A Hacker’s Guide for Changing The World (and Where do we go from Here?)
I Am The Cavalry, 17:00 Wednesday
The Capstone event for the IATC Track! We started with inclusion and empowerment. In that spirit we want to share of the less obvious difference makers and tools, to equip future change agents to be successful… Beau and Josh often joked that our book would be called: “We have no idea what we are doing, but it seems to be working”… A decade later, maybe we have a few ideas. We would like to democratize, empower, and enable you with successful recipes to change the world. Special guests will contribute to some of the following collective works: Empathy, Storytelling, Soft skills/media training, Cyber-civics 101, Theory of Constraints, Stone Soup, etc.
Actions have consequences: The overlooked Security Risks in 3rd party GitHub Actions
Ground Floor, 14:30 Wednesday
After reviewing the build logs of public CI pipelines, I noticed security issues related to permissions and build integrity. To investigate the extent of the problem, I analyzed the build logs of the top 2,000 starred repositories on GitHub, and the results surprised even me. In this talk, I will share my findings on the prevalence of the world’s most popular repositories that fail to manage their build permissions. Such failure can lead to severe consequences, such as creating tokens to access cloud resources or introducing malware to repository code and artifacts. Next, I will uncover the existence of “unpinnable actions.” We will challenge a highly recommended countermeasure for protecting against compromised third-party actions: pinning. Pinning assures that the action’s code cannot be tampered with. However, even when pinned, new malicious code can still sneak into your pipeline. I will share the conditions that make an action unpinnable and reveal the significant percentage of the world’s most popular actions that we all use and pin, but are actually unpinnable.
Adding SAST to CI/CD, Without Losing Any Friends
Training Ground, 15:00 Tuesday
Everyone wants to put tests into the release pipeline, but no one wants to wait hours for them to finish. In this learning lab we will discuss multiple options for adding static application security testing (SAST) to your CI/CD, in ways that won’t compromise speed or results, such as learning which results can be safely ignored, writing your own rules, company-specific checks, scanning PRs instead of commits, splitting blocking scans versus deep audit scans, etc. We will also cover ways to continuously find vulnerabilities.
All You Need is Guest: Beyond Enumeration
Breaking Ground, 17:00 Tuesday
Azure AD guest accounts are widely used to grant external parties limited access to enterprise resources, with the assumption that these accounts pose little security risk. As you’re about to see, this assumption is dangerously wrong.
In this talk, we will show how guests can leverage undocumented APIs to bypass limitations and gain unauthorized access to sensitive business data and capabilities including corporate SQL servers, SharePoint sites, and KeyVault secrets. Furthermore, we will reveal how guests can create and control internal business applications to move laterally within the organization. All capabilities presented in the talk work will be demonstrated with the default Office 365 and Azure AD configuration.
Next, we will drop PowerGuest, a powerful tool designed to uncover the true scope of guest access in your tenant. PowerGuest can automate limitation bypass, enumerate and dump all accessible data, and allow for interactive non-read actions by the researcher.
Finally, we will make up for shattering the illusion of guests having limited access by sharing concrete steps to harden your Azure AD and Office 365 configurations to prevent such attacks and suggest detection logic to catch them if a change in configuration is not possible.
An Everything Is On Fireside Chat with Jen Easterly, Director of US C.I.S.A.
Breaking Ground, 13:30 Wednesday
Keren Elazari of the Interdisciplinary Cyber Research Center at Tel Aviv University holds a fireside chat with Jen Easterly, Director of the United States Cybersecurity and Infrastructure Security Agency (CISA) on how we can all help build a more resilient cyber ecosystem internationally, and how hackers can be part of driving the conversation and the solutions that arise from it.
And Together We Crossed the River…
Breaking Ground, 09:30 Tuesday
a decade of change
Are We too Early for the Party? (the perils of Baking Cyber in from the Beginning)
Common Ground, 17:30 Wednesday
A common cybersecurity trope often stated during/after security design and testing is “we/they should have built cyber in from the beginning.” BUT….How many of us have actually built cyber in from the beginning? The presenters have an uncommon perspective on this matter, and are living the build cyber in dream/nightmare right now. We discuss the perils: product teams unwilling to incorporate cyber, lack of business processes incorporating good cyber design, the reluctance to develop secured designs during demonstration phases versus “certification-only” focus. We discuss the benefits (obvious & not so obvious): requirements documentation, identifying cybersecurity controls, interfacing with product teams, and building a value chain from the start. Just don’t expect being involved early to be the easy button.
Are your secrets safe - How mobile applications are leaking millions of credentials
PasswordsCon, 14:00 Tuesday
Secrets like API keys, security certificates, and other credentials are the crown jewels of our applications. They give access to our most sensitive information and systems like databases, cloud infrastructure, and third-party services. Despite being highly sensitive, these secrets are being leaked in our source code and compiled mobile applications.
Research shows that after reverse engineering 50,000 android apps hosted on the PlayStore, nearly 50% contained plain text credentials. We review this research to show the most common types of secrets found, where they were found, and the industries they appear within. But how exactly do secrets end up in applications? To answer this we explore research from GitGuardian which every year scans every single public contribution to GitHub (over 1 billion commits) for secrets. The 2023 report showed 10 million credentials leaked publicly on GitHub. Here we break apart mobile applications’ public code and see exactly how secrets leak through code history. We explore the connection between the two research projects (from code to applications) and reveal how many mobile applications are leaking secrets and of course how to keep your secrets secure.
Authentication Proxy Attacks: Detection, Response and Hunting
Breaking Ground, 10:30 Tuesday
Over five years ago, evilnginx was released, demonstrating the ease of stealing authentication session tokens from MFA-enabled logon processes with a simple reverse proxy. Despite being a well-known technique, few of these attacks were seen in widespread use among cybercrime threat actors, until recently.
The advent of the EvilProxy and similar platforms has given attackers the ability to compromise targets with strong authentication without resorting to burdensome SIM swapping or noisy push fatigue attacks. With nascent adoption rates of phish-resistant MFA outside government-aligned sectors, organizations need to know how to detect and respond to these attacks.
In this talk, we will provide an in-depth look at the tactics, tools and procedures used in MFA-enabled account takeover. We’ll demonstrate how the ingenuity of this attack has a fatal flaw at its core, allowing us to hunt, detect, mitigate and block this type of attack.
BSides Las Vegas Pool Party
Middle Ground, 22:00 Wednesday
It’s not BSides Las Vegas without the pool party! Drink, eat, and float around the Tuscany’s fantastic pool while listening to artfully curated jams by Jackelope, An Hobbes, and DJDead. Don’t forget your swimsuit and conference badge!
BSides Organizers Meet-Up
Middle Ground, 19:00 Tuesday
The Security BSides Las Vegas Meet-Up for current organizers of existing Security BSides events is a wonderful opportunity to share stories and get to know each other. Come meet and mingle with your fellow security cultists!
Becoming a Dark Knight: Adversary Emulation Demonstration for ATT&CK Evaluations
Ground Floor, 18:00 Tuesday
Batman once said, “you either die a hero or live long enough to see yourself become the villain.” What if there was a way to become a cyber villain for the greater good? For the last 5 years, the MITRE ATT&CK Evaluations team has been improving the industry by “becoming the villain.” Using a Latin American APT as our real-world villain, this talk will showcase how to merge CTI and red development capabilities for adversary emulation.
Beyond the Perimeter: Uncovering the Hidden Threat of Data Exfiltration in Google Cloud Platform
Breaking Ground, 15:00 Wednesday
Google Cloud Platform (GCP) is a cloud computing platform that has gained immense popularity due to its scalability, flexibility, and advanced features for data analytics, machine learning, and application development.
GCP audit logs provides valuable information for detecting and investigating security incidents. By analyzing audit logs, security professionals can identify suspicious activities and detect potential breaches, allowing for timely and effective incident response.
In this talk, we will discuss the numerous ways attackers can steal data from Google Cloud Platform (GCP) resources with minimal chance of detection. It explores five different methods an attacker can use to exfiltrate data in the popular services: Google Cloud Storage, Cloud SQL and BigQuery. For each method we will show a short demo and describe the generated log events and what to look for to detect malicious behavior.
Overall, the lecture highlights the importance of proactive security measures and recommends best practices such as preparing for security incidents by enabling audit logs of data activity and implementing access controls to prevent unauthorized data exfiltration. By following these best practices and leveraging the insights gained from audit logs, the participants can better protect their GCP resources and respond quickly to potential security incidents.
Big SIEM Energy at micro-SIEM cost
Common Ground, 15:00 Wednesday
What if you’ve got a major need to, well, manage security incidents and events in your AWS infrastructure but you’re just not feeling the GuardDuty vibes?
There’s a million reasons why you may have specific security monitoring requirements that aren’t fulfilled with heavy-duty solutions. GuardDuty comes with an assortment of pre-built rules for detecting traditional threats to your infrastructure that are specifically tuned for AWS and the average usage of AWS, but what if that’s too much for your use cases or your budget? One-size-fits-all but rarely does it do so well.
This talk will provide a detailed template for a micro-SIEM tuned to your specific needs, using cost effective AWS services such as EventBridge, CloudTrail, SNS, and ChatBot. Discover how to replicate this approach in your own environment or scale similar concepts to a CSP of your choice.
Breaking Business as Usual: Attacking Android Enterprise Solutions
Breaking Ground, 14:00 Wednesday
On the BYOD bandwagon, it’s more important than ever to understand how to secure the Android enterprise ecosystem. However, managing the security of this solution entails understanding how the ecosystem is designed and its threat model from the point of view of the three main stakeholders - the IT administrator, the Enterprise Mobility Management (EMM) service provider and the work apps developer.
In this session, we will explore Android Work Profiles which provide platform-level separation of work apps and data, giving organizations full control of the data, apps, and security policies within a work profile. We will address the questions of personal apps querying work app data, the possibility of IT admins expanding their privileges, and how rootkits, and malicious apps installed within either the work or personal profiles can violate security assumptions. We will demonstrate this research via proof of concept (PoC) walkthroughs and exploits.
We close our talk by supplying actionable steps anyone can follow, providing a cheat sheet for work profile security configurations offered by any EMM Service (Microsoft Intune, MobileIron, Samsung Knox, etc.)
Join us for a thought-provoking discussion on the balance between security, control, and privacy in the rapidly changing mobile security landscape.
Breaking In: Unleashing the Power of Physical Offensive Security
Proving Ground, 12:00 Tuesday
Do you know SPY×FAMILY? It is Japanese anime in which a brilliant SPY plays an active role. The SPY can easily infiltrate a company building. But in fact, even if you’re not that skilled of a SPY, you can easily infiltrate.
Physical security is often overlooked when companies consider cybersecurity. Insufficient physical security measures allow attackers to physically intrude into restricted areas and even break into cyberspace by hacking LAN ports in offices. And indeed we were able to conduct evaluations against several companies and subsequently break into their corporate networks and take files that imitated confidential information.
In this presentation, we will explain and demonstrate attack methods such as intruding into a building by impersonating an external company, breaking through security gates by duplicating RFID using the latest technology, and bypassing MAC address filtering by LAN port hacking. We hope to help the audiences understand how easy physical attacks are and to help companies strengthen their physical security measures.
Breaking Windows with your ARM
Underground, 17:00 Tuesday
Our research aims to shed light on the current state of Windows on ARM (WoA) rootkits.
Although we have yet to find Windows malware targeting the ARM (or ARM64 aka AARCH64) architecture, and more specifically rootkits are yet to be discovered for this platform, we know that the arms race has begun and its only a matter of time until a rootkit for WoA will emerge.
In our research we looked for ways to implement a rootkit using known mechanisms such as different hooking techniques and callback functions and developed a tool to detect rootkit infections on the WoA platform by looking for in-consistencies in critical kernel structures.
ARM64 architecture provides mobile devices with better battery life while maintaining great performance, and we believe that the future of mobile devices running Windows is in ARM. As WoA gains popularity among users, including those using Apple Silicon devices, it is essential to prepare for the inevitable emergence of rootkits.
Using our tool we hope to lay the groundwork for IR and malware analysts that would have to reverse engineer the malware of the future.
Build Your Own Cat-Shaped USB Hacking Tool!
Training Ground, 15:00 Wednesday
Want to learn how hackers exploit computers in seconds? This beginner-friendly workshop walks you through assembling your own cat-shaped hacking console, which you’ll use to try out fun hacking demos! You’ll learn to solder, write your own USB attack scripts, and learn the techniques hackers use with your new cat companion!
Build hybrid mobile applications like a security pro!
Ground Floor, 10:30 Tuesday
Hybrid mobile applications, unlike native ones, primarily function through a set of external, generally open source, libraries that help access the mobile operating system’s native capabilities. But what does this mean in terms of security? Mobile applications come with their own set of security loopholes and attack vectors. Does this approach pose new challenges or exacerbate existing ones? In this talk, instead of discussing a known set of secure libraries, the attendees will understand the mobile threat model and learn how to vet a library by themselves.
Building Your Own AI Platform and Tools Using ChatGPT
Ground Truth, 15:00 Tuesday
Artificial Intelligence (AI) is taking the world by storm. There seem to be so many new platforms popping up daily. AI platforms for red and blue teams already exist, but are they custom tailored to your organization’s environment? If not, then maybe it is time to create your own.
This talk explores the basics of creating your own AI platform using TensorFlow and how it gives adversaries an advantage in the AI sphere. Topics covered will be the use and benefits of using TensorFlow, collecting, cleaning, and training the data using modeling algorithms, working with TensorFlow .H5 files and bringing everything together into a basic working platform using a command-line interface (CLI). Working with additional .H5 files to test data sets to add to the platform will also be included. Pre-made tools will be demonstrated if time and technology restraints allow for it. If you are interested in learning about building your own AI platforms and learning the basic steps and components involved in creating your own, then this talk is for you.
Building a Culture of Cybersecurity: A Case Study Approach to Enhancing Risk Management
Proving Ground, 12:00 Wednesday
Risk Management Culture is a critical component of a comprehensive cybersecurity strategy, yet it can be challenging to cultivate and sustain. The most effective way to build a risk-aware culture is to educate and engage both technical and non-technical staff. This presentation will explore the benefits of a risk management culture, and provide a case study-based approach to training security staff and educating non-technical executives. The presentation will draw on real-world examples to illustrate the importance of effective risk management, and provide practical strategies for promoting a risk-aware culture within an organization. The audience, consisting of a highly technical crowd, will appreciate the depth and detail of the content, as well as the focus on real-world applications. This presentation is a must-attend for anyone looking to deepen their understanding of risk management culture and build a more secure organization.
Breaking Ground, 19:00 Wednesday
Cognitive Security and Social Engineering: A Systems-Based Approach
Ground Truth, 14:00 Wednesday
Cognitive Security is differentiated from more traditional security domains in three ways. First, cognitive security is concerned with protecting cognitive systems not necessarily humans; second, cognitive security considers multiple dimensions of system interaction, and third cognitive security considers multiple scales of operation. Adopting a “systems” perspective considers the interconnectedness of system elements, the function of the system, and scalability; systems-of-systems which may result in one system influencing another. This can be problematic from a security perspective because an effect might be induced in one system that causes an effect in another system, without the effected having visibility into the original cause. Three scales of engagement: the tactical level (single engagements), the operational level (multiple engagements), and the strategic level (traditional security concerns in addition to political and economic levers); combed with an extended OSI Model which includes Layers 8, 9, and 10 to describe human factors, describes a full stack for cognitive security. In order to successfully launch a cognitive attack, threat actors must achieve the objectives of four phases of a Cognitive Security Attack Cycle: Collection, Preparation, Execution, and finally Exploitation. Each phase of the implies points of vulnerability at which an attack might be disrupted.
Comprehensive Guide to Runtime Security
Training Ground, 15:00 Tuesday
The adoption of containers and orchestration systems skyrocketed over the last few years. The popularity of these platforms makes them common targets for cybercriminals. Kubernetes combats this risk with built-in controls (such as Admission Controllers and RBAC authorization), but what if you want to observe the behavior of pods at runtime to detect intrusions? In this hands-on training, instructors will depict the cloud-native security landscape, dive into cloud detection and response and show how to detect unexpected behavior and intrusion.
This training is a comprehensive guide to Falco, the de facto CNCF open-source threat detection standard for Kubernetes environments. From using the default rules to customizing existing rules, and writing new Falco rules, attendees will walk away confident they can protect their environment against runtime threats, the last line of defense. Every participant will use a web browser to access their own lab environment, in which they will use Falco to identify and notify intrusions.
This session is for security practitioners who are new to cloud-native and want to expand their knowledge of runtime security, as well as those who are familiar with Falco and want to customize its detection capabilities by writing new rules.
Conti Leaks and CARVER Analysis for Threat Intel Analysts
Common Ground, 11:30 Wednesday
In 2022, the Conti ransomware group’s inner chat room discussions were leaked by a dissenting member of the group due to the Russian invasion of Ukraine. As a former intelligence officer of 20 years, I applied the CARVER vulnerability assessment model to the leaked data to rapidly assess the potential risk posed to my large financial firm’s enterprise model. This talk will share the methodology applied and the steps taken to maximize the intelligence value of this rare event;
Could Passwordless be Worse than Passwords?
PasswordsCon, 11:30 Tuesday
The use of passwordless technologies has increased lately, and more companies are providing their support for it; this includes big names such as Microsoft, Apple, and Google. Passwordless is a no-brainer for increasing account security since passwords are one of the most common targets of attacks still in 2023. While Passwordless technologies are inherently more secure than traditional password-based authentication, there seems to be an overall idea of this technology being unhackable, and a perception that account takeover and user impersonation are not even possible when using it.
This talk will cover real-world risks and vulnerabilities of passwordless solutions for Web applications and how a faulty implementation can lead to a more significant security breach than when using passwords alone. We will see how as a consequence of an attacker managing to compromise the passwordless authentication, users will not have that tiny piece of protection preventing other people from accessing their details: ironically, a password.
This talk will also cover the best practices for developers looking to integrate a passwordless mechanism (WebAuthn) into their Web application. Recommendations will be included for pentesters, enterprises, and end-users, too.
Cyber Crash Investigations: Seizing the Opportunity to Learn from Past Crises
Common Ground, 10:30 Wednesday
In this talk, Julia and David discuss their work in cyber crash investigations, delving into what they’ve learned about opportunities to avoid incidents, minimize their impact, and respond to them effectively, underlined by real-life case studies. The objective of the talk is not to provide a comprehensive checklist for imperviousness to attacks, but to prompt attendees to enquire about their organization’s readiness in less-obvious areas. Just as aviation experts learn from accidents to improve safety, Julia and David hope to provide recent and constructive insights from responding to significant cyber crises.
Cyber Threat Hunting (CTH) – Day 1
Training Ground, 10:30 Tuesday
Understanding and practicing Cyber Threat Hunting activities
Cyber Threat Hunting (CTH) – Day 2
Training Ground, 10:30 Wednesday
This is the second day of the 2-Day training
Cyber risk: How does cyber events become so costly?
Ground Truth, 10:30 Wednesday
Cyber security incidents are costly. Quantifying cyber risk is problematic because it requires deep understand of technology, asset and knowledge of business functions. Data on actual losses is not available, and public information is only partial data. Many top companies have leverage our cyber risk models to quantify their risk. This session will show attendees on a high level, how we quantify cyber risk & what to look out for.
Some of the components of that cost such as ransom payment and business interruptions are making headlines. This presentation identifies and describes other costs that may be less well-known but may be equally, if not more important, and explains how to model these costs.
Training Ground, 10:30 Wednesday
The 2021 OWASP Top Ten introduced a category “Insecure Design” to focus on risks related to design flaws. In this training, we will focus on building defense-in-depth software. What can we do to proactively architect software to be more resilient to attacks? What type of findings may not be discovered via automated static analysis? How can we design our software to be more friendly during incident response scenarios?
This one-day training is perfect for engineers as well as security practitioners that have some familiarity with the OWASP top 10. During this training, we will focus on identifying often-overlooked architectural anti-patterns and vulnerabilities to be on the lookout for. We will utilize source code review to analyze patterns for improvement in both real-world applications as well as intentionally vulnerable applications. Every interactive exercise will involve discovering concerns and writing code to engineer solutions. The course will wrap up with real-world vulnerability analysis of open-source software with an effort to help provide more secure architectural recommendations for these projects.
Do you know where your secrets are? Exploring the problem of secret sprawl and secret management maturity
PasswordsCon, 15:00 Tuesday
Do you know what Uber, CircleCI, and Toyota all have in common? They had hardcoded credentials in plaintext somewhere in their environments, which led to either a public leak or enabled an attacker to expand their footprint during a breach.
It is easy to understand why hardcoding secrets is a problem, but do you know how widespread this problem is or how fast it is escalating? Do you know how it keeps happening? Do you know what you can do about it?
Double Entry Accounting for Security
Ground Truth, 11:30 Wednesday
Double entry accounting is a practice that forms the foundation of present-day bookkeeping and accounting. When the methodology was discovered, it revolutionized finance. Could a similar practice work for cybersecurity? This session will walk through ways that you can (and unknowingly already have) implemented a form of double entry accounting that can help you revolutionize your security program.
EMBA - From firmware to exploit
Breaking Ground, 12:00 Tuesday
IoT (Internet of Things) and OT (Operational Technology) are the current buzzwords for networked devices on which our modern society is based on. In this area, the used operating systems are summarized with the term firmware. The devices themselves, also called embedded devices, are essential in the private and industrial environments as well as in the so-called critical infrastructure. Penetration testing of these systems is quite complex as we have to deal with different architectures, optimized operating systems and special protocols. EMBA is an open-source firmware analyzer with the goal to simplify and optimize the complex task of firmware security analysis. EMBA supports the penetration tester with the automated detection of 1-day vulnerabilities on binary level. This goes far beyond the plain CVE detection: With EMBA you always know which public exploits are available for the target firmware. Besides the detection of already known vulnerabilities, EMBA also supports the tester on the next 0-day. For this, EMBA identifies critical binary functions, protection mechanisms and services with network behavior on a binary level. There are many other features built into EMBA, such as fully automated firmware extraction, finding file system vulnerabilities, hard-coded credentials, and more.
Email Detection Engineering and Threat Hunting
Training Ground, 10:30 Wednesday
Email remains the #1 initial access vector for commodity malware and nation state actors. Historically, tackling email-based threats has been considered the purview of black-box vendor solutions, with defenders having limited scope (or tooling!) to swiftly and effectively respond to novel offensive tradecraft.
In this training, attendees will be given detailed insight into the latest techniques used to deliver prevalent malware strains, including QakBot and Emotet, and will hunt through email data to identify this malicious activity, developing rules to detect and block these attacks.
Initially attendees will be introduced to the foundational technologies that enable threat hunting and detection engineering in the email domain, before being given access to the email data of a fictitious company seeded with benign and real-world attack data.
Attendees will be guided through the rule creation process, utilizing free and open detection engines including Sublime and Yara, and will be introduced to the signals that can be used to craft high-fidelity rules, including sentiment analysis, domain age, and attachment analysis. Having completed the training, attendees will have a strong understanding of the tools and techniques at their disposal to defend their organizations from all manor of email threats.
Emulation, PowerPC, and Transition
Breaking Ground, 15:00 Tuesday
One part self discovery, one part technological innovation, this talk follows one hacker’s journey to create a new framework for baremetal emulation while simultaneously realizing and learning to accept fundamental truths about the very core of who she is.
The talk will delve into the details of what an emulator is and why both DARPA and industry giants needed one so badly for the PowerPC architecture. There will be educational background provided into how emulation works and how it can be used to enhance efforts at reverse engineering and security.
There will be a discussion of both the technical and logistical development of the framework and how it can be used to test or reverse engineer industrial systems. This will also includes the technical nuances and challenges of working with PowerPC while making it accessible and user-friendly. The tool will be demonstrated by emulating an engine controller that is actively transmitting messages.
Interspersed throughout the discussion of the projects technical timeline will be photos, stories and anecdotes from both Erin’s transition towards womanhood, as well as insights into the lives and humanity of her and her team.
Enemy Within: Leveraging Purple Teams for Advanced Threat Detection & Prevention
Ground Floor, 10:30 Wednesday
In “Enemy Within: Leveraging Purple Teams for Advanced Threat Detection & Prevention,” attendees will learn to bridge the gap between Cyber Threat Intelligence and Offensive Security.
We’ll explore the importance of cross-functional collaboration with Detection Engineering and Red Team operations, examining challenges in Threat Intelligence and Purple Team operations.
Addressing common challenges faced by offensive security and threat intel teams, such as securing buy-in from management and improving testing efficiency, we’ll discuss how our teams collaborate to execute realistic operations, fostering a positive relationship between offensive security and threat intel resources.
The presentation will include live demos of real-world adversary examples, like web shells and EvilGinx, and showcase open-source tools for streamlining efforts. By focusing on shared problems, we aim to demonstrate the importance of security investment and gain support from key stakeholders with financial resources and decision-making authority.
We’ll address limitations of existing frameworks that haven’t effectively kept pace with real-world threats and conclude with a showcase of open-sourced tooling created by Meta’s Purple Team to tackle the issue.
Enemy at the Gate, and Beyond: Detecting and Stopping Account Takeover
Proving Ground, 11:00 Tuesday
Account Take-Over is about more than just getting authenticated. Access acquisition has many faces, including for MFA-enabled accounts. Access leverage can have many faces as well, and having authenticated no longer guarantees you’re indeed who you say you are. We present a novel methodology for analyzing IAM and infrastructure access logs for detecting the various attack scenarios.
Energy Poverty and Potential Impacts to Other Critical Infrastructures & Powerful Paths to Progress
I Am The Cavalry, 11:30 Tuesday
Energy delivery for all utility sizes is undergoing disruptive change with unprecedented levels of federal and state funding. In this talk I will describe how that’s evolved over the past 20 years, and how we are trying to make it equitable, secure, resilient, affordable and clean in one swoop. Dealing with both historical injustice, climate threats, and international turmoil. Its an impossible proposition. How do we do it better? Is it too late? Can we communicate this in a better way and get social buy in from those who profit? I will also discuss if we are asking the right questions, and if we have already gone past the point of being able to get people to care about death and destruction….
F*** Your ML Model
Ground Truth, 10:30 Tuesday
Yeah, Machine Learning is cool, but have you ever curled up with Logic Programming on a rainy day? Ever watched a baby AI Planner take its first steps? Ever ditched work early on a Friday and roadtripped to Vegas with an Optimization Solver?
In this session we’ll take a step back from all the machine learning gigahype and look at the wider world of AI. We’ll explore how NASA drives robots on Mars, how video games create intelligent agents, and how Google interrogates its massive Knowledge Graph.
In each case we’ll see how the same AI methods can be adapted to tackle hard security problems, like tool orchestration and attack surface minimization, and we’ll build out small-scale versions of these problems and show how to solve them using open source libraries.
Failing Upwards: How to Rise in Cybersecurity by finding (and exploiting) your weaknesses
Hire Ground, 10:30 Tuesday
One day as an sysadmin I was asked to just deal with the WAF one day and now I’m a CSO, 18,000 miles, 5 countries and 6 years later. How did this happen?!
Full disclosure: I’m a mediocre sysadmin, an okay engineer, an acceptable architect, and a reasonably good infosec officer. What links them, and my rise through the corporate layers, is that at one point or another my hard work hit a wall and they said “you know what? You’ve done well but how about you head upward while the more apt people finish what you started?”
So here I am, rising far too quickly, doing just enough to keep the Imposter Syndrome at bay, and somehow succeeding at (cybersec) business without really trying. Come find out how!
Farm to Fork(ed): The Forces Fueling Food Chain Risk
I Am The Cavalry, 15:00 Tuesday
Building on the prior session, Paul will lead a discussion on the broader risks from Farm to Factory, and from Factory to Fork. Independent of cyber disruptions, dangerous concentrations of market power in the hands of a small number of large corporations increase the brittleness of the food supply chain. Add to that the risks posed volatile weather patterns, regional conflicts and the fact that the food supply chain is one of the most dependent on other sectors such as: water, chemical, ground transportation, rail, cold chain and cold storage, and electricity. As the industry slow walks its response to growing cyber risk, cyber adversaries are increasing their forays, targeting key food supply chain players. Assuming that we all like to eat, we have our work cut out for us. Paul will be joined by Sick.Codes for this discussion.
Follow the white rabbit down the rabbit hole
PasswordsCon, 18:00 Tuesday
Password cracking is all about patterns, behavior, understanding, and adapting. New technologies and password policies may mandate specific password generation patterns but they also drive a “culture” of wider adoption of phrases, l33t5p34k, and pseudo randomness. When one runs out of techniques and exhausts all the wordlists, rulesets and masks but still only reaches the 98%-mark, new techniques become essential to improvise for handling the remaining 2% of the hashes. The elusive 2% are those which benefit from the new techniques which will be discussed in this talk. Complex and multidisciplinary techniques usually drive cracking sessions down rabbit holes. With the only feedback being a single successfully cracked complex password, is impossible to use these techniques for cracking ‘mainstream’ passwords. And this is why mainstream tools and ethical hackers won’t waste time testing or using these techniques. However, the few remaining uncracked passwords normally contain privileged and/or advanced user accounts. In this talk, I will therefore cover non-traditional password cracking techniques that (through trial and error and randomness) produced good results and yielded interesting passwords.
For Intel and Profit: Exploring the Russian Hacktivist Community
Underground, 18:00 Wednesday
It is not common for analysts to have the opportunity to study the social circles of criminal organizations, but occasionally, a threat group that is more transparent than others emerges. Since the Russian invasion of Ukraine, the security community has had the opportunity to examine several threat groups that are part of the growing Russian hacktivist community, gaining valuable insight into the structure, operations, relationships, and connections between its members and the community around them. These interactions over the last year have taught us about the social and financial backing of the Russian hacktivist community and shown us what the future of hacktivism will look like.
Friends Of Bill W Meet-Up
Middle Ground, 20:00 Tuesday
Not a formal 12-step meeting. Rather, a supportive gathering for folks taking Summer Camp one day at a time. Tues and Wed, 20-21:30 in G103. Look for the sign on a patio on the pool side of building G and enter through the patio door.
Friends Of Bill W Meet-Up
Middle Ground, 20:00 Wednesday
Not a formal 12-step meeting. Rather, a supportive gathering for folks taking Summer Camp one day at a time. Tues and Wed, 20-21:30 in G103. Look for the sign on a patio on the pool side of building G and enter through the patio door.
From LLM Obstacles to Open Doors: A Tale of Three CISOs
Breaking Ground, 09:30 Wednesday
When it comes to GenAI and LLMs, there are three concerns and three corresponding opportunities.
Reknowned security researcher and executive Sounil Yu discusses solving for all three of these concerns, and provides specific frameworks and models that allow us to understand the necessary guardrails for each.
Gang Gang: Assembling and Disassembling a Ransomware Gang
Underground, 14:00 Wednesday
Ever wonder what goes into a ransomware gang startup? Take this trip with me as I share with you my journey into the ransomware world. Listen to how I struggled to gain acceptance, engaged in a small romance and worked my way up the wobbly ladder.
Good Doesn’t Always Win: Understanding technical and enterprise tradeoffs in Cybersecurity
Common Ground, 18:00 Wednesday
You have just started a new job, and, after settling in, find a huge cybersecurity gap. The great news is you have the perfect solution! The bad news is the company said no thanks. You are taken back and try to explain that this is simple cybersecurity basics, but the company has any number of reasons why they don’t feel it’s a good solution: money, time/effort of implementation, “we have never had a problem before”, or maybe your own IT department is saying that it won’t work. What do you do to make sure your company stays secure? Cybersecurity has arguably reached the point where most organizations understand its necessity, at least in concept. But that doesn’t mean that everyone is open to hearing about the latest threats and all the work (and money) that needs to be spent reducing your risk. This talk is designed to be an open discussion on understanding human behavior, and some tools that could help a cyber professional be more successful, particularly when it comes to negotiating better decision making.
Google Workspace Forensics – Insights from Real-World Hunts & IR
Breaking Ground, 14:00 Tuesday
Google Workspace is now the core IT infrastructure for many organizations, according to Google’s “2021 Year in Review”, 3 billion people use Google Workspace, drawing hackers to directly attack GWS users and resources. Forensics investigators may struggle identifying threats in GWS logs efficiently because of the complexity and the uniqueness of the logs.
In this talk, we share our knowledge & expertise on how to hunt and perform IR investigation over Google Workspace logs based on real-world threat hunt focused on data exfiltration from Google Drive. In this presentation, we will show the work of forensic investigator in Google Workspace (formerly G Suite) domain.
We believe this knowledge is necessary for those who want to investigate Google Workspace logs.
Got Hashes. Need Plains | Hands-on Password Cracking
Training Ground, 15:00 Tuesday
A condensed, but nonetheless still very effective version of our commercial training on password auditing, recovery and cracking techniques.
Cracking passwords is a critical skill for today’s information security professionals. With the increasing amount of sensitive information and systems relying on passwords, protecting against unauthorized access is more important than ever. Whether you are looking to crack passwords to gain access to systems, or auditing systems for weak passwords to make them more secure – you will gain a deeper understanding of what various common hashing algorithms are, and how to effectively crack passwords using those hashing algorithms. By the end of this training, you will have a solid foundation of password cracking techniques and be equipped with the knowledge to use password cracking for offence and defence that will allow you to grow your skills and research. We will cover creating powerful wordlists and rules (and why you need them), the tools used to crack hashes and advanced techniques. This training will give you a strong baseline to get you started in your password cracking experience. See the description for the full outline.
Hiding in Plain Sight - The Untold Story of Hidden Vulnerabilities
Breaking Ground, 18:00 Tuesday
In today’s software development landscape, vulnerability scanners and SCA tools play a vital role in identifying potentially vulnerable software components and mitigating associated risks. However, their effectiveness remains questionable due to differences in implementation, coverage, and performance, as well as inherent blindspots that make them oblivious to critical vulnerabilities in real-world scenarios.
In this talk, we will present the results of a groundbreaking benchmark and root cause analysis research that evaluated leading commercial and open-source vulnerability scanners and SCA tools. We will showcase the main causes of scanner misidentifications, including blindspots created by common build and deployment practices, and thousands of hidden vulnerabilities we identified in real-world applications, many of which are known to be exploited in the wild.
Our findings expose a significant gap in the effectiveness of these tools and raise awareness about the need for objective evaluation criteria. Attendees will leave with a better understanding of the limitations of vulnerability scanners and SCA tools, as well as the importance of adopting more holistic approaches to software security.
High Stakes HIDe-N-SEEK
Underground, 15:00 Tuesday
Phishing attacks and weak passwords aren’t the only things that are keeping Blue teams up at night. Imagine a nearly undetectable device in the user’s keyboard stealthily leaking out information or acting as a malicious user. Welcome to the nightmare game of HIDe-N-SEEK.
In our public talks about the Injectyll-HIDe project, we were limited by our fear of showing our real capabilities. Unlike our other talks about this implant, in this Skytalks presentation we will go off the record and take a candid deep dive into why the Injectyll-HIDe project is the thing of nightmares. We will be taking an uncensored look at the inner workings that make it so dangerous and why you might need to start walking your enterprise halls with bug sweepers. Audience participation is highly encouraged.
Audiences will leave with a deeper understanding of how the project works, a new platform to use for future Red Team operations, some fun stories, and even some nightmares.
Warning, I am not to blame for any loss of sleep after this talk.
Home Labs for fun and !profit (Put your home lab on your resume!)
Hire Ground, 13:30 Wednesday
Oh sure, you read all those posts about “My Home Lab” with all the pictures of 19” racks in a garage or basement. But seriously, how can you truly utilize your home lab, not just to learn, but to boost your career and help you get noticed as being that “Unique Individual” that a company really wants to hire!
Come join this talk to learn about building a Home Lab on a budget AND using it to really get ahead. Your lab should be an advantage and a fun learning experience without breaking the bank. Let’s build some systems, run some demos and see how to use all of this to NAIL that next job interview!!
How I Met Your Printer
PasswordsCon, 14:00 Wednesday
Often on penetration tests I encounter printers. Lots of printers. The smarter the printer the more likely I’ll gain access to your entire organization by making it do things that will make your IT admins gasp in fear! Come watch as I demonstrate how you too can get your printers to give up all of its secrets.
How to Handle Getting Dumped: Compromised Passwords
PasswordsCon, 11:30 Wednesday
Your company has a strong password policy, awareness campaigns, and established a culture of good password hygiene. None of it seems to matter in that soul crushing moment when a malware operator dumps passwords that include one of your company’s accounts. I’ll step you through renewing hope after a password dump including where they come from, what to do with them, and what the best value and pitfalls can be.
How to build a security awareness strategy that works!
Training Ground, 10:30 Tuesday
I created this training as a short, invigorating course that should help you whether you are established in your career in awareness, or want to break into the sector. Or just curious about how to make awareness more than phishing and posters. We will go over key themes of trust building, inclusion and accessibility, qualitative data instead of dashboards and how to evaluate vendors. Full resource packs are given to all attendees.
How to communicate with non-security specialists to drive action
Common Ground, 11:00 Tuesday
How many times have you let someone know about a critical issue, only to be dismissed? Or maybe you see a significant improvement to a process that can be made, but no one senses the urgency or understands why they need to change their way of working?
So much of the work in security today is persuading people to act - to fix, to change, to update, to communicate.
Technical prowess is often the starting point of many careers, but the ability to communicate and persuade people to act is what will fuel career growth and influence change within an organization.
In this talk, security practitioners of all levels learn the valuable pieces of communication to resonate with others and drive action.
How to have perfect vulnerability reports and still get hacked
Common Ground, 18:00 Tuesday
What vulnerabilities are really lurking in a given application? The assumption that we can answer that question undergirds US government mandates both recent and decades-old. Hackers, of course, know that this is absurd: attackers have 0days and aren’t afraid to use them. But even a much-humbler goal, “free of known vulnerabilities,” isn’t as feasible as we’ve been led to believe. In this talk, we’ll see the pitfalls of common tools—software composition analysis (SCA) and software bills of material (SBOMs)—commonly brought up as silver bullets for this issue. We’ll see the vulnerability reporting ecosystem, including databases and manual triage of vulnerabilities in your application.
Nonetheless, we’re hopeful: these tools are stronger together and can do a good job in many scenarios. Further, we’ll see what the future holds for bringing us closer to “free of known vulnerabilities” status, from open-source tooling to better government policy.
Attendees to this session will learn about:
- automated security tools that miss what’s right in front of them,
- empirical research exposing vulnerability management challenges,
- the fight against security by obscurity, and
- the daily commitment to keep applications free of known vulnerabilities.
How to prioritize Red Team Findings? Presenting CRTFSS: Common Red Team Findings Score System Ver. 1.0
Ground Truth, 14:00 Tuesday
Robust red team practices generate multiple findings gradually; defenders struggle to keep up with remediations and detections. All red team findings are critical, but if everything is a priority, then nothing is. Organizations cannot feasibly defend against all ATT&CK techniques. They have more findings than they can optimally assign resources to and focus on the critical ones; they need a system to help them make this task manageable. This talk introduces CRTFSS: A methodology to prioritize red team findings using adversary behaviors observed in real-world threat intelligence and mapped to the MITRE ATT&CK based on the most frequent TTPs that score each finding based on the complexity of remediation and exploitability.
Sure, not all findings can be categorized through this methodology, but it's a start. Whether you work in a security team, need help prioritizing the red team findings that resulted from external assessments or BAS tools, are in an internal red team helping blue teams address critical outcomes, or work as a consultant needing support when reporting to clients, come learn how to prioritize your red team findings better and improve categorizing, tackling the critical ones first, and feel less overwhelmed with this daunting task.
Hungry, Hungry Hackers: A Hacker’s Eye-view of the Food Supply
I Am The Cavalry, 14:00 Tuesday
Sick Codes has dazzled Hacker Summer Camp and the world for the last few years - most recently with last year’s Doom on a Deere. His last several years of research and engagement with the food supply and it’s vulnerable equipment extends beyond tractors. He will share some of what he has found, how others can get involved, and some of the increasing risks and stakes for the food we put on our table. This hacker perspective will feed into the subsequent session that will further cultivate the risks to the larger food supply ecosystem.
Hunting Cryptoscam Twitter Bots: Methods, Data & Insights
Underground, 15:00 Wednesday
“Having issues with your crypto wallet? send a DM! contact us at email@example.com!” This is the kind of message anyone mentioning specific crypto-brands in a tweet is receiving. Our talk will deep dive into the bots spreading these fraudulent tweets and its operators. We will use a dataset collected over several months to educate about what triggers bots and deduce about the infrastructure behind it. We will also demonstrate how this data can be used effectively to not only hunt bots at scale but also detect unknown trigger-words and monitor fraud trends (guess for example what happened after certain exchanges collapsed?). As a bonus, we will share our multiple correspondences with fraudsters, pretending to be “innocent victims” and how we leveraged social engineering to track them down.
Hyper-scale Detection and Response
Ground Floor, 15:00 Tuesday
Are you tired of paying exorbitant fees for your current SIEM platform? Are you looking to improve your organization’s Threat Monitoring and Detection capabilities without breaking the bank? Look no further! Our session will provide insights on how you can avoid the rising licensing costs of a third party SIEM and build near real-time detections on logs at a hyper-scale of 45TB+ per day! You won’t want to miss this opportunity to learn about cutting-edge open source technologies that can transform your security operations. Get ready to say goodbye to expensive SIEM solutions and hello to cost-effective, highly scalable, and efficient security monitoring.
Introduction to IATC Day Two
I Am The Cavalry, 10:30 Wednesday
Intro to IATC Day 2
Introduction to the Track, Reflections on a Decade of IATC
I Am The Cavalry, 10:30 Tuesday
A decade ago, Josh and Nick brought passion and provocation: The Cavalry isn’t coming… So what are YOU willing and able to do?? “Our dependence on connected technology is growing faster than our ability to secure it… in areas affecting public safety and human life.” Using empathy, trust building, teamwork, and tenacity this crazy mission has profound impact on safety and public policy… and yet there is so much more to do! A decade later, the world is in a very different place. To adapt to the world ahead we need a fresh and sober assessment of what worked, what didn’t, what is sustainable, and what is most missing. Longstanding Cavalry leadership will close a decade of public service and articulate a vision for the next decade and generation.
It’s all about Talent
Hire Ground, 12:30 Wednesday
Two truths and lie: Cybersecurity jobs are more resilient in an economic downturn. At any given time there are over 500,000 open jobs in cybersecurity. Making a career in cybersecurity is easy.
This talk will cover the landscape of cybersecurity hiring with tips and tools for a successful job hunt and advancing your career. Cybersecurity is a broad industry with many avenues to pursue based on an individual’s interests and curiosity. We’ll cover best practices to interview and stand out from the competition along with preparation for how to advance career opportunities once you’re hired.
It’s not the end of the world but you can see it from here.
Underground, 17:00 Wednesday
I will discuss real-world equipment hacks caused by nation-state actors attacking humans and ways to mitigate similar impacts. Examples will cover a range of laboratory equipment, including research labs and industrial manufacturing facilities. In this talk, we will explore the common causes of laboratory and OT equipment breaches caused by human error, including misconfiguration, misuse, and malicious actions. We will examine the potential consequences of such failures, including data loss, damage to equipment, and even injury. I will also present a range of strategies for preventing such issues, including implementing standard operating procedures with a security focus, using equipment monitoring systems, and adopting best practices for equipment architecture.
Jumping from cloud to on-premises and the other way around
Training Ground, 10:30 Tuesday
The use of the cloud is becoming more and more predominant in large companies. However, transitions from legacy infrastructure are sometimes done through “brutal” strategies (migration of 80% of the IS in 2 years). In fact, not all teams are properly trained to the new paradigm of security in the public cloud, leading therefore to blind spots in IS security.
This workshop aims to reintroduce the main principles of the public cloud (shared responsibility model, managed services, RBAC rights model), and to highlight the possible ways of elevating privileges within CSPs and lateralization between the management plane (CSP) and the data plane (AD).
Through a combination of theoretical lectures and hands-on exercises on dedicated labs, participants will gain a practical understanding of these concepts. No prior knowledge of cloud security or AD security is required.
Lies, Telephony, and Hacking History
Ground Floor, 11:30 Tuesday
Who’s ready for some “Show & Telecom”? This talk takes attendees on a historic retrospective journey through time. Learn when Social Engineering first intersected with Technology, following previous advancements in Telecommunications. Our expedition highlights the technological origins of Phone Phreaking, Computer Hacking, Social Engineering, and how these activities relate to modern times. The speaker brought numerous hardware relics from the past to show the crowd throughout this presentation. Come learn about what the underground phone phreak and early computer hacker scenes were like before there was a Cybersecurity industry and associated career paths.
Linux Digital Forensics: a theoretical and practical approach
Training Ground, 10:30 Wednesday
As hardening and monitoring of Windows systems is becoming more mature in corporate environments, cybercriminals and APTs increasingly turn to Linux hosts to conduct their campaigns.
Whether you are new to incident response (IR), or a tailored responder looking to improve your Linux forensics skills, this workshop aims to provide you with the necessary knowledge and tools to investigate compromised Linux systems.
This workshop will cover the different steps of Linux IR, from data acquisition to TTPs analysis, while introducing Linux malware analysis fundamentals. Participants will be able to practice their newly acquired abilities on a hands-on exercise, which consists of a triage collection and a disk image from a compromised system. Inspired by several IR engagements of the CERT-W, this challenge will give insight on real-life attacks of Linux systems.
Linux Privilege Escalation
Training Ground, 10:30 Tuesday
Attackers never stop at initial compromise; there is always an end goal objective which often requires privileged access to specific devices or systems. Identifying the correct privilege escalation vector can often feel like looking for a needle in a haystack, however with the right approach and understanding of the various controls in play, gaining full control can often be a safe assumption in many instances following initial foothold.
This workshop aims to equip those likely to find themselves with an initial foothold, with the skills to practically exploit a given privilege escalation vector on the target Linux system.
Machine Learning for Insider Threats: At the Intersection of Security and Privacy
Ground Truth, 11:30 Tuesday
Your boss is watching! While employee supervision isn’t a new idea, electronic monitoring and vetting using machine learning is relatively new. At the same time, consumer privacy law is being extended to employees. What are the hazards, and is bossware worth it?
Mainframe Hacking for CICS and Giggles
Breaking Ground, 11:30 Wednesday
Mainframe systems continue to drive global economic activity despite the “legacy” label they are often associated with. In fact, mainframes are responsible for business-critical functions across 70 percent of Fortune 500 companies. If you have ever withdrawn cash at an ATM, done your taxes online, or booked a flight for your next holiday, you have likely interacted with a mainframe application. As with all business-critical systems, ensuring they are secure is imperative. This talk is designed for anyone interested in the security of these mainframe applications.
We will go over how mainframe systems work, why they are so important, how the applications work, how they are used, and how the researchers were able to exploit a number of vulnerabilities in real world mainframe applications.
Management Hacking 102: Personalities, Empathy, and Difficult Conversations
Hire Ground, 10:30 Wednesday
Why do some employees act and communicate very differently than others? Could you have been more empathetic with a challenging employee? How does your team deal with change and why do we avoid difficult conversations? No matter how long you’ve been a leader, eventually you’ll be faced with these situations and unfortunately they don’t get any easier to deal with.
Last year in Management Hacking 101 we discussed the fundamentals of managing and leading teams such as coaching, hiring, evaluating performance, and understanding emotional intelligence. In this talk we’ll dive deeper into four of the most important areas that all leaders need to know more about: understanding the personalities, relationships, and motivations of our employees, how we can be more empathetic with the people we lead, guiding employees through the change cycle, and how to have difficult conversations.
Join Tom Eston, VP of Consulting & Cosmos at Bishop Fox, as he shares his personal lessons and stories from years of leading teams on these topics so you can become a better manager and leader.
Navigating Security pitfalls during M&A : Playbooks & Strategies for doing acquisitions right
Ground Floor, 15:00 Wednesday
In this talk, we will share our firsthand experience and practical insights from having done over a dozen acquisitions. We will walk through playbooks that we developed to scale the pre acquisition security evaluation process and post close integration steps. The talk focuses on minimizing risk to the parent org without slowing down the business. By attending this talk, the audience can walk away with a comprehensive framework to do M&A securely.
Negotiating Compromise: How to avoid being labeled a “Chicken Little” while promoting better security decision making
Ground Floor, 17:00 Tuesday
Even though businesses know that cybersecurity is important (most of the time), cybersecurity professionals still have a challenge convincing business leaders -and sometimes even IT- of good cyber hygiene practices. FUD (fear, uncertainty, and doubt) can be an easy temporary actic to get teams to take you seriously, but it must be tempered. This presentation discusses common (and sometimes under utilized) negotiation techniques to help cyber professionals escape from being the physical manifestation of the doomscroll and facilitate better security decisions enterprise wide.
Next Generation Enterprise Security
Ground Floor, 18:00 Wednesday
The single best way Humans transfer knowledge is through stories. We are a social species and there are no better stories than Star Trek episodes. Nearly every episode of Star Trek involves some sort of security incident. Everything from someone stealing data (or Data), insider threats, APT, malware, and more.
Even though the stories are fictitious, we can use them to help tell a story. We can start to ask questions like who is the biggest insider threat the ship faces: Data or Wesley? Why is security so terrible, does Worf ever do his job? Have these people ever heard of two factor authentication? Maybe the holodeck should be sandboxed!
Our industry is one of very serious questions and discussions, but sometimes you can be too serious. Rather than focus on serious security lessons, let’s have some fun. There are a lot of lessons to be learned in Star Trek TNG episodes.
In this session we are going to break down the security themes in Star Trek. Who are threat actors. Who are defenders. What are some mitigations that could be applied. There are many examples of recurring incidents because nobody fixed the problem the first time.
OH-SINT: Merging OSINT Into RE Workflows to Simplify Analysis
Proving Ground, 11:30 Tuesday
Anti-analysis features are becoming more prevalent as developers gain skills and spread knowledge amongst themselves. Adding in the increasing use of crypt services, it’s making RE more challenging when you need to get information out of malware quick and dirty. We look at leveraging more OSINT into the process to track down information, sometimes straight from the developers including occasionally scoring gold with full developer docs, and how this can be reincorporated into the analysis workflow to potentially speed up time to value when the hunt is on.
Oops, I Leaked It Again - How we found PII in exposed RDS Snapshots
Breaking Ground, 18:00 Wednesday
The Amazon Relational Database Service (Amazon RDS) is a Platform-as-a-Service (PaaS) that provides a database platform based on a few optional engines (e.g., MySQL, PostgreSQL, etc.).
A Public RDS snapshot is a useful feature that allows a user to share public data or a template database to an application, but when wrongly used, may accidentally leak sensitive data to the world, even when using highly secure network configuration.
We at Mitiga, discovered hundreds of databases being exposed monthly, with extensive Personally Identifiable Information (PII) leakage.
In this talk we cover the main aspects of RDS snapshots and how easy it is to accidentally expose sensitive data widely to the world. Our research process is based on extensive investigation of the RDS service, its configurations, and limitations.
In the session the participants will get relevant knowledge about RDS snapshots, including real-life examples of the risk of using this service, and recommendation of how to prevent, detect and remediate the risk of accidentally sharing RDS snapshots publicly. We will share an in-depth description of our automated process, which includes procedures to constantly monitor for public snapshots, and remove any if found.
Open Source GitOps for Detection Engineering
Ground Floor, 11:30 Wednesday
Detection engineering is a key aspect of modern security operations, but implementing effective detection strategies can be complex and time-consuming.
This talk will introduce an open-source GitOps framework that enables security teams to manage their detection rules and policies efficiently. GitOps is a methodology that streamlines the management of infrastructure and applications using configuration files managed in Git as the source of truth. With GitOps, teams can version control their entire detection infrastructure, including detection rules, alerts, and remediation workflows.
The open source GitOps framework we will discuss offers several advantages for detection engineering. First, it allows security teams to collaborate and manage their detection infrastructure in a more agile and effective manner. Second, it provides greater transparency and auditability, enabling teams to track changes to their detection infrastructure over time. Third, it enables automated deployment of detection rules and policies, reducing the risk of human error and improving the speed of response to security threats.
Live demos and configuration samples will be provided to demonstrate the implementation of this framework with osquery, Fleet, and Matano.
Opening Remarks - Day One
Breaking Ground, 09:00 Tuesday
Opening Remarks - Day One
Opening Remarks - Day Two
Breaking Ground, 09:00 Wednesday
Opening Remarks - Day Two
Overcoming Barriers in Security DSLs with BabbelPhish: Empowering Detection Engineers using Large Language Models
Ground Truth, 12:00 Wednesday
The rise of detection-as-code platforms has revolutionized threat detection, analysis, and mitigation by leveraging domain-specific languages (DSLs) to streamline security management. However, learning these DSLs can be challenging for new detection engineers.
In this talk, we introduce BabbelPhish, an innovative approach utilizing large language models to bridge the gap between natural language queries and security DSLs. We demonstrate its application to MQL, Sublime Security’s free DSL for email security, and its potential extension to other DSLs. BabbelPhish enables users to harness the full potential of detection-as-code platforms with familiar natural language expressions, facilitating seamless transitions from triage to querying and coding.
We will discuss BabbelPhish’s architecture, training process, and optimization techniques for translation accuracy and MQL query validity. Through live demonstrations and user interviews, we will showcase its real-world applications and implementation options, such as a VSCode plugin.
Join us as we explore how large language models can integrate natural language capabilities with the precision of security DSLs, streamlining security management and threat hunting, and making detection-as-code platforms accessible to a wider range of security professionals.
Password911: Authentication Adventures in Healthcare
PasswordsCon, 17:00 Tuesday
Healthcare is a tricky field when it comes to cyber security. It’s a bad day if your anesthesiologist gets locked out of their account mid-surgery. Likewise, when you have a medical emergency halfway around the world you might not be in any condition to give local caregivers authentication credentials. This talk will cover some of the challenges with providing authentication in clinical settings as well as current approaches to tackling this issue.
Passwords: Policies, Securing, Cracking, and More
PasswordsCon, 10:30 Wednesday
We can’t get rid of passwords, no matter what you read. They are essential for service accounts, dev accounts, and more. So, how do you secure them in AD and AAD? We will cover that and more. We will cover the basics and the complex. We will cover how to create a more-secure password and how attackers can crack passwords that are weak. You must understand that MFA can’t be used everywhere, so passwords are essential in every environment!
Penetration Testing Experience and How to Get It
Hire Ground, 13:00 Tuesday
There are many resources to learn how to become a pentester but the lack of experience can be an obstacle when getting that dream role in pentesting. The Pentester Blueprint coauthor Phillip will share ways to get experience and demonstrate the experience and skills that are helpful in getting started in a pentesting career.
Pentesting ICS 101
Training Ground, 10:30 Wednesday
Do you want to learn how to hack Industrial Control Systems? Let’s participate in the one and only CTF in which you really have to capture a flag, by hacking PLCs and taking control of a robotic arm! We’ll start by explaining the basics of Industrial Control Systems : what are the components, how they work, the protocols they use… We’ll learn how PLC work, how to program them, and how to communicate with them using Modbus, S7comm and OPCUA.
Then we’ll start hacking! Your goal will be to take control of a model train and robotic arms to capture a real flag! The CTF will be guided so that everyone learns something and gets a chance to get most flags!
Playing Games with Cybercriminals
Ground Truth, 17:00 Wednesday
Up to this point in time, the primary law enforcement strategy used to fight cybercrime has been the “hammer”. Given a core function of policing has been to arrest criminals, it is no surprise that offenders involved in digital crimes like hacking, online fraud and malware have also faced prosecution. Alongside arrests, has been the takedown of cybercriminal infrastructure, such as marketplaces or botnets. This has been carried out by law enforcement, with industry also playing a role. But questions have been raised about the long-term impact of such operations, and whether new players or infrastructure simply emerge with the cybercrime threat continuing unabated, or even growing.
This talk moves beyond the law enforcement hammer, and examines whether there are softer approaches which might also be used to reduce the threat of cybercrime. In particular, it focusses on the underlying economics of cybercrime and the levers which could be pulled to damage the efficiency of cybercriminal markets and disrupt illegal operations. In short, can law enforcement, and their partners in industry, play games with cybercriminals?
Public Service Journeys (To and From Hacking Culture)
I Am The Cavalry, 18:00 Tuesday
From an Air Force combat pilot into the loving arms of the helpful hacker community and ultimately co-founding the Aerospace village, “Spanky” has found common cause and common purpose with this motley crew and community… From an intern and Cavalry Force of Nature organizing the first Congressional Delegation to Hacker Summer Camp, Ayan is now serving in the White House Office of National Cyber Director (ONCD). These journeys and pathways both run through the mission of I am the Cavalry, the Aerospace Village, and culminated in intense collaboration in the CISA COVID Taskforce. Part of the strength of this decade of making the world a safer place draws from the diversity of skills and experiences.
Our differences have made us stronger and we have asked these two to reflect on their origin stories and different teammates and skills that have helped to protect the public.
QueerCon Pool Mixer
Middle Ground, 20:00 Tuesday
Join QueerCon at the Tuscany pool. Don’t forget your swimsuit and BSides conference badge!
Middle Ground, 08:00 Wednesday
Regular expressions are good, actually: A technical deep-dive into an ideal infosec regex implementation
Ground Truth, 17:55 Wednesday
Regular expressions are everywhere in information security, but are often seen as opaque, academic, and boring. Regular expressions are anything but boring! This talk starts by explaining what regular expressions are (from a theoretical perspective) and why they’re such a good fit for Infosec. The talk then proceeds to explain how common implementations aren’t designed for Infosec use, sometimes even to the point of creating security risks. A brief survey of desired features is then given, and finally a technical dive (including code and benchmarks) is presented on how an ideal regular expression engine for Infosec might be implemented.
While this talk has some math, it is designed to be accessible to anyone with a background in Infosec, including newcomers to the field.
Resume Review & Career Coaching (Day 1)
Hire Ground, 15:00 Tuesday
Resume Review & Career Coaching
Resume Review & Career Coaching (Day 2)
Hire Ground, 15:00 Wednesday
Resume Review & Career Coaching (Day 2)
Rockstar Role: Security TPM
Common Ground, 15:00 Tuesday
The Security Technical Program Manager is probably one of the most misunderstood roles today. If you ask five people what TPMs do, you will get wildly different answers, which makes it hard for folks to break into the role as well as recruit for the role. This talk will dive into what the role is, what the role is not (and what to do if you find yourself doing these things), what makes someone successful in this role, common (and uncommon) paths to securing your first TPM role, how to hire for this role, and why we think this is one of the best roles in security.
Saving Lives in Healthcare: Trust, Teamwork, Tangible Outcomes (Decade of Change) with special government teammates
I Am The Cavalry, 14:00 Wednesday
Part 1 - Hour 1-Dr. Suzanne Schwartz will share her perspective on how IATC has impacted medical devices and health care in the United States. She will be joined by Jessica Wilkerson (OST) Monroe Molesky(OST), Arvin Eskandarnia (OST), and Matthew Hazelett (OPEQ/IO) as well as Beau Woods to talk about a decade of progress. Part 2 Hour 2 Blueprint for Changing the World
Security Data Science Teams: A Guide to Prestige Classes
Ground Truth, 17:00 Tuesday
As more of security becomes driven by data, a menagerie of job titles have cropped up across the industry. Data Scientist, ML Engineer, Data Engineer, AI Researcher, and more have become de rigeur job titles – but the lines between each role remain blurry, especially for early career and non-data folks.
In this talk, we talk about where the skills of these roles overlap, how to pursue a security data career, and crucially, offer some hot takes on why maybe we need some clearer lines.
Separating Fact from Fiction: The Realities of Working in Government
Hire Ground, 11:30 Wednesday
Working for the government is great…
When you read that did you think, “I doubt it, no way…” or “Maybe, I guess it could be…”?
There are plenty of stereotypes and misperceptions about working in government from the endless bureaucracy, outdated tech, and more acronyms than anyone can handle. This is your opportunity to hear directly from those who know best the good and the more frustrating aspects of working for Uncle Sam.
Our panel of policy and technical experts will address the rumors and dispel the myths. They will share their firsthand experiences working in a variety of government agencies to support veterans, secure air travel, and protect critical infrastructure. Most importantly, you will learn why they choose to deal with red tape for the rewards of serving in their roles.
Join us for a candid discussion to learn more and answer your questions at the easiest Spot the Fed opportunity ever!
Shining a light into the security blackhole of IoT and OT
Proving Ground, 11:30 Wednesday
The Internet of Things (IoT) and the rise of Operational Technology (OT) networks have brought about a significant increase in the number of connected devices in modern networks, creating new challenges for blue teams in terms of inventorying assets, identifying and mitigating vulnerabilities, and verifying security controls coverage. This presentation will explore the unique challenges that IoT and OT pose for network scanning and provide solutions for effectively addressing these challenges while ensuring the safety and availability of these systems. The presentation will cover topics such as identifying IoT and OT devices on a network, understanding the context of vulnerabilities associated with these devices, and implementing appropriate security controls to mitigate these risks while ensuring the safety and availability of these systems. Attendees will also learn about best practices and tools for IoT and OT network scanning, such as using automated asset inventory, performing regular vulnerability assessments, and testing the changes in a controlled environment before implementing them. This presentation aims to equip blue teams with the knowledge and skills they need to effectively protect their organizations’ networks in the IoT and OT era while ensuring these systems’ safety and availability.
So Who’s Line Is It Anyway? Recruiter Panel
Hire Ground, 11:30 Tuesday
Conversations with recruiters are always challenging. What do you say? What do they say? Who goes first? Who should follow up? This panel is made up of two amazing recruiters who are long time volunteers in the community who know how to coach hackers in their job search but also how to navigate the hiring process. Come to listen to a frank discussion about recruiting and job search. More importantly, come to ask questions!
Social Engineering: Training The Human Firewall
Ground Truth, 14:30 Tuesday
Phishing is one of the leading cyber attacks worldwide, resulting in numerous social engineering training exercises to train average users to defend against these attacks. This discussion focuses on research that took a pool of users with three different phishing campaigns, each of these campaigns focused on a different threat. The purpose of the study is to find the psychological reasoning as to why users click phish. The results will teach the audience how to measure risk, improve security education, and understand the users in their business.
Strategies for secure development with GraphQL
Common Ground, 14:00 Tuesday
Join me for a tour through what I have learned developing, testing, and operating a GraphQL API in the real world.
This talk will discuss how to build security into your GraphQL API from the ground up. We will cover how to approach security as a core feature of your graph, how to build the tools developers need to construct secure applications, and how to log GraphQL requests in a way that fits your use case.
Sure, Let Business Users Build Their Own. What Could Go Wrong?
Common Ground, 17:00 Wednesday
Business professionals are tired of waiting for IT to address their needs. Instead, they are building their own applications with low-code / no-code platforms. Recent surveys show that most enterprise apps are now built outside of IT by business professionals who hold no previous experience in building software.
Enterprises are placing developer-level power in the hands of 100x new business developers.. What could go wrong? In short, everything.
In this presentation, we will share extensive research on the security of low-code / no-code applications based on scanning >100K applications across hundreds of enterprise environments. We will demonstrate how most applications get identity, access and data flow wrong, cover a wide range of security issues found in real environments, and share their backstories and implications.
Finally, we will share the OWASP Low-Code / No-Code Top 10, the first-ever security framework for categorization and mitigation of common security issues with business-led development. We will illustrate why the involvement of AppSec teams is desperately missing from business-led development, and share stories about organizations that got it right.
System Dynamics in Risk Management: A Primer
Ground Truth, 15:00 Wednesday
Systems thinking is a mental model from engineering disciplines. Its sub-discipline called system dynamics visualizes the world in terms of stocks, flows, and feedback loops. In system dynamics, systems represented as a set of stocks and flows are constrained through balancing feedback loops, or they can enter compounding spirals (virtual or vicious) through reinforcing feedback loops. The goal is to identify leverage points where a small change can cause big and beneficial changes throughout a system. This way of thinking, analysis, and problem-solving can be applied to almost any field, yet information security education programs typically don’t cover systems thinking and system dynamics.
This primer will introduce systems thinking and walk attendees through creating causal loop diagrams with stocks and flows for information security and risk management scenarios, identifying balancing and reinforcing feedback loops, and understanding how delays and oscillations can affect complex systems. Consultants as well as risk management and infosec practitioners who are internal to companies may benefit from this session, which introduces a different approach that can become part of their toolset.
The Art of Letting Go: Secure delegation of permissions in AWS environments
Ground Floor, 17:00 Wednesday
This talk will tell the story on how we used SCPs (service control policies), IAM permission boundaries and IAM policies across our AWS Organization to set up the necessary guardrails to allow our engineering teams to use privileged IAM actions in AWS environments, enabling them to move fast without the need for manual approval workflows for the creation of resources. Additionally, we used an event based solution powered by EventBridge and Lambda to analyse for compliance, perform automated remediations and send notifications, which increased our visibility without adding to our workload. Cloud service providers forever changed how engineering teams work. Many companies have moved, or are starting to move, away from maintaining and operating cold and unforgiving server rooms, allowing that to be someone else’s problem. The time and effort required to have a server up and running went from weeks or days to seconds or minutes. Infrastructure as Code elevated that, allowing teams to have consistent working environments thus enabling the business to support as many customers or features as they wish to, reliably. Security teams’ need to find comfort in flexibility to empower engineering teams. Identity and access management, are a vital part of that journey.
The Birds, the Bees, and the CVEs: Understanding the Novel Vulnerabilities in Critical Infrastructure
Proving Ground, 10:30 Wednesday
During this talk, Iain Deason will describe the difficulties and the techniques used to understand the impact of product vulnerabilities to different sectors to critical infrastructure. When new and novel vulnerabilities are disclosed, especially in control systems and medical devices, it can be difficult for asset owners to understand the potential impacts to the larger ecosystem or the affected critical infrastructure sector. The audience can learn of different strategies that have been utilized to understand the risk with new and novel vulnerabilities and potentially a new perspective on when vulnerabilities enter the ecosystem and coordinated vulnerability disclosure.
The Brazillian DeepWeb. How Brazilian fraud groups work on Telegram and WhatsApp
Proving Ground, 11:00 Wednesday
Many investigative agents talk about cybercrime on Deep and Darkweb, but in Brazil the reality is a little different. The study shows an insight into how groups act, the main scams and especially how the use of counterintelligence can help in gathering information about targets.
The British are Coming! (To Talk IOT Secure By Design)
I Am The Cavalry, 10:45 Wednesday
Representatives from the UK will be present to discuss the Department for Science, Innovation & Technology: Major Goals: -positioning the UK at the forefront of global scientific and technological advancement -driving innovations that change lives and sustain economic growth -delivering talent programmes, physical and digital infrastructure and regulation to support our economy, -security and public services
- R&D funding
The Dark Playground of CI/CD: Attack Delivery by GitHub Actions
Breaking Ground, 11:30 Tuesday
GitHub provides an official CI/CD feature called GitHub Actions. While this feature is convenient for developers, it may also offer an attractive attack vector for attackers, motivating us to research the potential for attacks using GitHub Actions.
This study investigates known attack techniques already used by attackers and includes unknown attacks not yet observed in the wild. Attacks abusing the features of custom action and self-hosted runner have not been previously used by attackers nor published by researchers; our research has uncovered new attack vectors.
In this presentation, we will demonstrate the attack techniques we developed, “Malicious Custom Action” and “GitHub Actions C2”, including code explanation and demos, and share our research findings on threats “Free Jacking”, “Malicious Public PR&Fork” and “Theft of Secret”. Furthermore, we will discuss the systematization of these attacks based on two perspectives: GitHub’s features and threat levels.
Other CI/CD services have similar features to GitHub, which means these attacks could be abused other than GitHub. By discovering threats in CI/CD, we hope to enhance the overall security of these services. Regarding this research, we have been in contact with GitHub and are taking steps towards information disclosure and countermeasures.
The Ever-shifting Habits of Cloud-focused Malware Campaigns
Breaking Ground, 17:00 Wednesday
Cloud-focused malware campaigns have continued to evolve as adoption of cloud technologies increases. After observing a shift away from solely targeting cloud compute resources, and on to serverless environments and containers, it’s clear that cloud services are an increasingly attractive target for malware campaigns pursuing a variety of objectives.
In this session, Matt will discuss analysis of recent cloud-focused malware campaigns, including those which have diversified from the common objective of cryptojacking. TTPs, including persistence mechanisms and defence evasion techniques specific to cloud environments will be discussed. Matt will also provide an overview of recent trends in proprietary telemetry of cloud attacks, including an increase in the use of cloud services themselves to support malware attacks.
The Evolution of Magecart Attacks
Common Ground, 17:00 Tuesday
The GitHub Actions Worm: Compromising GitHub repositories through the Actions dependency tree
Underground, 16:00 Tuesday
How wide can a GitHub Actions worm spread? In this talk, I’ll demonstrate how a worm can crawl through actions and projects, infecting them with malware. We will explore the ways in which actions are loosely and implicitly dependent on other actions, and create a graph-based dependency tree for GitHub actions. This map will set the path for our worm, that is searching its way to infecting as many action dependencies and target as many GitHub projects as possible. Join this talk to learn about the methods our worm uses to make its way towards other actions, to get familiar with the high profile open source projects we could hijack, and to see this worm in action over a demo.
The History of Malware- From Floppies to Droppers
Common Ground, 11:30 Tuesday
Modern malware, such as ransomware, has become synonymous with some of the most devastating cyber attacks of our time.. But it hasn’t always been so. Not too long ago, malware was considered a myth. The first ransomware, for example, was created over 30 years ago as a wild scheme, devised by a man armed with 10,000 floppy disks and a virus. Since then, malware has evolved in many different ways, as technology changes and evolves. Looking back and analyzing this history gives us an unusual perspective- what elements of malware have changed throughout the years, and what has remained consistent? How has this evolved into the most impactful form of cybercrime today, and what can this surprising, untold history teach us about our present and future?
The Importance of Engineering Privacy From the Get Go
Ground Floor, 15:30 Tuesday
The software we build has a human impact even if at surface level it doesn’t seem that way. We as engineers are the stewards of our users’ data so it’s important to know how users are expecting us to protect their identity because it is the right thing to do even if it takes a little more time and effort to build in. This talk will cover the current challenges to securing user data and provide tips on how to protect it.
The Telenovela of Latin America Banking Trojans: A Dramatic story about Cybercrime
Ground Floor, 14:00 Tuesday
Get ready for a thrilling ride as we dive into the Telenovela of Banking Trojans! This talk is not your average cybersecurity talk, it’s a drama-filled story of bad threat actors and their relentless attacks.
Join us as we uncover the twists and turns of one of the most insidious threats to the world of cybercrime. We’ll be exploring the dramatic rise of Latin American banking malware families and how it’s making its way across the world.
We’ll delve into the anatomy of some malware families, and their sneaky modus operandi, and explain why they’re so darn hard to get rid of. Think of it like trying to get rid of a bad ex, except this one is actually damaging your bank account.
As the world battles with cybercrime, banking trojans have emerged as one of the most persistent threats. So, grab some popcorn and join us for this riveting drama of cybercrime.
The attackers guide to exploiting secrets in the universe
PasswordsCon, 17:00 Wednesday
Secrets like API keys and other credentials continue to be a persistent vulnerability. This presentation sheds light on the methods used to discover and exploit such secrets in various environments, including public and private git repositories, containers, and compiled mobile applications.
Recent research has shown that git repositories are a treasure trove of secrets, with 10 million secrets discovered in public repositories in 2022 on GitHub alone. Private repositories are also an issue as they regularly contain large numbers of secrets in their history. The presentation’s first segment delves into discovering and exploiting secrets in both public and private repositories through various methods such as abusing GitHub’s public API, discovering exposed .git directories on networks, and exploiting misconfigurations in git servers. The second segment of the presentation discusses how attackers can discover secrets inside compiled applications. We review how almost 50% of mobile applications hosted on the Google Play Store and nearly 5% of docker images hosted on DockerHub.com contain at least one plain text secret.
This presentation offers valuable insights and information on how to identify and address exposed secrets, one of the most persistent vulnerabilities in application security.
Threat Modeling 101 - Burn risks, not hope
Training Ground, 10:30 Tuesday
Threat Modeling is the best way to discover and remediate threats in your system before they are even created. If done correctly, it is one of the most impactful security programs that you can run within your organization.
In the Security Industry, threat modeling has been misunderstood and many security folks are afraid to carry out a threat model. While it is commonly performed by Application Security or Cloud Security professionals, threat modeling can be done by anyone.
This hands-on workshop will cover the threat modeling workflow and common classes of vulnerabilities in a way that is easy to understand. You will also walk through many hands-on threat modeling examples to ensure that you will be empowered to discover threats in your systems.
Towards Effective & Scalable Vulnerability Management
Common Ground, 10:30 Tuesday
While the security landscape is constantly changing, our approach toward vulnerability management hasn’t changed much over the last couple of decades.
The increasing reliance on third-party code, the growing number of vulnerabilities being discovered, as well as the increased visibility into our software stack in the advent of Log4Shell and the adoption of SBOM, make a more effective and scalable vulnerability management paradigm a necessity.
What would such a paradigm look like?
Join me in this interactive discussion as we’ll explore the challenges of vulnerability management and highlight potential solutions. We’ll discuss current frameworks and standards that can help address this issue, such as CSAF and VEX, and demonstrate how once adopted, they can be used towards automating many aspects of vulnerability management which today are manual and extremely time-consuming.
We’ll explore how to use exploitability as a strong signal for prioritization, and how automation can play a crucial role in making vulnerability management more effective and scalable. By the end of this talk, you’ll have a deeper understanding of vulnerability management and practical insights on how to improve your organization’s security posture. Let’s explore the future of vulnerability management together!
Trusted Devices: Unlocking a Password Manager without a password
PasswordsCon, 18:00 Wednesday
How do you unlock a password manager without a password? How do you get a decryption key from an SSO sign-in or a passkey? In this talk, we’ll discuss how we approached the problem, and the fundamental changes to password manager design needed to make good on the promise of passwordless.
Unveiling the Hidden: Discovering RDP Vulnerabilities using PDF Files
Breaking Ground, 14:30 Tuesday
In our latest research, we explored innovative approaches in uncovering security vulnerabilities within the RDP protocol. Rather than leveraging the conventional reverse engineering tools, we exclusively utilized Open-Source Intelligence (OSINT) techniques, leading us to discover significant security shortcomings, including instances of remote code execution, as well as bypasses of security mechanisms. Our presentation will introduce the RDP protocol and its various use cases, in addition to detailing the motivations behind our adoption of an unconventional research methodology. We will delve into how protocol specifications, open-source implementations, and other publicly accessible resources can be used to reveal hidden vulnerabilities. We will give a comprehensive overview of the vulnerabilities discovered and an in-depth analysis of the most significant ones.
Volunteer Appreciation Poolside Karaoke
Middle Ground, 20:00 Tuesday
Volunteer Appreciation Poolside Karaoke
Vulnerability Intelligence for All: Say Goodbye to Data Gatekeeping
Common Ground, 12:00 Wednesday
Vulnerability management is only as effective as the data driving its prioritization, but critical disparate threat feeds are just out of reach for many. Discover how the Exploit Prediction Scoring System (EPSS) consolidates some of the industry’s best threat intelligence so teams can accelerate their vulnerability management maturity and make better decisions faster.
Water, Water Everywhere: The Krakens, Kelpies, and Mermaids in today’s Water Sector
I Am The Cavalry, 17:00 Tuesday
Water is life…and increasingly exposed to accidents and adversaries. There are over 150,000 water systems in the United States alone. Further, water is critical path for the resilient functioning of Health, fossil and nuclear power plants, food production, living populations. Dean will be discussing some of the existing security challenges of the water system, and how they can impact other critical infrastructure sectors.
What the Yandex Leak Tells Us About How Big Tech Uses Your Data
Common Ground, 18:30 Wednesday
In late January 2023, almost 45 GB of source code from the Russian search giant Yandex was leaked on BreachForums by a former Yandex employee. While the leak itself did not contain user data, it reportedly contained the source code for all major Yandex services, including Metrika, which collects user analytics through a widely used SDK, and Crypta, Yandex’s behavioral analytics technology. While there has been lots of speculation about what big tech companies can do with the massive amounts of data they collect, this is the first time outsiders have been able to peek behind the curtain to confirm it, and what we’ve found is both fascinating and deeply unsettling.
Wolves in Windows Clothing: Weaponizing Trusted Services for Stealthy Malware
Breaking Ground, 10:30 Wednesday
Windows 11 ships with a nifty feature called Power Automate, which lets users automate mundane processes. In a nutshell, Users can build custom processes and hand them to Microsoft, which in turn ensures they are distributed to all user machines, executed successfully and reports back to the cloud. You can probably already see where this is going..
In this talk, we will show how Power Automate can be repurposed to power malware operations. We will demonstrate the full cycle of distributing payloads, bypassing perimeter controls, executing them on victim machines and exfiltrating data. All while using nothing but Windows baked-in and signed executables, and Office cloud services.
We will go behind the scenes exploring how this service works, what attack surface it exposes on machine and cloud, and how Microsoft managed to enable it without explicit user consent. We will demonstrate how Office cloud services can be harnessed to act as a C2 server making detection and attribution extremely difficult.
Finally, we will share an open-source command line tool to easily accomplish all of the above, so you will be able to add it into your Red Team arsenal and try out your own ideas.
Wrangling Cats: How We Coordinate Red Team Testing
Common Ground, 17:30 Tuesday
Cybersecurity testing can be a challenging endeavor for an organization and managing this effort can add an additional layer of complexity due to the collaboration and administration that is required. Having a dedicated resource that can provide this level of coordination for an organization’s Red Team is vital to ongoing success, freeing them to do the research. During this presentation we will explore an end-to-end process that can be utilized to coordinate Red Team testing, how we leverage Jira to enhance the organization of assessments and connecting with our business partners for solution engineering.
The coordination of Red Team assessments includes the initial onboarding of the request, prioritization, scoping, resource allocation, training, account provisioning, removing obstacles, and tracking and communicating status is involved throughout the duration of the engagement. By sharing an end-to-end process that a dedicated resource can use to coordinate an organization’s Red Team, the attendees of this conference will be provided with the knowledge and tools that they can adopt in their companies to enhance their Red Team.
You CAN get there from here!
Hire Ground, 14:00 Tuesday
This talk covers fundamentals of how to effectively search and land your next best opportunity, both internally, or with a new organization, through the perspectives of two seasoned recruiting colleagues in the cleared space. At every chapter of their career journeys, Kirsten and Drake had different perspectives that will impact how they progressed. Most factors along the way we can’t control, but we can respond as if every factor is an opportunity.
3 Learning Objectives:
Searching Strategically (beyond the posting) then connecting meaningfully (volunteering, contributing, engaging) Standing out as a candidate - Getting seen and responded to Taking that leap (into a new role, either internally or at a new company)
This discussion breaks their experience into requirements and techniques that candidates can arm themselves with at each stage they find themselves in, to find and obtain the position that fits best for them.
Your Ad Here: Helping your organization build their security brand
Common Ground, 14:00 Wednesday
Have you ever read a blog, listened to a podcast, or watched a conference talk and thought “I’d like to be able to do that someday?”
Are you a security leader that wants to help your team share their amazing work with the community but isn’t sure how to get started?
Maybe you’re one of the few people at your company that presents at conferences and want to help others?
If you want to help transform your security team’s public persona, this talk is for you!
In this presentation we’ll cover:
- The benefits of having a team that’s engaged with the community
- Tips for helping others write blogs and speak at events
- How to create a culture at your company where folks are encouraged and rewarded for presenting their work
- How to promote your team’s work to extend its reach
You’ve Gained +2 Perception! Leveling Up Your Red Team with a New Maturity Model
Ground Floor, 14:00 Wednesday
The Red Team, helps an organization know itself. It asks questions. It challenges assumptions. It pokes holes, not just in ideas but also in an organization’s technology so that the organization gets quantitative information about how well its security is doing.
But how does a Red Team know itself? Red Teams need to possess a lot of different skills, cover a lot of different attack surfaces, and are often small in the personnel world. How can the team know that it’s up to the task, and how can the team communicate that readiness to leadership so they have confidence in the data the team generates?
This presentation will cover a new, first of its kind Capability Maturity Model to help solve that exact problem. It may not be the sexy new tool to pwn all the things, but if we as offensive security practitioners cannot relate to and support the business-side of the organization, we’re not much better than actual hackers. We’ll discuss how we got to this point and spend the bulk of the time discussing how new and established teams can employ the model to help plan for and report on continued maturity.
ZuoRat: Home (not) Alone
Underground, 14:00 Tuesday
Black Lotus Labs (Lumen Technologies), has tracked elements of a sophisticated campaign leveraging infected SOHO routers to target predominantly North American and European networks of interest, by selecting key individuals working from home. This campaign remained undetected for nearly two years.
We identified a multistage remote access trojan (RAT) developed for SOHO devices that grants the actor the ability to pivot into the local network and gain access to additional systems on the LAN by hijacking network communications to maintain a foothold.
This talk will outline the elements of the advanced campaign based on our current understanding, with particular focus on the first-stage RAT core functionality (including LAN enumeration, pcap of network traffic, and deployment of the HTTP/DNS hijacking ruleset), the fully functional custom agents CBeacon/GoBeacon including their functionality. Lastly analysis of the segmented and rotating C2 infrastructure that leverages 3rd party services such as Yuque in addition to Tencent servers for C2.
I’ll wrap it up with a discussion on monitoring and discovery methodology, host logs generated by the attacker, and how to identify and secure your own environment from this class of attack.