Schedule

  • Constitution Hall
    7:55 - 8:00
    Opening Remarks
    8:00 - 8:50
    Keynote - Innovating for 21st Century Warfare
    Presented by Ernest "Cozy Panda" Wong: What the Demi-Gods at NSA have Gotten Wrong! Since the origins of the Republic, the American people have shown a strong speculative knack that led to novel ideas for tackling tough problems. From the first American colonists who made do with limited resources, to NASA astronauts who boldly explored space with minimal supplies in order to break free of gravity, Americans have a proud history of advancing new and effective ways of getting the job done. However, the Internet’s rapid growth has meant that the tools for operating in cyberspace are constantly changing. In such a fluid environment, does America still have the capacity to gain the advantages necessary to out-hack those who attack us in the cyber domain? This talk analyzes what innovation really means and highlights differences between revolutionary, evolutionary, sustaining, and breakthrough innovations. Through this framework, we gain tremendous insights that help to progress how our nation can develop more effective tactics, techniques, and procedures for defending (as well as attacking) in the cyber domain.
    9:00 - 9:50
    Your Facts Are Not Safe With Us: Russian Information Operations As Social Engineering
    Presented by Meagan Keim: Over the past few years, Russia has proven itself to be an undeniable master of information operations. The techniques vary, but the majority of them focus on creating new realities and subverting Western values. This makes response efforts much more challenging, and Russia’s info ops strategies have become a key part of the arsenal the country draws upon in achieving its aims both at home and abroad. By describing personal experience with a steady diet of state-sponsored propaganda while studying abroad in Russia, and by examining the country’s annexation of the Ukrainian peninsula of Crimea as a case study, I will give you an in-depth look at Russia’s info ops and why they’re so effective. I will explain why it’s useful to frame Russian information operations as large-scale social engineering and the implications that has for mitigating the resulting security problems.
    10:00 - 10:50
    Supercharge Your SOC with Sysmon
    Presented by Christopher Lee: "Our SOC was ready for an endpoint detection and response solution, but we couldn't justify the spend before we clearly understood the value. We set out on a year-long journey to build our own solution around Sysinternals Sysmon. Using Sysmon, Windows Event Collection, SIEM, scripts, and a custom database app, we've created a solution that gets most of the value of a commercial solution at practically no cost. Our presentation is a case study for deploying Sysmon to thousands of endpoints, collecting the log data using native Windows features, and sending it to our SIEM in real-time. We'll detail our Sysmon and WEC infrastructure and config, while giving recommendations and pointing out pitfalls. We will share our favorite SIEM rules to detect evil on our endpoints, and how we present the data back to our analysts for effective investigations. Finally, we'll show how we're enriching the logs with third-party threat intel, and hunting with the data using more advanced analytics."
    11:00 - 11:50
    Disinformation and Hiding Your Personal Information
    Presented by James MacReady: If the Equifax breach has taught us anything, it's that our personal information is no longer in our control. Now is the time to utilize counter-intelligence techniques such as disinformation to maintain our personal privacy. This talk will explain why disinformation is important, but also give real world tips and techniques for spreading false information with the aim to protect your privacy.
    12:00 - 12:50
    Lunch
    13:00 - 13:50
    Threat Hunting: Defining the Process While Circumventing Corporate Obstacles
    Presented by Kevin Foster, Matt Schneck and Ryan Andress: Threat hunting is a hot topic spurred on by the thought that it’s not a matter of if, but when, your organization will be breached. Mature security organizations are shifting in their approach from solely relying on reactive response and black box security tools to proactive hunting. This shift in approach requires large amounts of network and endpoint data to tie together attacker tools, tactics, and procedures. Security teams often have their hands tied due to limited budgets, politics and their ability to effect change with what information gets logged (just try getting a DNS admin to check a box that says “Debug” in prod). Hypothesis driven data acquisition can be used to overcome environmental challenges, provide a specific goal, and reduce analysis paralysis. This presentation will discuss hypothesis driven threat hunting using free and commercial tools for organizations which face common corporate roadblocks.
    14:00 - 14:50
    Put up a CryptoWall and Locky the Key - Stopping the Explosion of Ransomware
    Presented by Erich Kron, CISSP-ISSAP: Ransomware is spreading at an alarming pace and infecting networks across all industries and company sizes, primarily through phishing attacks. The cyber criminals behind the attacks are furiously innovating and keeping ahead of the defenses. In this session we will have an interactive discussion related to the latest in ransomware threats and how to best protect your organization and yourself against this growing threat. Erich Kron, Security Awareness Advocate for KnowBe4, will educate attendees about the newest features of ransomware strains designed to evade detection and spread in new and creative ways. He will also discuss recent attacks and how the organizations could have better protected themselves. The session is intended for an intermediate experience level and will examine:
    • Current phishing trends
    • Ransomware and how it is infecting networks
    • Effective mitigation strategies
    • Recovering from an attack
    Speaker Bio: Erich Kron is a veteran information security professional with over 20 years’ experience in the medical, aerospace manufacturing and defense fields. He is the former security manager for the 2nd Regional Cyber Center-Western Hemisphere and holds CISSP, CISSP-ISSAP, MCITP and ITIL v3 certifications, among others. Erich has worked with information security professionals around the world to provide the tools, training and educational opportunities to succeed in Information Security.
    15:00 - 15:50
    Web Hacking 101 Hands-on with Burp Suite
    Presented by David Rhoades: This is a half-day hands-on training course. A high-energy, demo-laden, caffeine-laced session that will introduce the student to the techniques needed to remotely detect and validate the presence of common vulnerabilities in web-based applications using Burp Suite, the industry’s most popular toolkit. Testing will be conducted from the perspective of the end user (as opposed to a source code audit). This is a hands-on session. Attendees are REQUIRED to bring a PC, Mac, or Linux box running either Oracle VirtualBox or VMware Player (both are free). All of the tools and targets used during the session will be available to the attendees in a single virtual machine file. To prepare: wait until the day before the event, then grab the latest version of the Web Security Dojo from here: https://www.mavensecurity.com/web_security_dojo/ NOTE: It’s best to wait until the day prior to the event to be sure you have the latest version of “the Dojo”, since that is the version we will use during the session. Time permitting, the following topics will be covered:
    Web Primer (HTML, HTTP, Cookies; just the basics)
    Introduction to Burp Suite
    Threat Classification Systems (OWASP Top Ten & WASC Threat Classes)
    Vulnerability Category: A1 - Injection (SQL, XML entity, etc.)
    Vulnerability Category: A3 - Cross-Site Scripting (XSS)
    Vulnerability Category: A8 - Cross-Site Request Forgery (CSRF)
    NOTE: Since the student will have all of the tools and targets in a single virtual machine, they are free to continue the learning after the session in the privacy of their own localhost. No network required. The Web Security Dojo includes various PDF walk-through guides for some of the targets.
    16:00 - 16:50
    Pack your Android: Everything you need to know about Android Boxing
    Presented by Swapnil Deshmukh: Android malware authors may enforce one or a combination of protection techniques like obfuscators, packers and protectors. This additional step just before publishing the app adds complexity for Android Bouncers and various static and dynamic code analysis tools. Along with these protection techniques, a combination of features such as emulation detection, anti-debugging, root detection, tampering detection and anti runtime injection practically makes the malicious app go undetected. As a result we have seen a steady increase in the malicious apps published in various Android app stores. ZDNet reported around 1000 spyware mobile apps were published in the official Google Play Store this year alone. These apps may have the capability to monitor almost every action on an infected device: actions such as taking photos, recording calls, monitoring information about the Wi-Fi access point and inspecting the user’s web traffic. The talk would focus on all three commonly used APK protection techniques and how they operate under the hood. For obfuscation, we will demo a tool designed to remove switch case injection, dead code injection, and string encryption and get readable code. In the case of packers, the talk will showcase avenues to unpack the packer by first finding the algorithm, hooking into libc before the packer opens the DEX file, and dumping the DEX from memory. Protectors such as DexProtector mangle code by modifying the entry point to a loader stub and performing anti-emulation, anti-debug and anti-tampering checks. Protectors are easy to patch: one can attach a cloned process or dump the odex and get readable code. By adding these techniques, an ethical hacker or Android bouncer can identify many a malicious application published in the app store.
    Previous talks on this topic: Android Hacker Protection Level 0 [Defcon 22]; The Terminator to Android Hardening Services [HITCON 2015]; Unboxing Android [Defcon 25]
    Live Demo: Yes
    Code share: Yes, on Github
    Tools that would be inspected in this talk: Obfuscator and Optimizer: Proguard, Dexguard, Arxan; Protector: DexProtector; Packer: Bangcle, Baidu
    17:00 - 17:50
    Hacker Mindset
    Presented by David Brown: Throughout the history of information security people have asked a simple question: why do people do these things? Incidents ranging from unauthorized access to crafting of sophisticated malware are all the results of an array of motivations and mindsets. This presentation will cover some of the top drivers for the “hacker” mentality and touch on the approaches they use that align to their end goals. Presentation outline:
    • Hackers then and now, how has the moniker changed over time
    • Threat ranges from the mundane to the advanced and persistent
    • Common traits among historical greats
    • An application of psychology to an incident investigation
    • The sources of all evil may not be what we think
    • The next generation of hackers and where they are headed
    18:00 - 18:05
    Closing Remarks
  • Congress Hall
    7:55 - 8:00
    Opening Remarks
    8:00 - 8:50
    Keynote - Innovating for 21st Century Warfare
    9:00 - 9:50
    MFA, It’s 2017 and You’re Still Doing Wrong
    Presented by Dan Astor and Chris Salerno: We can all agree that having single-factor remote access gateways (VPN, Citrix, Remote Apps, etc.) exposed on the internet is a poor decision and a large security risk. These portals can allow for a direct connection into the internal corporate environment. Once there, an attacker can begin to identify internal vulnerabilities, move laterally, escalate privileges, persist, and hoover out all the data they want. Fortunately, these portals are increasingly behind a multi-factor solution (phone call, hard/soft token, certificate, etc.). While this does help to reduce the attack surface from a direct brute force (username and password), there are often overlooked options or misconfigurations that can allow an attacker to bypass this solution or directly disrupt business operations. In this talk we’ll be covering methods that we’ve used to bypass MFA solutions to obtain internal network access from the internet.
    10:00 - 10:50
    Out With the Old, In With the GNU
    Presented by Leslie A: In our field and related subsections, we typically don’t learn from scratch. Instead, we learn from those who have been around longer — through books, online resources, and person-to-person training. That said, when is “tribal knowledge” harmful? Can we improve (or remove) commands we use for a single purpose for something better? Why do people confine their use of `awk` when it can be as flush as Perl? This talk will review some simple ways we can streamline the command line by stripping down to the bare essentials. Most examples will be for Linux; however, it will touch on BSD and other command line-friendly OSes.
    11:00 - 11:50
    IoT devices are one of the biggest challenges
    Presented by Charles Sgrillo: IoT devices are one of the biggest challenges for security professionals now and will continue to be in the future. The security of these devices is critical as more of these insecure devices come to market. As professionals, we need to have an idea how these devices affect our organization. In this talk we will explore the basic principles of IoT PenTesting, how to build an effective toolset, reverse engineering, and analyzing wireless signals with SDR.
    12:00 - 12:50
    Lunch
    13:00 - 13:50
    Evading C2 Detection with Asymmetry
    Presented by Andrew Johnston and Anthony Motto: Detecting callouts to command-and-control (C2) servers used to be straightforward, but attackers in your network have found ways to communicate with the outside world even under the heaviest of scrutiny. In this talk, we discuss ways to use popular websites as means of getting commands and exfiltrating information. We examine the applications of asymmetric communication, from Internet-accessible computers to embedded devices to air-gapped systems. Finally, we give some suggestions to defenders, and discuss how to detect and mitigate risks that enable asymmetric malware.
    14:00 - 14:50
    Abusing Normality: Data Exfiltration in Plain Site
    Presented by Aelon Porat: As a defender, you can recognize a potential compromise when a new WMI class appears on an endpoint that constantly connects to mflzwsyimbwkrlnvhrp.xyz. But how likely are you to notice a regular-looking Symantec virus definition file, placed in its designated folder, on a machine that’s communicating with a Wikipedia-based C&C, about once a week and only after previous, legitimate visits to the site? Or malware saving keystrokes to a Word dictionary file, reading it five days later using Outlook, and embedding the captured data in an email header to a legitimate-looking recipient? This talk will cover common and uncommon channels attackers can use to communicate and hide information. From prefetch files and Search Index to event logs and Recent Documents, free disk space, Excel templates, and many otherwise inconspicuous objects, the goal of this talk is to show that a clever attacker can hide anywhere that is considered too normal and noisy to monitor.
    15:00 - 15:50
    Smarter ways to gain skills, or as the DoD puts it
    Presented by Dr. P. Shane Gallagher and Evan Dornbush: Smarter ways to gain skills, or as the DoD puts it: Leveraging the right learning model and embedded analytics for outstanding results in cyber operator training. With the increasing threat of cybercrime and national security issues, growing the number of qualified cybersecurity professionals has become a national imperative. Addressing this problem and specifically developed to enhance the efficacy and efficiency of cyber-operator development and education, the Cyber Operations Academy Course (COAC) came about as a public-private partnership between City Colleges of Chicago and the Department of Defense (DoD). In two previous iterations, COAC learners with little if any cyber or college experience, using an authentic problem-based approach incorporating cooperative and collaborative learning models, produced very large positive effects (Cohen’s d=1.34) in pre/post assessments and group comparison. The key to achieving such compelling results is strongly believed to be the mix of an authentic problem strategy, learning “fire” teams, and fire team leaders highly experienced in both cyber operations and teaching. Understanding more deeply how students interact with each challenge and their use and discovery of external resources in solving them has been elusive. This presentation discusses the COAC learning model, the underlying technical platform (ESCALATE) and the incorporation of the Experience API (xAPI) facilitating robust learning analytics, which were used for summative assessment and continuous course improvement.
    16:00 - 16:50
    Game of the SE: Improv comedy as a tool in Social Engineering
    Presented by Danny Akacki - Security Monkey: "No scene is ever about the words being spoken." - Del Close. What do improv comedy and Social Engineering have in common? Whether the average person knows it or not, life prepares us for both every day. We don't wake up every day with a script to read or cues to hit; we're improvising everything we do every hour of every day. In this talk I'll describe how studying improv comedy can be a useful learning tool for both novice and seasoned Social Engineers. As an aspiring social engineer, I'm always looking for new ways to complement my studies. During a panel talk at the SE Village of Derby 2017 one of the speakers mentioned improv comedy being a tool some used to sharpen their SE skills. Early in 2017 I embarked on several levels of improv comedy training with the comedy troupe ManDudeBro in Bethlehem, PA. It quickly became evident to me how much SE and Improv have in common. I found improv to be an excellent practice ground in lieu of professional SE gigs. Through this talk I intend to map several core tenets of improv comedy to crucial SE skills and principles of influence such as: Play to the top of your intelligence. Whether engaging the target of an SE gig or pretending you're a doctor during an improv scene, if you don't believe what you're saying, nobody else will either. Accommodating Non Verbals. One of the godfathers of improv, Del Close, once said "No scene is ever about the words being spoken." This maps to the non verbal principles of influence and building rapport. An audience won't believe a scene you're trying to create without passion and honesty. Recognizing how to craft those skills in yourself is key to recognizing them in others during a social engineering engagement. There are many others, including listen and respond vs active listening, the principle of "Yes, And" and its ability to teach a novice SE how not to negate a frame, and the principle of "gift giving" in a scene and an SE "quid pro quo". I think this talk will be a fun and eye opening session on how Improv and SE are perfect scene partners.
    17:00 - 17:50
    File Polyglottery; or, This Proof of Concept is Also a Picture of Cats
    Presented by Evan Sultanik: A polyglot is a file that can be interpreted as multiple different filetypes depending on how it is parsed. While polyglots serve the noble purpose of being a nifty parlor trick, they also have much more nefarious uses, e.g., hiding malicious printer firmware inside a document that subverts a printer when printed, or a document that displays completely different content depending on which viewer opens it. This talk does a deep dive into the technical details of how to create such special files, using examples from some of the recent issues of the International Journal of PoC||GTFO. Learn how we made a PDF that is also a valid NES ROM that, when emulated, displays the MD5 sum of the PDF. Learn how we created a PDF that is also a valid PostScript document that, when printed to a PostScript printer, produces a completely different document. Oh, and the PostScript also prints your /etc/passwd file, for good measure. Learn how to create a PDF that is also a valid Git repository containing its own LaTeX source code and a copy of itself. And many more!
    18:00 - 18:05
    Closing Remarks