BSides Las Vegas

Jim Christy will discuss the history and future of using Digital Forensics to solve almost any investigation, including his role leading Cyber Ops for the D.B. Cooper Cold Case Team. In 1971, a man named Dan Cooper (Press misidentified him as D.B. Cooper and that name has stuck) hijacked a Northwest Orient flight showing a flight attendant a bomb in his briefcase. He demanded and received $200,000 cash and 4 parachutes. After releasing the passengers, he directed the flight crew to fly him to Mexico with a refueling stop in Reno, NV. Somewhere over Washington State, it is believed D.B. Cooper parachuted out of the airliner via the rear stairway with the ransom, never to be heard from again. For law enforcement, this is the only unsolved skyjacking in American history. Christy put together an online task force to help Colbert’s team prove the real identity of DB Cooper, starting with the evidence from Colbert’s 2016 documentary and continuing through a surprising number of online sources and contacts for a 45-year-old case. It only took them a few years to prove what had eluded countless investigators in all that time. Learn all about the techniques that brought them success and join Jim Christy after the Keynote for an extended Q&A session and meet & greet in our Underground track!

How to (accidentally?) Change The @%!$ World in just ten years and a couple of two-day follow-ups.

Whenever we discover another breach, adversaries give us a friendly reminder that the status quo in network defense isn’t good enough. Everyone’s telling us that we need to evolve our focus beyond indicators toward tactics, techniques, and procedures (TTPs), yet we struggle with how to do this. MITRE ATT&CK is the first public framework derived from real threats for describing detailed post exploitation activities, and the community is increasingly adopting it to help move toward detecting TTPs.Members of the ATT&CK team will engage in a discussion with the community about how ATT&CK can help us all improve. We will suggest ideas for how analysts, defenders, engineers, and red teamers can use ATT&CK as a common language to help change your approach to defense by orienting towards the adversary. Based on our experiences, we will provide practical advice on how to apply ATT&CK to improve cyber threat intelligence and defenses by tracking adversaries and developing analytics to detect their behavior. Most importantly, we want to hear from the audience about how they are using ATT&CK and what could make it better.

Meet SiliVaccine – North Korea’s national Anti-Virus solution. SiliVaccine is deployed widely and exclusively in the DPRK, and has been continuously in development by the government. When we heard of this strange software, we were immediately driven to investigate it: it’s not every day that you catch a glimpse of the malware landscape inside the closed garden of the DPRK’s intranet.In this talk, we will describe how we were able to obtain a rare copy of SiliVaccine; how we reverse-engineered it; and what surprising discoveries we made about its program architecture — all the way down to the file scanning engine, drivers, and other puzzling implementation details. As it turns out, there is plenty going on behind the scenes of this product.How was SiliVaccine created? Who created it? what was the game plan? We will try to shed light on these questions, and on the sheer effort that must have gone into developing it. If there is anything we learned, it’s that DPRK state-sponsored software is a secretive industry underlied by incredibly shady practices, and that if Kim Jong-Un sends you a free trial of his latest security solution, the correct answer is “thank you but no thank you”.

Exploits, Backdoors, and Hacks: words we do not commonly hear when speaking of Machine Learning (ML). In this talk, I will present the relatively new field of hacking and manipulate machine learning systems and the potential these techniques pose for active offensive research. The study of Adversarial ML allows us to leverage the techniques used by these algorithms to find weak points and exploit them in order to achieve: * Unexpected consequences (why did it decide this rifle is a banana?), * Data leakage (how did they know Joe has diabetes) * Memory corruption and other exploitation techniques (boom! RCE) * Influence the output (input: virus, output: safe!, as seen on (DEF CON 25 – Hyrum Anderson – Evading next-gen AV using AI)[https://www.youtube.com/watch?v=FGCle6T0Jpc]). In other words, while ML is great at identifying and classifying patterns, and an attacker can take advantage of this and take control of the system. This talk is an extension of research made by many people, including presenters at DefCon, CCC, and others – a live demo will be shown on stage! Garbage In, RCE Out ????

Ethereum dApps (decentralized apps) are a core pillar of why development on the platform has skyrocketed. Many of these dApps work by combining standard web applications with a consensus protocol behind them. In other words, users can interact with a standard web application to issue transactions to a series of Ethereum smart contracts. This produces an expanded attack surface for Ethereum dApps: since smart contracts are publicly visible on the blockchain, an attacker can exploit the dApp either through the web application’s logic or by attacking the smart contracts directly. In this talk, I demonstrate how an Ethereum dApp works from top to bottom. I show what transactions through a dApp look like, how they can be spoofed, and the different attacks we can leverage against a dApp — whether over the web or by targeting the smart contract directly — to try and steal its ether.

We are seeing more and more organizations leverage the advantages introduced by serverless computing. But what does serverless computing entail when it comes to security? With no dedicated server, is the security risk higher or lower? Can malware live inside the code? These are critical questions every organization shifting to a serverless environment should be asking.The Checkmarx Research Team took on the challenge of implementing the first-ever RCE (Remote Code Execution) attack in a serverless environment that is both stored and viral. Using Amazon’s Lambda as the first test subject, we were able to build a PoC which showed how information extraction and exfiltration is done. We also demonstrated how the payload persists and can be injected into other non-vulnerable functions. We then went ahead and tested to see if the same would work on Azure and Google Cloud. Curious to know the outcome? The findings will be presented in our session along with best practices and tips to ensuring security prevails in a serverless environment.

Everyone talks about IoT security failures, but who should actual do all the things? We bring back 80s style, while tackling the question of government involvement in the IoTs in a fast-paced game show format that will highlight the problems of expecting easy solutions. We’ll walk through scenarios from the news and some popular proposals, and highlight how they won’t work quite as well as some may hope. Contestants will reveal that, while snarking about security is fun and games, thinking about the complexity of policies isn’t child’s play.

Nation-state offensive digital attacks are on the rise. Especially considering the news headlines. But, what is cyber warfare and what’s realistic? Come on a journey into a twisted but realistic game scenario with real-world implications. What decisions would you make considering the tools at your disposal? Embassy insider threats, leaked Intel agency data & tools, hacked back the wrong system, all the way up to causing mass casualties on internet connected mass transit. Who are your diplomatic “”friends”” and who can you trust? This presentation gives participants a (sanitised) peek behind the diplomatic curtain, revealing some of the challenges, decisions and tools at their disposal. What US allies are preparing for and expectations. How your organisation can use similar techniques such as cooperating with peers against market-wide attacks, scrutinising data before attribution and how computer emergency response teams can help. Studying the outcome, what can be done to improve the situation.

Cybersecurity in manufacturing environments is becoming more and more critical. However, many organizations do not know or understand the cyber risk in their manufacturing networks and plants. “Red Teaming” can help give the organization an edge in assessing, demonstrating, and communicating this risk.This talk will demonstrate some practical methods of performing penetration testing and Red Team assessments in a manufacturing environment. We will begin with the basics of manufacturing networks -how they work, how they are laid out, and the key components that comprise the network. Next, we will get to the fun part -the basics of Red Teaming in manufacturing, and what to assess, how to evaluate it, and some typical findings and vulnerabilities that we have discovered in these assessments. Finally, some methods of mitigating these common vulnerabilities will be presented.Our goals for this talk are two-fold: Motivate organizations and prepare Red Teamers to perform assessments in their own manufacturing environments, as well as shed light on common issues and vulnerabilities in manufacturing networks to help defenders and management.

Warrants. Wiretaps. PRTTs. Subpoenas. Section 702. 2703(d) order. National Security Letters. All Writs Act. Many in the infosec community are aware that the government has an array of legal authorities to use in investigating crimes which allow them access to user content and metadata, but few people could articulate the differences among these types of orders. This talk will review each type of legal process used by state and federal agencies to request access to various types of user data and content.

Proprietary software is used throughout the criminal justice system, and the trade secrets of software vendors are regularly deemed more important than the rights of the accused to challenge the results of these complex systems. We will lay out the map of software in this space from DNA testing to facial recognition to estimating someone’s likelihood of committing a future crime. We will detail hurdles that prevent oversight and examples of problems found with third-party review. Adams will demo his findings from reviewing NYC’s FST source code, which was made public by a federal judge after years of the city’s lab fighting disclosure. Greco will provide insight into the wider world of software used in the criminal justice system -from technology that law enforcement admits to using but expects the public to not question to technology that law enforcement denies despite evidence otherwise. Matthews will talk about the wider space of algorithmic accountability and transparency and why even open source software is not enough.

Crusade into the wild world of malicious browser extensions. You will learn how to do keylogging, cookie stealing, credential harvesting and building a C&C server allowing you to execute arbitrary JavaScript remotely of your choosing. We will also be talking about CORS (Cross-Site Resource Sharing) and some interesting quirks with the browser extension environment. If you are a front-end developer and you want to dive into malicious code this would be the best way to start learning.

Active Directory remains the most popular corporate solution for organizing devices and users on a network. Central to its responsibilities is providing user authentication and authorization. In particular, password authentication through Active Directory necessitates the use of the strongest defense mechanisms possible. However, the common corporate pattern of enforcing higher complexity passwords by increasing entropy remains an anachronism. This trend of constantly increasing password complexity is not only counterproductive due to its restrictiveness, but is also insecure due to its lack of defense against dictionary-based attacks. With the plethora of attacks centered on brute-forcing and commonly-used passwords, many corporations are falling victim to these attacks despite supposedly strong password enforcement.The solution to these problems is integration of password blacklisting directly into Active Directory, a countermeasure that has yet to reach widespread corporate adoption. This talk will provide a run-down on how corporations can install their own Password Filtering service directly into Active Directory using either in-house solutions or existing ones, and outline why this helps improve overall security and productivity. As an example, I will talk about how Yelp recently deployed this type of solution to improve our authentication flow.

There has been some confusion about NTLMv1 and NTLMv1-SSP reversing to NTLM hashes using hashcats mode 14000. This was largely due to a talk at Derbycon that had some incomplete information combined with a few forum posts on hashcat.net. In order to simplify the process as much as possible a tool called the NTLMv1 multi tool was created to automate most of the steps in converting an NTLMv1 and NTLMv1-SSP hash into a hashcat challenge file.

There are many eCommerce and SaaS businesses that offer loyalty programs. Some involve gift cards and credit points. Some include cash back and currency that can be used somewhere else.Naturally, all these loyalty programs require user authentication before granting access. The authentication method varies from a four-digit code, to a password of your choice. Yet, once you are authenticated, there are no more hurdles before you can use the credited balance.Since this is a single point of failure, you would assume that more attention would be given to defending against automated attacks. But as we’ll see, that assumption is dangerously wrong.In this talk, we will disprove this assumption by exploring examples based on data from our customers (anonymized, of course). With real world data we will show how automated attacks are used to access the accounts and from there the funds, and subsequently siphon them away.We will also go through the entire process, targeting the demo mobile application. Starting from reversing the APK up to running the automated fraud.We will also cover some approaches to protect both the business and the consumer from such attacks.

Typically the impact of constraints on the maximum number of permutations for a password is not considered much-the-less quantified. Password policies that require a minimum character length and mandate the use of lowercase letters, uppercase letters, numbers and symbols may reduce the number of viable passwords by more than 60% of the unconstrained character set. Mandating 12 character password length immediately eliminates 95^11 potential passwords. Every combination of character constraints reduces the number of viable passwords even further. Websites with maximum character lengths and character set constraints can easily eliminate over 50% of the viable eight character password for the allowed and required character sets. In this paper we will quantify the effects of multiple combinations of constraints on 8, 12, and 16 character passwords, and provide the Python script used in our calculations and as a starting point for further analysis by others.

“Talking outside the community about security basics and teaching security awareness without resorting to FUD-tactics can be both challenging and satisfying. Challenging because you don’t want to be accused of being too shrill or dogmatic. Satisfying because when someone hears you about why security is important, you know you are making a difference. Over the past year, I spoke about security awareness to local community groups, professional organizations, and schools. Along the way, I learned that one way to avoid sounding shrill is to tailor the conversation to the audience’s age and perspective. This is partly finding the right examples, but also picking topics that are relevant to how the audience interacts with technology.Less “”parental tech support,”” and more like a “”community awareness training”” event. This talk will help adjust conversations so that the group “”Gets”” why the security topic is important. The audience will walk away with concrete ideas on how they can reach out to their own communities. There will also be a checklist of things that worked, and things to avoid doing again. The goal is to improve security and encourage people to go into their communities and help more people become security-conscious.”

The instant a device is connected to the internet, it gets scanned and interrogated for open ports, software versions, and default passwords. Who conducts these scans? Why? What kind of attacks will you see? The days of mass exploitation are upon us. When every device is connected, a new paradigm for mass exploitation emerges. Vulnerabilities, specifically in core computing components, linger for decades. Many White Hat organizations scan IPv4 constantly to assess the potential impact of a vulnerability, or to understand the shifting technology landscape while less reputable actors scan for more nefarious purposes. We will explore the economics of simple port scans at scale and the associated costs for enthusiasts and enterprises.There are a number of insights you can gain into the systems and tools being used to conduct these scans. From Massscan to Zgrab to AutoSploit, internet scanning tools are prevalent and can reveal patterns of threat behaviors. Anyone in cybersecurity should be aware of how these tools work, what they reveal, and what threats they can uncover.To visualize internet scans, a demonstration of “Internet Radio” will show scans converted into music. This allows visitors to “hear” the background noise of the internet in real time.

Managing security for the WordPress project is a challenge to say the least. The sheer volume of reports, the resulting noise, securing an aging codebase, handling disclosure -all difficult to handle, but just the tip of the iceberg. How do you motivate and organize a volunteer team? How do you keep sites and users secure with so much third-party code? How do you educate users? When is it okay to break things to fix security issues and how do you manage reputation when you do? Should you backport? How far? They may not have it all figured out, but over the years they’ve learned a lot -often the hard way. Aaron has led the WordPress Security Team since the end of 2016 and been a part of it for over five years. He’ll share what he’s learned along the way, how things have improved, what changes didn’t help (even when they were sure they would), and what things they still struggle with. He’ll also share an overview of the tools they use and processes they follow, in hopes that no one else has to learn the hard way.

The value promised and expected by investing in data analytics simply can’t be delivered unless you can GET the data and get THE data. This case study will detail how a global energy company is building out its Security Data Operations program to lay down the fundamental building blocks of an effective data pipeline, that ships the right data to the right platform for the right users. It will also detail ‘the snag list’ of things that can go wrong when trying to get valuable insight out of data, so you can avoid that happening in your organization.

Machine learning is the science of developing programs that can automatically learn from data. First, this talk will give some simple examples of machine learning. Next, we’ll delve into deep learning: a popular, modern subset of machine learning used for things like image recognition, self-driving cars, and malware detection. We’ll walk through exactly how deep learning programs (neural networks) work. This will allow us to touch on why deep learning is such a good tool for detecting never-before-seen cyber threats. Finally, we’ll walk through a demo of a deep learning program developed at Sophos.

The proliferation of ransomware has become a widespread problem culminating in numerous incidents that have affected users worldwide. Current ransomware detection approaches are limited in that they either take too long to determine if a process is truly malicious or tend to miss certain processes due to focusing solely on static analysis of executables. To address these shortcomings, we developed a machine learning model to classify forensic artifacts common to ransomware infections: ransom notes. Leveraging this model, we built a ransomware detection capability that is more efficient and effective than the status quo.I will highlight the limitations to current ransomware detection technologies and how that instigated our new approach, including our research design, data collection, high value features, and how we performed testing to ensure acceptable detection rates while being resilient to false positives. I will also be conducting a live demonstration with ransomware samples to demonstrate our technology’s effectiveness. Additionally, we will be releasing all related source code and our model to the public, which will enable users to generate and test their own models, as we hope to further push innovative research on effective ransomware detection capabilities.

Deep learning architectures have been used with great success to mimic or exceed human visual perception in well-scoped tasks ranging from identifying cats in Youtube videos to cars in self driving systems. Rarely have these techniques been applied to information security. Attacks that attempt to exploit visual perception, such as phishing documents that persuade humans to enable malicious macros and URL (e.g., www.rnicrosoft.com) and file-based (e.g., chr0me.exe) homoglyph attacks, are ripe for similar automated analysis. Our research introduces two methods – SpeedGrapher and Blazar – for leveraging artificial vision systems and features generated by image creation to detect phishing. SpeedGrapher analyzes the appearance of Microsoft (MS) Word documents and leverages an object detection network to identify relevant visual cues to classify samples. Blazar analyzes strings for possible domain or filename spoofing and uses a siamese convolutional neural network and a nearest neighbor index to compare visual similarity of spoofs to known domain or file names with a much greater accuracy than edit distance techniques.

Social engineering is a big problem but very little progress has been made in stopping it, aside from the detection of email phishing. We observe that any social engineering attack must either ask a question whose answer is private, or command the victim to perform a forbidden action. Our approach uses natural language processing (NLP) techniques to detect questions and commands in the messages and determine whether or not they are malicious.Question answering approaches, a hot topic in information extraction, attempt to provide answers to factoid questions. Although the current state-of-the-art in question answering is imperfect, we have found that even approximate answers are sufficient to determine the privacy of an answer.We have tested this approach with over 187,000 phishing and non-phishing emails. We discuss the false positives and false negatives and why this is not an issue in a system deployed for detecting non-email attacks. In the talk, demos will be shown and tools will be released so that attendees can explore our approach for themselves.

To kick off Hire Ground, Lesley Carhart will share how best to leverage your time at BSidesLV and in Hire Ground to help your career. You may be either just starting out or a seasoned professional, but we all need to know tips and strategies to help move along our career paths. Lesley will share her advice just as she does on Twitter, her vlog and at other cons.

Matt DeVost has been hacking for over 25 years and has become one of the leading experts on cyber and security domains. One of Matt’s key phrases is HACKthink – applying the hacker mindset to analyze and dissect complex problems and develop innovative solutions. Matt will share how he has used this mindset to create his career path, and launch several companies.

Everyone knows that security talent is scarce. When interviewing for a position, it is important to fully appreciate what that means. As an interviewee, you have the opportunity to be choosy about where you spend your time and energy. Make sure that the company is just as worthy of that time and energy as you are worthy of theirs. This doesn’t give a potential candidate a license to be rude or snobby but rather levels the playing field in a way that not many other careers have. Ensuring that the company and the candidate are the best fit for each other is a dual responsibility. However, before any of this can matter, a candidate must first know themselves. What motivates you? What tempo are you looking for in a work environment now – what about in three years? This talk will cover the many different aspects of an organization that can impact your enjoyment of the work you’ll be doing in the short-term, and help set you up for success, happiness, and fulfillment in the long-term.

A career in Cyber Security does not always follow a linear path. In some cases, a successful career in cyber security can result from breadth of experience in seemingly unrelated disciplines and roles, with security implications woven throughout. I will share how my varied roles and experiences over 15 years have ultimately led to a career in cyber security.

Many women and underrepresented groups have faced adversity and lack of inclusion in their careers in Security. We have been able to rise above and “hack” through the obstacles. This talk is about overcoming the adversity we face (as Black, Asian, Latina, Indian, Women, self-made students, economically disadvantaged and culturally repressed groups) is a form of hacking in itself. We have been able to rise above the obstacles and elevate our privileges to be active members of the cyber security community.

Panelists of recruiters debate and expand upon the major points brought up in today’s sessions. And every question you wanted to ask a recruiter, you can do so now!

Cybersecurity needs more and better ambassadors, particularly on topics that relate to cybersafety, where creating positive social change is more time-sensitive to avoid public harm. A significant part of this is learning how to work with the many media outlets and publications that regularly cover cybersecurity stories. Unfortunately, security coverage can often be sensationalist and counter-productive. It falls to us to provide reporters with the right information to cover complex and sensitive cybersafety topics appropriately. To help attendees learn how best to work with reporters, the I Am The Cavalry Track will have two complementary back-to-back sessions on “Engaging the Media.” Come for one or stay for both. In “Know Your Target,” four highly respected reporters that regularly cover cybersecurity will share their war stories of working with the security community. They will give you insight into the potential pitfalls of both intentional and unintentional media engagement, and will help you understand how best to build productive relationships with cybersecurity writers. They will also highlight tips and tricks for successful media briefings. This session is an informal panel discussion.

Cybersecurity needs more and better ambassadors, particularly on topics that relate to cybersafety, where creating positive social change is more time-sensitive to avoid public harm. A significant part of this is learning how to work with the many media outlets and publications that regularly cover cybersecurity stories. Unfortunately, security coverage can often be sensationalist and counter-productive. It falls to us to provide reporters with the right information to cover complex and sensitive cybersafety topics appropriately. To help attendees learn how best to work with reporters, the I Am The Cavalry Track will have two complementary back-to-back sessions on “Engaging the Media.” Come for one or stay for both. “Telling your story” is a short interactive workshop, during which, three of our expert reporters will walk attendees through tips and tricks for building compelling and credible cybersecurity stories. The session leads will take you through what makes a story “newsworthy”, how to create “hooks” to grab a reporter’s attention, and how best to get your message across. They will also explain how you can pitch your story to other reporters like them, and you may get a chance to get them interested in your story right then and there. This session will include opportunities for brave audience members to engage in live practice with the reporters, but participation is not mandatory.

IoT security is a known hard problem. A number of efforts are devoted to addressing risks in new devices by codifying and standardizing better security and development practices. The broader challenge will be to understand how these technical and policy efforts overlap–and where they don’t. Moreover, things that were built with better security when new can emerge as risks as they –and the underlying code–ages and more vulnerabilities are discovered. This panel will explore the dynamics of three different IoT security proposals, focusing on coordination around the underlying standards, components, and end-of-life decisions. We will first share work that picks up where the National Telecommunications and Information Administration’s IoT working groups left off, mapping overlapping security controls in existing IoT standards. Amongst this blooming buzzing confusion, and despite unique sectoral attributes, these IoT security standards face similar challenges with respect to patching, cryptography, and supply chain security. By initiating conversations across sector and technical layer we hope to accelerate learning, and improve on current best practices. We’ll then highlight a new NTIA initiative on transparency around third party software components, sometimes referred to as a “software bill of materials.” We’ll review that initiative, and highlight a sometimes overlooked feature of an SBOM–helping vendors and customers make better end-of-life decisions for connected products. Lastly, we’ll explore a topic that some have suggested to help navigate the complexity and information asymmetries of the IoT space: a device registration database. In our vision, hierarchical governance model, device registration with a trusted entity could allow new nodes to be securely authenticated, creating a network of trusted devices. Registration allows the cross-referencing of known threats to preexisting IoT networks, and, upon discovery o

Vulnerability disclosures for safety-critical systems are f’n hard. Even when the finder/reporter and receiver/manufacturer are working closely in good faith, things get weird AF. When there’s low levels of trust, the weird go pro and things quickly break down. But no matter how frustrated we get with each other, we can and must find common ground around the desire to protect patients. Time to put the hard problems on the table and fight together to address them, rather than keeping on fighting each other. This discussion will cover ways to overcome some of the hard problems from vulnerability disclosure in safety-critical systems, through a lens of healthcare and medical device disclosures. This session will cover: The problem with understanding severity and criticality. CVE, CVSS, etc. – CVE and CVSS have issues (see also, our BSidesLV talk), but even when we agree they work well, it’s not generally for safety-critical industries. Communications – Reporter, manufacturer, FDA, DHS, AHA, NH-ISAC, and others all put out information on the same issue, often in conflict. Where is the single source of truth? Who does a doctor/patient listen to? How do you drive alignment? Timelines – Comms takes time. Fixes take time. Often these are staggered, not in parallel. Often they rely on outdated methods like newspaper notices, snail mail, etc. Relay Race – Write the bug -> find the bug -> fix the bug -> test the fix -> publish the fix -> apply the fix. And if you skip a step, or someone doesn’t do their job, patients may be at risk from going public. Year-0 for Healthcare – Medical device makers don’t have 20+ years experience with disclosures like in software/internet. Sometimes they think they don’t MAKE mistakes, or they’re sufficiently bounded to prevent harm from vulnerabilities. Technical Event Horizon – Even when you can show a hack is possible, it may not cause physical effects; even when it does there may be non-technical miti

I’ve spoken elsewhere about the tech and social ecosystems surrounding massive social engineering using misinformation and other forms of “fake news”. Now it’s time to talk about the practicals of doing this yourself, at scales ranging from personal attacks to nationstate.

User interaction is fundamental to successful IT operations within an organization. A disconnect between the end user point of view and the IT professional is growing. For many IT professionals, the so-called “soft skills” required to have successful interactions with end users are non-existent.Users become dissatisfied and unwilling to adopt change, while the IT professional struggles to maintain policy. The solution to help bolster these trying interactions is by emphasizing the use of the three Cs: courtesy, clarity, and comprehension. It has been observed that when engaged, user satisfaction and willingness to comply increases greatly and allows success for the IT professional to accomplish their goals.This talk takes a deeper dive into these meanings and provides useful, applicable tips on how an IT professional can apply them.

Effective security monitoring is an ongoing process. How do you get everyone participating? How do you on-board junior colleagues to continuous improvement? The purpose of this presentation is to show methods for encouraging participation from all members of the security monitoring team as well as tactics for communicating effective with the organization.This presentation will cover the methods I’ve employed for a teaching / improvement focused SOC. Our practice has been focused around partnering analysts with business units to demonstrate our value as well as identity oppertunities for our improvement.

Political warfare is back. Political warfare or political war is the “use of political means to compel an opponent to do one’s will, political being understood to describe purposeful intercourse between peoples and government affecting national survival and relative advantage.” Political warfare among nation-states is practiced with hostile intent and is by definition an offensive art. Political warfare has been reintroduced to the threat environment because as a strategy it can be implemented cheaply, possesses a high reproducibility, can be automated, waged largely through technical means and has a good rate of return. This presentation seeks to define political warfare as a strategy and then walk through common TTPs.

As a practicing Information Security consultant, I’ve seen many organizations fail at implementing effective security programs, not as a result of having incorrect technology, and not even the result of having the wrong people within the organization. However, it’s different individuals and groups (“The Paladins”) within IT each acting as their own “lion”, with different priorities and goals. Only when they come together and act as one (“Voltron”), can the enemies of the organization be defeated. This is not a technical talk, rather a “from the trenches” style presentation.

This talk will describe the password policy at Pure Storage, which involves the security team actively attempting to crack employee passwords, forcing a change when discovered, and allowing them to keep the password. Nearly two years into this program, I will review our mature implementation and present an analysis of the collected password data demonstrating how this approach has markedly raised security awareness of our employees and improved the strength of their passwords. Day-to-day blue team security is hard and draining; this approach gives the defense team members a chance to play the role of attacker with a fun task quite different from their day-to-day.

Vulnerability management, in the context of information security, is a critical, but often overlooked aspect in a comprehensive security posture. Many organizations are limited by time and resources to simply fighting fires and operating in a reactive methodology. Without a clear, defined, and management-supported vulnerability management effort, an organization may continue to operate indefinitely with a reactive methodology. There are three overarching components of vulnerability management that are to be considered in this process: Vulnerability discovery -how does an organization become aware of existing or newly published vulnerabilities?Vulnerability notification -how does an organization communicate discovered vulnerabilities to those responsible for the affected system(s)?Remediation verification -how does an organization validate the remediation/justification responses of those responsible for remediation? In considering these three factors, I intend to communicate successful examples of vulnerability management from discovery to notification, remediation, and, finally, verification. Recommendations for organizations new to vulnerability management are also included.

Hands on network security monitoring training with Bro. Students will ssh into a live training environment and analyze PCAPs for common types of attacks – brute forcing, smb related attacks and more.

Industrial Control Systems (ICS) are the silent machines that control the world all around us. ICS systems are used to control elevators, subways, building HVAC systems and the electricity we use. The convergence of information technology (IT) and operational technology (OT) in the ICS marketplace has been taking place over the last 20 years. This convergence, while increasing ICS operational efficiency, is also increasing cyber risk. In this full day course, you will learn how to identify the protocols being used in OT networks, how to decode them and the tools and procedures to perform network assessments on these networks.

Inspecting the internals of Microsoft Windows and discovering interesting attack surface for local privilege escalation can be a dark art. Outside of trivial enumeration and fuzzing of drivers there’s little documentation about how you’d find interesting privileged attack surfaces such as brokers, internal RPC/DCOM services and badly configured applications to escape sandboxes and get administrator privileges.This workshop we’ll go through how to use a number of PowerShell tools such as NtObjectManager (https://www.powershellgallery.com/packages/NtObjectManager) that I’ve written to help identify interesting attack surfaces and from that extracting information through reverse engineering to discover how they can be exploited. The workshop will also contain an overview of important areas of Windows internals as they relate to privilege escalation and how PowerShell can give you more a better understanding of how these internal features work together.

Using cryptography is often a subtle practice and mistakes can result in significant vulnerabilities. This workshop will cover many of these vulnerabilities which have shown up in the real world. This will be a hands-on workshop where you will implement the attacks after each one is explained. I will provide a VM with Python dependencies and skeleton code included so you can focus on implementing the attack. A good way to determine if this workshop is for you is to look at the challenges at cryptopals.com and see if those look interesting, but you could use in person help understanding the attacks. While not a strict subset of those challenges, there is significant overlap.

Mobile Application Hacking is a hands-on class designed to teach participants with techniques and tools for mobile application (both iOS and Android) penetration testing. The class covers a wealth of techniques to identify, analyze and exploit vulnerabilities in mobile apps. The class also covers inbuilt security schemes in both iOS and Android platforms and teaches how to bypass those security models on both the platforms. The class is equipped with labs that contain intentionally crafted real-world vulnerable Android and iOS apps by the author and enables participants to learn the art of finding and exploiting flaws in mobile applications. The class also has a CTF in the end which gives the participants the opportunity to test their skills which they will learn in the class. The platform used for the training will be iOS 10 and Android 8. Note: This is a major upgrade of the previous class by the author “Mobile App Attack” which was delivered around the world at conferences such as OWASP AppSec USA, DeepSec, DEFCON, NullCon and BSides LV.

This will be an in-depth dive into network scanning with NMAP and the proper way to approach a target network. In this hands-on-the-keyboard training, you will learn recon, scanning, scripting and enumeration using NMAP. Scanning is one of the most important components of Pen Testing. This course will teach you some of the tricks of the trade to take your NMAP usage to the next level! You will also spend some time late in the afternoon with NMAP’s scripting engine to perform basic vulnerability scans, and by the end of the day come away with an amazing skill set. If you’ve ever wanted to really, truly learn NMAP, then you must attend! This is hands-on training. After a brief overview of the methodology, you will fire up Kali Linux and spend the rest of the day scanning our lab network. Students should have a basic understanding of Bash commands and be able to navigate around in Kali.