• Day 1
    June 7th
    8:00 - 8:45
    8:45 - 9:00
    April C. Wright Headshot
    9:00 - 10:00
    April Wright - The Insecure Software Development Lifecycle: How to find, fix, and manage deficiencies within an existing methodology.
    As security practitioners, we know what "secure software" is, but we do not always know how to actually achieve software assurance in the way we want it. Many valid questions arise when trying to fix a development function that does not think it has time or resources to create securely: How should you evaluate an existing software development program? What do you do once you’ve identified deficiencies in a process? How do you inject security into the organization’s framework? When insecure methods for creating and maintaining software have already been established, but the program does not include security or compliance, there are practical techniques you can use to elicit change, such as obtaining buy-in from stakeholders and closing process gaps. Any existing software development methodology can be updated to ensure security becomes a mandatory consideration at every step of the SDLC.
    10:00 - 10:20
    Morning Break
    Cliff Smith
    10:20 - 11:20
    Cliff Smith - The Sky Isn't Falling, But the Earth May be Shifting: How GDPR Could Change the Face of InfoSec
    The General Data Protection Regulation is upon us, and it's more than just another privacy law. It might lead to seismic shifts in technology and information security spheres. This talk will begin with a primer on GDPR, including its broad scope and compliance requirements, and explore what the regulation may mean for security practitioners across the globe.
    11:20 - 11:30
    A message from our sponsors...
    Kevin Johnson
    11:30 - 12:30
    Kevin Johnson - Gulliver's Travels: Security Exploits and Vulnerabilities Around the Globe
    Security is more and more important, but most people aren't sure what it looks like or how the attacks work. In this presentation. Kevin Johnson of Secure Ideas will walk through a variety of real world attacks that travel through the internet and target all of our organizations. Attendees will learn how the attacks work and how they can improve their security to prevent them.
    12:30 - 1:30
    1:30 - 2:00
    Freetime - Sponsors, Networking & More
    David Liebenberg Headshot
    2:00 - 2:50
    David Liebenberg - From DDoS to Mining: Chinese Cybercriminals Set Their Sights on Monero
    Following the dramatic increase in the values of various cryptocurrencies in recent years, malicious actors have begun increasing their focus on cryptocurrency-related cyber attacks. Monero remains one of the most valuable cryptocurrencies that can still be mined through common systems. Monero’s privacy-focused features also make it appealing to cybercriminals. Because of this, malicious actors have been using a variety of means to install Monero miners on victim machines. These miners have the potential to negatively impact a victim's resources. This type of attack is becoming increasingly popular among Chinese cybercriminals. This represents a shift, as some Chinese actors leverage infrastructure and tools that were originally intended for DDoS purposes to mine Monero. This shift is reflected by chatter in Chinese underground forums, tools offered in hacking marketplaces, and payloads dropped by malicious campaigns. This presentation will take an in-depth look at illicit cryptocurrency mining activity conducted by Chinese cybercriminals. It will begin by examining the trend toward cryptocurrency attacks in general. Then it will focus on China, looking at the country’s cryptocurrency environment, and examining how some Chinese actors are transitioning from DDoS to mining-focused attacks. Then it will analyze tools and techniques, looking at Monero mining and hacking tools purchased on Chinese forums as well as malware samples collected through honeypots and Chinese social media platforms. Finally, it will address ways to mitigate the threat, through blacklisting, collecting samples, and using human intelligence.
    Nathan Sweaney Headshot
    2:00 - 2:50
    Nathan Sweaney - Who’s Watching the Watchers?
    Do you outsource security services to an MSSP? Do you know if they're really providing the service they claim? Or if you have an internal SOC, have you measured how well they perform? If you get some alerts, are they catching them all? If you get no alerts, does that mean you're not being attacked? Did alerts stop because you've improved security or because they've let some analysts go to save money? In this talk I’ll walk through some practical ways that you can test and verify your MSSP or even internal tools, to make sure you’re getting the protection you’re paying for. We'll discuss specific types of validation you can perform, tips and tricks to automate the process, and outline some of the tools available to simplify the process.
    Michael James Headshot
    2:00 - 2:50
    Michael James - ANTI-OSINT AF: How to become untouchable
    Let’s talk a bit about privacy... In this talk, we look into the benefits of online privacy. We will set up sock puppet account, answer why blue/red teams might want to start doing it, how to automate the accounts when you are not using them to help in the future and opting out of some PII sites while opting into others for misinformation campaigns and the fun that can earn. Whether it’s to test the social media guidelines your company has put out, or to protect your family’s identity from abusive people in your past, everyone can learn a bit more about online privacy and some simple things and tools we can use to aid us.
    2:50 - 3:10
    Afternoon Break
    Arnar Gunnarsson Headshot
    3:10 - 4:00
    Arnar Gunnarsson - We don't have to worry about that, It's in the cloud
    During these last few years more and more companies move their products and offerings to hosted cloud solutions. We've never before seen such an amount of brand new service offerings that we didn't knew we needed and everything is cloud based. Why is it that we are so accepting of cloud providers and we're sure that they have everything in order? When choosing a new hosting partner for On-Premise equipment we have them go through so many hoops (background checks, vendor surveys, etc). Then when we're choosing a cloud partner it's like the only thing that matters is that it's new, cool and cheap. During the last couple of years when choosing a new cloud provider, I started asking them the hard questions and asked to see more behind the scenes and asked about internal processes and procedures and the results shocked me. In this talk I’ll show you just how bad the security practice really is for a couple of big providers. (without naming any names)
    Paul Coggin Headshot
    3:10 - 4:00
    Paul Coggin - SS7 for INFOSEC
    SS7 is to the PSTN what BGP is for the Internet. In this presentation Paul will explain the fundamentals of the SS7 protocol and telecommunications architecture. An overview of how SS7 is utilized by large enterprises, mobile networks and service providers will be discussed. Security issues with the SS7 protocol will be covered with real world examples of how SS7 is attacked to defeat SMS two-factor authentication.
    Matthew Rogers Headshot
    3:10 - 4:00
    Matthew Rogers - Getting Newcomers into Infosec: The Tribulations of the Auburn University Hacking Club
    This talk will highlight the ups and downs of trying to run a hacking club at Auburn University. For the past 3 years the club has adapted to the diverse audience of a college campus. Initial attempts for a CTF competition team fell to a broad security lecture series, which eventually became a lab for the members to play around in. Whether your goal is to encourage people to be security conscious, or to become future security professionals, the Auburn University hacking club has seen it all, as it grew from 3 to 70 members. This talk will cover the pitfalls inherent in teaching cyber security to others, and how to best avoid them depending on your end goals. Unlike a college club most teaching attempts do not get a fresh start every 18 weeks to try new things, so make the first step your best step for your target audience.
    Timothy De Block
    4:10 - 5:00
    Timothy De Block - Exploring Information Security Q&A Panel
    For this panel we'll have a variety of infosec pros on to answer questions from the audience. The audience become the host of the podcast. Ask the panel anything related to infosec. Nothing is off limits. In lieu of questions the panel will discuss things relevant to the current climate of the infosec field and community. Come contribute or listen to this unique conversation at a fantastic conference.
    Josh Rickard Headshot
    4:10 - 5:00
    Josh Rickard - Securing Windows with Group Policy
    Group Policy exists in almost every modern business environment. Many organizations either do not use it or do not use it as extensively as they should. We all face problems with securing our environment, but most do not realize they have the perfect tool to lock down and protect their organization. Do you understand Group Policy processing? Did you know you can manage both Active Directory groups and user rights? What about running Scheduled Tasks and do you even Manage Services, bro? Why do all your Administrative accounts have extra permissions like Debug Programs? And why the hell are you afraid of AppLocker? Remember, Group Policy is an ENTERPRISE scale registry editor.
    ll3N1GmAll Headshot
    4:10 - 5:00
    ll3nigmall - ATAT: How to take on the entire rebellion with 2-3 stormtroopers
    This talk is about the Attack Team Automation Tool (ATAT). ll3nigmall wrote this tool to create repeatability and increase efficiency in large scale penetration tests. Are you feeling Vader's impending choke hold when large scopes are handed down with numerous targets and a large number of duplicate exploits to be handled across several disparate targets? Do you receive incomplete vulnerability reports from Qua..I mean, your vulnerability scanners that require you to identify which port each target has the identified service running on? Does your team have to accomplish high volume and high value repeatable penetration tests with industry standard tools at a fraction of the time it would normally take? If the answer to any of these questions is yes, maybe, or just a defeated; then it is time to fire up your brand new ATAT and charge those shield generators like Greedo in a speedo! Yeah, I'm not really sure what that last line was supposed to mean either. Just git clone ATAT. You'll see what I mean! :)
  • Day 2
    June 8th
    8:00 - 9:00
    Jon Clark Headshot
    9:00 - 9:50
    Jon Clark - How Hyperbolic Discounting is Keeping Your Security Program from Succeeding
    Hyperbolic discounting is a concept from the relatively new field of behavioral economics. It seeks to understand the cognitive bias we have toward choosing a lower-reward “sure thing” over being willing to take a risk on something better that will only pay out in the future. This talk seeks to understand how this bias works, and to explore how this bias is causing senior decision makers to not place the appropriate value on identified risks. Finally, Jon will discuss how to use knowledge of this bias to develop methodologies to overcome objections for funding security initiatives.
    Raul Alvarez
    9:00 - 9:50
    Raul Alvarez - Hijacking the Boot Process - Ransomware Style
    Have you ever wondered how a boot process works? How a computer detects which operating system it needs to load? Or what is the impact if that single sector in your harddisk is compromised? In this presentation, we are going to look into how Petya, a ransomware, can overwrite an MBR (Master Boot Record), both in MBR- and GPT-style disk, with its malicious code. Then, we are going to follow the code in the MBR and show how a simple malicious kernel code can take control of the boot process until you pay the ransom. I will show a demo on how to debug the MBR to see how the actual native code executes without any API. We are also going to see how we can use a combination of different tools to figure out how a ransomware can infect the very first sector of a harddisk. Tools, such as, Disk Management, DISKPART, WinObj, Process Monitor, and HDHacker. And of course, x64dbg and ollydbg for debugging the ransomware in application-level. And finally, we are going to see how to use Bochs debugger to analyze the malware while it runs its own kernel code.
    Robert Guiler Headshot
    9:00 - 9:50
    Robert Guiler - Building a Cyber Training Range on a Budget
    Want to hone your packet analysis, blue team, or pentesting skills at home? Don't have the budget to afford a server, let alone cloud training services? This talk will explore the options you have available on a single computer capable of hosting 2-3 virtual machines. Emulating hundreds of hosts, building a replica internet, and generating pseudo-random traffic are all a few scripts away! By utilizing virtual interfaces, existing packet captures, and even free internet connected training resources, anyone can build a massive, custom training range within a few hours. To get the most out of this talk, attendees should have a basic understanding of bash or python scripting, virtual machines, and the linux operating system.
    9:50 - 10:10
    Morning Break
    Jared Phipps Headshot
    10:10 - 11:00
    Jared Phipps - Lessons Learned from Development and Release of Blacksmith (The Meltdown Defense Tool for Linux)
    At the end of 2017, security researchers identified flaws in architecture and the speculative execution implemented in various chips, resulting in the Meltdown and Spectre vulnerabilities. Security researchers at SentinelOne used behavioral detection methods to develop a tool that is capable of detecting any Meltdown exploits and attempts on Linux machines. SentinelOne released this tool for free as "Blacksmith". The development process required interfacing and collecting from chip manufacturers, industry partners like Microsoft, as well as the security research community in general. Insights from this process will be shared in hopes that lessons learned can be passed on to the greater community.
    Sean Peterson Headshot
    10:10 - 11:00
    Sean Peterson - How to Train Your Kraken - Creating a Monster Out of Necessity
    Ahoy Adventurers! Join our crew and set sail on a high seas adventure as we discover the salty truth about password hashes and protocol responses, and dispel the myths that frighten off all but the heartiest of adventurers. Finally, when you’ve learned enough to captain your own crew, you’ll hear a story about the mythical Kraken, and how you can bend this beast to your own purposes. Let’s take a deep dive into the journey of hash cracking, the observations made, the discoveries, and perhaps most importantly, how to assemble your own crew of scurvy dogs, adept at cracking and eager to plunder hashes with abandon. Whether you plan on building a Kraken of your own, or are just along for the ride, this talk is designed to entertain and help chart the dark waters of hash cracking. Hop aboard, raise the anchor, and let’s learn how to go from blunders to plunder.
    10:10 - 11:00
    Michael Gough - PowerShell Exploitation, PowerSploit, Bloodhound, PowerShellMafia, Obfuscation, PowerShell Empire, The Empire Has Fallen, You CAN Detect PowerShell Exploitation
    PowerShell is all the rage for the Red Team and the criminals. There are many tools or frameworks now available to Pentesters and the criminal elements. Utilizing PowerShell in attacks and exploit systems without requiring the addition of malicious binaries, rather live of the land and use the built-in Windows PowerShell functionality to get the job done is the Red Teams goal, so what about the Blue Team? PowerShell attacks CAN be detected, and everyone should be moving to configure their systems to record what is needed to capture PowerShell attacks and all the Fu that goes along with it. Because by default, Windows does NOT enable what you will need to detect PowerShell exploitation. This talk will show a few examples of PowerShell exploitation that can be caught, what and why it can be detected, what you need to configure, what kind of queries you will need to build to capture malicious activity, and of course some examples queries you can use to build your own reports and alerts to detect and hunt for malicious PowerShell.
    Thomas Smith Headshot
    11:10 - 12:00
    Thomas Smith - This Job is Making Me Fat!
    Thomas understands the challenges you face and in his talk "This Job is Making Me Fat!", he tells you the top reasons why it's becoming easier to pack on the extra weight, harder to lose it, and he will share with you some industry secrets that can get you in best shape of your life.
    Trenton Ivey Headshot
    11:10 - 12:00
    Trenton Ivey - Offensive Cartography
    Understanding the operational environment is an important part of any offensive operation. This can be a daunting task during Computer Network Exploitation (CNE) and Computer Network Attack (CNA) operations because the target environment is often complex, abstract, and constantly changing. However, by consuming the output of common offensive tools and storing information in a normalized, graph-based database, it is possible to create a detailed map of the target environment that both humans and automated tools can efficiently leverage. This talk will discuss the challenges and benefits of mapping the operational environment, and will provide examples of how both offensive and defensive teams can leverage the resulting maps to increase their chances of success.
    Bobby Kuzma
    11:10 - 12:00
    Bobby Kuzma - The Wrong Kind of DevOps Talk - Now with Extra Badness!
    DevOps seems to be where all the cool kids in IT are hanging out these days. While not all of us in get to work in DevOps shops, we can steal some of the toolset to up our game for lab and skills development purposes. In this talk, you'll learn about DevOps-y tools like packer, and vagrant, and ansible, and how you can use them to make it easier to build and share lab environments for testing, training, and more. For the first time we'll release the full library used by the speaker to generate VMs for abuse to the public.
    12:00 - 1:00
    1:00 - 1:30
    Freetime - Sponsors, Networking & More
    Summer Lee Headshot
    1:30 - 2:30
    Summer Lee - Getting Physical on a Human Pentest
    The mantra of any good red teamer is, “Hope for the best, but plan for the worst.” In this talk, we will cover tactics and approaches that can be leveraged to achieve client goals and provide value, even when having to operate within tight logistical constraints. Various stories will be used to provide examples of merging social engineering with physical and logical access during physical red team assessments to ultimately achieve success. The talk will follow a network pentest theme to help bridge the gap between logical and physical pentesters and also provide examples of how these two types of skills can complement each other, especially in more physically locked down environments. We will start off with covering the planning process for three different scenarios: brute force, insider attack, and planned attack. Next, we will review “needed” vs. “nice-to-have” tools (for achieving both physical and logical access, as well as persistence) and the prep work once a methodology has been agreed upon with the client. We will then provide tips on what a red teamer should know and do while conducting the assessment, such as identifying cameras, sweeping the office before sitting at a computer, and preparing hiding areas to avoid after-hours security patrols. This talk will also cover more in-depth tactics, such as tips for achieving logical access and what to focus on once you obtain domain administrator or other high-level privileges within the network. Finally, we will cover worst-case-scenarios and provide tips for moving forward with an assessment when nearly all hope of reaching the final objective is lost.
    2:30 - 2:35
    Message from SentinelOne
    Amanda Berlin HeadshotDavid Cybuck Headshot
    2:35 - 3:35
    Amanda Berlin & David Cybuck - You'll understand when you are older
    Growing up, we've all had older wiser people in our lives bestow wisdom upon us. Whether it was a parent, grandparent, other relative, mentor, or some other person, they were able to use their experiences and use idioms passed down to them to potentially help you out with whatever situation you were in. These idioms sometimes work really well in the context of information security. Not only do they cover different social aspects of the infosec community, but in our day to day lives working away in the trenches or in the board rooms, so many of them can be reused from our childhood. We'll work through these and explore how the idioms you've heard a million times before, or maybe never knew about, can help us focus, learn, and succeed as professionals.
    3:35 - 3:40
    Message from Optiv
    3:40 - 4:00
    Afternoon Break
    Richard Dennis Headshot
    4:00 - 5:00
    Richard Dennis - Bitcoin - The generation of private keys based on public keys, a live demonstration
    We will demonstrate the ability, to calculate the private keys of a Bitcoin wallet based on just the public key. This is a unique vulnerability that exposes some users of exchanges to this attack, which would allow an attacker the ability to calculate the private key and then spend a user’s Bitcoins. We show in detail how the poor implementation of cryptography is to blame and show results from the potentially the largest ever analysis of public / private key data on Bitcoin, showing the impact of this attack, and able to show this attacks effectiveness from 2012. In addition, we also reveal the results of 4 years’ worth of data collection on the Bitcoin network, deanonymizing users before combining this data with the attack above, which demonstrates our ability to target a person for the purpose of stealing their bitcoins. A solution will be provided against these attacks before concluding the talk.
    5:00 - 5:15
    Closing Remarks
    6:00 - 9:00
    Friday Night Party! Theme: Retro Tech (Dress to Impress)