KEYNOTE

David Kennedy (@HackingDave)

Founder, Senior Principal Security Consultant of Trusted Sec / Chief Hacking Officer of Binary Defense

Dave is the founder of TrustedSec and Binary Defense Systems. Both organizations focus on the betterment of the security industry from an offense and a defense perspective. David also serves as a board of director for the ISC2 organization. David was the former CSO for a Diebold Incorporated where he ran the entire INFOSEC program. David is a co-author of the book “Metasploit: The Penetration Testers Guide”, the creator of the Social-Engineer Toolkit (SET), Artillery, and several popular open source tools. David has been interviewed by several news organizations including CNN, Fox News, MSNBC, CNBC, Katie Couric, and BBC World News. David is the co-host of the social-engineer podcast and on several additional podcasts. David has testified in front of Congress on two occasions on the security around government websites. David is one of the founding authors of the Penetration Testing Execution Standard (PTES); a framework designed to fix the penetration testing industry. David is the co-founder of DerbyCon, a large-scale conference in Louisville, Kentucky. Prior to the private sector, David worked for the United States Marine Corps and deployed to Iraq twice for intelligence related missions.

SPEAKERS

 

David Maynor (@Dave_Maynor) and Danny Adamitis (@dadamitis)

Two Notify All

Inside of the Cisco Talos Threat Intelligence group is a team of dedicated research engineers that have a dual mission: sharing threat information with external partners and proactively hunting adversaries. In the last year, Talos has investigated several high impact campaigns in the public domain such as. Nyteya, VPNFilter, and Olympic Destroyer. While you might have heard talks about these prominent investigations, this talk will focus on our daily operations and several of the lesser know investigations. We will outline how new campaigns were discovered, funny anecdotes, mistakes made along the way and uncomfortable truths about the business. This talk is the behind the scenes look at the people, politics, and drama of threat intelligence at a global scale.

Chris Sanders (@chrissanders88)

Choice Architecture for Security Practitioners

The security of a device or network often hinges on a single choice made by a non-technical user. This could be the choice to click a button to enable macros in a word document, the choice to enable flash on a page in chrome, or the choice to execute an attachment sent over e-mail. Each of these choices was designed for the user, in part, by a security practitioner. In this talk, we’ll examine the concept of choice architecture and the delicate balance that exists between allowing users to make choices that benefit them while also nudging them in a direction that keeps them from unwittingly unleashing disaster. We’ll go through several practical examples of common choices users make that have security implications and discuss a framework for architecting software and websites in a way that better aligns choices with security best practices. You’ll walk away from this presentation with a greater awareness of how security practitioners influence and impact user behavior.

Chris Truncer (@ChrisTruncer)

Isolated to Constrained Language Mode: Living within the Confines

WMI has recently been publicized for its offensive use cases. Attackers, and now red teams, are discovering how powerful WMI can be when used beyond its original intent. Even with the recent surge in WMI use, not everyone knows how to interact with it. This workshop intends to showcase how you can leverage WMI on assessments to do nearly anything you would want to do in a post-exploitation scenario. Want to read files, perform a directory listing, detect active user accounts, run commands (and receive their output), download/upload files, and do all of the above (plus more) remotely? The goal for this workshop will be to enable students to walk away with an understanding of how WMI, a service installed and enabled by default since Windows 2000, is utilized by attackers, demystify interacting with the service locally and remotely, and give students the ability to leverage WMI in the same manner as attackers.

Josh Brower (@DefensiveDepth)

Live Interrogation With Osquery

Osquery is an open source endpoint visibility tool that allows you to query your system as if it is a relational database. We will introduce osquery, and then demonstrate how to use it to interrogate a suspect system. The focus will be on abnormal process attributes as well as common persistence techniques.

Jake Williams (@malwarejake)

ABRACADABRA – make your breach reporting woes disappear!

In today’s environment where there’s a new breach announced in the media on a daily basis, there is no way to truly understand how much the response costs. Because no central standard exists for what can and cannot be included in breach costs, organizations are free to put anything and everything they deem related into the final balance reported to the public. We introduce the ABRACADABRA framework to remedy this and standardize breach cost reporting. In this session, Jake will introduce the framework. He’ll also walk through real world (ridiculous) costs that organizations have tried (and succeeded) in reporting as breach related, highlighting why the framework is needed in the first place and what compliance with ABRACADABRA will mean for the industry.

ABRACADABRA stands for:
Acceptable
Best (practices for)
Reporting &
Accounting
Costs
Accrued
Dispensing of the
Adversary and
Breach
Reporting
Activities

Adam Mathis (@ch41_)

Comparing apples to Apple

Many defenders have hard fought experience finding evil on Windows systems, but stare blankly when handed a Mac. You know all the ways PowerShell can own a box, but how about AppleScript? You know all the Run keys by heart, but where would you find rogue kernel extensions? This practical talk will give defenders a primer in finding adversarial activity on macOS using the TTPs they know and love from other platforms as a reference point.

Justin Kohler & Patrick Perry (@_p_value_)

Objectively Measuring Hunt Value

Working with many customers and lots of data on a network security monitoring platform inevitably leads to the question, “how can I start to track my network hunting activities?” or‚ how can I tie back my hunting outcomes to real impacts for the organization?‚ DFIR personnel invest lots of time in hunting today and threat hunting programs are encouraged as part of a mature and successful CIRT. However, management is looking for the‚ so what‚ or metrics to demonstrate the value of threat hunting in real terms. After all, threat hunting involves dedicating man-hours from highly skilled professionals – a big investment for enterprises. Therefore, it is natural to want to collect data to drive decisions. How do you know if a hunt is worthwhile? Are you wasting your time? What could I do to become a more efficient hunter? There is plenty of information on suggested metrics to collect to start answering these questions but there is a lack of direction how this can be done in an operational workflow. In this presentation, we will demonstrate how to operationally track and report on hunt outcomes that have helped our customers demonstrate value from threat hunting operations.

Bryson Bort (@brysonbort)

Hack the Planet

Howdy Neighbor, a model smart house will be used to visually demonstrate to the audience how multiple interactive smart home products, including webcams, smoke detectors, power meters, HVAC systems, smart ovens and refrigerators, video game consoles, smart TVs, toasters, coffee makers, locks, and light bulbs (etc.), can be hijacked by attackers of various skill level to expose real-world vulnerabilities. This will provide attendees a great way to learn about common oversights made in development, configuration, and setup of IoT devices. More than just showing folks how your Nest smart thermostat can take over your home, we created Howdy Neighbor to actually demonstrate the problem and raise awareness to help train conference-goers. To do that, it had to be realistic. So Howdy Neighbor is a miniature homemade to be from kitchen to garage. It’s a test-bed for reverse engineering and hacking distinct consumer-focused smart devices, and to understand how the (in)security of individual devices can impact the safety of your home, and ultimately your family.

I will demonstrate how to build a mass attack campaign to take over thousands of devices at the same time, then how to automatically pivot through the local network to steal PII and financial information.

Ray Davidson (@raydavidson)

Creating a Volunteer Cyber Department: Dispatches from the Back Office

In 2013, the State of Michigan created a public-private partnership to leverage information security resources in the state. The stated goal was to create a cadre of volunteers to assist the state in responding to cyber-emergencies. To date, there have not been incidents which have justified mobilization of the force, and the scope of the force is being expanded to include assistance to the local/regional government, educational and health/medical organizations. Experienced professionals will read the previous sentence and have many questions of a theoretical and practical nature. The goal of this presentation is to answer as many of those as possible from our experience and to collaborate with attendees to come up with additional answers which can be used to raise the security culture in other states.

Don Murdoch 

Skill Sharpening @ the CyberRange: Developing the next generation Blue Team

How do you gain defender skills? Do you know exactly how the offense should inform defense? Are you learning on the job in the heat of the moment? How to you measure outcomes and ensure success? Blue Team Cyber Operations skill development depends on reusable, repeatable, and measurable scenarios that reflect complex networks to pit the blue team against a modern attacker. It isn’t enough to take a class and run through a lab. Attackers and Red Teams have dozens of options (including your network), and so does the Blue Team. On a Cyber Range can get you there, but it’s much more than a few virtual machines. It’s about achieving a real outcome: a trained operator, armed with tools, techniques, and practices that so they can get in the hunt. This presentation will introduce you to a modern range, survey best of breed tools and capabilities, and highlight how a range can support skill development for the Blue Team operator.

Wes Widner (@kai5263499)

The sound of evil

Our ears are the original nexus of information security. The environments we’re in are constantly streaming valuable information to us. All we have to do is listen properly. “Let he who has ears” and all that. Join me as we explore the fascinating world of audio security.

We’ll cover:
* some meta information about audio
* the basics of digital signal processing
* the fascinatingly complex world of determining what “silence” means
* modern machine learning approaches to sound event detection
* attacks on audio interfaces like Alexa

I’ll end with a practical audio security system using open source components that you can use to create your own custom audio security system

Tim Crothers (@soinull)

Leveraging Deception Techniques for Strong Detection

Breaches are occurring at an ever increasing rate which seems to amply demonstrate that many attackers know how to evade our typical prevention and detection technologies otherwise the breaches wouldn’t have occurred. In this talk, we’ll cover several ways of leveraging deception techniques that are both difficult for an adversary to detect and, more importantly, evade. The bonus is that the techniques won’t break the bank (i.e. free) and are accessible to organizations of any size.

Michael Wylie (TheMikeWylie)

*The Costly Mistakes of Being Unprepared*

Atlanta spent millions to clean up the Ransomware attack earlier this year. Could the city have been better prepared? Would the damage have been so crippling? Lack of resources often lead to gaps in security posture leading to costly and inconclusive incident response ventures.
This talk will use the recent Atlanta ransomware incident and how the city responded to it. We will use Atlanta as a case study in examining the costly mistakes of being underprepared.
The goal of this presentation is to provide insight to IT and organizational decision makers of the incident response process, costs, outcome, and how preparing can prevent costly IR ventures.
This talk will cover the following topics:
• The Atlanta ransomware incident and timeline
• Incident Response process
• The true costs of being underprepared

Leo Pate (@ltpate3)

A Legend Has Arisen: How to use XXE to your Advantage in any Environment

In 2017, XML External Entities (XXE) saw its first appearance on the OWASP top 10 at number four. It has taken 5+ years for organizations (and L33T hackers) to realize how important (and simple) it is to exploit XXE vulnerabilities. This talk will focus on teaching the ins and outs of XXE, the unveiling of a custom tool, and how Blue, Red, and Purple teams can use our tool, and XXE, as an advantage in their organizations.

Martin Holste (@mcholste)

An Anatomy Of A Cloud Hack: Detecting And Responding To Adversaries In The Cloud

In most ways, the public cloud is more secure than a traditional data center. Asset management, inventory, audit logging, two-factor access controls, connectivity redundancy, and firewalls are built-in to the cloud provider platform. And yet, assets on public cloud are compromised just as those in traditional data centers. Mandiant estimates that fifteen percent of all of its incident response involves public cloud assets. If the cloud is more secure, why is it still getting hacked? This presentation will describe cloud threats learned from incident response and how they can be mitigated using traditional and emerging approaches by delving into the anatomy of a cloud compromise. It will provide a look at critical controls for securing IaaS, SaaS, and PaaS implementations against advanced threat actors and some questions to help assess your organization’s current level of cloud security.

Brice Self (@B__Selfless)

Breaking into Banks Like a Boss

Is your money safe? Are the movies real? Can you dodge lasers, sneak through vents, and dress in disguise to steal millions of dollars? Yes. Yes, you can. Let me show you how broke into banks with billions of dollars on the line through social engineering and bypassing physical security.

Paul Melson(@pmelson)

Hunting APTs and Script Kiddies with Beer Money

The assumption that threat hunting is an expensive, time-consuming activity reserved for enterprise organizations and threat researchers is not completely accurate. In June of 2017, I bought a Pastebin account and began hunting malware staged on their platform. For [far] less than I spend on beer in a year, and with just a little Python, I learned all sorts of stuff about threat actors at all levels. In this talk, I will share how I did this and some of the interesting things I learned along the way.

Ryan Wilson (@SpotlightCybsec)

OpenWRT + cheap routers = Cheap, customized security sensors & training devices

OpenWRT is a popular embedded Linux distribution designed for use on those wireless routers typically used by consumers and small businesses to get online. These routers typically come with a stock firmware that has minimal capabilities, but under the hood, they are very capable devices that can be unlocked with custom firmware. Enter OpenWRT to make this easier to accomplish! There are many uses for these from setting up cheap training networks (for example, to test cracking wireless security) to establishing network monitoring and interception points (for example, a cheap network tap). The presenter will present some use cases and do a quick walk-through about how to set one up.

Matthew Batten (@SleepZ3R0) & Collyn Hartley (@HA12TL3Y)

Movement After Initial Compromise

Once a system is compromised there are many avenues to consider. It brings up a lot of questions. Who am I on this network? Where am I in this network? Can I move to another system with my current permissions? Can I privilege escalate on my current system? We are going to go over enumeration utilizing living off the land techniques and on tools that an attacker can use for enumeration. Examples of some tools that we will go over for enumeration are SharpHound, Powersploit’s collection of Microsoft Powershell modules and others.

We will then go into what is Port Forwarding and why it is useful. Then we will show several ways to execute Port Forwarding. We will have video examples for utilizing SOCKS in Cobalt Strike and SSH port forwarding techniques. Once enumeration is done we will go over how to move to another system on the network. We will provide multiple examples such as; WMIC, Psexec, AT, Schtasks, WINrm, Remote Registry, DCOM, Multi-relay, SMB-relay. Screenshot and videos will be provided during the talk. The last part we will go over is how to detect or attempt to protect against these techniques that attackers implement.

Robert Wilson (@frcolumba)

Windows Event Forwarding and OSSEC – You can do this!

Most organizations in the United States are small, and many can’t afford MSSP’s or SIEM solutions. In some cases there may be only one administrator for a small business and they want to take additional steps to secure their organization. Using native windows tools and the open source HIDS OSSEC, we will cover setting up Windows event forwarding to a collection server, customizing OSSEC for a modern windows environment, and tuning rules to gain client visibility. We will then look at using OSSEC for detecting current techniques like AppLocker bypasses, PowerShell logging, and modern Windows tools like Defender Controlled Folder Access Blocking and Network Protection. All of this will cost you nothing other than using your brain, some virtual machines, and whatever hardware you need – which you probably already have.

Michael Nowatkowski, Eric Kilgore, Nick Wylds, and Thomas Gordon

Reverse Hardware Engineering

Hardware hacking, or hardware reverse engineering, is the process of extracting information from hardware, such as firmware, instruction sets, and configuration information. We will discuss processes and tools to help people to start investigating hardware systems. The variety of tools and techniques is overwhelming and there is a lack of material and resources geared towards someone new to the field. During this talk, we will describe basic hardware hacking processes, techniques, and tools using common devices found at a local electronics store (routers, extenders, etc). The purpose of this presentation is to give an entry-level hardware enthusiast a beginner guide to understanding the uses and capabilities of these tools along with a basic understanding of how to access hardware serial connections

Josh Rykowski (@ryko212) & Sean Eyre (@oni_49)

Armadillo: A layered approach to portable security

Traveling is an inherently stressful endeavor and trying to maintain a secure computing environment while traveling seems like an impossible task. In our talk, we introduce a physically small, cheap, and portable security stack. This stack provides an environment with consistent structure and services while allowing users to easily plug-and-play new client devices. It has a small form-factor which is easy to move, making it ideal for travel, and can easily be expanded with new services. The aim of Armadillo is to make security on the go easy, even while using filthy and dirty hotel Wi-Fi, all while providing the user with access to the services they rely on.

Mike Opacity

Credentials so good you’d use them again…. Cred stuffing for fun and profit…

After a web breach, billions of credentials are discovered in the wild. What happens to them? How are they being misused for profit and how is the actual reuse accomplished? This talk will discuss how it is done, what tools are out there and the monetization currently being seen in the wild.

Prashant Anantharaman (@parsingpunisher) & Rebecca “.bx” Shapiro (@bxsays)

Ghost Busters: A Tale of Spectre, ELF ABI, and Computational Privilege

In this talk, we describe ELF-based access control (ELFbac) and how it can naturally mitigate Spectre (variant 1). ELFbac is a novel technique for defining and enforcing policy at an intra-process granularity. Its mechanisms allow us to isolate semantically distinct code and data by placing them in separate ELF sections. This isolation can be used to effectively “hide” sensitive data from code that handles untrusted inputs. ELFbac leverages the ABI format and the forgotten capabilities of the ELF loader as first-order security primitives.

Brian Hysell (@BrianHysell)

Pentesting Modern Web Apps: A Primer

Most learning materials for web app pentesting focus on “old school” apps. Maybe they have a little jQuery sprinkled in, but most of the heavy-lifting happens server-side. With the dawn of frontend frameworks like AngularJS, Vue, and React and Single-Page Applications, the way web apps are developed is changing, and pentesters need to keep up. This talk runs through common security issues with and approaches to testing these new apps.

Joe Pilkington (@_Pilk_)

Purple Reign: Elevate Your Analysts, Build Your Playbook

Purple teaming is all the rage right now and has proven to be a very effective mechanism for building and strengthening defenses. While purple teaming generally involves the emulation of adversary techniques to develop detection techniques and analytics to counter them, purple teaming can provide teams so much more. I’ll address the much broader benefits purple teaming provides teams, including its role in analyst development, and developing living playbooks through updated information on attack trends and emerging threats. Purple teaming is a vastly underutilized approach that can augment capabilities, defenses, and teamwork without requiring a ton of external resources.

In addition to the advanced detection benefits, purple teaming also helps analysts better understand attack trends and emerging threats. Analysts who participate in purple team exercises, and leverage a framework such as MITRE, are more likely to develop a better understanding of techniques and be more prepared to identify them during regular threat detection workflows. In many ways, this epitomizes the notion of “train how you fight”, and prepares analysts for a range of scenarios because they have already experienced them. Second, purple teaming helps build a living playbook that evolves in sync with the changing threats. Through purple teaming, the team gains a better understanding of the manual analytic processes needed to identify some techniques, as opposed to the automated detections that need to be triaged when they are triggered. Finally, lower tier analysts often are not involved in purple teaming, and so teams miss out on a great opportunity to develop these analysts within a collaborative and information-rich environment. Each of these areas will be discussed in detail, along with some real-world examples, to demonstrate the broad benefits of purple teaming well beyond building new detections.

PANELS

hosted by Mark Baggett (@MarkBaggett) – Georgia Senate Bill 315 and the Future

This year Georgia’s proposed cyber law SB-315 passed the state legislature with wide support before being vetoed by the Governor. The proposed legislation was only 43 lines in length but was widely regarded as bad legislation that criminalized many activities in the cyber community. Today the state of Georgia has no state laws prohibiting hacking. With a new governor taking office this year our legislators are sure to reintroduce similar legislature in next years session.

This panel of infosec practitioners, law enforcement, Georgia state legislators and legal experts will discuss the need for legislation, the issues created by SB-315 and how to reconcile the two.

Panelists: Georgia State Legislator Jodi Lott, BSides National Founder Jack Daniels, Security Practitioner Jake Williams, Lawyer Liz Elisabeth Wharton, Law Enforcement TBA