Loading…
Attending this event?

Sign up or log in to bookmark your favorites and sync them to your phone or calendar.

Wednesday, October 23
 

3:00pm

Conference Registration
Conference Registration runs from 3pm - 8pm on Wednesday.  Talks, labs (most) and the Welcome Party start on Wednesday night!

Wednesday October 23, 2019 3:00pm - 8:00pm
Conference Floor

4:00pm

S1/E3: Do you C2? If you do, ICU.
Wherein an Evil Agent does what an Evil Agent has to. We will run it down once more...

Yayyyy Deadwood again! So many new scary things to learn about! Wicked Wizards and 0days! Almost certain @HackingDave and @DeviantOllam and @MalwareJake and so many others are going to shift how you think about everything!

Meanwhile, back at the office, Steve Secretary clicks a link. Then a browser goes pop. A new Evil thread emerges in the world. It doesn’t know what to do! Halp! It needs a meeting! It needs to call Mom. And when it does…

When it does, I will see it. Without spectacularly expensive tools. Without dark skills. I will see it just by looking.

Speakers
avatar for Jonathan Ham

Jonathan Ham

Jonathan is an independent consultant who specializes in large-scale enterprise security issues, from policy and procedure, through staffing and training, to scalable prevention, detection, and response technology and techniques. With a keen understanding of ROI and TCO (and an emphasis... Read More →


Wednesday October 23, 2019 4:00pm - 4:50pm
Main Stage

5:00pm

Offensive GoLang
Tools such as Metasploit, Mimikatz, and Netcat are household names amongst penetration testers and red teamers. They have been used for many years to get shells, dump creds, and move laterally with fanfare and impunity; however, times change. Network defenses are improving, and they are increasingly blocking the tools we rely on for successful penetration tests (good job vendors!).

So how can you as a penetration tester deliver value to your clients when your essential tools are blocked?

The short answer is you can “live off the land”, modify existing tools, or roll your own. But this is easier said than done. Our device ecosystem is growing rapidly. On a single engagement you may face systems including Windows, Mac, Linux, mobile, IoT, and more. You don’t have time to learn 6 programming languages. You can’t expect needed runtime environments to be present on all targets. And you need solutions that are easy to create, maintain, and deploy.

Enter GoLang. The Go programming language (GoLang) was built by computing pioneers from Google. They set out to create a language that is simple to read and write, easy to deploy, and able to scale. And it happens that Go has wondrous offensive capabilities.

Offensive GoLang will provide an overview of the Go programming language, highlighting how it can be applied to penetration test and red team engagements. Attendees will enjoy several demos showcasing Go’s awesome offensive applications including creating cross platform executables, injecting A/V resilient shellcode, payload hardening, and more. At the conclusion of this presentation, viewers will have a strong understanding of how Go can be used to create simple, reliable, and scalable offensive tools.

Outline:
-Intro / Agenda
-Overview of Go
-Pros/Cons of Go versus other solutions (Python, PowerShell, C#, etc.)
-Attack all the things with cross compilation
-Easily create Windows DLLs with Go
-How to model advanced threats with A/V resilient shellcode injection
-How to use Goroutines to speed up password cracking
-Getting low level with W32
-Defense Evasion with Go
-Popular open source projects (Merlin, Egesploit, goBuster, and more!)
-Conclusion / Q&A

Speakers
avatar for Michael C. Long II

Michael C. Long II

MITRE Corporation
Michael Long is a Senior Cyber Adversarial Engineer with the MITRE Corporation and a former U.S. Army Cyber Operations Specialist. Michael has over 10 years of experience in information security disciplines including adversary threat emulation, red teaming, threat hunting, and digital... Read More →


Wednesday October 23, 2019 5:00pm - 5:50pm
Main Stage

6:00pm

Welcome Party
Wednesday October 23, 2019 6:00pm - 8:00pm
Conference Floor
 
Thursday, October 24
 

7:30am

Conference Registration
Thursday October 24, 2019 7:30am - 6:00pm
Conference Floor

8:30am

Welcome to WWHF
Speakers
avatar for John Strand

John Strand

Black Hills Information Security
John has both consulted and taught hundreds of organizations in the areas of security, regulatory compliance, and penetration testing.  He is a coveted speaker and much loved SANS teacher. John is a contributor to the industry shaping Penetration Testing Execution Standard and 20... Read More →


Thursday October 24, 2019 8:30am - 8:50am
Main Stage

9:00am

Keynote
Speakers
avatar for Ian Coldwater

Ian Coldwater

Ian Coldwater is a DevSecOps engineer turned red teamer, who specializes in breaking and hardening Kubernetes, containers and cloud native infrastructure. In their spare time, they like to go on cross-country road trips, capture flags and eat a lot of pie. Ian lives in Minneapolis... Read More →


Thursday October 24, 2019 9:00am - 9:50am
Main Stage

10:00am

Social Forensication: A Multidisciplinary Approach to Successful Social Engineering
Abstract
This presentation outlines a new twist on an existing social engineering attack. In the past, we have worked on getting users to plug in USB devices to drop malicious documents and executables. While this attack sometimes proves our point, it is the tip of the iceberg that can be done. Enter Social Forensication.

This is a two-pronged attack, consisting first of collecting a memory image for offsite offensive forensic analysis, the second being a rogue Wi-Fi access point attack. During this presentation, we will walk through the steps to perform each attack. Since defense is just as (if not more) important as the attack itself, we will also discuss mitigations (technical and procedural) and relevant windows detections for these attacks.


Speakers
JG

Joe Gray

Joe Gray joined the U.S. Navy directly out of High School and served for 7 years as a Submarine Navigation Electronics Technician. Joe is currently a Senior Security Architect and maintains his own blog and podcast called Advanced Persistent Security. In his spare time, Joe enjoys... Read More →


Thursday October 24, 2019 10:00am - 10:50am
Track 2

10:00am

What's hiding on your networks
Speakers
avatar for Bob Hillery

Bob Hillery

Bob Hillery is a founder and Chief Operations Officer with InGuardians, Inc. He is anexperienced consultant in Information Systems Security Management and has an extensivebackground in computer networks gained through the Navy and R&D labs. Bob has workedon National Institute of Justice... Read More →


Thursday October 24, 2019 10:00am - 10:50am
Track 1

11:00am

Breaking Into Your Building - A Hacker's Guide to Unauthorized Physical Access
During this presentation, we’ll discuss proven methods of bypassing popular physical security controls and employees, using only publicly available tools and social engineering. You'll hear war stories from assessments that we have performed, and the frightening simplicity of gaining unauthorized physical access to many things from server rooms to Top Secret Ops rooms. These assessments will be broken down to discuss the various social engineering and physical security bypass methods and tools used, as well as remediation recommendations.


Speakers
avatar for Brent White

Brent White

NTT Security
Brent is a Sr. Security Consultant at NTT Security as well as a Trusted Advisor for the Tennessee Department of Safety and Homeland Security on the topics of Physical and Cyber Security. He is also the founder of the Nashville DEF CON group (DC615), and is the Global Coordinator for... Read More →


Thursday October 24, 2019 11:00am - 11:50am
Track 2

11:00am

Hacking a Security Career
Prominent and very wise individuals in INFOSEC have published blog posts and offered wisdom to those who seek to enter our industry.  One of the best sides of our community is on display when venerable types extend a hand to the next generation.  These amazing guides and collections of links and training resources can help guide many hopefuls on the path toward knowledge and perhaps their first of many rewarding jobs.  

However, what if you aren’t just focusing on your first new job, but instead you want to take a broader view and help plot out your entire career? What if you don’t simply want to work for an INFOSEC business but instead you aim to run a security business? Deviant has started (and still runs) several successful security firms… and he believes there are some very specific points and considerations that don’t get brought up in the discussion. With the hope of saving countless new employees from failure and many new businesses from bankruptcy, Dev will discuss the key element that many people fail to bring to the table when starting a security career… and the secret to the success of so many INFOSEC individuals who came before us.

Speakers
avatar for Deviant Ollam

Deviant Ollam

The CORE Group
While paying the bills as a security auditor and penetration testing consultant with The CORE Group, Deviant Ollam is also a member of the Board of Directors of the US division of TOOOL, The Open Organisation Of Lockpickers. His books Practical Lock Picking and Keys to the Kingdom... Read More →


Thursday October 24, 2019 11:00am - 11:50am
Track 1

12:00pm

Automating Social Engineering for the Anti-social Engineer
While modern technical controls and protections can thwart basic phishing attempts, phone communication remains a lucrative avenue for would-be attackers. This is a typical route used to gain a foothold into an environment via an unsuspecting employee. However, this time-consuming manual process makes documenting and utilizing your social engineering results difficult.

Fortunately, existing interactive voice response (IVR) technology can help solve this problem. While these systems are typically used to assist people, we could also leverage them to attack.

The abundance of cloud-based services makes this easy to accomplish and even easier to expand upon with your own custom scenarios, all while capturing respondent information. This presentation will cover how to take existing, off-the-shelf tools and configure them to build your own social engineering “robot”.

Speakers
avatar for Patrick Sayler

Patrick Sayler

NetSPI
Patrick Sayler is approaching ten years of experience in the information security industry with more than six years dedicated to penetration testing. During this time, he has worked across a wide range of industries, including aerospace, financial services, manufacturing, healthcare... Read More →


Thursday October 24, 2019 12:00pm - 1:45pm
Main Stage

1:00pm

Hack (Apart) Your Career - How to Fund Doing What You Love
Our field is full of extremely creative people who have a lot to offer the industry. But often we lose focus because we are working for a company that has their own goals and competing priorities. This leads to long hours of work, a declining quality of life, and various other troubles. In this talk I focus on the tidal wave of DOD-related opportunities that exist to fund novel research and cutting edge technology, all while allowing autonomy of the individual. I've personally used these sources to transition to running my own company and have helped a lot of folks in the industry do the same. I'll discuss why people should consider this as a career path, where to find these resources, and walk through exactly how to apply.

Speakers
avatar for John Grigg

John Grigg

I have 12 years of experience within the Navy, the Intelligence Community, and in the corporate cyber security world with focuses on building and maturing SOCs, SIEM/IDS/IPS engineering, malware analysis, and cyber operations.@Sk1tchD... Read More →


Thursday October 24, 2019 1:00pm - 1:50pm
Track 2

1:00pm

We’ve Got A Lot To Learn: Building threat models to support innovation and save the world
The thought of building a network rife with IoT devices and remotely-accessible critical control systems is enough to bring most infosec professionals to tears. When that same network promises to reduce urban potable water demands by 70% while still supporting commercial and residential irrigation, it is probably worth wiping away the tears and rolling up our sleeves. Innovation is all around us, working to protect natural resources, provide opportunities for better lives, and ideally doing it in a way that ensures the availability, confidentiality, and integrity of the networks supporting these efforts.

Following a year-long, collaborative research project into network security in some of the most innovative areas of wastewater reclamation and treatment, this talk will focus on how to engage with and support industries with real needs for complex networks and with even more complex threat profiles. You will come away with an understanding of why asking questions and relying on experts outside of security is critical, learn how to identify and adapt industry-specific risk frameworks, and how to apply threat-based recommendations when the stakes are high and existing data is hard to come by.

Speakers
avatar for Rebekah Brown

Rebekah Brown

Rebekah Brown has helped develop threat intelligence programs at the highest levels of government and has had some exciting experiences along the way. She is a former National Security Agency network warfare analyst, U.S. Cyber Command training and exercise lead, and crypto-linguist... Read More →


Thursday October 24, 2019 1:00pm - 1:50pm
Track 1

2:00pm

Finding a Domain’s Worth of Malware
Are you tired of demonstrations of products that take months or years to get effective data from? How many products have you seen half-implemented (but fully paid for!) that didn’t ever deliver any real value to your organization? Here, I’ll discuss multiple free products that you can use next week to find evil inside your organization. Some techniques will find less advanced adversaries, and some will trip up even some of the most advanced ones - but they’ll all deliver value in less than a week of implementation, and I’ll discuss how you can integrate them and find the malware you already have in your environment. “Assume breach”...then find it!

Speakers
avatar for Jeff McJunkin

Jeff McJunkin

Jeff McJunkin @jeffmcjunkin is a senior staff member at Counter Hack Challenges with more than nine years of experience in systems and network administration and network security. His greatest strength is his breadth of experience - from network and web application penetration testing to digital/mobile forensics... Read More →


Thursday October 24, 2019 2:00pm - 2:50pm
Track 1

2:00pm

Microsoft Azure: Dark Clouds and Weaponized Skies
Abstract:
Reduced costs, scalability, and improved collaboration are among many of the reasons corporations are offloading infrastructure and application stacks into the cloud but not everything is a bright summer day in the wild wild west. While service providers do an amazing job at providing a huge selection of point-and-click deployments, there’s a new sheriff in town.
While we are seeing a range of exploitable conditions with all cloud deployments, this presentation focuses on compromising and weaponizing Microsoft Azure as an old western outlaw would. By walking the audience through stages of a red team engagement we will systematically compromise, persist, and pivot using Microsoft Azure .
By the end of the talk, attendees can expect to:
  • Find out how you probably already use Microsoft Azure and didn't know
  • Learn how some cloud security providers miss the mark
  • Sharpen your red team tradecraft to incorporate cloud infrastructure
  • Receive automated PowerShell scripts for mapping Microsoft Azure
  • Learn a novel technique for establishing an Azure C2 channel


Thursday October 24, 2019 2:00pm - 2:50pm
Track 2

3:00pm

Adversarial Emulation
Today’s Red Team isn’t enough

Why do we care? Because we want to move our defenses and understanding beyond a detection-based approach which has repeatedly been demonstrated to fail.

Why did I build SCYTHE? What led me here?
- Target Corporation Use Case
- Bounded Attack Space Philosophy - the atoms of an attack (different way to look at ATT&CK)
- Lessons Learned as a CNO expert coming into commercial/industry red teaming

Red Team vs Adversary Emulation - what’s done today vs what should be done

To white box or black box

Threat Intelligence
- Such a disappointment = static identifiers, but no way to machine read for emulation
- Analyst reports! Sigh, you have to read and analyze to pull out capabilities and TTPs
- Neutered malware - awesome! But… risky and takes a decent amount of work to do, plus very prone to signature-based detection response


MITRE ATT&CK - what it can and can’t do for you.
- Common mistakes - rigid adherence, signature-based

Open Source Options:
- CALDERA - APT3 example (although, they didn’t really use CALDERA for this…)
- Powershell - great. Seen in the wild. But, not hard to defend… so limitations.
- Empire - based on… Powershell.
- Living off the Land - https://lolbas-project.github.io/

Host Activities
- Destruction: ransomware, wiper
- Escalation
- Persistence
- Credential Theft


Network Activities
- Communication/Traffic
- C2 infrastructure

Lateral Movement
- Combination of host/network
- Mapping

Going Purple
- Combined visibility and reporting
- How do you technically do this - SIEM/Analytics, red team strings/tagging
- Program strategy and direction - shared gap analysis

Speakers
avatar for Bryson Bort

Bryson Bort

SCYTHE
Bryson is the Founder of SCYTHE, a start-up building a next generation attack emulation platform, and GRIMM, a boutique cybersecurity consultancy, and Co-Founder of the ICS Village, a non-profit advancing awareness of industrial control system security. He is a National Security Institute... Read More →


Thursday October 24, 2019 3:00pm - 3:50pm
Track 2

3:00pm

Selfies of the Mind: Confessions of an Extreme Diarist
Hacking your own mind — everybody does it to some extent, but some mind hacks are more useful and more extreme than others.  Since I was a kid, I’ve devised various mind hacks that have helped me throughout life. But just three years ago, I embarked on another extreme mind hack designed to improve my perception, memory, and understanding of the world around me.  In this deeply personal talk, I’ll share my technique, the tools that support it, and the adventures and insights that it has inspired.  It’s gonna get a little weird too.

Speakers
avatar for Ed Skoudis

Ed Skoudis

CounterHack
Ed Skoudis has taught cyber incident response and advanced penetration testing techniques to more than 12,000 cybersecurity professionals. He is a SANS Faculty Fellow and the lead for the SANS Penetration Testing Curriculum. His courses distill the essence of real-world, front-line... Read More →


Thursday October 24, 2019 3:00pm - 3:50pm
Track 1

4:00pm

Architecting Secure ICS Environments
Criminals are hacking Industrial Control Systems (ICS). Their motivations are as diverse as the environments where ICS solutions and devices are found. Businesses are taking notice and asking the hard question: "how do we secure systems that are intended to run continuously?" The personnel operating these environments need to understand IT security as much as IT security professionals need to understand the concepts and requirements of an ICS implementation. The purpose of this presentation will be to, briefly, introduce the concepts and security considerations for ICS devices and solutions. It will brush on common devices and implementations while providing an overview of the methodologies used to architect and secure ICS environments. Attendees will walk away with an excellent starting point for assisting with the security of a business' ICS deployments in a manner that facilitates safety and business-centric decisions.

Speakers
avatar for Don C. Weber

Don C. Weber

Cutaway Security
Don C. Weber has devoted himself to the field of information security since 2002. His most recent experiences include providing penetration assessment, architecture review, detailed hardware security assessment, wireless and radio implementation analysis, and incident response management... Read More →


Thursday October 24, 2019 4:00pm - 4:50pm
Track 2

5:00pm

Burpsuite Team Server - Collaborative Web Pwnage
During large scale engagements against multiple applications teams often split the workload across many testers. Currently, sharing Burpsuite sessions requires exporting large files that cannot be merged with a running state restricting the ability for teams to collaborate on an application. With this new plugin, coupled with a lightweight server, multiple testers can share traffic in real time across multiple applications allowing for quick collaboration! Have a repeater payload your team needs to see? Simply right click the request and select share to populate their repeater tabs! Come listen and see how this plugin can help your teams hack collaboratively!



Speakers
TB

Tanner Barnes

Tanner is a full scope penetration tester for Protiviti providing red team, social engineering, physical security, and source code review consulting for a myriad of clients in diverse industries. As a software engineer, he discovered the cyber security world through his first job... Read More →


Thursday October 24, 2019 5:00pm - 5:50pm
Track 2

5:00pm

The Security of DevSecOps
The current trend for DevSecOps has revolutionized the way applications are built and deployed, with developers having the ability to push a change from their desktop and have it running on a live server within hours, sometimes even minutes. The key to making all this possible is automation, with code changes running through build and test scripts and infrastructure being span up by lines of code rather than humans.

The downside to this automation is that the machines must now hold secrets that were previously only available to their human masters. Config files hold database credentials for structural updates, roll-out scripts can access SSH keys for production, and source code repositories never forget anything. In this new world, compromise of a single host can mean compromise of the whole process, affecting both the end product and the business itself.

This talk will look at the DevSecOps process and point out a number of key areas where we can look during reviews in a hope to plug as many of these potential holes as possible and ensure the Sec stays in DevSecOps.


Speakers
avatar for Chris Truncer

Chris Truncer

Christopher Truncer (@ChrisTruncer) is a co-founder and red team lead with FortyNorth Security. He is a co-founder and current developer of the Veil-Framework, a project aimed to bridge the gap between advanced red team and penetration testing tools, WMImplant, EyeWitness, and other... Read More →
avatar for Robin Wood

Robin Wood

Hacker, coder, climber. Co-founder of UK conference SteelCon, freelance tester, author of many tools. Always trying to learn new things.


Thursday October 24, 2019 5:00pm - 5:50pm
Track 1

6:00pm

Incident Response is HARRRRRD… but it doesn’t have to be
So your EDR, AV, or other fancy shiny blinky lights security tools alerted you that Bobs Windows box has some suspicious activity.  Do you have the details you need to investigate or remediate the system?  Can you quickly and easily investigate it?   You can enable a lot of things you already have for FREE to help you with your investigations, no matter the tools used.  Let’s take a look at how we do Incident Response on Windows systems and what you can do to prepare for an inevitable event.

How is your logging? Is it enabled? Configured to some best practice? (hopefully better than an industry standard that is seriously lacking). Have you enabled some critical logs that by default Microsoft does NOT enable? Do you have a way to run a command, script, or a favorite tool across one or all your systems and retrieve the results? Do you block some well-known exploitable file types so users do not initiate the scripting engine when they double click, rather just open good ol’ Notepad?

Everything mentioned here is FREE and you already have it!

This talk will describe these things and how to prepare, and be PREPARED to do incident Response on Windows systems. A few tools will be discussed as well that you can use to speed things up.
The attendee can take the information from this talk and immediately start improving their environment to prepare for the… inevitable, an incident.

Speakers
avatar for Michael Gough

Michael Gough

IMF Security
Michael is a Malware Archaeologist, Blue Team defender, Incident Responder and logoholic.  Michael developed several Windows logging cheat sheets to help the security industry understand Windows logging, where to start and what to look for.  Michael is a primary contributor to the... Read More →


Thursday October 24, 2019 6:00pm - 6:50pm
Track 2

6:00pm

TBD
Thursday October 24, 2019 6:00pm - 6:50pm
Track 1
 
Friday, October 25
 

9:00am

TBD
Speakers
avatar for Tim Medin

Tim Medin

Red Siege
Tim Medin is the founder and Principal Consultant at Red Siege, a company focused to adversary emulation and penetration testing. Tim is also the SANS MSISE Program Director and a course author. Through the course of his career, Tim has performed penetration tests on a wide range of organizations and technologies. He gained information secu... Read More →


Friday October 25, 2019 9:00am - 9:50am
Track 1

9:00am

Be Evil | A Toolset for Tier 1 Threat Emulation
Some intrusion sets are elite, top tier. Others... not so much. An emerging service in the information security community is the emulation of these threat groups in all their incarnations.

Proven security. The concept is as desirable as it is mathematically impossible. Given that cybersecurity risk is a facet of both threat and impact, proving security against a given threat actor requires more than traditional pentest and red team engagements. It requires a combined toolset of tactics and capabilities tailored to drive effects against the networks that we are tasked to defend. In this talk we explore real attack tactics and unveil an open source toolkit driven to enable advanced threat emulation.

Speakers
MT

Matthew Toussain

Matthew Toussain is the founder of Open Security and an analyst with CounterHack. As an avid information security researcher, Matthew regularly hunts for vulnerabilities in computer systems and releases tools to demonstrate the effectiveness of attacks and countermeasures. He has... Read More →


Friday October 25, 2019 9:00am - 10:00am
Track 2

9:00am

Campfire Stories - 15 minutes each
9:00am - Branden Miller - Email header analysis... the hard way
There is a treasure trove of data that one can get from email headers. Many tools provide this data in easy to read formats automatically, but, to fully understand what is going on, one must understand the types of data. This talk will introduce the data, help the user synthesize the data, and turn it into intelligence.

9:20am - Frank Vianzon - Anatomy of a phishing attack
Per the Verizon Breach Report of 2018, phishing is on the rise. In this talk we will look at a few really good phishing e-mails that I received and break down how to recognize it, how to protect yourself against it and how to perform a basic analysis of what the phishing e-mail is doing using the Burp Proxy Suite

9:40am - Heather Lawrence - Higher Ed and the Infosec Skills Gap
Some 37% of the 2018 ISC2 Workforce Study indicated that they were concerned about the lack of skilled cybersecurity personnel while almost 60% indicated that their organization is at risk due to the staff shortage. This talk discusses the current availability and quality of infosec higher education, how few institutions are preparing their students with the skills they need, and effective training methods that organizations can use to bridge the gap in-house.

10:00am - Bob Hewitt - Our Adventure with an Awareness Training Escape Room
Are you as tired of Annual Awareness Training as your users are? It might be time to change up your approach to Security Awareness Training with some gamification. Escape Rooms can be fun and a great opportunity for team building while demonstrating your Information Security Awareness objectives. Participants are faced with a series of scenarios that require actions that reflect your organizations policies, procedures and best practices.

10:20am - Josh Fu - The Real Deal about AI
Artificial Intelligence(AI) is impacting our world in previously unimaginable ways and vendors love to say they use it. But how does it really work? If you are looking for the real deal about this industry buzzword, this is the talk for you. We will cover the history of this incredibly innovative technology, what it is and what it is not, the steps required to produce a solution, the subfields that make up AI, how various industries are using it, and at the end of the presentation provide the reference list for you to dive deeper into this next generation field and get started for yourself.

10:40am - Bronwen Aker - URL Hacking - How to Cut the Tracking Cruft
Have you ever read a web page and wondered what all that weirdness in the URL means? It’s not rocket science, but there is madness behind the method of how those URLs are put together, and you can learn how to use it to your advantage. Hidden in plain view are the tracking codes companies like Google, LinkedIn, Amazon, and others use to track where you go online and how you got there. Trimming those codes from your URLs is easy, makes your links friendlier, and prevents would-be online trackers and their marketing masters from keeping tabs on you. Come along as we hack some URLs so you can clean that marketing malware from the links you use and share with others.

11:00am - Edward Ruprecht - When logging everything becomes an issue
Discussing potential issues with logging Sysmon and PowerShell logs. Potential sensitive data leakage, best practices, and scalability issues.

11:20am - Josh Rykowski - Gamification and Andragogy - A Match Made for Workforce Empowerment
In this talk I discuss the series of trials and tribulations faced when developing a programming competition aimed at energizing a large (approximately 700 individuals) existing employee population within our organization and trying to stoke their excitement about learning how to script and program.

1:00pm - Heath Adams - What I Learned After a Year as a Cybersecurity Mentor
Cybersecurity professionals are life-long learners. We put in our 40+ hours a week at work, but it never ends there. The field is constantly changing. Every day, something new comes out. A new exploit. A new patch. New software. A tactic that worked yesterday might no longer work today. Because of this constant state of metamorphosis, a cybersecurity pro is always studying. We are reading news articles. We are catching up on Twitter. We are working on certifications, on a CTF, or whatever it is that keeps our endorphins escalated. We never stop.

Many people come in seeing the sexy, only to bail when they realize the level of effort needed to succeed. In my belief, this is why we have (and always will have) a shortage in the field. This talk will provide guidance and resources available to network, find jobs and succeed in the field of cybersecurity.

1:20pm - Bruce Norquist - STRIDE Threat Model of a Cloud Application & Associated Cloud Baggage
This presentation is on a generic SAAS application and associated Cloud Stack’s Threat Model.
The central theme of this discussion uses VISIO drawings of the SAAS, PAAS, and IAAS and the related STRIDE set of threats.

STRIDE is a model of threats developed by Praerit Garg and Loren Kohnfelder at Microsoft for identifying computer security threats. It provides a mnemonic for security threats in six categories.
The threats categories are:
•    Spoofing of user identity
•    Tampering
•    Repudiation
•    Information disclosure (privacy breach or data leak)
•    Denial of service (D.o.S)
•    Elevation of privilege





Speakers
BN

Bruce Norquist

Bruce Norquist has been hooked and working security since he touched his first B3 level Compartmentalized Mode Workstation in 1994. He retired from the Army National Guard after 24 years as an Information Operations and Combat Engineer officer at NORAD/USNORTHCOM. His first Cloud... Read More →
avatar for Bronwen Aker

Bronwen Aker

Bronwen Aker has played with computers since elementary school when she was introduced to FORTRAN programming using bubble cards. She worked for twenty years in web development, and as a technical trainer, before entering the world of cybersecurity. Today she is a graduate of the... Read More →
avatar for Branden Miller

Branden Miller

Branden Miller retired from the US Navy in 2011 after 20 years as a Cryptologic Technician. He has held several jobs within Computer Network Operations including those of a Computer Network Defense Analyst and a Computer Network Exploitation Analyst. After retirement, he has enjoyed... Read More →
FV

Frank Vianzon

Frank Vianzon works in Corporate Risk Management during the day but also writes and teaches classes at the local colleges and is a Board Member at OWASP. Frank currently holds three SANS certificates for GPEN, GCWN and GISP.
avatar for Bob Hewitt

Bob Hewitt

Bob works for a Software as a Service provider that services charitable foundations and financial institutions where he is responsible for program management, compliance, SOC operations, penetration testing, and privacy. He consults several organizations on beginning and managing... Read More →
avatar for Josh Fu

Josh Fu

Cylance
Josh Fu (Twitter @jfusecurity) is a security professional at Cylance and was the founder of the west coast chapter of the International Consortium of Cybersecurity Professionals (ICMCP). His ability to turn technical concepts into easy-to-understand plain English has led him to present... Read More →
ER

Edward Ruprecht

Lead Cyber Security Engineer at FM Global
avatar for Heather Lawrence

Heather Lawrence

Heather Lawrence is a data scientist for the Nebraska Applied Research Institute who earned her undergraduate and masters degrees in Computer Engineering from the University of Central Florida. In previous lives she was a USN nuke, VA photographer, NCCDC winner, Hack@UCF mom, and... Read More →
avatar for Josh Rykowski

Josh Rykowski

Josh Rykowski @ryko212 currently serves as a Cyberspace operations officer for the US Army where he has lead a Cyber Protection Team and worked to develop specialized training for those same teams. On his convoluted path to cybersecurity he obtained a Bachelors of Science in Electrical... Read More →
avatar for Heath Adams

Heath Adams

Heath Adams is a Senior Penetration Tester. He has a strong background in network administration and information security, including penetration testing, network design and implementation, and network security. Heath currently holds multiple cybersecurity related certifications, including... Read More →


Friday October 25, 2019 9:00am - 2:00pm

9:00am

Conference Registration
Friday October 25, 2019 9:00am - 6:00pm
Conference Floor

10:00am

Elevating your Windows privileges like a boss!
Local privilege escalation on Windows is becoming increasingly difficult. Gone are the days when you could just easily exploit the Windows kernel. Multiple controls (KASLR, DEP, SMEP, etc.) have made kernel mode exploitation of the bugs that are discovered much more difficult. In this talk, we'll discuss multiple opportunities for privilege escalation including using COM objects, DLL side loading, and various privileges assigned to user accounts. Bring a Windows 10 VM. We'll have instructions available for recreating the scenarios demonstrated in the talk.

Speakers
JW

Jake Williams

Rendition InfoSec


Friday October 25, 2019 10:00am - 10:50am
Track 1

10:00am

Post Exploitation: Striking Gold with Covert Recon
You're on a covert penetration test focusing on the client's monitoring and alerting capabilities. You've just established a foothold, maybe even elevated to admin, but now what? You want to know more about the internal network but careless packet slinging will get you caught. Join me on a mining expedition where you can't swing your pick axe without striking gold. We'll be mining logs, pilfering connection statistics, and claim jumping process network connections. Without leaving the comfort of your beachhead, you'll be shouting "Eureka!" in no time.

Speakers

Friday October 25, 2019 10:00am - 10:50am
Track 2

11:00am

"First-try" DNS Cache Poisoning on IPv4 and IPv6
DNS fragmentation attacks are a more recent series of attacks that take advantage of the consistent composition of fragmented DNS responses by sending a crafted (malicious) second fragment to be reassembled with a legitimate first fragment at the IP layer. Even if DNSSEC is fully implemented, an attacker can still poison unsigned "glue" records.

These types of attacks are difficult, and have really only been considered remotely feasible over IPv4. Most nameservers use "per-destination" IP-layer ID (IPID) counters, and the IPID in the IPv6 Fragment Extension Header cannot be easily guessed blindly, as the number of bits in the field has been comparatively doubled to 32 bits (making blind-guessing even in ideal conditions take an average 34 million iterations).

Unfortunately, as part of optimizations made to Linux. The IPID counter is no longer truly "per-destination" and the IPID for a given destination can be inferred consistently enough to facilitate an attack. This allows DNS poisoning on IPv4 and IPv6 with equal consistency and precision, and makes poisoning on the first attempt "thousands" of times easier.

This talk will cover how this attack is carried out, how consistent it really can be, and mitigations that can be put in place by operators of both DNS nameservers and resolvers to limit its effectiveness.

Speakers
avatar for Travis Palmer

Travis Palmer

Travis (Travco) Palmer is a Security Research Engineer at Cisco. Travis is a certified OSCP and OSCE who has been getting paid to either fix or break something for over seven years. He is a fan (and sometimes-contributor) of a number of simulator/sandbox video games, and keeper of... Read More →


Friday October 25, 2019 11:00am - 11:50am
Track 2

11:00am

Consent, Alignment, and Cooperation in the Internet Era
Much of the spectrum of human action and human custom translates more or less obviously from the real world ("meat space") into the Internet ("cyber space"). Yet, some pieces of the human puzzle do not have an obvious place in the Internet game board, and this has wrought unconsidered change to human society through its digital nervous system, the Internet. Is this merely the post-Westphalia era, or as many claim, the post-national era? Let's discuss.

Speakers
avatar for Paul Vixie

Paul Vixie

Farsight Security
Dr. Paul Vixie is an internet pioneer. Currently, he is the Chairman, CEO and co-founder of award-winning Farsight Security, Inc. Dr. Vixie was inducted into the Internet Hall of Fame in 2014 for work related to DNS and anti-spam technologies. He is the author of open source internet... Read More →


Friday October 25, 2019 11:00am - 11:50am
Track 1

1:00pm

Active Defense Web Edition: Web apps dripping with honey!
In this talk, Mick will show you how to honey *every single thing* in your web app stack to become the nastiest, meanest, and downright most painful web app to attack. From client side, through servers, all the way to your data... everything will become a sensor. Even better, attendees will walk away with multiple response options to confuse, frustrate, and drive the attackers to tears!

Speakers
MD

Mick Douglas

Even when his job title has indicated otherwise, Mick Douglas has been doing information security work for over 10 years. He received a bachelor's degree in communications from Ohio State University. He is the managing partner for InfoSec Innovations.


Friday October 25, 2019 1:00pm - 1:50pm
Track 1

2:00pm

Assumed Breach: A Better Model For Penetration Testing
The current model for penetration testing is broken. The typical scan and exploit model doesn’t reflect how real attackers operate after establishing a foothold. At the same time, most organizations aren’t mature enough to need a proper red team assessment. It’s time to start adopting the assumed breach model. In this talk, I’ll discuss techniques for assumed breach assessments that provide a better model for emulating the techniques attackers use once they’re they’ve established a foothold inside a typical network.

Speakers
avatar for Mike Saunders

Mike Saunders

Red Siege
Mike Saunders has over 25 years of experience in IT and security and has worked in the ISP, financial, insurance, and agribusiness industries. He has held a variety of roles in his career including system and network administration, development, and security architect. Mike has been... Read More →


Friday October 25, 2019 2:00pm - 2:50pm
Track 2

2:00pm

Py2k20 - Transitioning from Python2 to Python3
It’s time to talk about the 2020 End of Life for Python2. We’ll address what the short, and medium term impacts will likely be. Key language differences will be highlighted with techniques to modify your code to be forward compatible.

As a SANS instructor teaching SEC573: Automating Information Security with Python, over the past three years, I have steadily moved my teaching materials, examples, demonstrations and personal coding to Python3. In this process, I have had to break habits and learn new habits to write Python3 compatible scripts. I also spend considerable effort showing people how to write Python2 scripts which are forward compatible with Python3 in order to ease the transition.

The largest barrier that most people struggle with is the idea that Python3 has changed the default string encoding to UTF-8 rather than simple byte encoding. Once you learn how to manage your string objects, the remaining transition issues are mostly modern improvements to the language which most people consider advantageous to adopt.

Since Python2 will no longer have active releases after 2020, it is important to embrace the change and move forward with the Python scripting community.

Speakers
avatar for Joff Thyer

Joff Thyer

Joff has over 20 years of experience in the IT industry as an enterprise network architect, network security defender, information security consultant, software developer and penetration tester. He has extensive experience covering intrusion prevention/detection systems, infrastructure... Read More →


Friday October 25, 2019 2:00pm - 2:50pm
Track 1

3:00pm

The Hackers Apprentice
I turned my house into an escape room! In this talk I’ll show you how I used IoT devices and open source software to turn my house into an escape room. Topics will include HomeAssistant, the HA AppDaemon, Alexa, Python coding and puzzles.

Speakers
avatar for Mark Baggett

Mark Baggett

Mark Baggett is the owner of Indepth Defense, an independent consulting firm that offers incident response and penetration testing services.  Mark has more than 28 years of commercial and government experience ranging from Software Developer to Chief Information Security Officer... Read More →


Friday October 25, 2019 3:00pm - 3:50pm
Track 2

3:00pm

The Nerdlist: The Totally Not 1337 Bad Idea's That Gives Infosec Noobs A Foot In The Door
Let’s face it: hacking things is boring as hell, and until Eliot Alderson, no one made command-line fu anything other than the setup for the first act while we waited for Mr. Anderson to become Neo. What do we do while staring at 1s and 0s? Watch movies, tv, YouTube, old memes, and rehash terrible jokes on IRC and then Slack and in Twitter memes. See—here’s the thing. That means that those of us who are like Razor and Blade (“they’re elite!”) can sometimes let our love of bad inside jokes get the better of us…and into our passwords.

The Nerdlist is a collection of self-reported or accidentally discovered anecdotally in-use administrator and system passwords. Let HaveIBeenPwned collect statistics and give us the top 1000, and let RockYou.txt be the dancing broken washing machine in the background. The Nerdlist has become the place where at least fifteen people who have never publicly contributed to an infosec project have made their first commits, because it’s funny, and nonthreatening. We now have interesting geometric shapes and patterns…and one of those unlock gesture codes is in the shape of the Harry Potter spell “Alohomora!"

Anecdotally, when asked to pick a number between 1-100, graduate students in computer science or engineering or complex systems will choose *42* approximately 18% of the time. That’s not a coincidence: it’s the answer to Life, The Universe, and Everything. That’s why the Nerdlist can help us find and fix bad leet passwords, and be a welcoming project for noobs at the same time. Listeners will get an update on the project, hear some startling insights, and see where the Nerdlist will go in future, as well as being welcomed to participate with specific instructions and the formation of collaborative partnerships.
Give us your puns, your wit, your searing humor, your correct horse battery staple.


Speakers
avatar for Tarah Wheeler

Tarah Wheeler

Tarah Wheeler is Chief Information Security Officer at Setec Astronomy. She holds a PhD in Horribleness from Pacific Tech, N.E.W.T.s in Herbology, Charms, and Defence Against The Dark Arts, and yes, she would like to play a game.


Friday October 25, 2019 3:00pm - 3:50pm
Track 1

4:00pm

TBD
Speakers
avatar for David Kennedy

David Kennedy

Trusted Sec & Binary Defense
Prior to starting TrustedSec, David was the Chief Security Officer (CSO) for Diebold Incorporated, a Fortune 1000 company, with locations in over 80 countries. He developed a global security program that tackled all aspects of information security and risk management. Kennedy started... Read More →


Friday October 25, 2019 4:00pm - 4:50pm
Main Stage

5:00pm

Chuckwagon Dinner & Awards
Just a steak dinner cooked over an open flame for all conference attendees...NBD.

Friday October 25, 2019 5:00pm - 6:30pm
Main Stage

8:00pm

After Party
Includes performances from DualCore, Ohm-I, John Strand and Beau Bullock!

Friday October 25, 2019 8:00pm - 10:00pm
TBA