Talk Abstracts
Logs Out: An IR Mystery - LitMoose
Opening Keynote
Join us for an afternoon whodunit – an environment has been murdered and the logs have a secret to tell. You have been invited to the conference room, a few will get a gift from a Mr. Admin, and you all have something in common. Was it Mrs. Peacock in the DC with the reverse shell? Or maybe Colonel Mustard in the ESXi cluster with vCenter creds? Help solve the mystery before it’s too late, and the auditors arrive!
The Fight For the Future - Dave Kennedy
Closing Keynote
Cybersecurity continues to expand, mature, and find its own way. This talk will dive into what we all can do to shape this industry, make it our own, and make a difference in making the world a safer place. We’ll dive into the struggles in technological solutions with crafty adversaries and ease of tooling and weaponization as well as what we can do to combat various threats. This talk will go into how past, present, and future generations contribute to the success of this industry and how working together we can make a huge difference in what future generations look like. With technological progression moving at a rapid rate – newer technologies taking form, our roles will only expand to the defense of civilization and well-being. This industry is truly in a unique spot in history, and we can all play a role in how it turns out for the positive. This will, of course, be Back to the Future themed with many references to hoverboards, DeLoreans, and flux capacitors.
Defending Beyond Defense - Catherine Ullman
Assumptions burn defenders every day. Perhaps the most pernicious one is that systems and their controls will always work as designed. Best practices in security may be good guidelines, but unfortunately also suffer from these same blind spots. For example, best practice recommends the use of LAPS for local administrator account passwords of domain-joined computers, yet misconfiguration of Active Directory can turn it from a protective control into a vulnerability.
But what if there was a way to challenge these assumptions up front? The best way to dismantle these types of assumptions is to experience how deeply flawed they are. There is no better way to gain first-hand experience into this perspective than immersion in the offensive security space. In this talk we'll explore how to immerse yourself in the offensive security world to obtain this knowledge without needing to change careers or obtain additional certifications.
By being more informed about offensive security, defenders are better able to recognize relevant intel, understand existing threats, and more readily discover attacker behavior. Join me as I discuss how there's more to defending than just defense, and how you can find and engage with the amazing resources that are out there waiting to be explored.
Click Here to End the World - Johnathan Rogers
A new week, a new vulnerability – or at least that’s the way it seems to go. With every new vulnerability we cybersecurity professionals are told that the sky is beginning to fall and shortly all of cyberspace will come to an end. As it was for Chicken Little though, so it is for us, and we continue forward holding our breath waiting for the end to come. Here we are, stuck in this cycle bouncing from vulnerability to vulnerability with a constant headache.
The question becomes: how do we deal with the constant pressure of this cycle? How do we reasonably handle vulnerabilities without losing our minds? In this talk we will talk about how one can avoid getting stuck in the loop of this vulnerability hype cycle and how we can maintain a reasonable mindset while dealing with so many vulnerabilities. What are the things we should look at to determine if a vulnerability is all noise or if it is something to be concerned with? At the end of this talk listeners will be equipped to better handle vulnerabilities without getting caught in hype and hopefully have some sanity left.
The Dog Was the Mastermind - Wolfgang Goerlich
It’s a mystery. Everything seemed to be going fine. We finally had enough budget and we actually had the right people. But then, for some seemingly unexplained reason, the project went off the rails. Sure, there were clues. People had their pet theories. Maybe we’re not ready for identity and access management or mature privileged management. Perhaps zero trust architectures are all smoke and mirrors.
Some thought the hiring manager was clueless, or the CISO tone deaf. The trouble is, without solving the puzzle, we know we’re simply going to find ourselves in the same unexpected and unexplained situation. This session will present five mysteries and ask you, the Circle City Con audience, to find the villain.
We’ll conclude with a framework for avoiding the crime of unsuccessful projects. Pull out your magnifying glass and get ready. You don’t need to have a name like Hercule Poirot or Benoit Blanc or Sherlock Holmes to get better at solving the mystery of cybersecurity failures. Here are the clues you can look out for.
What is a firewall? Understanding common security tools and concepts - Zach Raizen
The goal of the presentation is to focus on "raising the bar" for everyone around concepts and tools that are standard within the information security field. I want to ensure that even less technical security teams and business teams understand what is being referred to when IT or Security mentions they are using these tools and what the key benefits and limitations are. By broadening the understanding of these, I think it helps us all work together to develop even stronger security solutions and identify solutions which don't inhibit necessary functions.
We all use firewalls, VPNs, antimalware solutions, WiFi, cloud services, and IoT devices as a part of our everyday lives, either knowing about them or not. There is a lot of misleading information out there on what will keep you safe, and instead of busting myths, I want to educate people on the strengths and limitations of these solutions so they know what to look for and how to gauge the level of protection they may need or get, based on their own risks.
When management asks you: “Do you accept Agile as your lord and savior?” - Daniel Lagos
So you’ve been told that your organization is going to implement Agile methodologies across ALL of IT, and not just in development. And you’ve been given the responsibility to implement it in Security Operations, and without a clear plan or measurable objectives other than “make the team more efficient”.
While one can complain that someone in the C-Suite heard of the book “Scrum: The Art of Doing Twice the Work in Half the Time”, you still have a job to do. So the basics of Project Management, Agile, Scrum & Kanban are covered and how one can shoehorn these concepts into working in an operations context. Oh, and there will also be some finagling of where DevOps stands regarding Agile and Operations.
Will the Real Zero-Trust Please Stand Up - Chris Griffin
The OSSTMM (Open Source Security Testing Methodology Manual), created in 2001, has become a name in Compliance and Security methodologies.
The OSSTMM is referenced in many security books, by NIST and even included in PCI's penetration testing guidelines among many other sources.
This talk will give a short intro to the OSSTMM for anyone unfamiliar with it but then break out into Trust (a vulnerability) and how to apply (the OSSTMM 10) controls relating to it.
While it is impossible to educate someone on the whole methodology in 30 minutes or even a whole day, this will be set to pique interest and spark creative thought.
Going Undercover in the Underground - A Practical Guide on How to Safely Infiltrate and Engage - Michael-Angelo Zummo
The dark web is filled with threat actors planning nefarious crimes. Cybersecurity professionals know that threat hunting in these underground environments is necessary, but they don’t know the most crucial step to beginning the process. ‘How do you access the deep and dark web?’ and ‘How do you gain a threat actor’s trust?’ These are the most commonly asked questions of cybersecurity professionals preparing a proactive threat hunt.
The Pillars of Protection: Fundamental Ways to Protect Organizations Against Cybercrime - Erich Kron
There are a lot of great tools available for cybersecurity defense, however far too often organizations find themselves adding new tools and products without ensuring that the foundational principles of cybersecurity are in place and can bear the load. Without strong pillars to stack these tools on, it becomes far too easy for it all to come crashing down.
In this session, we will look at the underlying base of cybersecurity principles that can help support the other tools in place to help secure organizations. From auditing permissions to segmentation of the network, we will better understand why these things mean so much to keeping an organization secure.
Securing your Azure Cloud: Secrets from a Cloud Penetration Tester - Edwin David
Is your Enterprise in the Azure Cloud? Has it ever had a penetration test? It’s time to get some answers on problems that are lurking in the cloud and what you can do to protect your cloud assets from attackers. If your cloud has never had a penetration test and you are a blue team defender, you will not want to miss this talk. This talk will encompass common attack vectors that are used to gain a foothold into Azure and escalate privileges.
Open Season - Setting Up Structured Threat Hunting - Nathan Apperson & Chris Martinez
Threat Hunting has been around for about the past 8 years, but there has been very little documentation on how to get started tracking, managing, and reporting hunts in a structured manner. In this session attendees will learn how to get started with tracking and managing threat hunts in a structured manner using common tools within the Microsoft O365 realm, and also learn how to document hunts with Obsidian.
Stop Committing Your Secrets - Git Hooks To The Rescue - Dwayne McDaniel
No one wants their keys, passwords, and other secrets exposed. Most devs are familiar with using .env and .gitignore files to help prevent Git from tracking specific files and folders. But did you know that you can leverage Git hooks, and some open source awesomeness, to keep from accidentally committing your secrets in the first place? Walk away from this session with some concrete actions you and your devs can take to make sure no secrets make it into your shared hosted repos ever again! But that is just the start. If you are not actively using Git hooks in your workflows, then this talk is for you. Let's look into the .git folder and unlock a whole world of automation possibilities!
How Purple Teaming & subsequent Threat Index Evaluation can boost up the confidence of a CISO? - Rupali Narang
- Performing a full-circle purple team.
- Orchestrated attacks.
- Evaluate existing security technologies/tools (viz. web gateway, perimeter firewalls, micro-segmentation controls, EDR, XDR).
- Attacks mapped to the MITRE framework.
- Risk prioritization for failed attacks.
- Identify the gaps (viz. lateral movements, incomplete logs).
- Your industry Threat Index exposure.
- Fixing the identified gaps.
- Closing the purple-team circle by re-running the earlier failed attacks.
Zero to Senior in Five Years: How a Taco Changed My Career including Tips, Tricks, and Unsolicited Advice - Tyler Uffelman
Are you new to cyber security or considering a career in cyber security? Looking for advice on how to break into the field or how to advance your career? Then this is the talk for you! Come learn about my experience and how Circle City Con helped me.
Myths and Lies in Infosec - Adrian Sanabria
In InfoSec, many closely held beliefs, commonly accepted best practices, and accepted ‘facts’ are just wrong. These myths and lies spread quickly. Collectively, they can point security teams in the wrong direction. They can give rise to ineffective products. They often make their way into legitimate research, clouding results.

> "Sixty percent of small businesses close within 6 months of being hacked."

There's a good chance you've seen this stat before. It has no basis in reality. The available evidence suggests quite the opposite.

> "Attackers only need to get it right once, defenders have to get it right every single time."

This idea has been repeated so often in InfoSec that it has become generally accepted as a true statement. It isn't just wrong, it's demotivating and encourages defeatist thinking that can sink the morale of a security team.

Most of the myths and lies in InfoSec take hold because they *seem* correct, or *sound* logical. Similar cognitive biases make it possible for even the most preposterous conspiracy theories to become commonly accepted in some groups. This is a talk about the importance of critical thinking and checking sources in InfoSec. Our industry is relatively new and constantly changing. Too often, we operate more off faith and hope than fact or results. Exhausted and overworked defenders often don't have the time to seek direct evidence for claims, question sources, or test theories for themselves.

This talk compiles some of the most interesting research I’ve done over the past decade. My goal is to convince you to treat vendor claims, commonly accepted industry statistics, and best practices with healthy skepticism. You don't need to be a data scientist or OSINT expert to test theories and discover the truth - you just need to sacrifice a bit of your time now and then. I'll show you how.
Bride of Pod People: An Analysis of a WordPress-Targeting Spam SEO Campaign - Courtney Falk
Bride of Pod People is a spam search-engine optimization campaign that targets WordPress sites. The spammers use credential-based attacks to steal existing users’ accounts in order to post spam links, driving web traffic to affiliate advertising networks. This paper documents the current indicators that identify the Bride of Pod People campaign and analyzes how the spam links and redirection operate together.
A World Without Passwords - Andy Jaw
A world without passwords is possible. Password attacks and MFA phishing attacks are on the rise. In this presentation, we'll talk about why we should get rid of passwords, the various configurations for passwordless solutions available to Windows and Azure Active Directory, and how easy it is to get started. We'll go through how to deploy Windows Hello for Business in both cloud and hybrid configurations. We will also discuss how to implement passwordless authentication and phish-resistant MFA with Azure Active Directory for Microsoft 365 and Azure AD federated applications.
Navigating Negotiation - Tina Shakour
Negotiation: a difficult practice for many, especially women and minorities, or folks early in their career. Along the arc of my career, I have learned much about negotiation through trial and error. In this session, I'll share some of the core concepts I've learned and use to coach people at all stages of their career on how to get what they want: salary, projects, resources, and funding.
Career Pivoting: Becoming a Security Specialist - Tina Shakour
“There is nothing permanent except change.” So claimed the Greek philosopher Heraclitus back in 500 BCE. Was he speaking specifically about pivoting into a career as a security specialist? Hmm. We will never know. I started my career as a very technical person, which over time shifted into product marketing, which then became speech writing for executives. (How on earth did this happen? A story for another day.) So I had to make a very conscious decision to pivot back to a technical role, interacting directly with customers. As a woman in tech, there have been some barriers and challenges, and I will share with you methods and mechanisms I used to gain my end goal. It’s a session Heraclitus would give five stars.
Old Services, New Tricks: Cloud Metadata Abuse by Threat Actors - Nader Zaveri
Mandiant (now part of Google Cloud) has identified exploitation of public-facing web applications by threat actors (UNC2903) to harvest and abuse credentials using Amazon’s Instance Metadata Service (IMDS). Although the threat actor specifically targeted Amazon Web Services (AWS) environments, many other cloud platforms offer similar metadata services that could be at risk of similar attacks. Related threat actor motives and operations are gaining prominence as enterprises continue their migration to cloud hosting services. Mandiant has tracked access attempts by the threat actors to access S3 buckets and additional cloud resources using the stolen credentials.

This presentation covers how threat actors performed the exploitation and IMDS abuse, as well as related security hardening guidance on how to detect, remediate, and prevent this type of instance metadata abuse in an organization’s environment. As part of this presentation, we will walk through a demo of the web application that was abused and show how easy it is to obtain credentials if the organization is using the legacy version of IMDS. Then, we will show how, by performing the remediation techniques mentioned in the presentation, the organization will be able to block such credential harvesting methods via the instance metadata service.