TALKS

All talks are inside the Blue Team Village, Savoy Ballroom, Flamingo

A Theme Of Fear: Hacking The Paradigm

Friday 14:00, Savoy Ballroom, Flamingo (Blue Team Village) (1H)

@investigatorchi is a security researcher, speaker, and Senior Information Security Analyst at University at Buffalo with over 20 years of highly technical experience. In her current role, Cathy is a data forensics and incident response (DFIR) specialist, performing incident management, intrusion detection, investigative services, and personnel case resolution in a dynamic academic environment. She additionally builds security awareness amongst faculty and staff via a comprehensive department-wide program which educates and informs users about how to prevent and detect social engineering threats, and how to compute and digitally communicate safely. Cathy has presented at numerous prestigious information security conferences including DEF CON and Hacker Halted. In her (minimal) spare time, she enjoys visiting her adopted two-toed sloth Flash at the Buffalo zoo, researching death and the dead, and learning more about hacking things to make the world a more secure place.

The InfoSec industry was born out of fear. Initially it was fear from virus infections and later, external attacks. We capitalized on that fear to build more secure environments. But fear is hard to manage: too much fear breeds paralysis, and too little fear breeds complacency. This talk will take a look at the history of fear in InfoSec, explore how its impact has shaped the industry, and how it is now getting in the way. Fortunately, we can provide the next generation a new paradigm to effect change. This talk presents some ideas on what the new security paradigm could be, and most importantly - how to enable a security-minded culture without using fear.

Detection At Google: On Corp And Cloud

Friday 15:00, Savoy Ballroom, Flamingo (Blue Team Village) (1H)

@fryx0r is a Security Engineer on Google's detection and response team. He works out of the Sydney office, having previously worked for the Department of Defence, FireEye and Commonwealth Bank. He enjoys writing Golang and making memes, and in his spare time travels around the world running Magic: The Gathering tournaments.

@JSteeleIR is a Security Engineer with 6+ years of experience in Detection, Response, Forensics, Reverse Engineering, and Automation. Some of that's been at Google. Some has been in the cloud. Some of it was good. When not sparring in the cyberspaces, he can be found camping, collecting odd input devices (possibly using those to reimplement the less PAGER in Golang) or attempting (and failing) to sleep on a normal schedule.

An overview of detection at Google: An introduction to Google's Blue team and its technologies, and how we use currently available tools to investigate on Google Cloud (GCP). We will cover the structure and setup of our team; give a detailed explanation of the main tools and services we use (with an emphasis on the ones that are open source, so you can use them yourself); and delve deeply into how to do detection on GCP - going beyond finding simple misconfigurations and instead detailing how to use available tools and logs to increase visibility and find badness.

Blue Team Guide For Fresh Eyes

Friday 16:30, Savoy Ballroom, Flamingo (Blue Team Village) (30M)

@sopooped: Leveraging her development background, Christine builds tools to automate security for cloud environments as a Security & Tools Engineer. She's relatively new to the industry, so she provides a fresh pair of eyes. And with her colossal appetite to learn and execute, she's rapidly conquering the world!

The life of a blue-teamer is daunting. There are logs to sift through, tasks to automate, incidents to triage, vulnerabilities to manage, meetings to attend, coffee to drink, etc. Scenarios have moving parts, procedures might not be documented, and solutions can vary. At times, the responsibilities can be compared to an ever-growing fire, and all there is is a pail of water. How do you put out the flames if you're not a seasoned professional? This talk lays out existing challenges for those trying to break into the fast-moving world of defensive security and ways to tackle them. Included are anecdotes, highlights, and pro-tips.

The Cyber Threat Intelligence Mindset

Friday 17:00, Savoy Ballroom, Flamingo (Blue Team Village) (30M)

@ch33r10 works for a Financial Services Fortune 500 Company. She is a graduate of the SANS 2017 Women’s Academy, has an MBA in IT Management, and currently holds the CFR, GSEC, GCIH, GCFE, GMON, GDAT, and GPEN certifications. She is a member of the Financial Services Information Sharing and Analysis Center (FS-ISAC), Yara Exchange, and FuzzySnugglyDuck. @ch33r10 serves as an Advisor for a Cybersecurity Apprenticeship Program in Chicago and she is on the Advisory Board of SANS EMEA CyberThreat 2019 with the National Cyber Security Centre in London and SANS Purple Team Summit.

Serverless Log Analysis On AWS

Friday 17:30, Savoy Ballroom, Flamingo (Blue Team Village) (30M)

@gkapoglis is an Incident Responder at Verizon Media where I have the chance to work on complex problems at scale! I am originally from Greece and have been living in the US for the past 4 years. I got my Master’s in Cybersecurity from Stevens Institute of Technology in Hoboken, NJ and hold GCIH and GNFA from GIAC.

In this talk we will go over traditional log analysis methods for AWS CloudTrail logs and why we needed to find a better way of performing such investigations. We will then dive into AWS Athena, which is essentially a serverless Hive on the cloud (“too many buzzwords alert”), and how we use it to perform log analysis on the cloud under a centralized, efficient and transparent framework. We will go over use cases and examples of investigations and showcase how Athena helped us perform more efficiently than the traditional methods mentioned before. Additionally, we will mention use cases for other types of log analysis like Apache access logs, ELB and ALB logs, etc. Lastly, we will demo AWS Athena and analyze over 50GB of logs in under 1 minute, all done on the cloud, serverless, without the need to spin up any instances or servers. In the end, we will describe the countless possibilities for future work, which include automation, threat hunting and continuous monitoring of your AWS environment.

Anatomy Of A Megabreach: Equifax Report

Saturday 14:00, Savoy Ballroom, Flamingo (Blue Team Village) (1H)

@uncl3dumby is enamored with defense and protective thinking. My career has focused on security operations, but I love understanding the way systems operate. I'm passionate about investigating the root cause of incidents, or how things came to be the way they are. Security is a full-stack, cross-discipline field and I love learning about and digging into it all!

Following testimony in Congress and a lengthy investigation of the Equifax breach in 2016, the U.S. House of Representatives drafted a report. The report is AMAZING! It includes details of Equifax corporate structure, IT infrastructure, and covers timelines and minutiae of the breach itself. It has information that is extremely interesting and useful for security practitioners, but we might not all have the time or interest to wade through 97 pages of deep information. I did that for you! My talk is a comprehensive review of the report that covers everything I considered interesting or important.

Memhunter - Automated Hunting Of Memory Resident Malware At Scale

Saturday 15:00, Savoy Ballroom, Flamingo (Blue Team Village) (30M)

@marcosd4h is an experienced, self-motivated, and results-driven software architect who loves to program not only to create code but to create value. He has had extensive experience with heterogeneous technologies and computer architectures. Over his years of professional work experience, computer security has long been his passion - whether it has been around designing exploit prevention capabilities of an endpoint security solution, or doing vulnerability research on carrier-grade telco charging software, or analyzing an exploit/malware to create a detection signature, or just participating in CTFs for fun. Marcos is currently working at McAfee as a Software Architect, leading the development of the exploit-prevention technology components which are part of the company's next-generation flagship product called Endpoint Security (ENS). This product is currently deployed over millions of endpoints worldwide. Marcos also led the organization of the first-ever BSides conference in Cordoba, Argentina.

@chgaray is an experienced infosec analyst who drives strategic initiatives and provides thought leadership and insights regarding the ever-changing global threat landscape at Claro America Movil offices in South America. He organized the 1hackparaloschicos local security conferences in the past, and now he is working on the organization of the first-ever BSides conference in Cordoba, Argentina.

Memhunter is an endpoint sensor tool specialized in detecting memory-resident malware. The detection process is performed through a combination of endpoint data collection and memory inspection scanners. Memhunter automates the detection of memory-resident malware at scale. The tool is a standalone binary that, upon execution, deploys itself as a Windows service. Once running as a service, memhunter starts the collection of ETW events that might indicate code injection attacks. The live stream of collected data events is fed into memory inspection scanners that use detection heuristics to down-select the potential attacks to the ones that represent actual fileless threats. The entire detection process requires neither human intervention nor memory dumps, and it can be performed by the tool itself, at scale, improving the threat hunting analysis process and remediation times.

When A Plan Comes Together: Building A SOC A-Team

Saturday 16:30, Savoy Ballroom, Flamingo (Blue Team Village) (30M)

@markaorlando started his security career in 2001 as a Security Analyst, and since then has been both fighting for blue team resources and trying to automate them out of a job. He has built, assessed, and managed security teams at the Pentagon, the White House, the Department of Energy, global Managed Security Service Providers, and numerous financial sector and Fortune 500 clients. Short on patience and attention, Mark is constantly working on new projects to improve defensive security through automation and other short cut-y things so defenders can be more agile and creative. While Director of Operations at Foreground Security, he designed and launched a Managed Detection and Response (MDR) service offering and helped to invent an automated cyber threat hunting technology, both of which were later acquired. He enjoys teaching and learning from others but spends far more time doing the latter.

The security industry is facing a severe talent shortage, but the threats are growing in number and sophistication. Finding talent, honing it to meet your specific mission, and retaining it have become immense challenges for modern operations teams. In this talk, we’ll explore these challenges and discuss creative ways to find, train, and equip a security operations “A-Team”.

Extending Zeek For ICS Defense

Saturday 17:00, Savoy Ballroom, Flamingo (Blue Team Village) (30M)

@v4tl4 currently works as a security engineer. He has spent the last three years developing signatures for detecting threats on the network. Prior to that he was a SOC analyst.

@jamesdickenson has worked as a security engineer for five years focusing on detection engineering, threat intel and network security monitoring.

Industrial Control System (ICS) protocols are often neglected in the realm of network security monitoring. Detecting, parsing, and finding malicious activity can be frustrating and time-consuming. In this session we will share our learning experiences building detections and protocol parsers in Zeek. We will discuss how ICS protocols can be parsed by using the Zeek network security monitor to hunt for malicious patterns and generate detections for your Security Information and Event Management (SIEM) tools. This talk is for those that have ICS protocols in their environments and want greater insight into ICS network traffic.

Killsuit - How The Equation Group Remained Out Of Sight For Years

Saturday 17:30, Savoy Ballroom, Flamingo (Blue Team Village) (30M)

@connormorley is a Threat Hunter at Countercept, a 24/7 managed Threat hunting service by MWR Infosecurity. A keen investigator of malicious TTPs, he enjoys experimenting and dissecting malicious tools to determine functionality and developing detection methodology. As a threat hunter as well as holding OSCP accreditation, he is experienced with traditional and “in the wild” malicious actors' behaviour.

@laciefan is a Threat Hunter at Countercept, a 24/7 managed Threat hunting service by MWR Infosecurity. Previously an Incident Response investigator, she carries a deep interest in forensics investigations and attack detection. Having knowledge in both offensive and defensive security, she currently holds both CPIA and OSCP accreditation.

When the Shadow Brokers released a large number of Equation Group tools in 2017, many researchers jumped on the analysis of EternalBlue, FuzzBunch etc. The exploits of the leak have now been thoroughly analysed and mostly patched, but the workings of its persistence tool (Danderspritz) are still widely unknown. In our talk, we are going to break down the Killsuit modules of Danderspritz. Killsuit (KiSu) is a modular post-exploitation persistence and capability mechanism employed in various hacker frameworks including Danderspritz (DdSz).

Evaded MicrosoftATA? **But** You Are Completely Exposed By Event Log

Sunday 09:00, Savoy Ballroom, Flamingo (Blue Team Village) (1H)

@9ian1i is a security researcher, core member of 0keeTeam, Information Security Department of Qihoo 360 Technology Company. He specializes in the construction of Blue Team and security architecture, especially the auto-detection of security vulnerabilities.

Because the internal environment of Windows domains is always too tolerant, and enterprises are more concerned about border defenses than internal security, the penetration behavior based on Windows Active Directory has become more and more popular and aggressive. The emergence of MicrosoftATA allows BlueTeam to perceive and discover most domain penetration activities; however, there are many bypassing techniques for MicrosoftATA recently, and the detection dimension of MicrosoftATA is not comprehensive enough, especially the persistence part. It's a compelling problem whether the Red Team can ensure their behaviors are not detected after bypassing the detection of MicrosoftATA. In my recent research, the security event log of the domain controller details the activity of entities in the domain. Most AD Attacks leave traces in the logs. These logs can be collected and analyzed in real time, helping you quickly detect attacks before an attacker compromises the domain controller. I will detail how to find exceptional behavior from a large number of domain controller security event logs and use a variety of analysis approaches to determine attacks, while taking into account false alarm rate. It's worth mentioning that we don't collect the security event logs of all computers, only domain controllers. As a result, these ideas are applicable in a large-scale intranet environment, helping Blue Team build its own Advanced Threat Analytics.

Who Dis? Who Dis? The Right Way To Authenticate

Sunday 10:00, Savoy Ballroom, Flamingo (Blue Team Village) (1H)

@Lak5hmi5udheer is a Security Researcher at Adobe. She holds a Master of Science in Information Security and has been in the security industry for about four years now. At Adobe, she works on reviewing architectures and providing security guidelines to various product teams. Prior to Adobe, she was at a startup doing all things Application Security and has experience with security consulting at Bishop Fox. She has also spoken about her open source projects at security conferences like RSA 2018, Appsec USA & AppSec Cali.

@dhivus is a Security Researcher at Adobe. She received her master’s degree in Information Security and Information Technology from Carnegie Mellon University in 2017. At Adobe, she provides proactive security guidance to key product teams, develops security automation tools and enjoys reviewing security of new technologies. She loves talking about her open source projects at conferences, most recent being Girls Who Code, DefendCon and CISO summit.

In today's ecosystem, verification of identity is no longer applicable just to the user; it extends to microservices, cloud providers, IoT devices and many other emerging systems as well. 81% of discovered breaches are due to broken authentication, indicating that it is a prevalent issue. Developers are generally aware of different authentication methods used for secure interaction between these entities, but most often lose context on best practices. In this context, we talk about popular authentication schemes like SAML, OAuth, token, and magic links, adopted by developers today, and emerging ones like WebAuthN. We will present incorrectly coded authentication patterns observed in disclosed reports related to these schemes. Finally, we will conclude with actionable solutions to correct these flaws, realized in the form of practical guidelines. These would be security design patterns that developers or designers could refer to in their daily tasks.

Atomic Threat Coverage: ATT&CK In Action!

Sunday 11:00, Savoy Ballroom, Flamingo (Blue Team Village) (1H)

@yugoslavskiy is leading the Threat Detection team at Tieto Security Operations Center (SOC) in Czech Republic, Ostrava. Before that, he was responsible for processes and systems architecture development of Informzaschita SOC in Moscow, Russia. Daniil spent more than six years in Practical Computer Security and Network Monitoring domains. He holds OSCP, CCNP Security, GCFA and GNFA certifications. He has given talks at Code Europe, CONFidence, Amsterdam FIRST Technical Colloquium, x33fcon, EU MITRE ATT&CK community workshops, presenting Intelligence-Driven Defence approach implementation and MITRE ATT&CK operationalization. Daniil is also a member of the GIAC Advisory Board, Krakow 2600 Meetings coordinator and creator of the Atomic Threat Coverage project.

We will present our project, which allows automatic generation of actionable analytics designed to combat threats (based on the MITRE ATT&CK adversary model) from Detection, Response, Mitigation and Simulation perspectives. This way Atomic Threat Coverage represents a Core of Security Operations Center, creating an analytics database with all entities, mapped to all meaningful, actionable metrics, ready to use, ready to share and show to leadership, customers and colleagues.

An Introduction To Malware Analysis

Sunday 12:00, Savoy Ballroom, Flamingo (Blue Team Village) (1H)

@Understudy77 is an obsessive clicker of links. Shawn is a current Paranoid and Head of Security Operations at Verizon Media with a past history of Incident Response, threat hunting, and malware analysis.

A mostly live demo of base concepts of malware analysis using a multitude of tools on a Dridex sample pulled from a phishing campaign, from PDF attachment to executable installation. The main point is to show people some base tools to dive headfirst into analysis of suspicious files.