Keynote: The Abyss is Waving Back…The four paths that human evolution is charging down, and how we choose which one’s right…
Chris Roberts
As humans we have four evolutionary paths: 1. We embrace nanotechnology and Bionanotechnology… we become more dependent upon machines and slowly move towards integration with the systems (we know we’re looking at 80% integration in the next 20 years at least) 2. We embrace consciousness and some of us end up in New Zealand hanging out in an AS/400…bodies no longer needed 3. AI wakes up, looks round wonders WHY humans are in the driving seat and takes over… OR we end up unplugging it and rebooting back to the 1900’s… 4. The stumbling drunk…simply put we keep staring into the abyss and almost falling in, only to somehow manage to come back from the collapse, the challenge is HOW many times can we do this before we simply fall in?


CISO Leadership panel
Panelists: Rich Agostino (Target); Patrick Joyce (Medtronic); John Valente (3M).  Moderated by Jodie Kautt (Target)

Within the past few years, the Twin Cities has become one of the fastest-growing tech cities in the country. So how do the Cities’ leading CISOs continue to recruit, retain and grow their teams amidst so much change and competition? How do they help their teams adapt when the threats are more frequent and sophisticated? Hear the CISOs from 3M, Medtronic and Target talk about how they lead their organizations through constant change. Listen to them as they share advice for other cyber security leaders, talk about how they build and motivate their teams, and reflect on the things they wish they would have known when they started their careers in cyber security.

DNS – The Security Platform No One Care About
Andrew Guck
Every organization is dependent on DNS to function, but rarely do they think about the ways DNS is both a risk and a boon to their organization’s security. See an overview of some of the various vulnerabilities and risks DNS brings to your organization such as denial of service, data exfiltration, and resolving malicious domains. We’ll also cover some ways that we can mitigate these problems – provided the audience can contain their excitement.

Murky Waters: Analyzing Phish Kits
Kyle Eaton
Email remains one of the moist successful vectors into a company, and phishing attacks show no sign of stopping. However, attackers can be lazy and sloppy, often leaving behind copies of their code in zip files from the initial deployment of a website. This talk will discuss collecting, and analyzing phish kits as well as automating this process.


Legit Comms: Evolving Both Red and Blue
David Kennedy
Attackers haven’t had to change their techniques for close to a decade. New techniques were present however traditional detection focused primarily on server infrastructure and the perimeter. With detection getting slightly better at most organizations, attackers are continuously evolving based on our ability to detect attacks earlier. As attackers we must continuously evolve and get better morphing to more legitimate attack patterns. As defenders we must get better at identifying abnormal patterns of behavior. This talk walks through legitimate attacks scenarios for red team that is designed to be highly effective and evade detection, but most importantly, how to look for strange patterns of behavior that attempt to evade detection.

Keeping the Lights On
Leonard Jacobs
The world is full of control systems that are vulnerable. Our lives are surrounded by them from air conditioning systems to the systems that control the production and flow of electric power to run our homes and natural gas to heat our homes. This presentation provides an overview of industrial control systems and how to protect them from cyber threats.


Incident Response, more than just a plan
Ben Butz
If you think your organization’s Incident Response Plan is going to cut it going forward, I’m here to warn you that you may be in for disappointment. 2017 saw more big name victims like Equifax, Deloitte, Whole Foods Market, Uber, Hyatt Hotels, Saks Fifth Ave, Chipotle, Arby’s, Kmart, Xbox and PSP. The tempo of news worthy data breaches is directly tied to the critical skills gap in information security, particularly in Incident Response.

Your investments in network and host based prevention are helping but they will not stop everything. An effective IR program is essential to securing your organization from advanced threat actors. I will discuss ways you can improve your Incident Response program to ensure that your analysts are capable of identifying, scoping and containing a wide variety of security incidents. This means pulling your analysts away from ineffectual break-fix operations like responding to failed logins, and reacting to system outages and instead focus them on actively building detection for indications of adversarial activity through detailed investigation and threat intelligence gathering. These concepts are typically overlooked in Bachelor level InfoSec degree programs in favor of policy, legal, architecture and disaster recovery. Training your analysts is key to developing effective incident responders and I will discuss ways you can build your IR skillset through internal and external training opportunities.

Eee El Kay spells WTF: A journey into deploying an ELK stack to support an Incident Response Investigation
John Stauffacher (@g33kspeed)
So…you are tired of your SEIM, not really digging Splunk…Want to roll you own ELK stack? Pull up a chair, get comfy as we walk through the highs and lows of a recent ELK install we did to support a rather large IR engagement. Along the journey we will encounter sizing issues, performance bottlenecks, unusable UIs, and all sorts of odd beasts. Though at the end of the journey you should be thoroughly prepared, and scared shitless to take on this ‘simple’ project.


Cybersecurity Utilization and Planning Framework
Scott Goethel & Vince Peeler
Capturing an organizations security tool inventory (sensors) and capabilities is not for the faint of heart. Knowing your security posture does not begin with how many sensors you have or that you have utilized major vendors.

Do you keep answering the same questions about why did we pay big $ for that solution and it’s not providing the value we need? Can’t find a way to capture and present data to help you move attacks further up in the kill chain?

Optum has created a standardized data capture process and business intelligence dashboards to capture broader and deeper visibility into sensor capabilities, identify gaps, and look for opportunities to enhance our organizations security posture. The core information gathered focuses on not only sensor capabilities as a whole, but if our organization is utilizing those capabilities, where it is deployed, where it sits in the environment, and how it relates to the Lockheed Martin Cyber Kill Chain© Attack Analysis Model.

In addition, linking this collected data to our threat intelligence and vulnerability information provides for a higher quality proactive risk assessment.

Benefits of the process and model:

• Common framework capturing sensor information.
• Up-to-date sensor and sensor flow information to aid in investigations.
• Identify gaps in security fabric and enhance security posture.
• Identify duplicate technologies/features and pick best of breed.
• New product requirements review.
• Alignment of defensive capabilities vs. Adversary TTP’s (Tactics, Techniques and Procedures).
• Turn reactive cyber defense into proactive cyber defense.

While this process and model relate to small, medium, and large organizations, it does require a commitment to gather and maintain the information to be practical in proactive cyber defense.

Creating a Fusion Center – The Highs and Lows of Integration
Rachel Giacobozzi
As the combination of intelligence, detection, and response into a integrated team become more popular, many companies are turning to the “fusion center” style SOC. It may seem as simple as putting all the teams into one room and asking them to communicate with each other. However, learning to interact with each team and understanding what you can provide each other takes time. This is a panel talk with members of Target’s Cyber Fusion Center, from the Threat Intelligence, Threat Detection, and Incident Response teams. The panel will focus on obstacles and wins for the teams as they learned to work together everyday. The panel will be moderated and audience participation is encouraged.


WiFiPi: Rasperries and Radios and Antennas, oh my!
Ray Doyle
Tired of carrying heavy backpacks? Wondering why wireless assessments can be such a drag? Script kiddies making fun of you for your outdated tools and techniques? If so, then the WiFiPi is for you!

In this talk, I’ll discuss using Raspberry Pis to assess wireless networks. Your Pi can be a valuable tool in pentesting, remote monitoring, managing networks, signal testing, and more.

If you’re new to Raspberry Pis, this talk will give you general methodolgy for wireless assessments as well as tips for making your gear more portable. If you’re not into wireless testing, then hopefully you’ll come away with some other half-baked ideas for all of those Pis that we all have Pi-ling up!

Regex to Machine Learning: Techniques to Get Ahead of Cyber Attackers
Evan Gaustad
In this technical talk, we’ll dive into the difficult problem of identifying patterns in millions of logs by looking at a variety of analytical techniques available, from proven tools like regular expressions to more advanced Machine Learning techniques. We’ll explore a data set together of phishing links, as malicious links in emails are still one of the most successful techniques used by cyber attackers to steal sensitive data and gain unauthorized access.