with a better understanding of healthcare security issues and ideas to combat these issues head-on.
1430
One Hundred Red Team Operations a Year
Ryan O\’Horo
Our Red Team executes operations with a very high frequency. We present the logistics of such an endeavor.
Host Hunting on a Budget
Leo Bastidas
\”Arrived at an organization where they had zero visibility and zero dollars on the endpoint. They had antivirus solution, but it was a black box, unable to do any type of forensics or live triage. The AV was strictly signature based with magic A.I. machine learning. What can I do in the first 100 days to make a positive impact on the team and organization?
Background, the environment is a global 500 enterprise and is a leader in the technology space. The majority was 97 percent Windows. I turned to Sysmon by Sysinternals, Microsoft. I thought this should be an easy win right? Not so fast, buddy, I had to get buy-in from management and other teams who administer the enterprise, aka IT Ops. I had to prove myself and the technology that it would be beneficial in order to let me deploy it into the environment.
Firewall alert comes in, something is pinging out a malicious domain. This is my chance “your time to shine!”. I quickly deploy sysmon on a few workstations that have a src_ip making an outbound call. I use PowerShell to deploy Sysmon since of course, WinRM is enabled on the whole freaking enterprise. I’m now able to parse sysmon logs with PowerShell and find the artifacts of interest. This thing is using Mshta.exe, a Microsoft HTML Application, and invoking a PowerShell script. Also, I’m able to confirm the registry key for persistence, all logs were captured by Sysmon immediately. Hashes and TTP match the Kovter “fileless” malware.
I have to buy-in from management and IT Ops, I deploy Sysmon and other host-based tools (OSQuery, Auditing, host-based firewall) and go over deployment, benefits and lessons learned after deploying at an enterprise. Also I will go over what I would have done differently.\”
1500
Finding and Exploiting Deserialization Flaws
Tim McGuire
Deserialization flaws are widespread but poorly understood. Automated security tools can report where flaws might be but actual risk can be difficult to determine. There are two types of deserialization flaws: One kind can break the logic of an application by overriding data validation and other protections. A second kind can take advantage of other application components to attack the web server and other infrastructure with Remote Code Execution and Denial of Service. A number of third party components contain flaws, possibly undiscovered, that can lead to remote code execution. There also exists opportunity for further research to find components that enable exploitation of deserialization flaws. This talk will introduce the problem using the Java language as an example, talk about the differences between the types of flaws, and demonstrate tools to look for and confirm vulnerabilities.
Powering up Incident Response with Power-Response
Andrew Schmitt & Matt Weikert
Threat actors and attacks are becoming more sophisticated and complex by the day. Incident responders and information security analysts are tasked with protecting organizations and their assets while rapidly responding to contain, eradicate, and recover when an infection or compromise is identified. Time may be the most valuable asset that incident responders have (or maybe don’t have) during an incident, and it is imperative that we stack our tools and processes in a way that promotes time and process efficiency. This is what lead the authors to create Power-Response. Power-Response is a modular, open-source PowerShell incident response framework that allows incident responders to take advantage of robust tools in a consolidated console while conducting the incident response effort. This talk will focus on the modular capabilities and tools integrated into Power-Response and how they can be used to increase efficiency during an incident. Security professionals will leave this presentation with the knowledge and tools to improve their incident response capability and the ability to scale Power-Response to fit the needs of their organization.