David Kennedy (@HackingDave)
Founder, Senior Principal Security Consultant of Trusted Sec / Chief Hacking Officer of Binary Defense
Dave is the founder of TrustedSec and Binary Defense Systems. Both organizations focus on the betterment of the security industry from an offense and a defense perspective. David also serves as a board of director for the ISC2 organization. David was the former CSO for a Diebold Incorporated where he ran the entire INFOSEC program. David is a co-author of the book “Metasploit: The Penetration Testers Guide”, the creator of the Social-Engineer Toolkit (SET), Artillery, and several popular open source tools. David has been interviewed by several news organizations including CNN, Fox News, MSNBC, CNBC, Katie Couric, and BBC World News. David is the co-host of the social-engineer podcast and on several additional podcasts. David has testified in front of Congress on two occasions on the security around government websites. David is one of the founding authors of the Penetration Testing Execution Standard (PTES); a framework designed to fix the penetration testing industry. David is the co-founder of DerbyCon, a large-scale conference in Louisville, Kentucky. Prior to the private sector, David worked for the United States Marine Corps and deployed to Iraq twice for intelligence related missions.
David Maynor (@Dave_Maynor) and Danny Adamitis (@dadamitis)
Two Notify All
Inside of the Cisco Talos Threat Intelligence group is a team of dedicated research engineers that have a dual mission: sharing threat information with external partners and proactively hunting adversaries. In the last year, Talos has investigated several high impact campaigns in the public domain such as. Nyteya, VPNFilter, and Olympic Destroyer. While you might have heard talks about these prominent investigations, this talk will focus on our daily operations and several of the lesser know investigations. We will outline how new campaigns were discovered, funny anecdotes, mistakes made along the way and uncomfortable truths about the business. This talk is the behind the scenes look at the people, politics, and drama of threat intelligence at a global scale.
Chris Sanders (@chrissanders88)
Choice Architecture for Security Practitioners
The security of a device or network often hinges on a single choice made by a non-technical user. This could be the choice to click a button to enable macros in a word document, the choice to enable flash on a page in chrome, or the choice to execute an attachment sent over e-mail. Each of these choices was designed for the user, in part, by a security practitioner. In this talk, we’ll examine the concept of choice architecture and the delicate balance that exists between allowing users to make choices that benefit them while also nudging them in a direction that keeps them from unwittingly unleashing disaster. We’ll go through several practical examples of common choices users make that have security implications and discuss a framework for architecting software and websites in a way that better aligns choices with security best practices. You’ll walk away from this presentation with a greater awareness of how security practitioners influence and impact user behavior.
Chris Truncer (@ChrisTruncer)
Isolated to Constrained Language Mode: Living within the Confines
WMI has recently been publicized for its offensive use cases. Attackers, and now red teams, are discovering how powerful WMI can be when used beyond its original intent. Even with the recent surge in WMI use, not everyone knows how to interact with it. This workshop intends to showcase how you can leverage WMI on assessments to do nearly anything you would want to do in a post-exploitation scenario. Want to read files, perform a directory listing, detect active user accounts, run commands (and receive their output), download/upload files, and do all of the above (plus more) remotely? The goal for this workshop will be to enable students to walk away with an understanding of how WMI, a service installed and enabled by default since Windows 2000, is utilized by attackers, demystify interacting with the service locally and remotely, and give students the ability to leverage WMI in the same manner as attackers.
Josh Bower (@DefensiveDepth)
Live Interrogation With Osquery
Osquery is an open source endpoint visibility tool that allows you to query your system as if it is a relational database. We will introduce osquery, and then demonstrate how to use it to interrogate a suspect system. The focus will be on abnormal process attributes as well as common persistence techniques.
Jake Williams (@malwarejake)
ABRACADABRA – make your breach reporting woes disappear!
In today’s environment where there’s a new breach announced in the media on a daily basis, there is no way to truly understand how much the response costs. Because no central standard exists for what can and cannot be included in breach costs, organizations are free to put anything and everything they deem related into the final balance reported to the public. We introduce the ABRACADABRA framework to remedy this and standardize breach cost reporting. In this session, Jake will introduce the framework. He’ll also walk through real world (ridiculous) costs that organizations have tried (and succeeded) in reporting as breach related, highlighting why the framework is needed in the first place and what compliance with ABRACADABRA will mean for the industry.
ABRACADABRA stands for:
Best (practices for)
Dispensing of the
Adam Mathis (@ch41_)
Comparing apples to Apple
Many defenders have hard fought experience finding evil on Windows systems, but stare blankly when handed a Mac. You know all the ways PowerShell can own a box, but how about AppleScript? You know all the Run keys by heart, but where would you find rogue kernel extensions? This practical talk will give defenders a primer in finding adversarial activity on macOS using the TTPs they know and love from other platforms as a reference point.
Justin Kohler & Patrick Perry (@_p_value_)
Objectively Measuring Hunt Value
Working with many customers and lots of data on a network security monitoring platform inevitably leads to the question, “how can I start to track my network hunting activities?” or‚ how can I tie back my hunting outcomes to real impacts for the organization?‚ DFIR personnel invest lots of time in hunting today and threat hunting programs are encouraged as part of a mature and successful CIRT. However, management is looking for the‚ so what‚ or metrics to demonstrate the value of threat hunting in real terms. After all, threat hunting involves dedicating man-hours from highly skilled professionals – a big investment for enterprises. Therefore, it is natural to want to collect data to drive decisions. How do you know if a hunt is worthwhile? Are you wasting your time? What could I do to become a more efficient hunter? There is plenty of information on suggested metrics to collect to start answering these questions but there is a lack of direction how this can be done in an operational workflow. In this presentation, we will demonstrate how to operationally track and report on hunt outcomes that have helped our customers demonstrate value from threat hunting operations.
Bryson Bort (@brysonbort)
Hack the Planet
Howdy Neighbor, a model smart house will be used to visually demonstrate to the audience how multiple interactive smart home products, including webcams, smoke detectors, power meters, HVAC systems, smart ovens and refrigerators, video game consoles, smart TVs, toasters, coffee makers, locks, and light bulbs (etc.), can be hijacked by attackers of various skill level to expose real-world vulnerabilities. This will provide attendees a great way to learn about common oversights made in development, configuration, and setup of IoT devices. More than just showing folks how your Nest smart thermostat can take over your home, we created Howdy Neighbor to actually demonstrate the problem and raise awareness to help train conference-goers. To do that, it had to be realistic. So Howdy Neighbor is a miniature homemade to be from kitchen to garage. It’s a test-bed for reverse engineering and hacking distinct consumer-focused smart devices, and to understand how the (in)security of individual devices can impact the safety of your home, and ultimately your family.
I will demonstrate how to build a mass attack campaign to take over thousands of devices at the same time, then how to automatically pivot through the local network to steal PII and financial information.
Ray Davidson (@raydavidson)
Creating a Volunteer Cyber Department: Dispatches from the Back Office
In 2013, the State of Michigan created a public-private partnership to leverage information security resources in the state. The stated goal was to create a cadre of volunteers to assist the state in responding to cyber-emergencies. To date, there have not been incidents which have justified mobilization of the force, and the scope of the force is being expanded to include assistance to local/regional government, educational and health/medical organizations. Experienced professionals will read the previous sentence and have many questions of a theoretical and practical nature. The goal of this presentation is to answer as many of those as possible from our experience and to collaborate with attendees to come up with additional answers which can be used to raise the security culture in other states.
Skill Sharpening @ the CyberRange: Developing the next generation Blue Team
How do you gain defender skills? Do you know exactly how offense should inform defense? Are you learning on the job in the heat of the moment? How to you measure outcomes and ensure success? Blue Team Cyber Operations skill development depends on reusable, repeatable, and measurable scenarios that reflect complex networks to pit the blue team against a modern attacker. It isn’t enough to take a class and run through a lab. Attackers and Red Teams have dozens of options (including your network), and so does the Blue Team. On a Cyber Range can get you there, but it’s much more than a few virtual machines. It’s about achieving a real outcome: a trained operator, armed with tools, techniques, and practices that so they can get in the hunt. This presentation will introduce you to a modern range, survey best of breed tools and capabilities, and highlight how a range can support skill development for the Blue Team operator.
Wes Widner (@kai5263499)
The sound of evil
Supposedly, there’s a shortage of Information Security professionals. Some people agree while others disagree. However, there is one thing most infosec professionals will agree on‚ and that is the fact that we all run around like our hair is on fire because we don’t have enough resources to accomplish everything that needs to get done. I know this is the case for most infosec people I talk to. Even if we get an additional headcount, our list of compliance checkboxes, projects, and daily responsibilities keep growing at a phenomenal pace. How do we keep up with this fast-paced growth, insane workload, alerts out our ears and no end in sight? One of the best ways to make a big impact is through automation. Whether you have a massive budget or no budget at all, I will discuss your options and how to start the automation journey or improve upon what you already have. I’ll talk about using existing tools, creating your own scripts, using API’s and even the latest fad in security automation, SOAR (security operations analytics and reporting). We will discuss how to determine what you should automate first, automation use cases in infosec, and how to tell if theres something you shouldn’t automate. Let’s face it, we are over tooled and understaffed. We need automation to help us out.
Tim Crothers (@soinull)
Leveraging Deception Techniques for Strong Detection
Breaches are occurring at an ever increasing rate which seems to amply demonstrate that many attackers know how to evade our typical prevention and detection technologies otherwise the breaches wouldn’t have occurred. In this talk, we’ll cover several ways of leveraging deception techniques that are both difficult for an adversary to detect and, more importantly, evade. The bonus is that the techniques won’t break the bank (i.e. free) and are accessible to organizations of any size.
John Grigg (@Sk1tchD) & Michael Butler
Automation and Open Source: Turning the Tide on Attackers
The security world is still trying to figure out how to deal with the overwhelming number of security alerts and data deluge most SOCs are faced with and then turn them into intelligence that is useful and actionable. Throwing more people and tech at the problem has proven to be ineffective and costly. In this talk, I walk through methods and tools (that you can actually employ) to turn the tide in your favor and create a security team that proactively deals with threats.
Leo Pate (@ltpate3) & Donald Miller (@446f6e616c64)
A Legend Has Arisen: How to use XXE to your Advantage in any Environment
In 2017, XML External Entities (XXE) saw its first appearance on the OWASP top 10 at number four. It has taken 5+ years for organizations (and L33T hackers) to realize how important (and simple) it is to exploit XXE vulnerabilities. This talk will focus on teaching the ins and outs of XXE, the unveiling of a custom tool, and how Blue, Red, and Purple teams can use our tool, and XXE, as an advantage in their organizations.
Martin Holste (@mcholste)
An Anatomy Of A Cloud Hack: Detecting And Responding To Adversaries In The Cloud
In most ways, the public cloud is more secure than a traditional data center. Asset management, inventory, audit logging, two-factor access controls, connectivity redundancy, and firewalls are built-in to the cloud provider platform. And yet, assets on public cloud are compromised just as those in traditional data centers. Mandiant estimates that fifteen percent of all of its incident response involves public cloud assets. If the cloud is more secure, why is it still getting hacked? This presentation will describe cloud threats learned from incident response and how they can be mitigated using traditional and emerging approaches by delving into the anatomy of a cloud compromise. It will provide a look at critical controls for securing IaaS, SaaS, and PaaS implementations against advanced threat actors and some questions to help assess your organization’s current level of cloud security.
Brice Self (@B__Selfless)
Breaking into Banks Like a Boss
Is your money safe? Are the movies real? Can you dodge lasers, sneak through vents, and dress in disguise to steal millions of dollars? Yes. Yes, you can. Let me show you how broke into banks with billions of dollars on the line through social engineering and bypassing physical security.
Hunting APTs and Script Kiddies with Beer Money
The assumption that threat hunting is an expensive, time-consuming activity reserved for enterprise organizations and threat researchers is not completely accurate. In June of 2017, I bought a Pastebin account and began hunting malware staged on their platform. For [far] less than I spend on beer in a year, and with just a little Python, I learned all sorts of stuff about threat actors at all levels. In this talk, I will share how I did this and some of the interesting things I learned along the way.
Ryan Wilson (@SpotlightCybsec)
OpenWRT + cheap routers = Cheap, customized security sensors & training devices
OpenWRT is a popular embedded Linux distribution designed for use on those wireless routers typically used by consumers and small businesses to get online. These routers typically come with a stock firmware that has minimal capabilities, but under the hood, they are very capable devices that can be unlocked with custom firmware. Enter OpenWRT to make this easier to accomplish! There are many uses for these from setting up cheap training networks (for example, to test cracking wireless security) to establishing network monitoring and interception points (for example, a cheap network tap). The presenter will present some use cases and do a quick walk-through about how to set one up.
Matthew Batten (@SleepZ3R0) & Collyn Hartley (@HA12TL3Y)
Movement After Initial Compromise
Once a system is compromised there are many avenues to consider. It brings up a lot of questions. Who am I on this network? Where am I in this network? Can I move to another system with my current permissions? Can I privilege escalate on my current system? We are going to go over enumeration utilizing living off the land techniques and on tools that an attacker can use for enumeration. Examples of some tools that we will go over for enumeration are SharpHound, Powersploit’s collection of Microsoft Powershell modules and others.
We will then go into what is Port Forwarding and why it is useful. Then we will show several ways to execute Port Forwarding. We will have video examples for utilizing SOCKS in Cobalt Strike and SSH port forwarding techniques. Once enumeration is done we will go over how to move to another system on the network. We will provide multiple examples such as; WMIC, Psexec, AT, Schtasks, WINrm, Remote Registry, DCOM, Multi-relay, SMB-relay. Screenshot and videos will be provided during the talk. The last part we will go over is how to detect or attempt to protect against these techniques that attackers implement.
Robert Wilson (@frcolumba)
Windows Event Forwarding and OSSEC – You can do this!
Most organizations in the United States are small, and many can’t afford MSSP’s or SIEM solutions. In some cases there may be only one administrator for a small business and they want to take additional steps to secure their organization. Using native windows tools and the open source HIDS OSSEC, we will cover setting up Windows event forwarding to a collection server, customizing OSSEC for a modern windows environment, and tuning rules to gain client visibility. We will then look at using OSSEC for detecting current techniques like AppLocker bypasses, PowerShell logging, and modern Windows tools like Defender Controlled Folder Access Blocking and Network Protection. All of this will cost you nothing other than using your brain, some virtual machines, and whatever hardware you need – which you probably already have.
Michael Nowatkowski, Eric Kilgore, and Nick Wylds
Reverse Hardware Engineering
Hardware hacking, or hardware reverse engineering, is the process of extracting information from hardware, such as firmware, instruction sets, and configuration information. We will discuss processes and tools to help people to start investigating hardware systems. The variety of tools and techniques is overwhelming and there is a lack of material and resources geared towards someone new to the field. During this talk, we will describe basic hardware hacking processes, techniques, and tools using common devices found at a local electronics store (routers, extenders, etc). The purpose of this presentation is to give an entry-level hardware enthusiast a beginner guide to understanding the uses and capabilities of these tools along with a basic understanding of how to access hardware serial connections
Josh Rykowski (@ryko212) & Seans Eyre (@oni_49)
Armadillo: A layered approach to portable security
Traveling is an inherently stressful endeavor and trying to maintain a secure computing environment while traveling seems like an impossible task. In our talk we introduce a physically small, cheap, and portable security stack. This stack provides an environment with consistent structure and services while allowing users to easily plug-and-play new client devices. It has a small form-factor which is easy to move, making it ideal for travel, and can easily be expanded with new services. The aim of Armadillo is to make security on the go easy, even while using filthy and dirty hotel Wi-Fi, all while providing the user with access to the services they rely on.
Credentials so good you’d use them again…. Cred stuffing for fun and profit…
After a web breach, billions of credentials are discovered in the wild. What happens to them? How are they being misused for profit and how is the actual reuse accomplished? This talk will discuss how it is done, what tools are out there and the monetization currently being seen in the wild.
Prashant Anantharaman & Rebecca Shapiro
Ghost Busters: A Tale of Spectre, ELF ABI, and Computational Privilege
In this talk, we describe ELF-based access control (ELFbac) and how it can naturally mitigate Spectre (variant 1). ELFbac is a novel technique for defining and enforcing policy at an intra-process granularity. Its mechanisms allow us to isolate semantically distinct code and data by placing them in separate ELF sections. This isolation can be used to effectively “hide” sensitive data from code that handles untrusted inputs. ELFbac leverages the ABI format and the forgotten capabilities of the ELF loader as first-order security primitives.
hosted by Mark Baggett (@MarkBaggett) – Georgia Senate Bill 315 and the Future
This year Georgia’s proposed cyber law SB-315 passed the state legislature with wide support before being vetoed by the Governor. The proposed legislation was only 43 lines in length but was widely regarded as bad legislation that criminalized many activities in the cyber community. Today the state of Georgia has no state laws prohibiting hacking. With a new governor taking office this year our legislators are sure to reintroduce similar legislature in next years session.
This panel of infosec practitioners, law enforcement, Georgia state legislators and legal experts will discuss the need for legislation, the issues created by SB-315 and how to reconcile the two.
Panelists: Georgia State Legislator Jodi Lott, BSides National Founder Jack Daniels, Security Practitioner Jake Williams, Lawyer Liz Elisabeth Wharton, Law Enforcement TBA
hosted by John Nixon, COO ClearedJobs.Net – Finding the Right Code to Build Your Resume
There are plenty of ways to build your resume, but are you burying the key parts of your skills and experience so that recruiters can find you? This recruiter panel discussion will share the key things that recruiters are looking for in your resume so that you will stand out and to help you get to the next step which is an interview.