2023 Talks

A Hacker’s Guide for Changing The World (and Where do we go from Here?)

I Am The Cavalry, 17:00 Wednesday

The Capstone event for the IATC Track! We started with inclusion and empowerment. In that spirit we want to share of the less obvious difference makers and tools, to equip future change agents to be successful… Beau and Josh often joked that our book would be called: “We have no idea what we are doing, but it seems to be working”… A decade later, maybe we have a few ideas. We would like to democratize, empower, and enable you with successful recipes to change the world. Special guests will contribute to some of the following collective works: Empathy, Storytelling, Soft skills/media training, Cyber-civics 101, Theory of Constraints, Stone Soup, etc.

Josh Corman, Beau Woods

Actions have consequences: The overlooked Security Risks in 3rd party GitHub Actions

Ground Floor, 14:30 Wednesday

After reviewing the build logs of public CI pipelines, I noticed security issues related to permissions and build integrity. To investigate the extent of the problem, I analyzed the build logs of the top 2,000 starred repositories on GitHub, and the results surprised even me. In this talk, I will share my findings on the prevalence of the world’s most popular repositories that fail to manage their build permissions. Such failure can lead to severe consequences, such as creating tokens to access cloud resources or introducing malware to repository code and artifacts. Next, I will uncover the existence of “unpinnable actions.” We will challenge a highly recommended countermeasure for protecting against compromised third-party actions: pinning. Pinning assures that the action’s code cannot be tampered with. However, even when pinned, new malicious code can still sneak into your pipeline. I will share the conditions that make an action unpinnable and reveal the significant percentage of the world’s most popular actions that we all use and pin, but are actually unpinnable.

Yaron Avital

Adding SAST to CI/CD, Without Losing Any Friends

Training Ground, 15:00 Tuesday

Everyone wants to put tests into the release pipeline, but no one wants to wait hours for them to finish. In this learning lab we will discuss multiple options for adding static application security testing (SAST) to your CI/CD, in ways that won’t compromise speed or results, such as learning which results can be safely ignored, writing your own rules, company-specific checks, scanning PRs instead of commits, splitting blocking scans versus deep audit scans, etc. We will also cover ways to continuously find vulnerabilities.

Tanya Janca, Colleen Dai, Enno Liu

All You Need is Guest: Beyond Enumeration

Breaking Ground, 17:00 Tuesday

Azure AD guest accounts are widely used to grant external parties limited access to enterprise resources, with the assumption that these accounts pose little security risk. As you’re about to see, this assumption is dangerously wrong.

In this talk, we will show how guests can leverage undocumented APIs to bypass limitations and gain unauthorized access to sensitive business data and capabilities including corporate SQL servers, SharePoint sites, and KeyVault secrets. Furthermore, we will reveal how guests can create and control internal business applications to move laterally within the organization. All capabilities presented in the talk work will be demonstrated with the default Office 365 and Azure AD configuration.

Next, we will drop PowerGuest, a powerful tool designed to uncover the true scope of guest access in your tenant. PowerGuest can automate limitation bypass, enumerate and dump all accessible data, and allow for interactive non-read actions by the researcher.

Finally, we will make up for shattering the illusion of guests having limited access by sharing concrete steps to harden your Azure AD and Office 365 configurations to prevent such attacks and suggest detection logic to catch them if a change in configuration is not possible.

Michael Bargury

An Everything Is On Fireside Chat with Jen Easterly, Director of US C.I.S.A.

Breaking Ground, 13:30 Wednesday

Keren Elazari of the Interdisciplinary Cyber Research Center at Tel Aviv University holds a fireside chat with Jen Easterly, Director of the United States Cybersecurity and Infrastructure Security Agency (CISA) on how we can all help build a more resilient cyber ecosystem internationally, and how hackers can be part of driving the conversation and the solutions that arise from it.

Keren Elazari, Jen Easterly

And Together We Crossed the River…

Breaking Ground, 09:30 Tuesday

a decade of change

Josh Corman

Are We too Early for the Party? (the perils of Baking Cyber in from the Beginning)

Common Ground, 17:30 Wednesday

A common cybersecurity trope often stated during/after security design and testing is “we/they should have built cyber in from the beginning.” BUT….How many of us have actually built cyber in from the beginning? The presenters have an uncommon perspective on this matter, and are living the build cyber in dream/nightmare right now. We discuss the perils: product teams unwilling to incorporate cyber, lack of business processes incorporating good cyber design, the reluctance to develop secured designs during demonstration phases versus “certification-only” focus. We discuss the benefits (obvious & not so obvious): requirements documentation, identifying cybersecurity controls, interfacing with product teams, and building a value chain from the start. Just don’t expect being involved early to be the easy button.

Steve Bichler, Lillian Ash Baker

Are your secrets safe - How mobile applications are leaking millions of credentials

PasswordsCon, 14:00 Tuesday

Secrets like API keys, security certificates, and other credentials are the crown jewels of our applications. They give access to our most sensitive information and systems like databases, cloud infrastructure, and third-party services. Despite being highly sensitive, these secrets are being leaked in our source code and compiled mobile applications.

Research shows that after reverse engineering 50,000 android apps hosted on the PlayStore, nearly 50% contained plain text credentials. We review this research to show the most common types of secrets found, where they were found, and the industries they appear within. But how exactly do secrets end up in applications? To answer this we explore research from GitGuardian which every year scans every single public contribution to GitHub (over 1 billion commits) for secrets. The 2023 report showed 10 million credentials leaked publicly on GitHub. Here we break apart mobile applications’ public code and see exactly how secrets leak through code history. We explore the connection between the two research projects (from code to applications) and reveal how many mobile applications are leaking secrets and of course how to keep your secrets secure.

Mackenzie Jackson

Authentication Proxy Attacks: Detection, Response and Hunting

Breaking Ground, 10:30 Tuesday

Over five years ago, evilnginx was released, demonstrating the ease of stealing authentication session tokens from MFA-enabled logon processes with a simple reverse proxy. Despite being a well-known technique, few of these attacks were seen in widespread use among cybercrime threat actors, until recently.

The advent of the EvilProxy and similar platforms has given attackers the ability to compromise targets with strong authentication without resorting to burdensome SIM swapping or noisy push fatigue attacks. With nascent adoption rates of phish-resistant MFA outside government-aligned sectors, organizations need to know how to detect and respond to these attacks.

In this talk, we will provide an in-depth look at the tactics, tools and procedures used in MFA-enabled account takeover. We’ll demonstrate how the ingenuity of this attack has a fatal flaw at its core, allowing us to hunt, detect, mitigate and block this type of attack.

Chris Merkel

BSides Las Vegas Pool Party

Middle Ground, 22:00 Wednesday

It’s not BSides Las Vegas without the pool party! Drink, eat, and float around the Tuscany’s fantastic pool while listening to artfully curated jams by Jackelope, An Hobbes, and DJDead. Don’t forget your swimsuit and conference badge!

BSides Organizers Meet-Up

Middle Ground, 19:00 Tuesday

The Security BSides Las Vegas Meet-Up for current organizers of existing Security BSides events is a wonderful opportunity to share stories and get to know each other. Come meet and mingle with your fellow security cultists!

Daemon Tamer

Becoming a Dark Knight: Adversary Emulation Demonstration for ATT&CK Evaluations

Ground Floor, 18:00 Tuesday

Batman once said, “you either die a hero or live long enough to see yourself become the villain.” What if there was a way to become a cyber villain for the greater good? For the last 5 years, the MITRE ATT&CK Evaluations team has been improving the industry by “becoming the villain.” Using a Latin American APT as our real-world villain, this talk will showcase how to merge CTI and red development capabilities for adversary emulation.

Cat Self, Kate Esprit

Beyond the Perimeter: Uncovering the Hidden Threat of Data Exfiltration in Google Cloud Platform

Breaking Ground, 15:00 Wednesday

Google Cloud Platform (GCP) is a cloud computing platform that has gained immense popularity due to its scalability, flexibility, and advanced features for data analytics, machine learning, and application development.

GCP audit logs provides valuable information for detecting and investigating security incidents. By analyzing audit logs, security professionals can identify suspicious activities and detect potential breaches, allowing for timely and effective incident response.

In this talk, we will discuss the numerous ways attackers can steal data from Google Cloud Platform (GCP) resources with minimal chance of detection. It explores five different methods an attacker can use to exfiltrate data in the popular services: Google Cloud Storage, Cloud SQL and BigQuery. For each method we will show a short demo and describe the generated log events and what to look for to detect malicious behavior.

Overall, the lecture highlights the importance of proactive security measures and recommends best practices such as preparing for security incidents by enabling audit logs of data activity and implementing access controls to prevent unauthorized data exfiltration. By following these best practices and leveraging the insights gained from audit logs, the participants can better protect their GCP resources and respond quickly to potential security incidents.

Or Aspir

Big SIEM Energy at micro-SIEM cost

Common Ground, 15:00 Wednesday

What if you’ve got a major need to, well, manage security incidents and events in your AWS infrastructure but you’re just not feeling the GuardDuty vibes?

There’s a million reasons why you may have specific security monitoring requirements that aren’t fulfilled with heavy-duty solutions. GuardDuty comes with an assortment of pre-built rules for detecting traditional threats to your infrastructure that are specifically tuned for AWS and the average usage of AWS, but what if that’s too much for your use cases or your budget? One-size-fits-all but rarely does it do so well.

This talk will provide a detailed template for a micro-SIEM tuned to your specific needs, using cost effective AWS services such as EventBridge, CloudTrail, SNS, and ChatBot. Discover how to replicate this approach in your own environment or scale similar concepts to a CSP of your choice.

Kenneth Kaye

Breaking Business as Usual: Attacking Android Enterprise Solutions

Breaking Ground, 14:00 Wednesday

On the BYOD bandwagon, it’s more important than ever to understand how to secure the Android enterprise ecosystem. However, managing the security of this solution entails understanding how the ecosystem is designed and its threat model from the point of view of the three main stakeholders - the IT administrator, the Enterprise Mobility Management (EMM) service provider and the work apps developer.

In this session, we will explore Android Work Profiles which provide platform-level separation of work apps and data, giving organizations full control of the data, apps, and security policies within a work profile. We will address the questions of personal apps querying work app data, the possibility of IT admins expanding their privileges, and how rootkits, and malicious apps installed within either the work or personal profiles can violate security assumptions. We will demonstrate this research via proof of concept (PoC) walkthroughs and exploits.

We close our talk by supplying actionable steps anyone can follow, providing a cheat sheet for work profile security configurations offered by any EMM Service (Microsoft Intune, MobileIron, Samsung Knox, etc.)

Join us for a thought-provoking discussion on the balance between security, control, and privacy in the rapidly changing mobile security landscape.

Priyank Nigam

Breaking In: Unleashing the Power of Physical Offensive Security

Proving Ground, 12:00 Tuesday

Do you know SPY×FAMILY? It is Japanese anime in which a brilliant SPY plays an active role. The SPY can easily infiltrate a company building. But in fact, even if you’re not that skilled of a SPY, you can easily infiltrate.

Physical security is often overlooked when companies consider cybersecurity. Insufficient physical security measures allow attackers to physically intrude into restricted areas and even break into cyberspace by hacking LAN ports in offices. And indeed we were able to conduct evaluations against several companies and subsequently break into their corporate networks and take files that imitated confidential information.

In this presentation, we will explain and demonstrate attack methods such as intruding into a building by impersonating an external company, breaking through security gates by duplicating RFID using the latest technology, and bypassing MAC address filtering by LAN port hacking. We hope to help the audiences understand how easy physical attacks are and to help companies strengthen their physical security measures.

Tetsuya Takaoka

Breaking Windows with your ARM

Underground, 17:00 Tuesday

Our research aims to shed light on the current state of Windows on ARM (WoA) rootkits.

Although we have yet to find Windows malware targeting the ARM (or ARM64 aka AARCH64) architecture, and more specifically rootkits are yet to be discovered for this platform, we know that the arms race has begun and its only a matter of time until a rootkit for WoA will emerge.

In our research we looked for ways to implement a rootkit using known mechanisms such as different hooking techniques and callback functions and developed a tool to detect rootkit infections on the WoA platform by looking for in-consistencies in critical kernel structures.

ARM64 architecture provides mobile devices with better battery life while maintaining great performance, and we believe that the future of mobile devices running Windows is in ARM. As WoA gains popularity among users, including those using Apple Silicon devices, it is essential to prepare for the inevitable emergence of rootkits.

Using our tool we hope to lay the groundwork for IR and malware analysts that would have to reverse engineer the malware of the future.

Rotem Salinas

Build Your Own Cat-Shaped USB Hacking Tool!

Training Ground, 15:00 Wednesday

Want to learn how hackers exploit computers in seconds? This beginner-friendly workshop walks you through assembling your own cat-shaped hacking console, which you’ll use to try out fun hacking demos! You’ll learn to solder, write your own USB attack scripts, and learn the techniques hackers use with your new cat companion!

Alex Lynd

Build hybrid mobile applications like a security pro!

Ground Floor, 10:30 Tuesday

Hybrid mobile applications, unlike native ones, primarily function through a set of external, generally open source, libraries that help access the mobile operating system’s native capabilities. But what does this mean in terms of security? Mobile applications come with their own set of security loopholes and attack vectors. Does this approach pose new challenges or exacerbate existing ones? In this talk, instead of discussing a known set of secure libraries, the attendees will understand the mobile threat model and learn how to vet a library by themselves.


Building Your Own AI Platform and Tools Using ChatGPT

Ground Truth, 15:00 Tuesday

Artificial Intelligence (AI) is taking the world by storm. There seem to be so many new platforms popping up daily. AI platforms for red and blue teams already exist, but are they custom tailored to your organization’s environment? If not, then maybe it is time to create your own.

This talk explores the basics of creating your own AI platform using TensorFlow and how it gives adversaries an advantage in the AI sphere. Topics covered will be the use and benefits of using TensorFlow, collecting, cleaning, and training the data using modeling algorithms, working with TensorFlow .H5 files and bringing everything together into a basic working platform using a command-line interface (CLI). Working with additional .H5 files to test data sets to add to the platform will also be included. Pre-made tools will be demonstrated if time and technology restraints allow for it. If you are interested in learning about building your own AI platforms and learning the basic steps and components involved in creating your own, then this talk is for you.

Peter Halberg

Building a Culture of Cybersecurity: A Case Study Approach to Enhancing Risk Management

Proving Ground, 12:00 Wednesday

Risk Management Culture is a critical component of a comprehensive cybersecurity strategy, yet it can be challenging to cultivate and sustain. The most effective way to build a risk-aware culture is to educate and engage both technical and non-technical staff. This presentation will explore the benefits of a risk management culture, and provide a case study-based approach to training security staff and educating non-technical executives. The presentation will draw on real-world examples to illustrate the importance of effective risk management, and provide practical strategies for promoting a risk-aware culture within an organization. The audience, consisting of a highly technical crowd, will appreciate the depth and detail of the content, as well as the focus on real-world applications. This presentation is a must-attend for anyone looking to deepen their understanding of risk management culture and build a more secure organization.

Lewis Heuermann

Closing Ceremony

Breaking Ground, 19:00 Wednesday

Closing Ceremony

Daemon Tamer

Cognitive Security and Social Engineering: A Systems-Based Approach

Ground Truth, 14:00 Wednesday

Cognitive Security is differentiated from more traditional security domains in three ways. First, cognitive security is concerned with protecting cognitive systems not necessarily humans; second, cognitive security considers multiple dimensions of system interaction, and third cognitive security considers multiple scales of operation. Adopting a “systems” perspective considers the interconnectedness of system elements, the function of the system, and scalability; systems-of-systems which may result in one system influencing another. This can be problematic from a security perspective because an effect might be induced in one system that causes an effect in another system, without the effected having visibility into the original cause. Three scales of engagement: the tactical level (single engagements), the operational level (multiple engagements), and the strategic level (traditional security concerns in addition to political and economic levers); combed with an extended OSI Model which includes Layers 8, 9, and 10 to describe human factors, describes a full stack for cognitive security. In order to successfully launch a cognitive attack, threat actors must achieve the objectives of four phases of a Cognitive Security Attack Cycle: Collection, Preparation, Execution, and finally Exploitation. Each phase of the implies points of vulnerability at which an attack might be disrupted.

Matthew Canham, Dr. Ben D. Sawyer

Comprehensive Guide to Runtime Security

Training Ground, 15:00 Tuesday

The adoption of containers and orchestration systems skyrocketed over the last few years. The popularity of these platforms makes them common targets for cybercriminals. Kubernetes combats this risk with built-in controls (such as Admission Controllers and RBAC authorization), but what if you want to observe the behavior of pods at runtime to detect intrusions? In this hands-on training, instructors will depict the cloud-native security landscape, dive into cloud detection and response and show how to detect unexpected behavior and intrusion.

This training is a comprehensive guide to Falco, the de facto CNCF open-source threat detection standard for Kubernetes environments. From using the default rules to customizing existing rules, and writing new Falco rules, attendees will walk away confident they can protect their environment against runtime threats, the last line of defense. Every participant will use a web browser to access their own lab environment, in which they will use Falco to identify and notify intrusions.

This session is for security practitioners who are new to cloud-native and want to expand their knowledge of runtime security, as well as those who are familiar with Falco and want to customize its detection capabilities by writing new rules.

Pablo Musa

Conti Leaks and CARVER Analysis for Threat Intel Analysts

Common Ground, 11:30 Wednesday

In 2022, the Conti ransomware group’s inner chat room discussions were leaked by a dissenting member of the group due to the Russian invasion of Ukraine. As a former intelligence officer of 20 years, I applied the CARVER vulnerability assessment model to the leaked data to rapidly assess the potential risk posed to my large financial firm’s enterprise model. This talk will share the methodology applied and the steps taken to maximize the intelligence value of this rare event;

will baggett

Could Passwordless be Worse than Passwords?

PasswordsCon, 11:30 Tuesday

The use of passwordless technologies has increased lately, and more companies are providing their support for it; this includes big names such as Microsoft, Apple, and Google. Passwordless is a no-brainer for increasing account security since passwords are one of the most common targets of attacks still in 2023. While Passwordless technologies are inherently more secure than traditional password-based authentication, there seems to be an overall idea of this technology being unhackable, and a perception that account takeover and user impersonation are not even possible when using it.

This talk will cover real-world risks and vulnerabilities of passwordless solutions for Web applications and how a faulty implementation can lead to a more significant security breach than when using passwords alone. We will see how as a consequence of an attacker managing to compromise the passwordless authentication, users will not have that tiny piece of protection preventing other people from accessing their details: ironically, a password.

This talk will also cover the best practices for developers looking to integrate a passwordless mechanism (WebAuthn) into their Web application. Recommendations will be included for pentesters, enterprises, and end-users, too.

Aldo Salas

Cyber Crash Investigations: Seizing the Opportunity to Learn from Past Crises

Common Ground, 10:30 Wednesday

In this talk, Julia and David discuss their work in cyber crash investigations, delving into what they’ve learned about opportunities to avoid incidents, minimize their impact, and respond to them effectively, underlined by real-life case studies. The objective of the talk is not to provide a comprehensive checklist for imperviousness to attacks, but to prompt attendees to enquire about their organization’s readiness in less-obvious areas. Just as aviation experts learn from accidents to improve safety, Julia and David hope to provide recent and constructive insights from responding to significant cyber crises.

David Stocks, Julia Wighton

Cyber Threat Hunting (CTH) – Day 1

Training Ground, 10:30 Tuesday

Understanding and practicing Cyber Threat Hunting activities

Bruno Guerreiro

Cyber Threat Hunting (CTH) – Day 2

Training Ground, 10:30 Wednesday

This is the second day of the 2-Day training

Bruno Guerreiro

Cyber risk: How does cyber events become so costly?

Ground Truth, 10:30 Wednesday

Cyber security incidents are costly. Quantifying cyber risk is problematic because it requires deep understand of technology, asset and knowledge of business functions. Data on actual losses is not available, and public information is only partial data. Many top companies have leverage our cyber risk models to quantify their risk. This session will show attendees on a high level, how we quantify cyber risk & what to look out for.
Some of the components of that cost such as ransom payment and business interruptions are making headlines. This presentation identifies and describes other costs that may be less well-known but may be equally, if not more important, and explains how to model these costs.

Wendy Hou-Neely

Defense-in-Depth engineering

Training Ground, 10:30 Wednesday

The 2021 OWASP Top Ten introduced a category “Insecure Design” to focus on risks related to design flaws. In this training, we will focus on building defense-in-depth software. What can we do to proactively architect software to be more resilient to attacks? What type of findings may not be discovered via automated static analysis? How can we design our software to be more friendly during incident response scenarios?

This one-day training is perfect for engineers as well as security practitioners that have some familiarity with the OWASP top 10. During this training, we will focus on identifying often-overlooked architectural anti-patterns and vulnerabilities to be on the lookout for. We will utilize source code review to analyze patterns for improvement in both real-world applications as well as intentionally vulnerable applications. Every interactive exercise will involve discovering concerns and writing code to engineer solutions. The course will wrap up with real-world vulnerability analysis of open-source software with an effort to help provide more secure architectural recommendations for these projects.

John Poulin, Michael McCabe

Do you know where your secrets are? Exploring the problem of secret sprawl and secret management maturity

PasswordsCon, 15:00 Tuesday

Do you know what Uber, CircleCI, and Toyota all have in common? They had hardcoded credentials in plaintext somewhere in their environments, which led to either a public leak or enabled an attacker to expand their footprint during a breach.

It is easy to understand why hardcoding secrets is a problem, but do you know how widespread this problem is or how fast it is escalating? Do you know how it keeps happening? Do you know what you can do about it?

Dwayne McDaniel

Double Entry Accounting for Security

Ground Truth, 11:30 Wednesday

Double entry accounting is a practice that forms the foundation of present-day bookkeeping and accounting. When the methodology was discovered, it revolutionized finance. Could a similar practice work for cybersecurity? This session will walk through ways that you can (and unknowingly already have) implemented a form of double entry accounting that can help you revolutionize your security program.

Sounil Yu

EMBA - From firmware to exploit

Breaking Ground, 12:00 Tuesday

IoT (Internet of Things) and OT (Operational Technology) are the current buzzwords for networked devices on which our modern society is based on. In this area, the used operating systems are summarized with the term firmware. The devices themselves, also called embedded devices, are essential in the private and industrial environments as well as in the so-called critical infrastructure. Penetration testing of these systems is quite complex as we have to deal with different architectures, optimized operating systems and special protocols. EMBA is an open-source firmware analyzer with the goal to simplify and optimize the complex task of firmware security analysis. EMBA supports the penetration tester with the automated detection of 1-day vulnerabilities on binary level. This goes far beyond the plain CVE detection: With EMBA you always know which public exploits are available for the target firmware. Besides the detection of already known vulnerabilities, EMBA also supports the tester on the next 0-day. For this, EMBA identifies critical binary functions, protection mechanisms and services with network behavior on a binary level. There are many other features built into EMBA, such as fully automated firmware extraction, finding file system vulnerabilities, hard-coded credentials, and more.

Michael Messner

Email Detection Engineering and Threat Hunting

Training Ground, 10:30 Wednesday

Email remains the #1 initial access vector for commodity malware and nation state actors. Historically, tackling email-based threats has been considered the purview of black-box vendor solutions, with defenders having limited scope (or tooling!) to swiftly and effectively respond to novel offensive tradecraft.

In this training, attendees will be given detailed insight into the latest techniques used to deliver prevalent malware strains, including QakBot and Emotet, and will hunt through email data to identify this malicious activity, developing rules to detect and block these attacks.

Initially attendees will be introduced to the foundational technologies that enable threat hunting and detection engineering in the email domain, before being given access to the email data of a fictitious company seeded with benign and real-world attack data.

Attendees will be guided through the rule creation process, utilizing free and open detection engines including Sublime and Yara, and will be introduced to the signals that can be used to craft high-fidelity rules, including sentiment analysis, domain age, and attachment analysis. Having completed the training, attendees will have a strong understanding of the tools and techniques at their disposal to defend their organizations from all manor of email threats.

Josh Kamdjou, Alfie Champion

Emulation, PowerPC, and Transition

Breaking Ground, 15:00 Tuesday

One part self discovery, one part technological innovation, this talk follows one hacker’s journey to create a new framework for baremetal emulation while simultaneously realizing and learning to accept fundamental truths about the very core of who she is.

The talk will delve into the details of what an emulator is and why both DARPA and industry giants needed one so badly for the PowerPC architecture. There will be educational background provided into how emulation works and how it can be used to enhance efforts at reverse engineering and security.

There will be a discussion of both the technical and logistical development of the framework and how it can be used to test or reverse engineer industrial systems. This will also includes the technical nuances and challenges of working with PowerPC while making it accessible and user-friendly. The tool will be demonstrated by emulating an engine controller that is actively transmitting messages.

Interspersed throughout the discussion of the projects technical timeline will be photos, stories and anecdotes from both Erin’s transition towards womanhood, as well as insights into the lives and humanity of her and her team.

Erin Cornelius

Enemy Within: Leveraging Purple Teams for Advanced Threat Detection & Prevention

Ground Floor, 10:30 Wednesday

In “Enemy Within: Leveraging Purple Teams for Advanced Threat Detection & Prevention,” attendees will learn to bridge the gap between Cyber Threat Intelligence and Offensive Security.

We’ll explore the importance of cross-functional collaboration with Detection Engineering and Red Team operations, examining challenges in Threat Intelligence and Purple Team operations.

Addressing common challenges faced by offensive security and threat intel teams, such as securing buy-in from management and improving testing efficiency, we’ll discuss how our teams collaborate to execute realistic operations, fostering a positive relationship between offensive security and threat intel resources.

The presentation will include live demos of real-world adversary examples, like web shells and EvilGinx, and showcase open-source tools for streamlining efforts. By focusing on shared problems, we aim to demonstrate the importance of security investment and gain support from key stakeholders with financial resources and decision-making authority.

We’ll address limitations of existing frameworks that haven’t effectively kept pace with real-world threats and conclude with a showcase of open-sourced tooling created by Meta’s Purple Team to tackle the issue.

Jayson Grace, Adam Bradbury

Enemy at the Gate, and Beyond: Detecting and Stopping Account Takeover

Proving Ground, 11:00 Tuesday

Account Take-Over is about more than just getting authenticated. Access acquisition has many faces, including for MFA-enabled accounts. Access leverage can have many faces as well, and having authenticated no longer guarantees you’re indeed who you say you are. We present a novel methodology for analyzing IAM and infrastructure access logs for detecting the various attack scenarios.

Yuval Zacharia

Energy Poverty and Potential Impacts to Other Critical Infrastructures & Powerful Paths to Progress

I Am The Cavalry, 11:30 Tuesday

Energy delivery for all utility sizes is undergoing disruptive change with unprecedented levels of federal and state funding. In this talk I will describe how that’s evolved over the past 20 years, and how we are trying to make it equitable, secure, resilient, affordable and clean in one swoop. Dealing with both historical injustice, climate threats, and international turmoil. Its an impossible proposition. How do we do it better? Is it too late? Can we communicate this in a better way and get social buy in from those who profit? I will also discuss if we are asking the right questions, and if we have already gone past the point of being able to get people to care about death and destruction….

Emma M Stewart, David Batz

F*** Your ML Model

Ground Truth, 10:30 Tuesday

Yeah, Machine Learning is cool, but have you ever curled up with Logic Programming on a rainy day? Ever watched a baby AI Planner take its first steps? Ever ditched work early on a Friday and roadtripped to Vegas with an Optimization Solver?

In this session we’ll take a step back from all the machine learning gigahype and look at the wider world of AI. We’ll explore how NASA drives robots on Mars, how video games create intelligent agents, and how Google interrogates its massive Knowledge Graph.

In each case we’ll see how the same AI methods can be adapted to tackle hard security problems, like tool orchestration and attack surface minimization, and we’ll build out small-scale versions of these problems and show how to solve them using open source libraries.

Colt Blackmore

Failing Upwards: How to Rise in Cybersecurity by finding (and exploiting) your weaknesses

Hire Ground, 10:30 Tuesday

One day as an sysadmin I was asked to just deal with the WAF one day and now I’m a CSO, 18,000 miles, 5 countries and 6 years later. How did this happen?!

Full disclosure: I’m a mediocre sysadmin, an okay engineer, an acceptable architect, and a reasonably good infosec officer. What links them, and my rise through the corporate layers, is that at one point or another my hard work hit a wall and they said “you know what? You’ve done well but how about you head upward while the more apt people finish what you started?”

So here I am, rising far too quickly, doing just enough to keep the Imposter Syndrome at bay, and somehow succeeding at (cybersec) business without really trying. Come find out how!

Wes Sheppard

Farm to Fork(ed): The Forces Fueling Food Chain Risk

I Am The Cavalry, 15:00 Tuesday

Building on the prior session, Paul will lead a discussion on the broader risks from Farm to Factory, and from Factory to Fork. Independent of cyber disruptions, dangerous concentrations of market power in the hands of a small number of large corporations increase the brittleness of the food supply chain. Add to that the risks posed volatile weather patterns, regional conflicts and the fact that the food supply chain is one of the most dependent on other sectors such as: water, chemical, ground transportation, rail, cold chain and cold storage, and electricity. As the industry slow walks its response to growing cyber risk, cyber adversaries are increasing their forays, targeting key food supply chain players. Assuming that we all like to eat, we have our work cut out for us. Paul will be joined by Sick.Codes for this discussion.

Sick.Codes, Paul F. Roberts, Steve Kelly, Casey J. Ellis

Follow the white rabbit down the rabbit hole

PasswordsCon, 18:00 Tuesday

Password cracking is all about patterns, behavior, understanding, and adapting. New technologies and password policies may mandate specific password generation patterns but they also drive a “culture” of wider adoption of phrases, l33t5p34k, and pseudo randomness. When one runs out of techniques and exhausts all the wordlists, rulesets and masks but still only reaches the 98%-mark, new techniques become essential to improvise for handling the remaining 2% of the hashes. The elusive 2% are those which benefit from the new techniques which will be discussed in this talk. Complex and multidisciplinary techniques usually drive cracking sessions down rabbit holes. With the only feedback being a single successfully cracked complex password, is impossible to use these techniques for cracking ‘mainstream’ passwords. And this is why mainstream tools and ethical hackers won’t waste time testing or using these techniques. However, the few remaining uncracked passwords normally contain privileged and/or advanced user accounts. In this talk, I will therefore cover non-traditional password cracking techniques that (through trial and error and randomness) produced good results and yielded interesting passwords.


For Intel and Profit: Exploring the Russian Hacktivist Community

Underground, 18:00 Wednesday

It is not common for analysts to have the opportunity to study the social circles of criminal organizations, but occasionally, a threat group that is more transparent than others emerges. Since the Russian invasion of Ukraine, the security community has had the opportunity to examine several threat groups that are part of the growing Russian hacktivist community, gaining valuable insight into the structure, operations, relationships, and connections between its members and the community around them. These interactions over the last year have taught us about the social and financial backing of the Russian hacktivist community and shown us what the future of hacktivism will look like.

Daniel Smith, Pascal Geenens

Friends Of Bill W Meet-Up

Middle Ground, 20:00 Tuesday

Not a formal 12-step meeting. Rather, a supportive gathering for folks taking Summer Camp one day at a time. Tues and Wed, 20-21:30 in G103. Look for the sign on a patio on the pool side of building G and enter through the patio door.

Friends Of Bill W Meet-Up

Middle Ground, 20:00 Wednesday

Not a formal 12-step meeting. Rather, a supportive gathering for folks taking Summer Camp one day at a time. Tues and Wed, 20-21:30 in G103. Look for the sign on a patio on the pool side of building G and enter through the patio door.

From LLM Obstacles to Open Doors: A Tale of Three CISOs

Breaking Ground, 09:30 Wednesday

When it comes to GenAI and LLMs, there are three concerns and three corresponding opportunities.

Reknowned security researcher and executive Sounil Yu discusses solving for all three of these concerns, and provides specific frameworks and models that allow us to understand the necessary guardrails for each.

Sounil Yu

Gang Gang: Assembling and Disassembling a Ransomware Gang

Underground, 14:00 Wednesday

Ever wonder what goes into a ransomware gang startup? Take this trip with me as I share with you my journey into the ransomware world. Listen to how I struggled to gain acceptance, engaged in a small romance and worked my way up the wobbly ladder.


Good Doesn’t Always Win: Understanding technical and enterprise tradeoffs in Cybersecurity

Common Ground, 18:00 Wednesday

You have just started a new job, and, after settling in, find a huge cybersecurity gap. The great news is you have the perfect solution! The bad news is the company said no thanks. You are taken back and try to explain that this is simple cybersecurity basics, but the company has any number of reasons why they don’t feel it’s a good solution: money, time/effort of implementation, “we have never had a problem before”, or maybe your own IT department is saying that it won’t work. What do you do to make sure your company stays secure? Cybersecurity has arguably reached the point where most organizations understand its necessity, at least in concept. But that doesn’t mean that everyone is open to hearing about the latest threats and all the work (and money) that needs to be spent reducing your risk. This talk is designed to be an open discussion on understanding human behavior, and some tools that could help a cyber professional be more successful, particularly when it comes to negotiating better decision making.

Vanessa Redman

Google Workspace Forensics – Insights from Real-World Hunts & IR

Breaking Ground, 14:00 Tuesday

Google Workspace is now the core IT infrastructure for many organizations, according to Google’s “2021 Year in Review”, 3 billion people use Google Workspace, drawing hackers to directly attack GWS users and resources. Forensics investigators may struggle identifying threats in GWS logs efficiently because of the complexity and the uniqueness of the logs.

In this talk, we share our knowledge & expertise on how to hunt and perform IR investigation over Google Workspace logs based on real-world threat hunt focused on data exfiltration from Google Drive. In this presentation, we will show the work of forensic investigator in Google Workspace (formerly G Suite) domain.

We believe this knowledge is necessary for those who want to investigate Google Workspace logs.

Ariel Szarf, Doron Karmi

Got Hashes. Need Plains | Hands-on Password Cracking

Training Ground, 15:00 Tuesday

A condensed, but nonetheless still very effective version of our commercial training on password auditing, recovery and cracking techniques.

Cracking passwords is a critical skill for today’s information security professionals. With the increasing amount of sensitive information and systems relying on passwords, protecting against unauthorized access is more important than ever. Whether you are looking to crack passwords to gain access to systems, or auditing systems for weak passwords to make them more secure – you will gain a deeper understanding of what various common hashing algorithms are, and how to effectively crack passwords using those hashing algorithms. By the end of this training, you will have a solid foundation of password cracking techniques and be equipped with the knowledge to use password cracking for offence and defence that will allow you to grow your skills and research. We will cover creating powerful wordlists and rules (and why you need them), the tools used to crack hashes and advanced techniques. This training will give you a strong baseline to get you started in your password cracking experience. See the description for the full outline.

Dimitri Fousekis, Ethan Crane

Hiding in Plain Sight - The Untold Story of Hidden Vulnerabilities

Breaking Ground, 18:00 Tuesday

In today’s software development landscape, vulnerability scanners and SCA tools play a vital role in identifying potentially vulnerable software components and mitigating associated risks. However, their effectiveness remains questionable due to differences in implementation, coverage, and performance, as well as inherent blindspots that make them oblivious to critical vulnerabilities in real-world scenarios.

In this talk, we will present the results of a groundbreaking benchmark and root cause analysis research that evaluated leading commercial and open-source vulnerability scanners and SCA tools. We will showcase the main causes of scanner misidentifications, including blindspots created by common build and deployment practices, and thousands of hidden vulnerabilities we identified in real-world applications, many of which are known to be exploited in the wild.

Our findings expose a significant gap in the effectiveness of these tools and raise awareness about the need for objective evaluation criteria. Attendees will leave with a better understanding of the limitations of vulnerability scanners and SCA tools, as well as the importance of adopting more holistic approaches to software security.

Yotam Perkal, Ofri Ouzan

High Stakes HIDe-N-SEEK

Underground, 15:00 Tuesday

Phishing attacks and weak passwords aren’t the only things that are keeping Blue teams up at night. Imagine a nearly undetectable device in the user’s keyboard stealthily leaking out information or acting as a malicious user. Welcome to the nightmare game of HIDe-N-SEEK.

In our public talks about the Injectyll-HIDe project, we were limited by our fear of showing our real capabilities. Unlike our other talks about this implant, in this Skytalks presentation we will go off the record and take a candid deep dive into why the Injectyll-HIDe project is the thing of nightmares. We will be taking an uncensored look at the inner workings that make it so dangerous and why you might need to start walking your enterprise halls with bug sweepers. Audience participation is highly encouraged.

Audiences will leave with a deeper understanding of how the project works, a new platform to use for future Red Team operations, some fun stories, and even some nightmares.
Warning, I am not to blame for any loss of sleep after this talk.

Jonathan Fischer

Home Labs for fun and !profit (Put your home lab on your resume!)

Hire Ground, 13:30 Wednesday

Oh sure, you read all those posts about “My Home Lab” with all the pictures of 19” racks in a garage or basement. But seriously, how can you truly utilize your home lab, not just to learn, but to boost your career and help you get noticed as being that “Unique Individual” that a company really wants to hire!

Come join this talk to learn about building a Home Lab on a budget AND using it to really get ahead. Your lab should be an advantage and a fun learning experience without breaking the bank. Let’s build some systems, run some demos and see how to use all of this to NAIL that next job interview!!

Kat Fitzgerald

How I Met Your Printer

PasswordsCon, 14:00 Wednesday

Often on penetration tests I encounter printers. Lots of printers. The smarter the printer the more likely I’ll gain access to your entire organization by making it do things that will make your IT admins gasp in fear! Come watch as I demonstrate how you too can get your printers to give up all of its secrets.

Tom Pohl

How to Handle Getting Dumped: Compromised Passwords

PasswordsCon, 11:30 Wednesday

Your company has a strong password policy, awareness campaigns, and established a culture of good password hygiene. None of it seems to matter in that soul crushing moment when a malware operator dumps passwords that include one of your company’s accounts. I’ll step you through renewing hope after a password dump including where they come from, what to do with them, and what the best value and pitfalls can be.

Susan Paskey

How to build a security awareness strategy that works!

Training Ground, 10:30 Tuesday

I created this training as a short, invigorating course that should help you whether you are established in your career in awareness, or want to break into the sector. Or just curious about how to make awareness more than phishing and posters. We will go over key themes of trust building, inclusion and accessibility, qualitative data instead of dashboards and how to evaluate vendors. Full resource packs are given to all attendees.

Michelle Levesley

How to communicate with non-security specialists to drive action

Common Ground, 11:00 Tuesday

How many times have you let someone know about a critical issue, only to be dismissed? Or maybe you see a significant improvement to a process that can be made, but no one senses the urgency or understands why they need to change their way of working?

So much of the work in security today is persuading people to act - to fix, to change, to update, to communicate.

Technical prowess is often the starting point of many careers, but the ability to communicate and persuade people to act is what will fuel career growth and influence change within an organization.

In this talk, security practitioners of all levels learn the valuable pieces of communication to resonate with others and drive action.

Ashleigh Lee

How to have perfect vulnerability reports and still get hacked

Common Ground, 18:00 Tuesday

What vulnerabilities are really lurking in a given application? The assumption that we can answer that question undergirds US government mandates both recent and decades-old. Hackers, of course, know that this is absurd: attackers have 0days and aren’t afraid to use them. But even a much-humbler goal, “free of known vulnerabilities,” isn’t as feasible as we’ve been led to believe. In this talk, we’ll see the pitfalls of common tools—software composition analysis (SCA) and software bills of material (SBOMs)—commonly brought up as silver bullets for this issue. We’ll see the vulnerability reporting ecosystem, including databases and manual triage of vulnerabilities in your application.

Nonetheless, we’re hopeful: these tools are stronger together and can do a good job in many scenarios. Further, we’ll see what the future holds for bringing us closer to “free of known vulnerabilities” status, from open-source tooling to better government policy.

Attendees to this session will learn about:

  • automated security tools that miss what’s right in front of them,
  • empirical research exposing vulnerability management challenges,
  • the fight against security by obscurity, and
  • the daily commitment to keep applications free of known vulnerabilities.

Zachary Newman, Luca Guerra

How to prioritize Red Team Findings? Presenting CRTFSS: Common Red Team Findings Score System Ver. 1.0

Ground Truth, 14:00 Tuesday

Robust red team practices generate multiple findings gradually; defenders struggle to keep up with remediations and detections. All red team findings are critical, but if everything is a priority, then nothing is. Organizations cannot feasibly defend against all ATT&CK techniques. They have more findings than they can optimally assign resources to and focus on the critical ones; they need a system to help them make this task manageable. This talk introduces CRTFSS: A methodology to prioritize red team findings using adversary behaviors observed in real-world threat intelligence and mapped to the MITRE ATT&CK based on the most frequent TTPs that score each finding based on the complexity of remediation and exploitability.

Sure, not all findings can be categorized through this methodology, but it's a start. Whether you work in a security team, need help prioritizing the red team findings that resulted from external assessments or BAS tools, are in an internal red team helping blue teams address critical outcomes, or work as a consultant needing support when reporting to clients, come learn how to prioritize your red team findings better and improve categorizing, tackling the critical ones first, and feel less overwhelmed with this daunting task.

Guillermo Buendia

Hungry, Hungry Hackers: A Hacker’s Eye-view of the Food Supply

I Am The Cavalry, 14:00 Tuesday

Sick Codes has dazzled Hacker Summer Camp and the world for the last few years - most recently with last year’s Doom on a Deere. His last several years of research and engagement with the food supply and it’s vulnerable equipment extends beyond tractors. He will share some of what he has found, how others can get involved, and some of the increasing risks and stakes for the food we put on our table. This hacker perspective will feed into the subsequent session that will further cultivate the risks to the larger food supply ecosystem.

Sick.Codes, Casey J. Ellis

Hunting Cryptoscam Twitter Bots: Methods, Data & Insights

Underground, 15:00 Wednesday

“Having issues with your crypto wallet? send a DM! contact us at!” This is the kind of message anyone mentioning specific crypto-brands in a tweet is receiving. Our talk will deep dive into the bots spreading these fraudulent tweets and its operators. We will use a dataset collected over several months to educate about what triggers bots and deduce about the infrastructure behind it. We will also demonstrate how this data can be used effectively to not only hunt bots at scale but also detect unknown trigger-words and monitor fraud trends (guess for example what happened after certain exchanges collapsed?). As a bonus, we will share our multiple correspondences with fraudsters, pretending to be “innocent victims” and how we leveraged social engineering to track them down.

Gal Bitensky

Hyper-scale Detection and Response

Ground Floor, 15:00 Tuesday

Are you tired of paying exorbitant fees for your current SIEM platform? Are you looking to improve your organization’s Threat Monitoring and Detection capabilities without breaking the bank? Look no further! Our session will provide insights on how you can avoid the rising licensing costs of a third party SIEM and build near real-time detections on logs at a hyper-scale of 45TB+ per day! You won’t want to miss this opportunity to learn about cutting-edge open source technologies that can transform your security operations. Get ready to say goodbye to expensive SIEM solutions and hello to cost-effective, highly scalable, and efficient security monitoring.

Neerja Sonawane, Kiran Shirali

Introduction to IATC Day Two

I Am The Cavalry, 10:30 Wednesday

Intro to IATC Day 2

Josh Corman

Introduction to the Track, Reflections on a Decade of IATC

I Am The Cavalry, 10:30 Tuesday

A decade ago, Josh and Nick brought passion and provocation: The Cavalry isn’t coming… So what are YOU willing and able to do?? “Our dependence on connected technology is growing faster than our ability to secure it… in areas affecting public safety and human life.” Using empathy, trust building, teamwork, and tenacity this crazy mission has profound impact on safety and public policy… and yet there is so much more to do! A decade later, the world is in a very different place. To adapt to the world ahead we need a fresh and sober assessment of what worked, what didn’t, what is sustainable, and what is most missing. Longstanding Cavalry leadership will close a decade of public service and articulate a vision for the next decade and generation.

Josh Corman, Beau Woods

It’s all about Talent

Hire Ground, 12:30 Wednesday

Two truths and lie: Cybersecurity jobs are more resilient in an economic downturn. At any given time there are over 500,000 open jobs in cybersecurity. Making a career in cybersecurity is easy.

This talk will cover the landscape of cybersecurity hiring with tips and tools for a successful job hunt and advancing your career. Cybersecurity is a broad industry with many avenues to pursue based on an individual’s interests and curiosity. We’ll cover best practices to interview and stand out from the competition along with preparation for how to advance career opportunities once you’re hired.

Barry Maclaughlin SHRM-SCP

It’s not the end of the world but you can see it from here.

Underground, 17:00 Wednesday

I will discuss real-world equipment hacks caused by nation-state actors attacking humans and ways to mitigate similar impacts. Examples will cover a range of laboratory equipment, including research labs and industrial manufacturing facilities. In this talk, we will explore the common causes of laboratory and OT equipment breaches caused by human error, including misconfiguration, misuse, and malicious actions. We will examine the potential consequences of such failures, including data loss, damage to equipment, and even injury. I will also present a range of strategies for preventing such issues, including implementing standard operating procedures with a security focus, using equipment monitoring systems, and adopting best practices for equipment architecture.

Nathan Case

Jumping from cloud to on-premises and the other way around

Training Ground, 10:30 Tuesday

The use of the cloud is becoming more and more predominant in large companies. However, transitions from legacy infrastructure are sometimes done through “brutal” strategies (migration of 80% of the IS in 2 years). In fact, not all teams are properly trained to the new paradigm of security in the public cloud, leading therefore to blind spots in IS security.

This workshop aims to reintroduce the main principles of the public cloud (shared responsibility model, managed services, RBAC rights model), and to highlight the possible ways of elevating privileges within CSPs and lateralization between the management plane (CSP) and the data plane (AD).

Through a combination of theoretical lectures and hands-on exercises on dedicated labs, participants will gain a practical understanding of these concepts. No prior knowledge of cloud security or AD security is required.

Arnaud PETITCOL, Raymond CHAN

Lies, Telephony, and Hacking History

Ground Floor, 11:30 Tuesday

Who’s ready for some “Show & Telecom”? This talk takes attendees on a historic retrospective journey through time. Learn when Social Engineering first intersected with Technology, following previous advancements in Telecommunications. Our expedition highlights the technological origins of Phone Phreaking, Computer Hacking, Social Engineering, and how these activities relate to modern times. The speaker brought numerous hardware relics from the past to show the crowd throughout this presentation. Come learn about what the underground phone phreak and early computer hacker scenes were like before there was a Cybersecurity industry and associated career paths.

Matt Scheurer

Linux Digital Forensics: a theoretical and practical approach

Training Ground, 10:30 Wednesday

As hardening and monitoring of Windows systems is becoming more mature in corporate environments, cybercriminals and APTs increasingly turn to Linux hosts to conduct their campaigns.

Whether you are new to incident response (IR), or a tailored responder looking to improve your Linux forensics skills, this workshop aims to provide you with the necessary knowledge and tools to investigate compromised Linux systems.

This workshop will cover the different steps of Linux IR, from data acquisition to TTPs analysis, while introducing Linux malware analysis fundamentals. Participants will be able to practice their newly acquired abilities on a hands-on exercise, which consists of a triage collection and a disk image from a compromised system. Inspired by several IR engagements of the CERT-W, this challenge will give insight on real-life attacks of Linux systems.

Thomas DIOT, Maxime Meignan, Axel Roc

Linux Privilege Escalation

Training Ground, 10:30 Tuesday

Attackers never stop at initial compromise; there is always an end goal objective which often requires privileged access to specific devices or systems. Identifying the correct privilege escalation vector can often feel like looking for a needle in a haystack, however with the right approach and understanding of the various controls in play, gaining full control can often be a safe assumption in many instances following initial foothold.

This workshop aims to equip those likely to find themselves with an initial foothold, with the skills to practically exploit a given privilege escalation vector on the target Linux system.

Troy Defty, Andrew Suters

Machine Learning for Insider Threats: At the Intersection of Security and Privacy

Ground Truth, 11:30 Tuesday

Your boss is watching! While employee supervision isn’t a new idea, electronic monitoring and vetting using machine learning is relatively new. At the same time, consumer privacy law is being extended to employees. What are the hazards, and is bossware worth it?

Susan Lindberg

Mainframe Hacking for CICS and Giggles

Breaking Ground, 11:30 Wednesday

Mainframe systems continue to drive global economic activity despite the “legacy” label they are often associated with. In fact, mainframes are responsible for business-critical functions across 70 percent of Fortune 500 companies. If you have ever withdrawn cash at an ATM, done your taxes online, or booked a flight for your next holiday, you have likely interacted with a mainframe application. As with all business-critical systems, ensuring they are secure is imperative. This talk is designed for anyone interested in the security of these mainframe applications.

We will go over how mainframe systems work, why they are so important, how the applications work, how they are used, and how the researchers were able to exploit a number of vulnerabilities in real world mainframe applications.

Jay Smith, Jan Nunez

Management Hacking 102: Personalities, Empathy, and Difficult Conversations

Hire Ground, 10:30 Wednesday

Why do some employees act and communicate very differently than others? Could you have been more empathetic with a challenging employee? How does your team deal with change and why do we avoid difficult conversations? No matter how long you’ve been a leader, eventually you’ll be faced with these situations and unfortunately they don’t get any easier to deal with.

Last year in Management Hacking 101 we discussed the fundamentals of managing and leading teams such as coaching, hiring, evaluating performance, and understanding emotional intelligence. In this talk we’ll dive deeper into four of the most important areas that all leaders need to know more about: understanding the personalities, relationships, and motivations of our employees, how we can be more empathetic with the people we lead, guiding employees through the change cycle, and how to have difficult conversations.

Join Tom Eston, VP of Consulting & Cosmos at Bishop Fox, as he shares his personal lessons and stories from years of leading teams on these topics so you can become a better manager and leader.

Tom Eston

Ground Floor, 15:00 Wednesday

In this talk, we will share our firsthand experience and practical insights from having done over a dozen acquisitions. We will walk through playbooks that we developed to scale the pre acquisition security evaluation process and post close integration steps. The talk focuses on minimizing risk to the parent org without slowing down the business. By attending this talk, the audience can walk away with a comprehensive framework to do M&A securely.

Murali Vadakke Puthanveetil, vinay prabhushankar

Negotiating Compromise: How to avoid being labeled a “Chicken Little” while promoting better security decision making

Ground Floor, 17:00 Tuesday

Even though businesses know that cybersecurity is important (most of the time), cybersecurity professionals still have a challenge convincing business leaders -and sometimes even IT- of good cyber hygiene practices. FUD (fear, uncertainty, and doubt) can be an easy temporary actic to get teams to take you seriously, but it must be tempered. This presentation discusses common (and sometimes under utilized) negotiation techniques to help cyber professionals escape from being the physical manifestation of the doomscroll and facilitate better security decisions enterprise wide.

Vanessa Redman

Next Generation Enterprise Security

Ground Floor, 18:00 Wednesday

The single best way Humans transfer knowledge is through stories. We are a social species and there are no better stories than Star Trek episodes. Nearly every episode of Star Trek involves some sort of security incident. Everything from someone stealing data (or Data), insider threats, APT, malware, and more.

Even though the stories are fictitious, we can use them to help tell a story. We can start to ask questions like who is the biggest insider threat the ship faces: Data or Wesley? Why is security so terrible, does Worf ever do his job? Have these people ever heard of two factor authentication? Maybe the holodeck should be sandboxed!

Our industry is one of very serious questions and discussions, but sometimes you can be too serious. Rather than focus on serious security lessons, let’s have some fun. There are a lot of lessons to be learned in Star Trek TNG episodes.

In this session we are going to break down the security themes in Star Trek. Who are threat actors. Who are defenders. What are some mitigations that could be applied. There are many examples of recurring incidents because nobody fixed the problem the first time.

Josh Bressers

OH-SINT: Merging OSINT Into RE Workflows to Simplify Analysis

Proving Ground, 11:30 Tuesday

Anti-analysis features are becoming more prevalent as developers gain skills and spread knowledge amongst themselves. Adding in the increasing use of crypt services, it’s making RE more challenging when you need to get information out of malware quick and dirty. We look at leveraging more OSINT into the process to track down information, sometimes straight from the developers including occasionally scoring gold with full developer docs, and how this can be reincorporated into the analysis workflow to potentially speed up time to value when the hunt is on.

Nicholas Carroll

Oops, I Leaked It Again - How we found PII in exposed RDS Snapshots

Breaking Ground, 18:00 Wednesday

The Amazon Relational Database Service (Amazon RDS) is a Platform-as-a-Service (PaaS) that provides a database platform based on a few optional engines (e.g., MySQL, PostgreSQL, etc.).

A Public RDS snapshot is a useful feature that allows a user to share public data or a template database to an application, but when wrongly used, may accidentally leak sensitive data to the world, even when using highly secure network configuration.  

We at Mitiga, discovered hundreds of databases being exposed monthly, with extensive Personally Identifiable Information (PII) leakage.

In this talk we cover the main aspects of RDS snapshots and how easy it is to accidentally expose sensitive data widely to the world. Our research process is based on extensive investigation of the RDS service, its configurations, and limitations.

In the session the participants will get relevant knowledge about RDS snapshots, including real-life examples of the risk of using this service, and recommendation of how to prevent, detect and remediate the risk of accidentally sharing RDS snapshots publicly. We will share an in-depth description of our automated process, which includes procedures to constantly monitor for public snapshots, and remove any if found.

Ariel Szarf, Doron Karmi

Open Source GitOps for Detection Engineering

Ground Floor, 11:30 Wednesday

Detection engineering is a key aspect of modern security operations, but implementing effective detection strategies can be complex and time-consuming.

This talk will introduce an open-source GitOps framework that enables security teams to manage their detection rules and policies efficiently. GitOps is a methodology that streamlines the management of infrastructure and applications using configuration files managed in Git as the source of truth. With GitOps, teams can version control their entire detection infrastructure, including detection rules, alerts, and remediation workflows.

The open source GitOps framework we will discuss offers several advantages for detection engineering. First, it allows security teams to collaborate and manage their detection infrastructure in a more agile and effective manner. Second, it provides greater transparency and auditability, enabling teams to track changes to their detection infrastructure over time. Third, it enables automated deployment of detection rules and policies, reducing the risk of human error and improving the speed of response to security threats.

Live demos and configuration samples will be provided to demonstrate the implementation of this framework with osquery, Fleet, and Matano.

Zach Wasserman

Opening Remarks - Day One

Breaking Ground, 09:00 Tuesday

Opening Remarks - Day One

Daemon Tamer

Opening Remarks - Day Two

Breaking Ground, 09:00 Wednesday

Opening Remarks - Day Two

Daemon Tamer

Overcoming Barriers in Security DSLs with BabbelPhish: Empowering Detection Engineers using Large Language Models

Ground Truth, 12:00 Wednesday

The rise of detection-as-code platforms has revolutionized threat detection, analysis, and mitigation by leveraging domain-specific languages (DSLs) to streamline security management. However, learning these DSLs can be challenging for new detection engineers.

In this talk, we introduce BabbelPhish, an innovative approach utilizing large language models to bridge the gap between natural language queries and security DSLs. We demonstrate its application to MQL, Sublime Security’s free DSL for email security, and its potential extension to other DSLs. BabbelPhish enables users to harness the full potential of detection-as-code platforms with familiar natural language expressions, facilitating seamless transitions from triage to querying and coding.

We will discuss BabbelPhish’s architecture, training process, and optimization techniques for translation accuracy and MQL query validity. Through live demonstrations and user interviews, we will showcase its real-world applications and implementation options, such as a VSCode plugin.

Join us as we explore how large language models can integrate natural language capabilities with the precision of security DSLs, streamlining security management and threat hunting, and making detection-as-code platforms accessible to a wider range of security professionals.

Bobby Filar

Password911: Authentication Adventures in Healthcare

PasswordsCon, 17:00 Tuesday

Healthcare is a tricky field when it comes to cyber security. It’s a bad day if your anesthesiologist gets locked out of their account mid-surgery. Likewise, when you have a medical emergency halfway around the world you might not be in any condition to give local caregivers authentication credentials. This talk will cover some of the challenges with providing authentication in clinical settings as well as current approaches to tackling this issue.

Matt Weir

Passwords: Policies, Securing, Cracking, and More

PasswordsCon, 10:30 Wednesday

We can’t get rid of passwords, no matter what you read. They are essential for service accounts, dev accounts, and more. So, how do you secure them in AD and AAD? We will cover that and more. We will cover the basics and the complex. We will cover how to create a more-secure password and how attackers can crack passwords that are weak. You must understand that MFA can’t be used everywhere, so passwords are essential in every environment!

Derek Melber

Penetration Testing Experience and How to Get It

Hire Ground, 13:00 Tuesday

There are many resources to learn how to become a pentester but the lack of experience can be an obstacle when getting that dream role in pentesting. The Pentester Blueprint coauthor Phillip will share ways to get experience and demonstrate the experience and skills that are helpful in getting started in a pentesting career.

Phillip Wylie

Pentesting ICS 101

Training Ground, 10:30 Wednesday

Do you want to learn how to hack Industrial Control Systems? Let’s participate in the one and only CTF in which you really have to capture a flag, by hacking PLCs and taking control of a robotic arm! We’ll start by explaining the basics of Industrial Control Systems : what are the components, how they work, the protocols they use… We’ll learn how PLC work, how to program them, and how to communicate with them using Modbus, S7comm and OPCUA.

Then we’ll start hacking! Your goal will be to take control of a model train and robotic arms to capture a real flag! The CTF will be guided so that everyone learns something and gets a chance to get most flags!

Arnaud SOULLIE, Alexandrine Torrents

Playing Games with Cybercriminals

Ground Truth, 17:00 Wednesday

Up to this point in time, the primary law enforcement strategy used to fight cybercrime has been the “hammer”. Given a core function of policing has been to arrest criminals, it is no surprise that offenders involved in digital crimes like hacking, online fraud and malware have also faced prosecution. Alongside arrests, has been the takedown of cybercriminal infrastructure, such as marketplaces or botnets. This has been carried out by law enforcement, with industry also playing a role. But questions have been raised about the long-term impact of such operations, and whether new players or infrastructure simply emerge with the cybercrime threat continuing unabated, or even growing.

This talk moves beyond the law enforcement hammer, and examines whether there are softer approaches which might also be used to reduce the threat of cybercrime. In particular, it focusses on the underlying economics of cybercrime and the levers which could be pulled to damage the efficiency of cybercriminal markets and disrupt illegal operations. In short, can law enforcement, and their partners in industry, play games with cybercriminals?

Jonathan Lusthaus

Public Service Journeys (To and From Hacking Culture)

I Am The Cavalry, 18:00 Tuesday

From an Air Force combat pilot into the loving arms of the helpful hacker community and ultimately co-founding the Aerospace village, “Spanky” has found common cause and common purpose with this motley crew and community… From an intern and Cavalry Force of Nature organizing the first Congressional Delegation to Hacker Summer Camp, Ayan is now serving in the White House Office of National Cyber Director (ONCD). These journeys and pathways both run through the mission of I am the Cavalry, the Aerospace Village, and culminated in intense collaboration in the CISA COVID Taskforce. Part of the strength of this decade of making the world a safer place draws from the diversity of skills and experiences.

Our differences have made us stronger and we have asked these two to reflect on their origin stories and different teammates and skills that have helped to protect the public.

Steve Luczynski, Ayan Islam

QueerCon Pool Mixer

Middle Ground, 20:00 Tuesday

Join QueerCon at the Tuscany pool. Don’t forget your swimsuit and BSides conference badge!

Registration - Day One

Middle Ground, 07:30 Tuesday


Registration Re-Opens

Middle Ground, 08:00 Wednesday

Registration Re-Opens

Regular expressions are good, actually: A technical deep-dive into an ideal infosec regex implementation

Ground Truth, 17:55 Wednesday

Regular expressions are everywhere in information security, but are often seen as opaque, academic, and boring. Regular expressions are anything but boring! This talk starts by explaining what regular expressions are (from a theoretical perspective) and why they’re such a good fit for Infosec. The talk then proceeds to explain how common implementations aren’t designed for Infosec use, sometimes even to the point of creating security risks. A brief survey of desired features is then given, and finally a technical dive (including code and benchmarks) is presented on how an ideal regular expression engine for Infosec might be implemented.

While this talk has some math, it is designed to be accessible to anyone with a background in Infosec, including newcomers to the field.

Rob King

Resume Review & Career Coaching (Day 1)

Hire Ground, 15:00 Tuesday

Resume Review & Career Coaching

Resume Review & Career Coaching (Day 2)

Hire Ground, 15:00 Wednesday

Resume Review & Career Coaching (Day 2)

Rockstar Role: Security TPM

Common Ground, 15:00 Tuesday

The Security Technical Program Manager is probably one of the most misunderstood roles today. If you ask five people what TPMs do, you will get wildly different answers, which makes it hard for folks to break into the role as well as recruit for the role. This talk will dive into what the role is, what the role is not (and what to do if you find yourself doing these things), what makes someone successful in this role, common (and uncommon) paths to securing your first TPM role, how to hire for this role, and why we think this is one of the best roles in security.

Lea Snyder

Saving Lives in Healthcare: Trust, Teamwork, Tangible Outcomes (Decade of Change) with special government teammates

I Am The Cavalry, 14:00 Wednesday

Part 1 - Hour 1-Dr. Suzanne Schwartz will share her perspective on how IATC has impacted medical devices and health care in the United States. She will be joined by Jessica Wilkerson (OST) Monroe Molesky(OST), Arvin Eskandarnia (OST), and Matthew Hazelett (OPEQ/IO) as well as Beau Woods to talk about a decade of progress. Part 2 Hour 2 Blueprint for Changing the World

Dr. Suzanne Schwartz

Security Data Science Teams: A Guide to Prestige Classes

Ground Truth, 17:00 Tuesday

As more of security becomes driven by data, a menagerie of job titles have cropped up across the industry. Data Scientist, ML Engineer, Data Engineer, AI Researcher, and more have become de rigeur job titles – but the lines between each role remain blurry, especially for early career and non-data folks.

In this talk, we talk about where the skills of these roles overlap, how to pursue a security data career, and crucially, offer some hot takes on why maybe we need some clearer lines.

Erick Galinkin

Separating Fact from Fiction: The Realities of Working in Government

Hire Ground, 11:30 Wednesday

Working for the government is great…

When you read that did you think, “I doubt it, no way…” or “Maybe, I guess it could be…”?

There are plenty of stereotypes and misperceptions about working in government from the endless bureaucracy, outdated tech, and more acronyms than anyone can handle. This is your opportunity to hear directly from those who know best the good and the more frustrating aspects of working for Uncle Sam.

Our panel of policy and technical experts will address the rumors and dispel the myths. They will share their firsthand experiences working in a variety of government agencies to support veterans, secure air travel, and protect critical infrastructure. Most importantly, you will learn why they choose to deal with red tape for the rewards of serving in their roles.

Join us for a candid discussion to learn more and answer your questions at the easiest Spot the Fed opportunity ever!

Steve Luczynski, Ayan Islam, Arun Viswanathan, Chris Paris, Tim Weston

Shining a light into the security blackhole of IoT and OT

Proving Ground, 11:30 Wednesday

The Internet of Things (IoT) and the rise of Operational Technology (OT) networks have brought about a significant increase in the number of connected devices in modern networks, creating new challenges for blue teams in terms of inventorying assets, identifying and mitigating vulnerabilities, and verifying security controls coverage. This presentation will explore the unique challenges that IoT and OT pose for network scanning and provide solutions for effectively addressing these challenges while ensuring the safety and availability of these systems. The presentation will cover topics such as identifying IoT and OT devices on a network, understanding the context of vulnerabilities associated with these devices, and implementing appropriate security controls to mitigate these risks while ensuring the safety and availability of these systems. Attendees will also learn about best practices and tools for IoT and OT network scanning, such as using automated asset inventory, performing regular vulnerability assessments, and testing the changes in a controlled environment before implementing them. This presentation aims to equip blue teams with the knowledge and skills they need to effectively protect their organizations’ networks in the IoT and OT era while ensuring these systems’ safety and availability.

(void *)Huxley Barbee

So Who’s Line Is It Anyway? Recruiter Panel

Hire Ground, 11:30 Tuesday

Conversations with recruiters are always challenging. What do you say? What do they say? Who goes first? Who should follow up? This panel is made up of two amazing recruiters who are long time volunteers in the community who know how to coach hackers in their job search but also how to navigate the hiring process. Come to listen to a frank discussion about recruiting and job search. More importantly, come to ask questions!

Kirsten Renner, Kris Rides, Lauren Scheer

Social Engineering: Training The Human Firewall

Ground Truth, 14:30 Tuesday

Phishing is one of the leading cyber attacks worldwide, resulting in numerous social engineering training exercises to train average users to defend against these attacks. This discussion focuses on research that took a pool of users with three different phishing campaigns, each of these campaigns focused on a different threat. The purpose of the study is to find the psychological reasoning as to why users click phish. The results will teach the audience how to measure risk, improve security education, and understand the users in their business.

Reanna Schultz

Strategies for secure development with GraphQL

Common Ground, 14:00 Tuesday

Join me for a tour through what I have learned developing, testing, and operating a GraphQL API in the real world.

This talk will discuss how to build security into your GraphQL API from the ground up. We will cover how to approach security as a core feature of your graph, how to build the tools developers need to construct secure applications, and how to log GraphQL requests in a way that fits your use case.

Mister Glass

Sure, Let Business Users Build Their Own. What Could Go Wrong?

Common Ground, 17:00 Wednesday

Business professionals are tired of waiting for IT to address their needs. Instead, they are building their own applications with low-code / no-code platforms. Recent surveys show that most enterprise apps are now built outside of IT by business professionals who hold no previous experience in building software.

Enterprises are placing developer-level power in the hands of 100x new business developers.. What could go wrong? In short, everything.

In this presentation, we will share extensive research on the security of low-code / no-code applications based on scanning >100K applications across hundreds of enterprise environments. We will demonstrate how most applications get identity, access and data flow wrong, cover a wide range of security issues found in real environments, and share their backstories and implications.

Finally, we will share the OWASP Low-Code / No-Code Top 10, the first-ever security framework for categorization and mitigation of common security issues with business-led development. We will illustrate why the involvement of AppSec teams is desperately missing from business-led development, and share stories about organizations that got it right.

Michael Bargury

System Dynamics in Risk Management: A Primer

Ground Truth, 15:00 Wednesday

Systems thinking is a mental model from engineering disciplines. Its sub-discipline called system dynamics visualizes the world in terms of stocks, flows, and feedback loops. In system dynamics, systems represented as a set of stocks and flows are constrained through balancing feedback loops, or they can enter compounding spirals (virtual or vicious) through reinforcing feedback loops. The goal is to identify leverage points where a small change can cause big and beneficial changes throughout a system. This way of thinking, analysis, and problem-solving can be applied to almost any field, yet information security education programs typically don’t cover systems thinking and system dynamics.

This primer will introduce systems thinking and walk attendees through creating causal loop diagrams with stocks and flows for information security and risk management scenarios, identifying balancing and reinforcing feedback loops, and understanding how delays and oscillations can affect complex systems. Consultants as well as risk management and infosec practitioners who are internal to companies may benefit from this session, which introduces a different approach that can become part of their toolset.

Stephanie Losi

The Art of Letting Go: Secure delegation of permissions in AWS environments

Ground Floor, 17:00 Wednesday

This talk will tell the story on how we used SCPs (service control policies), IAM permission boundaries and IAM policies across our AWS Organization to set up the necessary guardrails to allow our engineering teams to use privileged IAM actions in AWS environments, enabling them to move fast without the need for manual approval workflows for the creation of resources. Additionally, we used an event based solution powered by EventBridge and Lambda to analyse for compliance, perform automated remediations and send notifications, which increased our visibility without adding to our workload. Cloud service providers forever changed how engineering teams work. Many companies have moved, or are starting to move, away from maintaining and operating cold and unforgiving server rooms, allowing that to be someone else’s problem. The time and effort required to have a server up and running went from weeks or days to seconds or minutes. Infrastructure as Code elevated that, allowing teams to have consistent working environments thus enabling the business to support as many customers or features as they wish to, reliably. Security teams’ need to find comfort in flexibility to empower engineering teams. Identity and access management, are a vital part of that journey.

Sara Perez

The Birds, the Bees, and the CVEs: Understanding the Novel Vulnerabilities in Critical Infrastructure

Proving Ground, 10:30 Wednesday

During this talk, Iain Deason will describe the difficulties and the techniques used to understand the impact of product vulnerabilities to different sectors to critical infrastructure. When new and novel vulnerabilities are disclosed, especially in control systems and medical devices, it can be difficult for asset owners to understand the potential impacts to the larger ecosystem or the affected critical infrastructure sector. The audience can learn of different strategies that have been utilized to understand the risk with new and novel vulnerabilities and potentially a new perspective on when vulnerabilities enter the ecosystem and coordinated vulnerability disclosure.

Iain Deason

The Brazillian DeepWeb. How Brazilian fraud groups work on Telegram and WhatsApp

Proving Ground, 11:00 Wednesday

Many investigative agents talk about cybercrime on Deep and Darkweb, but in Brazil the reality is a little different. The study shows an insight into how groups act, the main scams and especially how the use of counterintelligence can help in gathering information about targets.

Thiago Bordini

The British are Coming! (To Talk IOT Secure By Design)

I Am The Cavalry, 10:45 Wednesday

Representatives from the UK will be present to discuss the Department for Science, Innovation & Technology: Major Goals: -positioning the UK at the forefront of global scientific and technological advancement -driving innovations that change lives and sustain economic growth -delivering talent programmes, physical and digital infrastructure and regulation to support our economy, -security and public services

  • R&D funding

Charlie Gladstone, David Rogers MBE, Peter Stephens

The Dark Playground of CI/CD: Attack Delivery by GitHub Actions

Breaking Ground, 11:30 Tuesday

GitHub provides an official CI/CD feature called GitHub Actions. While this feature is convenient for developers, it may also offer an attractive attack vector for attackers, motivating us to research the potential for attacks using GitHub Actions.

This study investigates known attack techniques already used by attackers and includes unknown attacks not yet observed in the wild. Attacks abusing the features of custom action and self-hosted runner have not been previously used by attackers nor published by researchers; our research has uncovered new attack vectors.

In this presentation, we will demonstrate the attack techniques we developed, “Malicious Custom Action” and “GitHub Actions C2”, including code explanation and demos, and share our research findings on threats “Free Jacking”, “Malicious Public PR&Fork” and “Theft of Secret”. Furthermore, we will discuss the systematization of these attacks based on two perspectives: GitHub’s features and threat levels.

Other CI/CD services have similar features to GitHub, which means these attacks could be abused other than GitHub. By discovering threats in CI/CD, we hope to enhance the overall security of these services. Regarding this research, we have been in contact with GitHub and are taking steps towards information disclosure and countermeasures.

Yusuke Kubo, Kiyohito Yamamoto

The Ever-shifting Habits of Cloud-focused Malware Campaigns

Breaking Ground, 17:00 Wednesday

Cloud-focused malware campaigns have continued to evolve as adoption of cloud technologies increases. After observing a shift away from solely targeting cloud compute resources, and on to serverless environments and containers, it’s clear that cloud services are an increasingly attractive target for malware campaigns pursuing a variety of objectives.

In this session, Matt will discuss analysis of recent cloud-focused malware campaigns, including those which have diversified from the common objective of cryptojacking. TTPs, including persistence mechanisms and defence evasion techniques specific to cloud environments will be discussed. Matt will also provide an overview of recent trends in proprietary telemetry of cloud attacks, including an increase in the use of cloud services themselves to support malware attacks.

Matt Muir

The Evolution of Magecart Attacks

Common Ground, 17:00 Tuesday

The talk provides an overview of the evolution of Magecart attacks and how threat actors have become more sophisticated in their techniques over the years. The main focus of the talk is the attacker side of Magecart attacks, with an emphasis on the techniques used to bypass protections and conceal activities. The talk explores the different methods used by attackers to infiltrate websites, including exploiting vulnerabilities in third-party scripts and supply chain attacks. It covers the various techniques used by attackers to conceal their activities, such as obfuscating JavaScript code, disguising malicious code, using known vendors to inject and exfiltrate data, hiding sensitive information within images through steganography, using unusual methods to send network requests, and more.

Gal Meiri, Roman Lvovsky

The GitHub Actions Worm: Compromising GitHub repositories through the Actions dependency tree

Underground, 16:00 Tuesday

How wide can a GitHub Actions worm spread? In this talk, I’ll demonstrate how a worm can crawl through actions and projects, infecting them with malware. We will explore the ways in which actions are loosely and implicitly dependent on other actions, and create a graph-based dependency tree for GitHub actions. This map will set the path for our worm, that is searching its way to infecting as many action dependencies and target as many GitHub projects as possible. Join this talk to learn about the methods our worm uses to make its way towards other actions, to get familiar with the high profile open source projects we could hijack, and to see this worm in action over a demo.

Asaf Greenholts

The History of Malware- From Floppies to Droppers

Common Ground, 11:30 Tuesday

Modern malware, such as ransomware, has become synonymous with some of the most devastating cyber attacks of our time.. But it hasn’t always been so. Not too long ago, malware was considered a myth. The first ransomware, for example, was created over 30 years ago as a wild scheme, devised by a man armed with 10,000 floppy disks and a virus. Since then, malware has evolved in many different ways, as technology changes and evolves. Looking back and analyzing this history gives us an unusual perspective- what elements of malware have changed throughout the years, and what has remained consistent? How has this evolved into the most impactful form of cybercrime today, and what can this surprising, untold history teach us about our present and future?

Eliad Kimhy

The Importance of Engineering Privacy From the Get Go

Ground Floor, 15:30 Tuesday

The software we build has a human impact even if at surface level it doesn’t seem that way. We as engineers are the stewards of our users’ data so it’s important to know how users are expecting us to protect their identity because it is the right thing to do even if it takes a little more time and effort to build in. This talk will cover the current challenges to securing user data and provide tips on how to protect it.

Christina Liu

The Telenovela of Latin America Banking Trojans: A Dramatic story about Cybercrime

Ground Floor, 14:00 Tuesday

Get ready for a thrilling ride as we dive into the Telenovela of Banking Trojans! This talk is not your average cybersecurity talk, it’s a drama-filled story of bad threat actors and their relentless attacks.

Join us as we uncover the twists and turns of one of the most insidious threats to the world of cybercrime. We’ll be exploring the dramatic rise of Latin American banking malware families and how it’s making its way across the world.

We’ll delve into the anatomy of some malware families, and their sneaky modus operandi, and explain why they’re so darn hard to get rid of. Think of it like trying to get rid of a bad ex, except this one is actually damaging your bank account.

As the world battles with cybercrime, banking trojans have emerged as one of the most persistent threats. So, grab some popcorn and join us for this riveting drama of cybercrime.

Cybelle Oliveira

The attackers guide to exploiting secrets in the universe

PasswordsCon, 17:00 Wednesday

Secrets like API keys and other credentials continue to be a persistent vulnerability. This presentation sheds light on the methods used to discover and exploit such secrets in various environments, including public and private git repositories, containers, and compiled mobile applications.

Recent research has shown that git repositories are a treasure trove of secrets, with 10 million secrets discovered in public repositories in 2022 on GitHub alone. Private repositories are also an issue as they regularly contain large numbers of secrets in their history. The presentation’s first segment delves into discovering and exploiting secrets in both public and private repositories through various methods such as abusing GitHub’s public API, discovering exposed .git directories on networks, and exploiting misconfigurations in git servers. The second segment of the presentation discusses how attackers can discover secrets inside compiled applications. We review how almost 50% of mobile applications hosted on the Google Play Store and nearly 5% of docker images hosted on contain at least one plain text secret.

This presentation offers valuable insights and information on how to identify and address exposed secrets, one of the most persistent vulnerabilities in application security.

Mackenzie Jackson

Threat Modeling 101 - Burn risks, not hope

Training Ground, 10:30 Tuesday

Threat Modeling is the best way to discover and remediate threats in your system before they are even created. If done correctly, it is one of the most impactful security programs that you can run within your organization.

In the Security Industry, threat modeling has been misunderstood and many security folks are afraid to carry out a threat model. While it is commonly performed by Application Security or Cloud Security professionals, threat modeling can be done by anyone.

This hands-on workshop will cover the threat modeling workflow and common classes of vulnerabilities in a way that is easy to understand. You will also walk through many hands-on threat modeling examples to ensure that you will be empowered to discover threats in your systems.

Jeevan Singh

Towards Effective & Scalable Vulnerability Management

Common Ground, 10:30 Tuesday

While the security landscape is constantly changing, our approach toward vulnerability management hasn’t changed much over the last couple of decades.

The increasing reliance on third-party code, the growing number of vulnerabilities being discovered, as well as the increased visibility into our software stack in the advent of Log4Shell and the adoption of SBOM, make a more effective and scalable vulnerability management paradigm a necessity.

What would such a paradigm look like?

Join me in this interactive discussion as we’ll explore the challenges of vulnerability management and highlight potential solutions. We’ll discuss current frameworks and standards that can help address this issue, such as CSAF and VEX, and demonstrate how once adopted, they can be used towards automating many aspects of vulnerability management which today are manual and extremely time-consuming.

We’ll explore how to use exploitability as a strong signal for prioritization, and how automation can play a crucial role in making vulnerability management more effective and scalable. By the end of this talk, you’ll have a deeper understanding of vulnerability management and practical insights on how to improve your organization’s security posture. Let’s explore the future of vulnerability management together!

Yotam Perkal

Trusted Devices: Unlocking a Password Manager without a password

PasswordsCon, 18:00 Wednesday

How do you unlock a password manager without a password? How do you get a decryption key from an SSO sign-in or a passkey? In this talk, we’ll discuss how we approached the problem, and the fundamental changes to password manager design needed to make good on the promise of passwordless.

Rick van Galen, James Griffin

Unveiling the Hidden: Discovering RDP Vulnerabilities using PDF Files

Breaking Ground, 14:30 Tuesday

In our latest research, we explored innovative approaches in uncovering security vulnerabilities within the RDP protocol. Rather than leveraging the conventional reverse engineering tools, we exclusively utilized Open-Source Intelligence (OSINT) techniques, leading us to discover significant security shortcomings, including instances of remote code execution, as well as bypasses of security mechanisms. Our presentation will introduce the RDP protocol and its various use cases, in addition to detailing the motivations behind our adoption of an unconventional research methodology. We will delve into how protocol specifications, open-source implementations, and other publicly accessible resources can be used to reveal hidden vulnerabilities. We will give a comprehensive overview of the vulnerabilities discovered and an in-depth analysis of the most significant ones.

Dor Dali

Volunteer Appreciation Poolside Karaoke

Middle Ground, 20:00 Tuesday

Volunteer Appreciation Poolside Karaoke

Vulnerability Intelligence for All: Say Goodbye to Data Gatekeeping

Common Ground, 12:00 Wednesday

Vulnerability management is only as effective as the data driving its prioritization, but critical disparate threat feeds are just out of reach for many. Discover how the Exploit Prediction Scoring System (EPSS) consolidates some of the industry’s best threat intelligence so teams can accelerate their vulnerability management maturity and make better decisions faster.

Jerry Gamblin

Water, Water Everywhere: The Krakens, Kelpies, and Mermaids in today’s Water Sector

I Am The Cavalry, 17:00 Tuesday

Water is life…and increasingly exposed to accidents and adversaries. There are over 150,000 water systems in the United States alone. Further, water is critical path for the resilient functioning of Health, fossil and nuclear power plants, food production, living populations. Dean will be discussing some of the existing security challenges of the water system, and how they can impact other critical infrastructure sectors.

Dean Ford

What the Yandex Leak Tells Us About How Big Tech Uses Your Data

Common Ground, 18:30 Wednesday

In late January 2023, almost 45 GB of source code from the Russian search giant Yandex was leaked on BreachForums by a former Yandex employee. While the leak itself did not contain user data, it reportedly contained the source code for all major Yandex services, including Metrika, which collects user analytics through a widely used SDK, and Crypta, Yandex’s behavioral analytics technology. While there has been lots of speculation about what big tech companies can do with the massive amounts of data they collect, this is the first time outsiders have been able to peek behind the curtain to confirm it, and what we’ve found is both fascinating and deeply unsettling.

Kaileigh McCrea

Wolves in Windows Clothing: Weaponizing Trusted Services for Stealthy Malware

Breaking Ground, 10:30 Wednesday

Windows 11 ships with a nifty feature called Power Automate, which lets users automate mundane processes. In a nutshell, Users can build custom processes and hand them to Microsoft, which in turn ensures they are distributed to all user machines, executed successfully and reports back to the cloud. You can probably already see where this is going..

In this talk, we will show how Power Automate can be repurposed to power malware operations. We will demonstrate the full cycle of distributing payloads, bypassing perimeter controls, executing them on victim machines and exfiltrating data. All while using nothing but Windows baked-in and signed executables, and Office cloud services.

We will go behind the scenes exploring how this service works, what attack surface it exposes on machine and cloud, and how Microsoft managed to enable it without explicit user consent. We will demonstrate how Office cloud services can be harnessed to act as a C2 server making detection and attribution extremely difficult.

Finally, we will share an open-source command line tool to easily accomplish all of the above, so you will be able to add it into your Red Team arsenal and try out your own ideas.

Michael Bargury

Wrangling Cats: How We Coordinate Red Team Testing

Common Ground, 17:30 Tuesday

Cybersecurity testing can be a challenging endeavor for an organization and managing this effort can add an additional layer of complexity due to the collaboration and administration that is required. Having a dedicated resource that can provide this level of coordination for an organization’s Red Team is vital to ongoing success, freeing them to do the research. During this presentation we will explore an end-to-end process that can be utilized to coordinate Red Team testing, how we leverage Jira to enhance the organization of assessments and connecting with our business partners for solution engineering.

The coordination of Red Team assessments includes the initial onboarding of the request, prioritization, scoping, resource allocation, training, account provisioning, removing obstacles, and tracking and communicating status is involved throughout the duration of the engagement. By sharing an end-to-end process that a dedicated resource can use to coordinate an organization’s Red Team, the attendees of this conference will be provided with the knowledge and tools that they can adopt in their companies to enhance their Red Team.

Jennifer Traband

You CAN get there from here!

Hire Ground, 14:00 Tuesday

This talk covers fundamentals of how to effectively search and land your next best opportunity, both internally, or with a new organization, through the perspectives of two seasoned recruiting colleagues in the cleared space. At every chapter of their career journeys, Kirsten and Drake had different perspectives that will impact how they progressed. Most factors along the way we can’t control, but we can respond as if every factor is an opportunity.

3 Learning Objectives:

Searching Strategically (beyond the posting) then connecting meaningfully (volunteering, contributing, engaging) Standing out as a candidate - Getting seen and responded to Taking that leap (into a new role, either internally or at a new company)

This discussion breaks their experience into requirements and techniques that candidates can arm themselves with at each stage they find themselves in, to find and obtain the position that fits best for them.

Kirsten Renner, Jamal Drake

Your Ad Here: Helping your organization build their security brand

Common Ground, 14:00 Wednesday

Have you ever read a blog, listened to a podcast, or watched a conference talk and thought “I’d like to be able to do that someday?”

Are you a security leader that wants to help your team share their amazing work with the community but isn’t sure how to get started?

Maybe you’re one of the few people at your company that presents at conferences and want to help others?

If you want to help transform your security team’s public persona, this talk is for you!

In this presentation we’ll cover:

  • The benefits of having a team that’s engaged with the community
  • Tips for helping others write blogs and speak at events
  • How to create a culture at your company where folks are encouraged and rewarded for presenting their work
  • How to promote your team’s work to extend its reach

Leif Dreizler, Coleen Coolidge

You’ve Gained +2 Perception! Leveling Up Your Red Team with a New Maturity Model

Ground Floor, 14:00 Wednesday

The Red Team, helps an organization know itself. It asks questions. It challenges assumptions. It pokes holes, not just in ideas but also in an organization’s technology so that the organization gets quantitative information about how well its security is doing.

But how does a Red Team know itself? Red Teams need to possess a lot of different skills, cover a lot of different attack surfaces, and are often small in the personnel world. How can the team know that it’s up to the task, and how can the team communicate that readiness to leadership so they have confidence in the data the team generates?

This presentation will cover a new, first of its kind Capability Maturity Model to help solve that exact problem. It may not be the sexy new tool to pwn all the things, but if we as offensive security practitioners cannot relate to and support the business-side of the organization, we’re not much better than actual hackers. We’ll discuss how we got to this point and spend the bulk of the time discussing how new and established teams can employ the model to help plan for and report on continued maturity.

Brent Harrell, Garet Stroup

ZuoRat: Home (not) Alone

Underground, 14:00 Tuesday

Black Lotus Labs (Lumen Technologies), has tracked elements of a sophisticated campaign leveraging infected SOHO routers to target predominantly North American and European networks of interest, by selecting key individuals working from home. This campaign remained undetected for nearly two years.

We identified a multistage remote access trojan (RAT) developed for SOHO devices that grants the actor the ability to pivot into the local network and gain access to additional systems on the LAN by hijacking network communications to maintain a foothold.

This talk will outline the elements of the advanced campaign based on our current understanding, with particular focus on the first-stage RAT core functionality (including LAN enumeration, pcap of network traffic, and deployment of the HTTP/DNS hijacking ruleset), the fully functional custom agents CBeacon/GoBeacon including their functionality. Lastly analysis of the segmented and rotating C2 infrastructure that leverages 3rd party services such as Yuque in addition to Tencent servers for C2.

I’ll wrap it up with a discussion on monitoring and discovery methodology, host logs generated by the attacker, and how to identify and secure your own environment from this class of attack.

Danny Adamitis