Talks


speakers & abstracts

C | Whose Job is it anyway? Opening Keynote | Amélie Koran
C | PKI - Avoiding Common Pitfalls | Rick Davis
B | Personal Privacy in an OSINT World | Tina Shakour
C | Log4j Vulnerability: Emulation and Detection | Brandon DeVault
C | After These Messages: Taking Security Awareness off the Air | Wolfgang Goerlich
B | Keys to Staying Hidden: Defense Evasion with Windows Registry | Ryan Thompson
B | The Case for Outcome-Based Cybersecurity | Kevin Jackson
C | Applying the Theory of Constraints to Security Operations Centers | Kurt Waller
C | Minimum Viable AppSec | Justin Spencer
B | A Day in the Life of a Threat Hunter | Tyler Uffelman
C | Intro to IoT Hacking | Doug Kras
C | Password Attacks to Take Over the World | Woland
C | Whatever Happened Last Time, It Wasn't A Penetration Test | Joseph Sarkisian
C | A Golden Ticket to the Cloud | Nader Zaveri
B | Emulating Adversaries for Auditors and the Business | Alex Martirosyan
B | Don’t Drown IR! Combatting the Dangers of Alert Fatigue. | Caitlin Kiska
B | We're not from the government, but we're here to help them help you | Ray Davidson
B | EHLO is that you? | Catherine Ullman
C | Hackers are Neither Created Nor Destroyed - Closing Keynote | Jeff Man
B | Digital Desire: A Brief History of Cyber Sex | Stefani Goerlich
C | "Let's See Who You Really Are!" The Mystery of the QR Code | Meag Lees

Whose Job is it anyway – opening keynote

Speaker: Amélie Koran

“Where the takes are hot, and the points really don’t matter.”

DEFCON turned 30 this year, many local security conferences have started counting a tens digit in their “versions”, and most of the “old guard”, as it were, are living up to that moniker with all the ailments that somebody “who’s been around a bit” and “seen things” has to deal with. It’s what Indiana Jones said: “it’s not the years, honey, it’s the mileage”. But how have things gotten better, and how have they gotten worse, in this passion project we call our careers in security?!

The skills needed to defend networks and systems have changed slightly, but the volume of need for those skills has increased. The sophistication of attackers has not only increased but also broadened, in the source of attacks as well as in the targeting of what they want to steal or disrupt. Society’s insatiable demand for technology and the services built on top of it has complicated securing and managing those solutions, and internationally, the public and private sectors struggle to make sense of which problems to tackle.

What does the future entail for us, our mentors, our mentees, families, peers, friends, and the rest of our communities when we are still moving quickly and head first into a place that requires more of us, but we can’t scale to meet the demand? Are we ready to give up and Leroy Jenkins the whole thing, or is there a way to break down these challenges into something that we can maybe address, like space travel in the latter part of the 20th Century?

PKI – Avoiding Common Pitfalls

Speaker: Rick Davis

Rick Davis is currently a Senior Customer Engineer at Microsoft focusing on Cybersecurity. With over 20 years in the field he has worked in all industry verticals including the public, private and federal sectors, in roles ranging from architecture to red team, as well as adjunct professor and guest lecturer in the areas of statistics, number theory and cryptanalysis. In addition to proactively working with customers to deploy security tools, train staff and better defend their environments, Rick works with Microsoft’s global Incident Response team responding to some of the largest threats, ransomware outbreaks and other cybersecurity events. He is a subject matter expert on key technologies such as PKI, Active Directory and the Microsoft Defender ecosystem.

This session will explore the most common security and implementation problems and misconfigurations with ADCS (PKI). We will discuss the impact of issues, how to avoid them and what can happen if they are not addressed.

Personal Privacy in an OSINT World

Speaker: Tina Shakour

Tina has over 20 years in the tech world and has been in sales, executive, and engineering roles. With a career that started in IT and Network Engineering, she now helps customers migrate to the cloud quickly and securely. She volunteers with the US Department of State program TechWomen and coaches folks on how to gain a foothold or pivot into a career in tech. She is a contestant and judge for the TraceLabs OSINT Global Search Parties to help find missing persons. She is also currently a member of the staff on the Republic of Hackers.

OSINT (Open Source Intelligence) means folks can find out a lot about you – fast. Our data is breached, leaked, and sold on the daily. Bad actors use this data to “swat” and bully individuals – or worse. What can you do to help protect yourself and mitigate some of the risks of our digital world?

In this talk you will learn about a few of the key OSINT sites out there and just what they know of you, along with key takeaways on how to monitor your digital footprint, and reduce what is known about you.

Log4j Vulnerability: Emulation and Detection

Speaker: Brandon DeVault

Brandon DeVault is a Sr. Security Author focusing on general blue team operations, incident response, and threat hunting at Pluralsight. He is also a member of the Florida Air National Guard and works as a threat hunter on a Mission Defense Team (MDT) defending North America’s air tracks. Prior to joining Pluralsight, Brandon worked with Elastic as an Education Architect creating and delivering security content. He also worked with Special Operations Command, where he had two deployments to Afghanistan on deployable communications teams. His experience spans satellite communications, radio technologies, and system and network administration. Brandon is also passionate about hardware hacking, soldering, and hiking, and currently holds the GCIA, GCED, and Elastic Engineering certifications.

Log4j? Log4Shell? I feel like I’ve heard those terms before… Perhaps you were so bogged down with remediation and incident response that you didn’t get the necessary time to research and understand the full scope of what happened.

In this hands-on talk, we’ll walk through how the vulnerability is exploited and what part it plays in the attack chain. You’ll have an opportunity to emulate the attack or follow along as I demonstrate the attack and various open-source detection methods.

This talk takes a purple team approach by discussing the defender’s and attacker’s infrastructure, attack execution, and how to analyze the traffic for identification and detection.

We’ll finish up by discussing the aftermath of attacks seen in the wild, current APT approaches to this vulnerability, and address any security concerns that remain.

“Let’s See Who You Really Are!” The Mystery of the QR Code

Speaker: Meag Lees

Are they the hot new threat, or is it just the same old phishing villain in disguise? From Coinbase and Halo to alerts from the FBI, QR codes are fast becoming daily news. This 30 minute talk dives into their configuration, uses, and a realistic look at the risks associated with them. We’ll also take a brief look at resources available for red teams and pentesters who want to incorporate generating malicious QR codes into projects, and realistic mitigation strategies blue teams and defenders can recommend.

Keys to Staying Hidden: Defense Evasion with Windows Registry

Speaker: Ryan Thompson

The Registry is a critical component of the Windows Operating System that is often misunderstood and even avoided by security professionals. Unfortunately, many adversaries are adept at leveraging the Registry to achieve a variety of objectives against their targets. In order to successfully defend against these attacks we must close this knowledge gap.

This presentation will demystify the Windows Registry and dive into the Registry modifications that State-nexus and eCrime actors leverage in interactive intrusion campaigns. The registry keys covered in this talk come from analysis of hands-on-keyboard commands issued by a range of adversaries during recent real-world intrusions, with a focus on Defense Evasion.

Attendees will leave with a stronger understanding of how the registry works, how attackers abuse it, and how to spot suspicious registry changes.

The Case for Outcome-Based Cybersecurity

Speaker: Kevin Jackson

The challenges faced by today’s cybersecurity practitioners are well documented. But with all due respect to the many experts who regularly cover the subject, the situation is worse than described. It’s not just that cybersecurity is extremely complex. It’s not just that compliance requirements and the cost of non-compliance both continually escalate. It’s not just that cybersecurity threats evolve at a breathtaking rate. And it’s not just that all of the above have to be managed with increasingly limited pools of cybersecurity personnel and constrained financial resources. The frightening truth is that all of these problems are simultaneously relevant.

Perhaps it’s time to take a page from other industries tasked with managing complex, multidimensional problems. Consider the design processes used to create the next major passenger aircraft. The plane’s engineers do not simply develop to the standards then hope for the best. Instead, they test extensively and collect data. Designs that fail must be improved or discarded.

Is the safety and security of our corporate information systems, our financial data, and our operational technology any less important?

What if there was a cybersecurity testbed, a worldwide collection of active cybersecurity programs, that could be leveraged to collect data on which cybersecurity approaches deliver positive results… and which approaches fail, and at what cost? Such a collection of active cybersecurity programs exists. Every organization with an email address or a website is a live testbed for what actually works in cybersecurity. The global collection of information-enabled organizations is, in effect, a “World-Wide Lab” of cyber strategies and outcomes. Tapping into this nascent data pool can give rise to outcome-based cybersecurity. The results of such a shift in the global cybersecurity landscape could produce outsized positive results and are therefore worth pursuing.

Digital Desire: A Brief History of Cyber Sex

Speaker: Stefani Goerlich

This historical retrospective will explore the evolution of erotic imagery from 7200 BCE until today. We will discuss the role that erotica has played in the development of technology as well as the way that technology has been used to foster connection, romance, and sexuality. In addition to a timeline-style discussion of erotica, we will discuss the sociological and psychological perspectives of cybersex and teledildonics. This session contains adult content, including photographs and video, and is not appropriate for attendees under 18.

Applying the Theory of Constraints to Security Operations Centers

Speaker: Kurt Waller

Operations Management (OM) is pivotal to the overall efficient operation of any system. A Security Operations Center is, if nothing else, a system. The Theory of Constraints (ToC) is a theory within OM that states, “The Theory of Constraints is a methodology for identifying the most important limiting factor (i.e., constraint) that stands in the way of achieving a goal and then systematically improving that constraint until it is no longer the limiting factor. In manufacturing, the constraint is often referred to as a bottleneck.” This talk aims to apply the ToC to SOCs in the hope of enabling a higher throughput of detections or other capacity gains for the overall system.

Minimum Viable AppSec

Speaker: Justin Spencer

Everyone wants to have a secure application, but few know how to get it. Consumers don’t know how to ask for security, developers don’t know how to build in security, and managers don’t know how to evaluate security. This talk fixes that. Based on the recent minimum software verification recommendations from NIST, you’ll learn what tools and processes to use, where to use them, and how to get started. By the end of this talk you’ll be able to evaluate how good your current AppSec program is and what’s missing from it, and you’ll have a plan to achieve Minimum Viable AppSec. This talk is for everyone.

A Golden Ticket to the Cloud

Speaker: Nader Zaveri

In a post-pandemic world, more and more organizations are moving to the cloud. Due to this rapid migration, we have also observed an influx of cloud-based breaches that we have been requested to investigate and respond to.

The SolarWinds threat actors introduced another novel method of gaining access to a cloud environment bypassing Federation Services in a technique dubbed the Golden SAML attack. Hope is not lost, though, because even if the federation certificates are compromised, these unauthorized logins are still detectable, as long as authentication logs are correlated between the federation and the cloud environment. By abstracting the attack technique to its core components, using open-source tools, we can engineer detection events relevant to multiple providers and environments.

The presenters will also provide a case study of this novel attack technique (Golden SAML) and demonstrate high-fidelity detection approaches to assist the Security Operations in defending against adversaries. We also will be discussing multiple open-source tools an organization can utilize to assist their understanding of their cloud environments and provide the possibility to identify misconfigurations.

You’re not broken…just different: Don’t Let Undiagnosed Neurodivergence Ruin Your Life

Speaker: Chris Culling

Have you ever felt that there’s something different as to how your brain works, but you can’t quite put a finger on it? That you excel in some parts of life, but fall behind in others?

The type of person drawn to InfoSec seems to include a lot of folks from the neurodivergent side of the tracks. Autism, ADHD, anxiety, depression, dyslexia, Tourette’s, bipolar disorder, and OCD are some of the more common types of neurodivergence. However, many folks are unaware of their own neurodiversity and how to live with it. If left undiagnosed and untreated, it can cause untold harm to them, their families, and their careers.

I was undiagnosed…and I fell into addictive behaviors and substance abuse to self-medicate away the pain of not knowing what was different about me. But I found help. And after finding the right medication, along with therapy, I can mostly function these days…and without the substance abuse.

This short presentation will explain neurodiversity and show some of the issues that undiagnosed neurodivergents face and how they can be overcome…using my own life as a case study.

Cameras, CACs & Clocks: Enterprise IoT Security Sucks

Speaker: Brian Contos

With two IPOs & seven acquisitions Brian has helped build some of the most successful security companies in the world. He has over 25 years in the security industry as an executive, board advisor, security company entrepreneur, and author. After getting his start with the Defense Information Systems Agency (DISA) and later Bell Labs, Brian began the process of building security startups and taking multiple companies through successful IPOs and acquisitions including: Riptech, ArcSight, Imperva, McAfee, Solera Networks, Cylance, JASK, and Verodin.

Brian has worked in over 50 countries across six continents. He authored the book Enemy at the Water Cooler and he co-authored Physical & Logical Security Convergence with former NSA Deputy Director William Crowell. He was featured in the cyberwar documentary 5 Eyes alongside General Michael Hayden, former NSA and CIA Director. Brian has written for and been interviewed by security and business press and regularly presents at conferences worldwide like Black Hat, RSA, & BSides.

While enterprise IoT security currently sucks, it doesn’t have to be that way. By evaluating the security risks and the inherent limitations of IoT, you can leverage tactics that will have a rapid and positive impact on security.

Hackers are Neither Created Nor Destroyed – Closing Keynote

Speaker: Jeff Man

Respected Information Security advocate, advisor, evangelist, international speaker, keynoter, host of Security & Compliance Weekly, co-host on Paul’s Security Weekly, Tribe of Hackers, TOH Red Team, TOH Security Leaders, TOH Blue Team, Hacking is Not a Crime Advocate, Darknet Diaries #83, Honorary Lifetime Associate Member of Special Forces Association, and currently serving in a Consulting/Advisory role for Online Business Systems. Nearly 40 years of experience working in all aspects of computer, network, and information security, including cryptography, risk management, vulnerability analysis, compliance assessment, forensic analysis and penetration testing. Certified NSA Cryptanalyst. Previously held security research, management and product development roles with the National Security Agency, the DoD and private-sector enterprises and was part of the first penetration testing “red team” at NSA. For the past twenty-five years has been a pen tester, security architect, consultant, QSA, and PCI SME, providing consulting and advisory services to many of the nation’s best known companies.

I am a hacker. Looking back on my life I realize I’ve always been a hacker, although I wouldn’t have always claimed that moniker. I began my career in 1986 as a Cryptanalyst for the National Security Agency. In the early 90’s I got into computer and network security and became an “ethical” or “white hat” hacker/pen tester/red teamer. I pretty much stopped doing that around 2004 – but I still call myself a hacker and I’m still very involved in the security of systems and networks – but really I hack my clients’ people, business cultures and operations to figure out how to make them secure – whether they realize it or not.

Recently I was asked to become an “advocate” for a non-profit group called “Hacking is NOT a Crime” (https://www.hackingisnotacrime.org/) whose stated mission is advocating for global policy reform to recognize and safeguard hacker rights. This got me asking myself questions like, “what is a hacker?”; “why do I call myself a hacker?”; “how did I become a hacker?” I also realized that a lot of what helps me self-identify as a hacker is skills and traits that got me into this industry in the first place. Which got me to thinking about how I got my start in the business in the first place.

People often ask me “how’d you get your start in Information Security?” to which I usually respond that I started at NSA. But lately I’ve realized that the real question to answer is “how’d you get into NSA in the first place?” My experience was not in any way typical then or now, and I think that means something and even provides a lesson for today for those seeking to find a place in our profession. Essentially NSA knew how to find and hire hackers, particularly those who didn’t fit the “mold”.

I’ve pretty much concluded that I’ve always been a hacker – that I was born that way. I want to share with you the things about me that make me a hacker and are also how NSA was able to identify these characteristics. I hope you’ll find that we have a lot in common and I hope this serves as an encouragement to all those that aspire to have careers in information security.

A Day in the Life of a Threat Hunter

Speaker: Tyler Uffelman

Tyler W. Uffelman is a threat hunter at Allegion PLC with over 5 years’ experience working in security monitoring across the following industries: government contractor, MSSP, and publicly traded OT/ICS organization. Additional experience includes a master’s degree in cyber security, the CySA+ certification, and published IEEE IoT research.

First, there is no such thing as an average day in the life of a threat hunter. Every day in cyber security is different but there are common elements that describe what we do on a regular basis. The target audience for this presentation includes aspiring or new security analysts, primarily geared toward SOC analysts/blue teamers. If you aren’t sure what a SOC analyst or a blue teamer is, this is the presentation for you!

Emulating Adversaries for Auditors and the Business

Speaker: Alex Martirosyan

Security teams are often tasked with building a layered control environment through a defense-in-depth approach. Audit and compliance teams may even require these controls to align to a specific benchmark or framework. Unfortunately, the scenario often arises where these controls are only put to the test when a real attack occurs, leaving teams confused when responding to an incident. Assumptions are made by all business units about the operating effectiveness of the environment. Remember when we all relied on the perimeter firewall for security a decade ago? We now have the same problem with heavily relying on default configs within EDRs. Business leaders may be lulled into thinking that these tools will prevent sophisticated attack chains by nation state adversaries and meanwhile get burned by lazy PowerShell tradecraft that goes undetected. These assumptions are rarely validated through active testing or standard day-to-day activity due to the complexities of a behavior or technique. From an auditing perspective, this is a critical hidden gap that creates a cyclical problem. We are maybe the only industry that provides technical solutions that still require customers to continuously tune and validate that they are working as intended. Although the controls may align to a specific need on paper, significant gaps go unnoticed, allowing attackers to achieve their end objectives. A purple team/threat emulation exercise can help prevent this. However, most businesses are unequipped to know where to begin.

Many of us are not speaking the same language as the business when attempting to introduce the enterprise matrix from MITRE ATT&CK(®). Further, we have now entered an unfortunate reality where every vendor, tool, and third party references the framework. As an industry, we need to be able to use this framework in a concise and repeatable manner. We also must be honest about the shortcomings of ATT&CK and what it cannot be used for. It is extremely enticing to fall into several traps when attempting to use the framework and perform simulations internally. This includes playing bingo and not truly understanding how techniques are emulated in an environment.

As assessors we build test procedures to identify gaps, remediate issues, and retest, just like any traditional audit. When examined closely, we are effectively quality assurance for cybersecurity. We have specific playbooks of what adversaries attempt upon achieving initial access. Think about the Conti Playbook that was released and translated earlier this year. We can leverage existing tooling to emulate the identified behaviors in our environment, creating a “data-driven” and threat-informed test. Equipped with this knowledge, we can lay out controls that allow the business to operate and provide assurances that an attack chain is mitigated. We have rich and continuously improving public cyber threat intelligence reports that must be used in our programs. Public annual reports from Red Canary, Microsoft, DFIR Report, Scythe, and countless others can all be used to tune our controls against a specific threat. Security professionals can emulate adversaries for cheap all the while expanding budgets and showcasing their work to executives. My hope is to be able to bridge existing understanding of ATT&CK and provide a path to reliably use it regardless of the size or complexity of an institution.

Intro to IoT Hacking

Speaker: Doug Kras

With a background in penetration testing, I made the change to becoming an IoT pentester. With zero hardware, IoT, or reverse engineering experience, I quickly learned how to find critical-risk vulnerabilities in products. Having a curious mindset has allowed me to pose questions like “what if I supplied this data to this program, what would happen?” Sometimes that leads to gaining code execution on devices. I love learning new things, and am continually reading up on the latest hacking news!

IoT devices can be anything from temperature sensors to that new Smart Fridge in your house. When reviewing these devices for security issues, there are a wide variety of methods to discover weaknesses. Many companies will publish their firmware on the internet to allow users to update their systems. This is a great place to start finding vulnerabilities, and you can do it without even owning the device. The world of IoT presents difficulties for security, because many times these devices don’t have the capacity to run full security stacks such as Anti-Virus and logging. Come on a journey where you can learn how to hack hardware and software!

Don’t Drown IR: The Dangers of Alert Fatigue

We’re not from the government, but we’re here to help them help you.

EHLO is that you?

After These Messages: Taking Security Awareness off the Air

Speaker: Wolfgang Goerlich

J. Wolfgang Goerlich is an Advisory CISO for Cisco. He has been responsible for IT and IT security in the healthcare and financial services verticals. Wolfgang has led advisory and assessment practices in cybersecurity consulting firms.

Security awareness has been the answer to all security problems since Taz-Mania and Darkwing Duck were tops on Saturday morning. IT people not following procedure? Awareness training. If the developers wrote vulnerable code? Awareness training. If the people clicked on the wrong thing? Training, training, training. And yet studies find that less than 15% of people change their security behavior following security awareness training. After these messages, we’ll be right back… with more awareness training. This session shares lessons from behavioral economics on how to drive action on security initiatives, along with successes organizations have seen from taking a commercial break from the regularly scheduled programming.

Password Attacks to Take Over the World

Speaker: Woland

Woland is an ex-investigative journalist turned bartender turned pentester. In her spare time she enjoys boxing, the outdoors, and tiki drinks.

Passwords are problematic, and they’re not disappearing anytime soon. As one of the largest attack vectors used by multiple protocols, have you ever wanted to learn how to hack these long-suffering logins?

Join the presenter as she uses some of our favorite cartoon characters to introduce the whacky world of password exploitation. In this animated crash course you’ll learn the difference between password spraying and cracking, along with the magic of credential stuffing. Learn how to create killer wordlists, and how to audit your own password policy to better protect yourself.

While there are multiple misconceptions about password security, tune in for some no-nonsense talk about the strengths and weaknesses of different offensive tactics.


Whatever Happened Last Time, It Wasn’t a Penetration Test

Speaker: Joseph Sarkisian

As a penetration tester, I have lots of awkward conversations when a client has misguided assumptions about their security. One of the most awkward is when we complete our testing and have a laundry list of low-hanging fruit that needs to be fixed that previous vendors never brought up. This leads to fear, uncertainty, and doubt, oftentimes resulting in one or more of the following:

• But we let you in.
• That’s not a realistic scenario.
• Our MSSP would have stopped you.
• This report does not adequately reflect our environment.
• But we’re tracking that issue.
• Our report was clean last year.
• Why didn’t the previous vendor find this?

Clearly, whoever was hired to do this last time failed to adequately explain why we do what we do.

Offensive security practitioners need to do a better job of partnering with clients to enable them to make security a part of the business that helps it function better, not a cost center that is seen as a burden. Our job is not to play gotcha; it is to help security teams build trust within their organizations that will holistically create a secure environment for all.

If you want to know:

• The difference between a penetration test and that vulnerability scan that was sold to you as one
• Why you likely don’t need a red team exercise
• How to evaluate what your MSP/MSSPs are actually doing for you
• Why phishing metrics are not as simple as your click rate
• Why there are so many competing ideas on how to perform and report these assessments in a way you can understand

Then this talk is for you!

Exploiting Advanced Volatile Memory Analysis Challenges for Fun and Profit

Speaker: Solomon Sonya

Malware continues to advance in sophistication. Well-engineered malware can obfuscate itself from the user and the OS. Volatile memory is the unique structure malware cannot evade.

I have engineered a new construct for memory analysis and a new open-source tool that automates memory analysis, correlation, and user-interaction to increase investigation accuracy, reduce analysis time and workload, and better detect malware presence from memory.

This talk demos a new visualization construct that creates the ability to interact with memory analysis artifacts. Additionally, this talk demos new, very impactful Data XREF and System Manifest analysis features. Data XREF provides an index and memory context detailing how your search data is coupled with processes, modules, and events captured in memory.

The System Manifest distills the analysis data to create a new memory analysis snapshot and precise identification of malicious artifacts detectable from malware execution, especially useful for exploit dev and malware analysis!