Texas Cyber Summit II: Full Schedule

WELCOME TO THE TEXAS CYBER SUMMIT

8:30am CDT

BUSINESS EXPO CENTER OPENS

Thursday October 10, 2019 8:30am - 6:00pm CDT
Expo Business Center

Social

9:15am CDT

Opening Ceremony

Opening Ceremony, Special Guest - Deidre Diamond

Speakers

Deidre Diamond

CEO, Cyber Security Network

Talent and Technology Veteran, Deidre Diamond, Founder and CEO of CyberSN, created the largest cybersecurity talent acquisition service and technology firm in the U.S. Deidre's vision is to remove the pain from job searching and matching for cybersecurity professionals. This vision... Read More →

Thursday October 10, 2019 9:15am - 9:45am CDT
TEXAS BALLROOM - A/B | Keynote - CISO 600 E Market St, San Antonio, TX Floor 4

Introduction

10:00am CDT

Keynote - Dave Kennedy

Hacking Dave will discuss the "State of the Hack"

Speakers

Dave Kennedy

CEO, Trusted Sec

Experience:Prior to starting TrustedSec, David was the Chief Security Officer (CSO) for Diebold Incorporated, a Fortune 1000 company, with locations in over 80 countries. He developed a global security program that tackled all aspects of information security and risk management. Kennedy... Read More →

Thursday October 10, 2019 10:00am - 11:00am CDT
TEXAS BALLROOM - A/B | Keynote - CISO 600 E Market St, San Antonio, TX Floor 4

Keynote, Hacking

Company TrustedSec
Subject Digital Transformation

11:00am CDT

PT-1012 The Pentester Blueprint: A Guide to Becoming a Pentester

Same as BN-1012
Pentesting or ethical hacking as it is more commonly known has become a much sought-after job by people in IT, InfoSec, or those just trying to get into the industry. In this presentation, Phillip Wylie shares the blueprint for becoming a pentester. The presentation combines Phillip’s experience as a pentester and ethical hacking instructor to give attendees a guide on how to pursue a career as a pentester. Phillip shares what has worked for his students and people that he has mentored over his years as a pentester. This presentation covers the knowledge and skills needed to become a pentester as well as the steps to achieve them.

Speakers

Phillip Wylie

Security Solutions Specialist, CYE

Phillip is a passionate offensive security professional with over two decades of information technology and cybersecurity experience. His experience includes penetration, red teaming, and application security.When Phillip is not hacking, he educates others about pentesting and web... Read More →

Thursday October 10, 2019 11:00am - 12:00pm CDT
BONHAM 3-E | Expert 3 600 E Market St, San Antonio, TX Floor 3

Training, PenTesting

Audience Beginner
Subject red team
Area Focused Talk

11:00am CDT

500 - Heimdall's Hamlet Learning Session

Welcome to Heimdall’s Hamlet, a combination workshop and threat hunting CTF open to everyone - no experience required!

Join us throughout the event for a relaxed experience of learning and hunting. Thursday is a pure learning and workshop day. We will have two scheduled walkthroughs on how to setup Elastic and moloch from the ground up. These will be held at noon and 4pm, where one of our instructors will do a guided walkthrough. All that is needed is a laptop with a virtualization software - and preferably come with Ubuntu 18! Don't want a guided walkthrough, or need more help? Then just come by throughout the day and stop, chat, and learn with us! As long as someone is available, we will help you with any issues you encounter! Don't have time to setup? Join us later and we'll provide a VM!

On Friday, join us for a relaxed day of hunting through various open source datasets we have available for you. We'll be hosting two additional walkthroughs - noon and 4pm, walking through how to use your newly setup elastic and moloch with some of these datasets. This is a great opportunity for anyone who needs a refresher, wants to share their knowledge, or just want some practice!

All ready? Then join us on Saturday for a quick paced CTF with advanced level datasets custom made for the event. Need a reason? Prizes include an Uber badge, hak5 gear and nostarch press vouchers! You must be present to participate, and must be present at the awards ceremony to win.

Look for live updates on twitter through @heimdallshamlet

Speakers

Robert Wilson

Trainer, Government

Robert is an elementary school teacher-turned-information security analyst. He holds certifications in network and host forensics and has been working with Moloch for almost two years.

Dr Chelsea Hicks

Computer Scientist, DoD

Dr. Chelsea Hicks is a computer scientist for the Department of Defense. Dr. Hicks brings her background in cybersecurity via competitions, participating in the local infosec community, academic career, and professional career to provide insights when possible at conventions such... Read More →

Thursday October 10, 2019 11:00am - 6:00pm CDT
REPUBLIC 4-C 600 E Market St, San Antonio, TX Floor 4

Training

Area moloch

11:00am CDT

10 - Capture The Flag

START: 11:00AM OCTOBER 10th, 2019
END: 1PM OCTOBER 12th, 2019
Rules:

register; https://texascyber.ctf.bi.zone
tasks will be available at the link; https://texascyber.ctf.bi.zone
those who earn more points wins the CTF
in case of equal points, the winner will be the one who earned them first.

It's forbidden to:

attack the organnizers infrastructure;
generate large amounts of traffic (DDoS);
attack computers of the jury or other participants;
share flags with other participants.

The amount of points that every team gets for each task depends on how many times this task was solved by all teams.
Submit this flag to solve the welcome task: flag{4760227a29364a3b7eca0491457e77e2}
Each task is marked as easy, medium or hard. This difficulty level doesn’t affect scoring formula of the task, which only depends on the amount of teams that has submitted the flag.
Default flag format: flag{[a-f0-9]{32}}
The organizers reserve the right to disqualify participants for violating the rules.
Located on the 4th Floor: Seguin A

Thursday October 10, 2019 11:00am - Saturday October 12, 2019 1:00pm CDT
SEGUIN A - 4th Floor

Competition, Hacking

Company BI.ZONE
Audience Advanced
Subject Hacking
Area Hands-on

11:00am CDT

100 - OpenSoc Blue Team CTF

Is your Incident Response team ready for a worst case scenario? Are you sure?
OpenSOC is a Digital Forensics, Incident Response (DFIR), and Threat Hunting challenge meant to teach and test practical incident response skills in an environment that's as close to "the real thing" as it gets. This isn’t just another CTF. We’ve built this platform to train real-world responders to handle real-world situations.

1st Prize - Black (UBER) Badge [Lifetime access to the Texas Cyber Summit]
2nd Prize - $200 Cash, Swag,
3rd Prize - $50 Cash, Swag

Speakers

Whitney Champion

Cyber Architect, Recon Infosec

Eric Capuano

CTO, Recon InfoSec

Eric Capuano injects his passion for forensics into every facet of his life. "There is nothing dull or boring about studying advanced adversarial tactics in an effort to become a highly effective defender," he says, comparing this work to a never-ending game of chess where the impacts... Read More →

Thursday October 10, 2019 11:00am - Saturday October 12, 2019 2:00pm CDT
REPUBLIC 4-A 600 E Market St, San Antonio, TX Floor 4

Competition, Blue Team

Company ReconInfoSec

11:00am CDT

300 - CyberWraith

https://www.cyberwarriornetwork.com/

Cyber Warrior NetworkYoti is a distributed identity verification application and allows you to control what information you share. You can choose not to upload an ID in Yoti initially.

Speakers

Nigel LeBlanc

CEO, CWN

Military Veteran and Entrepreneur. I've served in USAF, and have completed multiple tours in both Operation Iraqi Freedom and Operation Afghani Freedom. I have a passion for all things startups and self-improvement. My goal is to build meaningful relationships and bring value to... Read More →

Thursday October 10, 2019 11:00am - Saturday October 12, 2019 3:00pm CDT
TEXAS BALLROOM - D Hackers Lair 600 E Market St, San Antonio, TX Floor 4

Challenge, Hacking

Audience Beginner, midlevel

11:00am CDT

400 - ThreatGEN Red vs. Blue "CTF" Challenge

ThreatGEN®: Red vs. Blue Challenge

Which side will you choose? The hackers (red team) or the cyber defenders (blue team)? Hint: You get to take turns doing both! Battle head-to-head in turn-based cyber warfare, where the fate of a company's computers, network, information, and even critical industrial control systems hang in the balance.

It's the CTF (Capture the Flag) FOR EVERYONE!

Traditional cybersecurity CTFs involve solving a variety of (often technical) challenges, which earn the players points. ThreatGEN Red vs. Blue brings capture the flag back to what it was historically meant to be… team-on-team, infiltration style, competition!

Game Play

ThreatGEN®: Red vs. Blue is a turn-based strategy game played much like popular global domination board games. Rather than a world map, the "game board" consists of a computer network, which players compete for control over. It’s simple and easy to learn. Instead of simulated computer terminals, players choose and commit actions using "action cards" similar to a trading card game.

It's Not Just a Game: Learn Real-World Cybersecurity! Sharpen your knowledge!

Developed by Clint Bodungen and Aaron Shbeeb, authors of Hacking Exposed: Industrial Control Systems and experienced cybersecurity professional Matthew Anderson, ThreatGEN®: Red vs. Blue is the first ever multiplayer computer game designed to actually teach real-world cybersecurity! Players compete against each other, head-to-head, to take control/maintain control of a computer network. Learn how hackers think, operate, and attack systems by playing the part of the red team (no prior skills necessary)! Play the part of the blue team and learn about real cybersecurity controls, technology, methods, and strategies! ThreatGEN®: Red vs. Blue is also the only training tool in the world that exercises practical application of “higher-level” and more strategic concepts such as building cybersecurity programs, risk mitigation strategy, and more.

Speakers

Clint Bodungen

President & CEO, ThreatGEN

Clint is a recognized industrial cybersecurity expert, public speaker, and lead author of the book “Hacking Exposed: Industrial Control Systems”. He is a United States Air Force veteran, has been an INFOSEC (now called “cybersecurity”) professional for more than 20 years... Read More →

Thursday October 10, 2019 11:00am - Saturday October 12, 2019 3:00pm CDT
TEXAS BALLROOM - D Hackers Lair 600 E Market St, San Antonio, TX Floor 4

Challenge, Scada

11:15am CDT

BT-1016 Stop accepting risk. Resolve every alert!

Stop accepting risk. Resolve every alert!
Organizations are moving to more sophisticated endpoint technologies to help improve their security posture and decrease their risk profile. However, the fundamental issue of alert fatigue remains, and three solutions have risen to the top as answers for the “noise”. Alerts can be ignored due to time and resource constraints, the noise can be turned down by disabling feature sets within the tools themselves, or third party MSSPs can be leveraged to address the alert overload. Each of those solutions are accompanied by either intentional or unintentional risk acceptance. By ignoring alerts or disabling feature sets within a security tool set, organizations are intentionally accepting the risk to their business that those alerts that were or would have been created were not IOCs. Third party MSSPs can provide tremendous value to Organizations that lack the proper resources to address security.

Speakers

NIck Anderson

MDR Account Manager, Critical Start

Nick is Critical Start’s MDR service covering Texas, Oklahoma, Louisiana, and Arkansas. He has 4 ½ years in the network and cyber security industry after graduating from Texas Christian University with a degree in Strategic Communication and a minor in Energy Technology and Management... Read More →

Thursday October 10, 2019 11:15am - 12:00pm CDT
BONHAM 3-C | Expert 1 600 E Market St, San Antonio, TX Floor 3

Intermediate, Blue Team

Company Critical Start
Audience midlevel, Beginner
Subject blue team
Area Monitoring

11:15am CDT

TH-2025 Hunting: How to start, go down a rabbit hole, and get out without relying on your tools

Hunting is one of the hottest buzzwords when it comes to cyber security - especially in defensive oriented realms. As a result, there are hundreds of tools, articles, and books on how to hunt. Yet, if it was that simple - why are we still having issues doing this successfully - even if we ignore advanced threat actors? There are so many tools that may be able to report that something is happening on a network, but the blue teams themselves are unable to interpret these results in a timely manner, which results potentially missing something critical.

Therefore, rather than introduce a new tool, this talk will focus on how people can improve themselves to be better hunter, and how to better structure teams to also hunt more effectively. The tools that blue teams use cannot always be controlled - as tools are restricted by policy, money, and availability. Instead, what we can control is how we operate, how we educate ourselves, and overall how do we function during a hunt.In this talk, I’ll focus on how to improve yourself with technical skills and soft skills . However, it is impossible for just one person to always find the bad guy. As a result, I will also concentrate on how team structure, dynamics, and other skills are also important and how to improve these.

This talk is aimed for beginners and intermediate blue teams who are looking to further improve themselves and how they function, so that we can work on being effective.

Speakers

Dr Chelsea Hicks

Computer Scientist, DoD

Thursday October 10, 2019 11:15am - 12:00pm CDT
TEXAS BALLROOM - F Track 2 600 E Market St, San Antonio, TX Floor 4

Introduction, Hunting

Subject Hunting

11:15am CDT

SE-1001 I PWN Thee, I PWN Thee Not - Social Engineering

Legendary Social Engineering expert, Jayson E. Street walks you through the latest social engineering hacks on and off computer scams. What you should be doing to keep yourself off the predator lists

Speakers

Jayson E. Street

Vice President, SphereNY

Jayson E. Street is the VP of InfoSec at SphereNY ... He is also DEF CON Groups Global Ambassador. Jayson battled a dragon during the Fire Run in Barcelona Spain. He 'accidentally broke into a shark tank in the Dominican Republic and climbed the pyramid of Giza (until the guards carrying... Read More →

Thursday October 10, 2019 11:15am - 12:15pm CDT
TEXAS BALLROOM - C Track 1 600 E Market St, San Antonio, TX Floor 4

Social Engineering, Hacking

Company SphereNY
Audience Beginner, midlevel
Subject Business
Area Focused Talk

11:15am CDT

BN-1011 Intro to NMAP

Intro to Nmap Description: Have you heard of Nmap but don’t really know where to start? Maybe you have run a few scans but don’t feel like you know what you are doing? Have you been told Nmap is the tool you need, but you don’t understand how or why? Nmap 101 is here to help you. We will start from the installation (quick), to the first run of Nmap, to more complex scans, output, fingerprinting, Nmap scripts, and more. This is the perfect place to get started or to understand better why Nmap can do what it is doing.

Speakers

Lee 'MadHat' Heath

Security Mercenary, Unspecific

Lee Heath is a prolific Information Security Mercenary with almost 25 years of industry experience, Lee is an information technology and security subject-matter expert in cardholder data, network, and general information security.   Lee Has worked closely with the Payment Card... Read More →

Thursday October 10, 2019 11:15am - 2:00pm CDT
BONHAM 3-B | Bee'ing New 600 E Market St, San Antonio, TX Floor 3

Briefing, Red Team

Audience Beginner, midlevel
Area Focused Talk

12:00pm CDT

Lunch On your Own - Thursday

Lunch on your own.
Check out all the restaurants downtown at street level, or check-out all the river walk restaurants. Map of the area will be provided.

Thursday October 10, 2019 12:00pm - 1:00pm CDT

LUNCH ON YOUR OWN

1:00pm CDT

FL-1105 - 100% Cloud Based Analytics

100% Cloud based Analytics.
Fluency provides limitless access to data, even as the volume data scales. Fluency Cloud is a process composed of messaging nodes that parse, index, correlate, enhance, fuse, score and store log messages. For our largest customer, Fluency processes eight to twelve billion messages a day, with spikes of half a million events per second. All done in a three-system cluster.
All messages are parsed into fully indexed JSON documents
High-Availability
Data Enhancement
Patented Correlation
Events of Interest
Fast

https://www.fluencysecurity.com/

Speakers

Al Wissinger

Fluency

https://www.fluencysecurity.com/

Thursday October 10, 2019 1:00pm - 1:30pm CDT
TEXAS BALLROOM - A/B | Keynote - CISO 600 E Market St, San Antonio, TX Floor 4

1:00pm CDT

BT-2043 Large Scale Botnet Analysis

Large Scale Botnet Analysis – Massive botnet spreader campaign that we have dissected and are actively tracking.

Carbon Black's Threat Analysis Unit (TAU) uncovered various new and otherwise previously unknown components of a prominent cryptocurrency mining campaign. The botnet overseeing the operation leverages unique attack patterns that are designed to bypass application whitelisting, provide remote access, collect and exfiltrate sensitive information, and likely sell access to hundreds of thousands of compromised hosts. This multistage campaign highlights the need to remain vigilant in protecting your organization, as threats that may start off as commodity malware may transform and evolve into complex attacks over time.

We'll dive deep into this campaign and present findings which: 1) demonstrate the weaponization of commodity threats, 2) highlight the potential hidden impacts of commodity malware, and 3) show how attribution models can be misleading in an active threat economy.

Speakers

Greg Foss

Principal Threat Researcher, Carbon Black

Greg Foss is a Senior Principal Researcher with Carbon Black's Threat Analysis Unit (TAU) where he focuses on detection engineering, security efficacy, and bypasses across the diverse product line. In previous roles, Greg led a Threat Research team, built and ran a Global Security... Read More →

Thursday October 10, 2019 1:00pm - 2:00pm CDT
TEXAS BALLROOM - C Track 1 600 E Market St, San Antonio, TX Floor 4

1:00pm CDT

RT-2002 The Carder's Opsec: A Practical Approach to Anti-forensics

Staying just out of reach of LEO and LEA is stressful. Having the mindset, skills, and technology to run a criminal carding enterprise takes patience, guts and charisma. This talk introduces beginners to tradecraft techniques such as setting up anonymous IDs, finding safe burner phones and laptops. Dispels some myths about the DARKNET, TOR and TAILS then finally wraps up with the recruitment of human assets and running counter-surveillance.

Speakers

Tim Leonard

Security Researcher, DETSEC

Tim Leonard is a security researcher and has spoken at both state and national conventions concerning IT infrastructure, management and information security (InfoSec). His presentations consistently score high marks and his style is a fantastic mix of high energy, humor, and heart... Read More →

Thursday October 10, 2019 1:00pm - 2:00pm CDT
TEXAS BALLROOM - E Track 3 600 E Market St, San Antonio, TX Floor 4

Advanced, Forensics

1:00pm CDT

IR-2014 Leveraging Osquery for DFIR at scale

Why is DFIR at scale imperative in today’s threat landscape?
* When responding to a potential Security Incident, time is the essence
* While pulling memory image from an endpoint and using Forensic tool like Volatility is the most comprehensive methodology, it is also very time and resource intensive.
* In this talk, we’ll try to explore if we can leverage an agent that’s already running on endpoints to kickstart initial triage and investigation
* Osquery is a popular Open Source Project with more than 5000+ commits from 264 contributors
* The Osquery framework exposes the Operating System as a relational database and we can run SQL queries to pull specific artifacts e.g. logged on users, process tree, docker containers etc
* Two parallel methodologies : (1) Stand-Alone to collect data one-off (during a forensic/reactive investigation (2) Running as a service for periodic data collection for anomaly detection/proactive threat hunting
* Attack Scenarios based on MITRE Attack Framework- e.g. Detecting Meterpreter Reverse Shell
* More use-cases: Detecting Docker Container Exploit attempt , Detecting malicious Crypto-mining, Scoping a Supply Chain Attack etc.
* Power of osquery Evented tables, File Integrity Monitoring etc.
* Custom Extensions and plugins
* Interesting Projects and ongoing research from the Open Source Community

Speakers

Andres Martinson

Sr. Security Engineer, Adobe

Andres Martinson is a Sr. Security Engineer on the Adobe Digital Experience team focusing on host security monitoring. Previously Andres has worked as a Network and Systems Engineer. When weather permits, he uses any chance he gets to head out on cross-country skis.

Thursday October 10, 2019 1:00pm - 2:00pm CDT
TEXAS BALLROOM - F Track 2 600 E Market St, San Antonio, TX Floor 4

Intermediate, Forensics

1:00pm CDT

RE-1012 Ghidra for the begineer reverse enginering

The open-source release of the NSA's Ghidra disassembler gives software reverse engineers a free option for high-capability interactive analysis of binary code. Many software reverse engineering (SRE) practitioners have been spending time since the release learning about Ghidra and bringing it into their workflow. It also gives those new to SRE a toolset to learn with that is not restricted by commercial license costs or "demo" limitations.

The goal of this session is to expose attendees with no prior reverse engineering experience to the Ghidra disassembler. Ghidra will be used as an environment in which the basics of reading, navigating, and analyzing executable code will be demonstrated. Dr. McGrew will demonstrate how to install and configure Ghidra, and then load a series of sample programs that he will use to illustrate:
Strategies for analyzing unknown programsLinking and loading in WindowsData typesC code constructs in assembly
All of these concepts will be discussed in the context of the iterative process of reverse engineering unknown code--using what we know about the program based on its API calls and overtly documented information to deduce the types and purposes of undocumented variables and functions.

Attendees who wish to follow along should bring a laptop with Ghidra installed (http://ghidra-sre.org). A link will be provided in-class to samples that will be used. Following along is not required! Attendees who simply observe and ask questions will still gain a useful exposure to reverse engineering and Ghidra. Resources for continuing to learn reverse engineering will be recommended.

Speakers

Wesley McGrew

Director of Cyber Operations, HORNE Cyber

Dr. McGrew serves as director of cyber operations for HORNE Cyber. Known for his work in offense-oriented network security, Wesley specializes in penetration testing, vulnerability analysis, reverse engineering of malicious software and network traffic analysis. Wesley is the author... Read More →

Thursday October 10, 2019 1:00pm - 3:00pm CDT
BONHAM 3-C | Expert 1 600 E Market St, San Antonio, TX Floor 3

Hands-On, GHIDRA

Audience midlevel
Subject Reverse Engineering
Area Hands-on

1:00pm CDT

BT-2020 20/20 Enterprise Security Monitoring: Seeing Clearly with Security Onion

This presentation will discuss how teams can employ enterprise security monitoring (for free!) to better assess security controls and protect their computer networks. Various data types will be discussed, as well as their value to an investigation, and how that data can provide greater overall context to events occurring within computer networks.
Description: In this day and age, network breaches and security incidents are all but uncommon. As a community, we have begun to shift away from the age-old "magic box" approach of simply relying on the perimeter firewall to keep bad guys out, and have moved towards a stance in which we assume that at some point, the bad guys will make their way into our network. At such point, we must be able to quickly identify and take action in regard to such activity. As network defenders, this requires us to understand our networks. This means gaining perspective around normal network behavior, abnormal behavior, and the overall scope of an event. How do we do that? With Security Onion, of course! Security Onion is a completely free, open-source distribution used for enterprise security monitoring that can be easily deployed in your environment in minutes. This talk will highlight various ways in which Security Onion can be used to empower analysts, hunt for bad guys, and enhance overall organizational security posture. Topics discussed will include use cases, current and planned capabilities and integrations, as well as a typical investigative workflow.

Speakers

Wes Lambert

Director of Support and Professional Services, Security Onion Solutions

Wes Lambert is the Director of Support and Professional Services at Security Onion Solutions, where he helps companies to implement enterprise security monitoring solutions and better understand their computer networks. He is a huge fan of open source software projects, and loves... Read More →

Thursday October 10, 2019 1:00pm - 3:00pm CDT
BONHAM 3-E | Expert 3 600 E Market St, San Antonio, TX Floor 3

Monitoring, Intrusion Detection

Subject blue team
Area Focused Talk

1:00pm CDT

TH-3011 Passive DNS & pBGP in Depth Lab

Passive DNS in Depth
Passive DNS (pDNS) data is a treasure trove of information for security teams, intelligence teams, network operations teams, and security research teams alike. By keeping an historical record of DNS results of time this data empowers many different teams to enrich and produce intelligence information for a variety of purpose. Merger and acquisition teams can look for internet facing, and sometimes internal, IT resources that may not have been declared. Blue teams can monitor for mis-configuration of DNS, research malware, develop threat signatures, and in many cases monitor for shadow IT. Red teams can use this information to exploit DNS misconfigurations, find additional assets, and pattern match target IT infrastructure. Security researchers are limited only by their imagination and time.
Passive BGP (pBGP) data can enable network operations teams to quickly spot problems. pBGP data is also useful to help determine if problems were a result of a simple misconfiguration or a part of a more nefarious operation.
Understanding the architecture and methodology of pDNS and pBGP is critical to end users of this data. By having a deeper understanding of the architecture (collection, storage, and query methodologies), individuals and teams will be more able to fully capitalize on the enrichment and context building capabilities of the data. As well as architecture, this course will cover a variety of scenarios for organizations of all sizes and maturity to help enable the use and integration of pDNS and pBGP data as a part of security and network operations.

Speakers

Donald Mac McCarthy

Director of Field Operations, Open Source Context

Mac is a 17 year veteran of the IT industry. He has experience worked for organization ranging in size from 10 to 200,000+ employees. Mac has been involved in information security for the past 9 years with organizations in the academic, healthcare and financial, and public sectors... Read More →

Thursday October 10, 2019 1:00pm - 5:00pm CDT
CROCKETT 4-D ICS SCADA HAVEN 600 E Market St, San Antonio, TX Floor 4

Hands-On, Hacking

Audience midlevel, Advanced
Subject Threat Intelligence
Area Hands-on, Focused Talk

2:00pm CDT

High-Tea Afternoon Break

Afternoon Tea

Thursday October 10, 2019 2:00pm - 2:15pm CDT
Expo Business Center

Social, Adults

2:15pm CDT

HX-3014 Owning the Cloud through SSRF – Service-Side Request Forgery

With how many apps are running in the cloud, hacking these instances becomes easier with a simple vulnerability due to an unsanitized user input. In this talk, we’ll discuss a number of different methods that helped us exfil data from different applications using Server-Side Request Forgery (SSRF). Using these methods, we were able to hack some of the major transportation, hospitality, and social media companies and make $50,000 in rewards in 3 months.

What is Server-Side Request Forgery (SSRF)?
What can you do with it?
How do you prevent it?
SSRF via URI Schemes
JIRA CVE SSRF (CVE-2017-9506)
Jenkins SSRF (CVE-2018-1000600)
SSRF via Javascript (XSS)
SSRF via Styling
SSRF using <link rel="attachment"> (PDF Gen ‘0day’)
SSRF via DNS Rebinding
Bonus: RCE via ERB Template Injection
SSRFTest (Tool)

Speakers

Ben Sadeghipour

Manager, Hacker Operations, HackerOne

Ben is the Head of Hacker Operations at HackerOne by day, and a streamer and hacker by night. He has helped identify and exploit over 600 security vulnerabilities across 100s of web and mobile applications for companies such as Yahoo, Airbnb, Snapchat, The US Department of Defense... Read More →

Thursday October 10, 2019 2:15pm - 3:15pm CDT
TEXAS BALLROOM - E Track 3 600 E Market St, San Antonio, TX Floor 4

Advanced, Hacking

2:15pm CDT

CS-2019 Big Pink Elephants: Speed, Scale and the CISO

“Every Company has assets in the Cloud” basically making it a cloud company at some level.
While providing unprecedented speed of delivery, and access to never-before scalability the era of cloud computing has put enterprise security teams once again in a reactive stance. There are a few simple truths that, once accepted, have the potential to revolutionize how enterprise security approaches innovation through cloud computing. This talk will discuss topics like asset inventory, deployment integration, standardization, compliance, and outcomes to give CISOs of cloud-curious enterprises a prescriptive path forward. We can all acknowledge there are far too many tools, not enough staff, and an overwhelming abundance of badguys – but complaining isn’t going to solve our problems. This talk addresses the pink elephants in the room and gives suggestions and strategies to drive meaningful change.

Speakers

Rafal Los

Vice President, Armor

Rafal Los serves as the Vice President of Security at Armor. He's responsible for leading the various technical functions associated with designing, developing and delivering next-generation cloud security-as-a-service solutions to our clients. Rafal is also the Founder & Producer... Read More →

Thursday October 10, 2019 2:15pm - 3:15pm CDT
TEXAS BALLROOM - A/B | Keynote - CISO 600 E Market St, San Antonio, TX Floor 4

Intermediate, Webapps

Audience CISO

2:15pm CDT

DF-2011 How to build an effective malware protection architecture for file uploads in modern web apps

Web applications have traditionally accepted file uploaded via web portals, which had bot prevention controls to avoid bots uploading files vs user. With the boom of API economy, more and more applications have started accepting files over API, this allows uploading of file a programmatic approach available for good bots and vector for allowing numerous file uploads during a day. This convenience, also comes with security shortcomings - for example, files cannot be analysed manually for potential malware since the number is huge, there could be synchronous processing needed as business functionality in web app. This talk will look at a novel approach to build and operate a practical automated malware analysis platform and considerations for it to scale at enterprise level maintaining heavy performance needs of web apps, to effectively detect and discard malicious file uploads in web app.

Speakers

Ravi Krishnan Muthukrishnan

Senior Director, Application and Product Security, Babylon

Ravi is a technologist, and a security expert specializing in web application security, cloud security, data protection, risk management, and cybersecurity. He has 11+ years of global work experience in the cybersecurity industry. He currently heads-up application and product security... Read More →

Thursday October 10, 2019 2:15pm - 3:15pm CDT
TEXAS BALLROOM - F Track 2 600 E Market St, San Antonio, TX Floor 4

Intermediate, Webapps

3:00pm CDT

BN-1012 The Pentester Blueprint: A Guide to Becoming a Pentester

Pentesting or ethical hacking as it is more commonly known has become a much sought-after job by people in IT, InfoSec, or those just trying to get into the industry. In this presentation, Phillip Wylie shares the blueprint for becoming a pentester. The presentation combines Phillip’s experience as a pentester and ethical hacking instructor to give attendees a guide on how to pursue a career as a pentester. Phillip shares what has worked for his students and people that he has mentored over his years as a pentester. This presentation covers the knowledge and skills needed to become a pentester as well as the steps to achieve them.
There is another class at 11:00am PT-1012 if this one fills up.

Speakers

Phillip Wylie

Security Solutions Specialist, CYE

Thursday October 10, 2019 3:00pm - 4:30pm CDT
BONHAM 3-B | Bee'ing New 600 E Market St, San Antonio, TX Floor 3

Briefing, Pen Testing

Audience Beginner
Subject red team
Area Focused Talk

3:00pm CDT

WS-3033 Hacking with IPv6 Network Tools

IPv6 Hacking Tools, IPv6 basics then some of the hacking/testing tools specifically designed for IPv6.

Speakers

Jeff Carrell

Network Consultant, Network Conversions

Husband, author, speaker, trainer, network guy, IPv6, learning Python Co-author Guide to TCP/IP 5th Ed, LEGO builder, diver, RPi. Work at HPE

Thursday October 10, 2019 3:00pm - 6:00pm CDT
BONHAM 3-E | Expert 3 600 E Market St, San Antonio, TX Floor 3

Hands-On, Packet Captures

Audience midlevel, Advanced
Subject red team
Area Hands-on

3:30pm CDT

DO-2012 DevSecOps with emphasis on Container Security

Speakers

Jessica Deen

Cloud Developer Advocate, Microsoft

Jessica is a Cloud Developer Advocate for Microsoft focusing on Azure, infrastructure, containers, Linux and open source. Prior to joining Microsoft, she spent over a decade as an IT Consultant / Systems Administrator for various corporate and enterprise environments, catering to... Read More →

Thursday October 10, 2019 3:30pm - 4:30pm CDT
TEXAS BALLROOM - F Track 2 600 E Market St, San Antonio, TX Floor 4

Intermediate, Webapps

Company Microsoft
Audience midlevel
Subject DevOps

3:30pm CDT

FR-2016 Red Team BackdorOS, in-Memory

In this talk, come witness BackdorOS a new stealth malicious in-memory OS through a demo that will then be released directly in your hands. This malicious OS, just like a regular OS, provides a software platform on top of which application programs can run. Then I will explore already-existing applications that can run on top of it and how to develop new applications for BackdorOS. Wait for it! I then touch upon how to detect and remediate such threat
Notes: My company specializes in developing breach and attack simulation software. We’re focused on researching novel attack methods. This is one of the many projects that we publish. (Examples for past projects: “The Adventures of AV and the Leaky Sandbox” and “Crippling HTTPS with Unholy PAC”

Speakers

Itzik Kotler

SafeBreach

Thursday October 10, 2019 3:30pm - 4:30pm CDT
TEXAS BALLROOM - E Track 3 600 E Market St, San Antonio, TX Floor 4

Intermediate, Red Team

Audience Memory Agent
Subject red team

3:30pm CDT

MR-1011 Crawl, Monitor, Walk, Detect

As organizations combat threats across numerous vectors its forced defenders to rethink our tactics. Yes, attacks are crafty and slip past firewalls, SIEMS, and DLP solutions so why aren't we taking a more creative approach. We typically focus on incident response to drive detection and lessons learned to adjust monitoring. Let's discuss how to leverage incident response to foster successful threat hunting engagements. This session will demonstrate examples of tracing attacker movements, edging attackers out of your network, and creating countermeasures. The session will focus on important strategies, tools, and techniques to consider for your hunting engagements. We will highlight realities of the relationship between incident response and threat hunting, as well as provide real world examples of identifying attacker methodologies.

Speakers

O'Shea Bowens

Founder & CEO, Null Hat Security

O'Shea Bowens is the founder and CEO of Null Hat Security. He enjoys solving problems and establishing programs in the areas of incident response, security operations, lets just say he's blue team for life. He founded Null Hat Security as he believes in personalized training with... Read More →

Thursday October 10, 2019 3:30pm - 4:30pm CDT
TEXAS BALLROOM - C Track 1 600 E Market St, San Antonio, TX Floor 4

Introduction, Blue Team

Audience midlevel
Subject SIEM
Area Monitoring

4:00pm CDT

PD-1000 CISO Panel Discussion - Data Security & Privacy

Join this interactive session with

State RepresentativeGiovanni Capriglione

Thursday October 10, 2019 4:00pm - 5:00pm CDT
TEXAS BALLROOM - A/B | Keynote - CISO 600 E Market St, San Antonio, TX Floor 4

4:30pm CDT

AI-2003 The benefits of separating ML process workflows

Model View Controller (MVC)is a software design pattern that decouples related program logic into three interconnected elements allowing for code reuse and parallel development
Support Vector Machine(SVM)are supervised learning models with associated learning algorithms that analyze data used for classification and regression analysis

MVC Components•Model•The central component of the pattern. It is the application's dynamic data structure, independent of the user interface. It directly manages the data, logic and rules of the application.•View•Any representation of information such as a chart, diagram or table. Multiple views of the same information are possible, such as a bar chart for management and a tabular view for accountants.•Controller•Accepts input and converts it to commands for the model or view

Speakers

Karl Rasmussen

Tech Advisor, MITRE

MITRE Technical advisor for ACC/A26 at Lackland AFB, Texas.Background in Machine Learning, Malware Triage and Cloud.

Thursday October 10, 2019 4:30pm - 5:30pm CDT
TEXAS BALLROOM - E Track 3 600 E Market St, San Antonio, TX Floor 4

Intermediate, Analysis

Company Mitre
Audience midlevel, Advanced
Subject Model View Controller
Area Deep Walk-Through

4:45pm CDT

DT-1114 Your Wish is My Command: A Deep Dive into DirectTV’s Genie System

DirectTV is one of the largest satellite content providers in the nation, and their Genie system is their flagship line of products. In this talk, we will take a look at what that system is composed of, including device hardware, proprietary network protocols, and content protection mechanisms. We will demonstrate vulnerabilities in the system and ways to manipulate content as well as other fun things you can do. Magic lamp not included.

Speakers

Ricky “HeadlessZeke” Lawshae

Research, Trend Micro

Ricky Lawshae is an offensive security researcher for Trend Micro Research where he focuses mainly on finding and fixing vulnerabilities in embedded devices. He has been working in the industry for over a decade and his work has been featured in Forbes, Wired, Hackaday, and more... Read More →

Thursday October 10, 2019 4:45pm - 5:45pm CDT
TEXAS BALLROOM - C Track 1 600 E Market St, San Antonio, TX Floor 4

Intermediate, Hacking DirectTV

Audience midlevel
Subject Exploits
Area Focused Talk

4:45pm CDT

IR-1005 CSA IoT Security Controls Framework

Cloud Security Alliance - CSA
The Internet of Things (IoT) Security Controls Framework introduces the base-level security controls required to mitigate many of the risks associated with an IoT system that incorporates multiple types of connected devices, cloud services, and networking technologies. The IoT Security Controls Framework provides utility across many IoT domains from systems processing only “low-value” data with limited impact potential, to highly sensitive systems that support critical services. The Framework also helps users identify appropriate security controls and allocate them to specific components within their IoT system. I will review the following: How to Use the CSA IoT Security Controls Framework; typical IoT system components, understanding the Objectives, System Risk Impact Levels, Implementation Guidance, with discussion of many real life challenges at all 7 layers with a Security-by-Design approach.

Speakers

Mark Szewczul

Principal Embedded AppSec Consultant

Mark is a Principal IIoT Security Architect with over 20 years of experience mastering numerous aspects of hardware design, system integration, pentesting and SDLC. His passion entails implementing best practices of security, privacy and safety principles at all 7-layers and beyond... Read More →

Thursday October 10, 2019 4:45pm - 5:45pm CDT
TEXAS BALLROOM - F Track 2 600 E Market St, San Antonio, TX Floor 4

Intermediate, IoT

Company CSA
Audience Beginner, midlevel
Subject Embedded, IoT
Area Focused Talk

5:00pm CDT

TX-1001 From Zero to Hero - Dropout to Engineer

Speakers

Allie Barnes

Ops Engineer, Infocyte

Thursday October 10, 2019 5:00pm - 6:00pm CDT
BONHAM 3-B | Bee'ing New 600 E Market St, San Antonio, TX Floor 3

Introduction, Privacy

6:00pm CDT

900 - Hacker Trivia "BSides SATX"

Everyone is invite to attend the game show host "Steve"

Thursday October 10, 2019 6:00pm - 7:15pm CDT
TEXAS BALLROOM - A/B | Keynote - CISO 600 E Market St, San Antonio, TX Floor 4

Competition, Adults

8:00am CDT

501 - Heimdall's Hamlet CTF

Welcome to Heimdall’s Hamlet, a combination workshop and threat hunting CTF open to everyone - no experience required!

Join us throughout the event for a relaxed experience of learning and hunting. Thursday is a pure learning and workshop day. We will have two scheduled walkthroughs on how to setup Elastic and moloch from the ground up. These will be held at noon and 4pm, where one of our instructors will do a guided walkthrough. All that is needed is a laptop with a virtualization software - and preferably come with Ubuntu 18! Don't want a guided walkthrough, or need more help? Then just come by throughout the day and stop, chat, and learn with us! As long as someone is available, we will help you with any issues you encounter! Don't have time to setup? Join us later and we'll provide a VM!

On Friday, join us for a relaxed day of hunting through various open source datasets we have available for you. We'll be hosting two additional walkthroughs - noon and 4pm, walking through how to use your newly setup elastic and moloch with some of these datasets. This is a great opportunity for anyone who needs a refresher, wants to share their knowledge, or just want some practice!

All ready? Then join us on Saturday for a quick paced CTF with advanced level datasets custom made for the event. CTF will run from noon to 3pm. Want to be there before or after? We'll provide help preparing for the CTF, or how recommendations on how you should have found the traffic. Need a reason to participate? Check out our prizes!

Prizes include:
1st Place: Uber Badge
2nd Place: Hak5 Gear and NoStarchPress vouchers
3rd Place: 1 Hak5 Gear Pcakage and NoPressVoucher

You must be present to participate, and must be present at the awards ceremony to win.

Look for live updates on twitter through @heimdallshamlet

Speakers

Dr Chelsea Hicks

Computer Scientist, DoD

Friday October 11, 2019 8:00am - Saturday October 12, 2019 6:00pm CDT
REPUBLIC 4-C 600 E Market St, San Antonio, TX Floor 4

Competition, Hunting

8:30am CDT

BUSINESS EXPO CENTER OPENS

Friday October 11, 2019 8:30am - 6:00pm CDT
Expo Business Center

Social

9:15am CDT

Friday Opening and Welcome

Speakers

Joseph Mlodzianowski

Founder, Texas Cyber Summit

Jayson E. Street

Vice President, SphereNY

Friday October 11, 2019 9:15am - 9:30am CDT
TEXAS BALLROOM - A/B | Keynote - CISO 600 E Market St, San Antonio, TX Floor 4

10:00am CDT

Keynote - Dr. Chenxi Wang

"Cybersecurity in a Post-AI world".
Dr. Chenxi Wang is the founder of the Jane Bond Project, a Cybersecurity consultancy. She is a strategic partner at IT Security Planet and serves on the advisory board of various start-ups. Previously, Chenxi served as the Chief Strategy Officer at Twistlock, responsible for corporate strategy and thought leadership. Chenxi is the 2016 & 2017 program co-chair for Security & Privacy at the Grace Hopper Conference and named by SC Magazine as a 2016 Women of Influence. Prior to Twistlock, Chenxi built an illustrious career at Forrester Research, Intel Security, and CipherCloud. At Forrester, Chenxi covered mobile, cloud, and enterprise security, and wrote many hard hitting research papers. At Intel Security, she led the ubiquity strategy that spans both hardware and software platforms. Chenxi started her career as a faculty member of Computer Engineering at Carnegie Mellon University. Chenxi is a sought-after public speaker and a trusted advisor for IT executives. She has been quoted/featured by New York Times, Wall Street Journal, Forbes.com, Fox Business News, Bloomberg, Dark Reading, and many other media outlets. Chenxi holds a Ph.D. in Computer Science from the University of Virginia.

Speakers

Chenxi Wang

Founder and General Partner, Rain Capital

Chenxi Wang, Women of Influence - SC Award 2016. Experienced technology/strategy executive with deep technical background (Ph.D. Computer Science), strong analytical skills (VP, Forrester) and extensive market know-how. Advocate for equality and diversity in the high tech field. Founder... Read More →

Friday October 11, 2019 10:00am - 11:00am CDT
TEXAS BALLROOM - A/B | Keynote - CISO 600 E Market St, San Antonio, TX Floor 4

Keynote, Artificial Intelligence

Audience Keynote

11:00am CDT

ET-1212 Using Splunk or ELK for Auditing AWS/GCP/Azure Security posture

This presentation shows how to use Splunk to provide the analyst with a comprehensive vision of AWS/GCP/Azure security posture. Presenters will outline how to ingest the audit data provided by open source tool Cloud Security Suite into Splunk to analyze cloud vulnerability, harden multi-cloud deployments and visualize multi-cloud threat surface. Presenters will also demonstrate use cases based on Splunk knowledge objects (Tables, Dashboards, Alerts, Field extractions, Lookups, etc), in order to take advantage of the information provided by various supporting tools like Scout2 and G-Scout projects for cloud API auditing.

Outline

Introduction to security in the cloud
Cloud provider responsibilities vs customer responsibilities
Historic Cloud attacks (k8s, s3 buckets, etc..)
AWS Security baseline
GCP Security baseline
Azure Security baseline
Automated multi-cloud auditing (cloud security suite intro)
Logical Architecture for multiple cloud
SIEM setup (Splunk, ELK)
Deployment steps (Splunk setup, Cloud Security auditing instance)
Proactive alerting for audit failures
Cloud security posture dashboard and reports
Q&A

Speakers

Rod Soto

Principle, Splunk

Rod Soto has over 15 years of experience in information technology and security. Currently working as a Security Researcher at Splunk User Behavioral Analytics. He has spoken at ISSA, ISC2, OWASP, DEFCON, Hackmiami, Bsides and also been featured in Rolling Stone Magazine, Pentest... Read More →

Jose Hernandez

Principal Security, Splunk

José is a Principal Security Researcher at Splunk. He started his professional career at Prolexic Technologies (now Akamai), fighting DDOS attacks from “anonymous” and “lulzsec” against Fortune 100 companies. As an engineering co-founder of Zenedge Inc. (acquired by Oracle... Read More →

Friday October 11, 2019 11:00am - 12:00pm CDT
BONHAM 3-D | Expert 2 600 E Market St, San Antonio, TX Floor 3

Intermediate, Intrusion Detection

11:00am CDT

NA-1024 Network Traffic Analysis with Moloch

Moloch is an open-source tool for full network traffic capture and analysis.
https://molo.ch/

Trying to get a handle on what's happening on your network? Network defenders need a thorough understanding of traffic on their networks, and Moloch is an excellent way to get insight into what's happening on the wire.
Moloch is a free and open-source platform for full packet capture and analysis. It's scalable from small to very large applications and packages a whole bundle of handy tools, from connection maps to a built-in CyberChef instance for decoding and analysis.
Moloch makes an excellent threat hunting application. Analysts can pivot seamlessly from traffic metadata to raw capture analysis. Want to try another tool, or look at an old capture? Moloch ingests and exports standard PCAP files.
I'll walk you through the basics first. We'll talk about the Sessions, SPI, and Connections views. We'll talk about Moloch's customization options, where to find documentation, and how you can structure your workflow to chase down important artifacts quickly. Once we're comfortable with the bread and butter, we'll look at some of Moloch's advanced features. Hunts, recurring cron queries, and Moloch's powerful API will be the focus.
To cap things off, we'll take some time to walk through some publicly-available PCAP to apply our newfound skills. You should leave this talk with a solid understanding of how to leverage Moloch for your own investigations - sure to come in handy if you plan to compete in certain CTFs...

Speakers

Robert Wilson

Trainer, Government

Robert is an elementary school teacher-turned-information security analyst. He holds certifications in network and host forensics and has been working with Moloch for almost two years.

Friday October 11, 2019 11:00am - 12:00pm CDT
BONHAM 3-E | Expert 3 600 E Market St, San Antonio, TX Floor 3

Intermediate, Packet Captures

Audience midlevel
Subject Packets

11:00am CDT

SC-1008 How to Avoid Supply Chain Pains for Financial Gains

Organizations rely heavily on third-party vendor relationships to provide their customers with various products and services. Mid-market companies, however, find themselves playing catch up to compete with the maturity of large organization risk assessment programs.

This talk will reflect on real-world examples of the speakers experience developing third-party risk assessment questionnaires and reviewing those provided to a number of Credit Unions and Healthcare institutions in various states (both geographically and maturity of their security programs). He will also discuss how to fold OSINT investigation techniques to perform detailed background checks on the partners and their employees.

Attendees will learn how to:
- Create and refine third-party risk quantification criteria for partners and vendors,
- The questions to ask your supply chain and discover the exaggerations, half-truths, and outright lies from respondents, and
- Extend their current risk assessment activities beyond simple documentation review using freely available OSINT tools and techniques.

Speakers

Andrew Hay

Chief Operating Officer, Lares Consulting

Andrew Hay is an experienced cybersecurity leader, data scientist, researcher, and international public speaker with decades of experience across multiple IT, security, and risk domains. He has authored several books on endpoint, network, cloud, and security management topics, has... Read More →

Friday October 11, 2019 11:00am - 12:00pm CDT
TEXAS BALLROOM - A/B | Keynote - CISO 600 E Market St, San Antonio, TX Floor 4

Intermediate, Supply Chain

Audience midlevel, CISO
Subject CIS

11:00am CDT

98 - Overcoming Workforce Retention and Recruitment Challenges

Talented professionals form the critical infrastructure of any successful business, but how do we ensure successful retention and recruitment in an industry facing talent shortage? The insights shared in this session offer methods to promote a flowing talent acquisition pipeline, supported by the findings from two recent industry surveys, which examine how security professionals search for jobs and the impact of supporting community activities.

In order to recruit tech talent, you first need to know where they search for jobs. However, our cyber security job search survey found discrepancies in the ways that job seekers search for jobs and how recruiters primarily search for candidates. In this session I will discuss the top four reported job search methods to help employers guarantee their positions are visible and accessible.

I will also discuss how to attract and retain talent by tapping into the leading motivators that draw job seekers to a company, spanning compensation, good working environments, career mapping opportunities, support of work life balance, a more transparent hiring process, and remote work.

Shrewd employers also value volunteerism, as they understand that having employees operate in the community is a positive reflection on their company, helping to support their employer brand and recruitment strategy. I will urge employers to re-examine their support of volunteer activities, as over 97% of survey respondents reported they would move to a company that supported their volunteerism.

As we assess the ways that candidates approach their job search, employers will gain valuable insights to increase visibility and interest. By leveraging these findings and supporting community involvement, employers stand to build their employer brand and sustain lucrative retention and recruitment.
Notes: In an industry facing talent shortage, it is more vital than ever that employers utilize the right strategies to locate and recruit prospective candidates. Having personally surveyed the cyber security community and also having coached thousands of job seekers and employers to achieve the mutual goal of employment, I am excited to further share my best practices with Texas Cyber Summit attendees.

Speakers

Kathleen Smith

Community Outreach Officer, ClearedJobs.Net

Moderator is Outreach Officer for a veteran-owned job board and job fair company focused on the security cleared community. She has coached thousands of job seekers and employers to achieve the mutual goal of employment. She has embarked on a journey to find out why cybersecurity... Read More →

Friday October 11, 2019 11:00am - 12:00pm CDT
BONHAM 3-X Common Area Stage *End of Hall 600 E Market St, San Antonio, TX Floor 3

Introduction, Career

Audience Career Search

11:00am CDT

BN-1014 - The Pentester Blueprint: A Guide to Becoming a Pentester

DescriptionPentesting or ethical hacking as it is more commonly known has become a much sought-after job by people in IT, InfoSec, or those just trying to get into the industry. In this presentation, Phillip Wylie shares the blueprint for becoming a pentester. The presentation combines Phillip’s experience as a pentester and ethical hacking instructor to give attendees a guide on how to pursue a career as a pentester. Phillip shares what has worked for his students and people that he has mentored over his years as a pentester. This presentation covers the knowledge and skills needed to become a pentester as well as the steps to achieve them.
There is another class at 11:00am PT-1012 if this one fills up.

Speakers

Phillip Wylie

Security Solutions Specialist, CYE

Friday October 11, 2019 11:00am - 12:15pm CDT
TEXAS BALLROOM - C Track 1 600 E Market St, San Antonio, TX Floor 4

Introduction, PenTesting

Audience midlevel, Beginner

11:00am CDT

99 Resume Reviews

Author of the 6 Second Resume and a local security consultant doing resume reviews from 11am to 3pm

Speakers

Bill Branstetter

Speaker, asggov.com

Bill is on a mission to rid the world of bad resumes. I teach job seekers how to think like recruiters, to expose red flags that tell recruiters you are a risk, and to eliminate the boring tedium on nearly every resume (I’m looking at you, results-oriented team players!). Upgrade... Read More →

Friday October 11, 2019 11:00am - 3:00pm CDT
BONHAM 3-X Common Area Stage *End of Hall 600 E Market St, San Antonio, TX Floor 3

Career Fair, Resume Review

11:15am CDT

RT-2030 Regulatory Trends in IoT Security and Coordinated Disclosure and impact on the research community

Regulatory Trends in IoT Security and Coordinated Disclosure and impact on the research community

Speakers

Amit Elazari

Director, Global Security Policy, Intel Corporation

Amit Elazari Bar On is a Director of Global CybersecurityPolicy at Intel Corporation and a Lecturer at UC Berkeley’s Schoolof Information Master in Information and Cybersecurity. She holds aJSD from UC Berkeley School of Law and graduated summa cum laude threeprior degrees. Her... Read More →

Friday October 11, 2019 11:15am - 12:00pm CDT
TEXAS BALLROOM - E Track 3 600 E Market St, San Antonio, TX Floor 4

Intermediate

11:15am CDT

BN-1001 Introduction to Information Security

High level introduction to Information Security and its broad base of roles. This course will discuss ways to look at Information Security for those who want to get into the industry or options for those looking to make a change from one type of role into another. We will be talking about how in many organizations there are many roles that touch on Information Security that may not be labeled as so, as well as how to you prior experience outside of Information Security to move into a Information Security role.

Speakers

Lee 'MadHat' Heath

Security Mercenary, Unspecific

Friday October 11, 2019 11:15am - 12:00pm CDT
BONHAM 3-B | Bee'ing New 600 E Market St, San Antonio, TX Floor 3

Introduction, Blue Team

Audience Beginner

11:15am CDT

DHS-1000 The Mission of the Cybersecurity and Infrastructure Security Agency

A discuss on the mission of the Cybersecurity and Infrastructure Security Agency and an overview of the no-cost cybersecurity resources available in support to the protection and security of the Nation’s Critical Infrastructure.

Speakers

George Reeves

Cybersecurity Advisor, CISA

George Reeves is a Cybersecurity Advisor with the U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency.Mr. Reeves works to foster collaboration and coordination on cyber preparedness, risk mitigation and incident response, and to provide cyber... Read More →

Friday October 11, 2019 11:15am - 12:00pm CDT
BONHAM 3-C | Expert 1 600 E Market St, San Antonio, TX Floor 3

Introduction

Audience Beginner, midlevel

12:00pm CDT

Lunch On your Own - Friday

Friday October 11, 2019 12:00pm - 1:00pm CDT

LUNCH ON YOUR OWN

1:00pm CDT

NA-2066 Exploiting Information Leaks for Amazing Network Discovery

Identifying assets on modern networks is more complicated than ever due to the adoption of software defined networks, virtual machine environments, container environments, hybrid clouds, and internet-connected smart devices. This presentation dives into original research and lesser-known techniques that can be used to quickly discovery devices across complex environments, without the use of passive traffic analysis or credentials.

Speakers

HD Moore

Developer, Critical Research Corporation

H D Moore is network security expert, open source programmer, and hacker. He is a developer of the Metasploit Framework, a penetration testing software suite, and the founder of the Metasploit Project.He served as Chief Research Officer at Boston, MA based security firm Rapid7, a... Read More →

Friday October 11, 2019 1:00pm - 2:00pm CDT
TEXAS BALLROOM - E Track 3 600 E Market St, San Antonio, TX Floor 4

Advanced, Packet Captures

Audience Advanced, midlevel
Subject Packets
Area Deep Walk-Through

1:00pm CDT

BT-2021 OWASP API Security Top 10

In recent years, large reputable companies such as Facebook, Google and Equifax have suffered major data breaches that combined exposed the personal information of hundreds of millions of people worldwide. The common vector linking these breaches – APIs. The scale and magnitude of these breaches are the reason API security has been launched into the forefront of enterprise security concerns – now forcing us to rethink the way we approach API security as a whole.

OWASP Top 10 project has for a long time been the standard list of top vulnerabilities to look for and mitigate in the world of web applications. APIs represent a significantly different set of threats, attack vectors, and security best practices. This caused the OWASP community to launch OWASP API Security project earlier this year.

In this session we’ll discuss:

· What makes API Security different from web application security

· The top 10 common API security vulnerabilities

· Examples and mitigation strategies for each of the risks

Speakers

Dmitry Sotnikov

Chief Product Officer, 42Crunch

Dmitry Sotnikov serves as Chief Product Officer at 42Crunch – an enterprise API security company – and is curator of APISecurity.io, a popular community site with daily API Security news and weekly newsletter on API vulnerabilities, breaches, standards, best practices, regulations... Read More →

Friday October 11, 2019 1:00pm - 2:00pm CDT
SEGUIN 4-B AREA 51

Intermediate, Webapps

Audience midlevel
Subject OWASP

1:00pm CDT

CO-1111 Be an Inspirational Coach, Not an Oppressive Security Executive

Security executives are often seen by employees as oppressive heavy-handed dictators that demand strict and uncompromising adherence with the organization's security program. In amateur and professional sports, this “coaching style” is referred to as autocratic coaching. Often seen in football, baseball, and hockey, among other popular sports in North America, this coaching style may not be suitable for teams comprised of experienced and passionate athletes as it stifles creativity and can lower morale due to the restrictions it places on the players. To train and play to the best of their ability, players usually want to feel important to their team - a feeling not easily found when following a rigid and unappreciated plan.

Enter the athlete-centric coaching style, commonly seen in rugby and soccer, that enables athletes to perform at their best while enjoying all the benefits the game has to offer. Coaches who use this style encourage players to voice their opinions and thoughts in order to make the best decisions. This engagement usually results in a stronger relationship with the team as well as a closer inter-team bond. Similarly, the more players are forced to make decisions, the more coaches can adapt to a style that encourages this type of critical thinking, and the greater your athletes will perform.

Perhaps we, as security professionals, have been trying to communicate the security needs of the organization all wrong? Sure, there are times when we need to tell people how to do something, but maybe there is a better way. Maybe changing from the traditional autocratic coaching style to a more athlete-centric coaching style would resonate better with employees and peers? Athlete-centric coaching may be the answer to participation, engagement, and program alignment that we’ve been missing.

Using his experience as a certified coach (USA Rugby, World Rugby) and an experienced security executive, attendees will learn how to apply an athlete-centric coaching methodology to the delivery and operationalization of an organizational cybersecurity program. Attendees will learn:

- The differences between traditional security-oriented autocratic coaching and athlete-centric coaching,
- The application of the "coaching continuum” to empower the organization to collaborative understand and increase security, and
- How to run a “coaching session” to bring together a group of people around a key program aspect and turn them into an efficient team.

Speakers

Andrew Hay

Chief Operating Officer, Lares Consulting

Friday October 11, 2019 1:00pm - 2:00pm CDT
TEXAS BALLROOM - A/B | Keynote - CISO 600 E Market St, San Antonio, TX Floor 4

Intermediate

Audience midlevel

1:00pm CDT

ID-2022 Multi-Persona Identity Management

Organizations from small to large deal with multiple personas for every user. From the way they expect to interact with their desktop, to social media, and to the more important aspect the enterprise IT landscape, users expect access to just work. Authentication is expected to be ubiquitous, authorization transparent, and access provisioned seamlessly. The best implementations of identity and access management solutions are completely transparent to end users. This sessions will discuss the components of a mature identity and access management solution and considerations for selecting a product or designing your own solution.
Notes: a lot of IAM "solutions" focus on one aspect or another, provisioning, governance, roles, etc. What is important, regardless of vendor selection, is to understand each of the critical components of an IAM solution, and how they fit into your enterprise. the biggest challenge today is the multiple personas that a person brings to an enterprise. consider healthcare where I may be an employee, a contracted Dr, and a patient. How does an IAM system handle these personas? Consider higher education, perhaps I'm an employee but also a post-doc student. Consider K-12, I'm a teacher, but also a parent. A mature IAM system can reconcile and apply these personas properly.

Speakers

Will Schneider

Identity Practice Manager, Fulcrum Technology Solutions

I'm currently the Identity Practice Manager for Fulcrum Technology Solutions in Houston, TX https://www.ftsc.com/I've been working in the IAM space for almost 20 years, since the early emergence in the marketplace of the space. My experience includes building the IAM infrastructure... Read More →

Friday October 11, 2019 1:00pm - 2:00pm CDT
TEXAS BALLROOM - C Track 1 600 E Market St, San Antonio, TX Floor 4

Intermediate, IDENTITY MANAGEMENT

1:00pm CDT

TH-3005 Host & Threat Hunting on a Budget

First 100 days, I wanted to make a positive impact on the organization. I get a lay of the land and notice it was a majority Windows shop with no endpoint visibility. I go over how I prove to management and IT Operations when an opportunity presents itself. There is a suspicious beaconing of a known malicious domain. I quickly deploy Sysmon with PowerShell, as WinRM is enabled everywhere. Bam! I find Kovter fileless malware and break down the analysis. Now that I have buy-in, I go over the methods to get quick wins by deploying technologies like Sysmon, OSqeury, turn on auditing and Windows firewalls. I go over the benefits of Sysmon, how to deploy in the environment on a budget I do a post-mortem assessment and what I would have done differently.

Speakers

Leo Bastidas

DFIR/Threat Hunter, Fujitsu

Leo Bastidas started his career as a troubled teen, it's how he ended up working at the local repair shop, fixing PCs. He then joined the military after high school as there were no other options at the time. That is where he started with the Military Police, then quickly pivoted... Read More →

Friday October 11, 2019 1:00pm - 2:00pm CDT
BONHAM 3-D | Expert 2 600 E Market St, San Antonio, TX Floor 3

Intermediate, Packet Captures

1:00pm CDT

RT-3021 Alternative C2 Frameworks Part 1 - Apfell

In the age of EDR products, Red Teamer's need to be able to customize everything on the fly - stock
Command and Control (C2) frameworks and agents quickly become insufficient. Why stop at simple
obfuscation or name changes for customization though? Red Teamer's can leverage operational data to
track artifacts created on target, create callback hierarchies, and even map operations to MITRE
ATT&CK. In this workshop, we'll present two C2 frameworks designed with customization and
collaboration in mind - Apfell and Covenant.
Students will navigate a series of labs to illustrate the advantages and use cases for when to use Apfell
and Covenant over other frameworks while in a simulated Active Directory enterprise environment. They
should expect to be able to install, customize, and leverage these frameworks within operational
environments when they get back to the office.

Workshop Outline (outline of teaching topics)

Intro to Apfell
Overview of lab scenario
Discuss install (but don't do it live)
Walk-through the lab, highlighting the following:
changing/tracking command modifications on the fly
Customized c2 traffic
Using modules (how it integrates with other tools people might use for macos/*nix, loading in safety checks/AD queries)
How to add a new command
How to add a new payload type/c2 profile
Reporting (artifacts and otherwise)

Speakers

Ryan Cobb

Consultant, SpecterOps

Ryan Cobb is an operator and red teamer at SpecterOps, who specializes in building offensive securitytoolsets. Ryan has contributed to several open source security projects, such as Empire and Invoke-Obfuscation, and is the author of PSAmsi, SharpSploit, and Covenant. Ryan has presented... Read More →

Cody Thomas

n/a, SpecterOps

Cody Thomas is a red team operator and developer focusing on macOS and *nix devices. He created theinitial Mac and Linux ATT&CK matrices while he was working on the Adversary Emulation team atMITRE. Cody has spoken at a few conferences and works on his open source framework for macOS... Read More →

Friday October 11, 2019 1:00pm - 3:00pm CDT
BONHAM 3-C | Expert 1 600 E Market St, San Antonio, TX Floor 3

Advanced

Company SpecterOps
Audience midlevel, Advanced
Subject Botnet
Area Focused Talk

1:00pm CDT

DK-1016 Docker Security Workshop

This will be a hands-on workshop exploring various Docker related
security issues. For each topic covered, attendees will learn about its
root cause, its impact, and the steps to remediate. A number of issues
will have the opportunity for hands-on exercises to practice
exploitation and detection techniques. The workshop is primarily aimed
at those starting off in Docker security. Topics discussed will include
various methods for breaking out of containers, generic security
guidance for images / running containers, and general tips and useful
network techniques within containerised and orchestration environments.

Prior docker knowledge is not a strict requirement, however, some
familiarity with Docker concepts would be beneficial.

Speakers

Mohit Gupta

Security Consultant, F-Secure

Mohit has been a Security Consultant at F-Secure Consulting, previously known as MWR InfoSecurity,for the past three years with a focus on containerisation and orchestration technologies. Mohit leads the delivery of security services in these areas and has been involved in a variety... Read More →

Friday October 11, 2019 1:00pm - 3:00pm CDT
BONHAM 3-B | Bee'ing New 600 E Market St, San Antonio, TX Floor 3

Hands-On, Webapps

1:00pm CDT

CF-2003 Finding and Decoding Malicious PowerShell Scripts

Malicious PowerShell scripts are becoming the tool of choice for attackers. Although sometimes referred to as “fileless malware”, they can leave behind forensic artifacts for examiners to find. Learn how to locate and identify activity of these malicious PowerShell scripts. Once located, these PowerShell scripts may contains several layers of obfuscation that need to be decoded. Learn how to manually decode them, as well as some light malware analysis on any embedded shellcode through a series of hands on labs.
Requirements:

Windows system or Windows VM.
User must be able to turn off their AV.
Helpful if Python 2.7 is installed and added to the Path environment variable.

Speakers

Mari Degrazia

Forensics Expert, Kroll Cyber Risk

Mari DeGrazia is a Senior Vice President at Kroll Cyber Risk, which provides cyber security services on a global scale. Throughout her career, Mari has investigated high-profile breach cases, worked civil and criminal cases and provided testimony as an expert witness. She has written... Read More →

Friday October 11, 2019 1:00pm - 3:00pm CDT
TEXAS BALLROOM - F Track 2 600 E Market St, San Antonio, TX Floor 4

Intermediate, Forensics

1:00pm CDT

RE-1080 Intro to Reverse Engineering with Ghidra: Taming the Dragon

The advent of Ghidra has lowered the bar in terms of price and skill gap for getting involved in software reverse engineering. In this workshop we shall go through getting spun up on Ghidra and utilizing it to reverse binaries and automate different portions of our analysis.

Outline:
1. What is Ghidra?
a. Software Reverse Engineering Tool with version management / decompiles
b. Talk about github/issue tracking
2. What is Reverse Engineering?
a. Compiled code -> ASM
b. Figuring out how binaries work
i. Malware, CTFs, etc
3. Introduction to reversing topics
a. Disassembling
b. Decompilation
c. IL / AST
4. Server Collaboration
a. Use cases
5. Useful features
a. Themes and configurations
b. Handling XREFs / Function Call Trees
c. Navigating the Symbol Tree
6. Useful Plugins / Github Repos
7. Getting Started with Ghidra
a. Building your first project
b. importing Binaries / Libraries
c. Structuring your project
8. Patching Binaries
9. Reversing Binaries
a. Guided reversing of several binaries

10. Introduction to P-Code
11. Scripting
a. Automating analysis of binaries using p-code (python/java)
12. Takeaways
13. Conclusion / Questions

Requirements: Attendees should bring their own laptops and have a linux distro installed in a virtual machine or on the host. Ghidra should be downloaded and unzipped prior to the class from https://ghidra-sre.org/. Currently the newest version is 9.0.4 however newer versions will be acceptable and supported.

A basic understanding of C and X86 ASM, Java, and Python are recommended. An installation of GDB, strace, and ltrace are also recommended.

Speakers

Christopher Doege

Cyber Software engineer, Raytheon

Christopher Doege is a Cyber Software engineer at Raytheon. In his free time he likes to CTF with Nasa Rejects and reverse engineer malware. Chris graduated from The University of Texas at San Antonio with a BS in Computer Science and is a local to the San Antonio area.

Friday October 11, 2019 1:00pm - 3:00pm CDT
BONHAM 3-E | Expert 3 600 E Market St, San Antonio, TX Floor 3

Introduction, GHIDRA

2:00pm CDT

97 - Breaking Through the Boundaries of Cyber Security Job Search Challenges

Breaking Through the Boundaries of Cyber Security Job Search Challenges
We’ve all heard the old adage that finding a job is a full time job, but who has the time? With the right insights and resources in hand, you can maximize your job search efforts, turning them into successes. This presentation offers tools to take expert control of your cyber security career, by leveraging the findings from my two recent industry surveys, which examine the challenges of job search and the impact of volunteering in your professional community.When asked if they know how to find a job, 45% of survey respondents said no. In order to combat this problem, I will explore my top methods to help professionals evaluate, refine, and improve their job search strategy. These parameters span personally reflecting to know what you want to do, to developing the right career search products, understanding the different types of recruiters, and learning to utilize the right avenues for self promotion and networking.Volunteering in your professional community offers vast opportunities for building an expanded industry network. This is vital to continuous job search success, as 79% of survey respondents reported the most common way they find jobs is by asking their network of friends. Thus you can greatly progress your career by actively engaging in the external community to network, gain experiences, and create opportunities for continued learning.While career progression is typically seen as education, certification, and job moves, we need to build both technical and non-technical skills in order to continually advance and market our ever-expanding abilities. Volunteering provides a venue to learn essential skills that fuel your career trajectory by developing qualities spanning leadership, persistence, time management, problem solving, and more.Though the challenges that job seekers face are not unusual, they can be overcome with the right tactics in hand. By applying the guidelines presented in this session, more individuals in the community will have the tools they need to embark on the road to success in their cyber security careers.

Speakers

Kathleen Smith

Community Outreach Officer, ClearedJobs.Net

Friday October 11, 2019 2:00pm - 3:00pm CDT
BONHAM 3-X Common Area Stage *End of Hall 600 E Market St, San Antonio, TX Floor 3

2:00pm CDT

BT-2088 HoneyDB Community driven honeypot sensor data collection and aggregation.

Honeypots can be implemented to discover new threat information or detect intruders on a network. However, while there are numerous free honeypots available, many of them can be complicated to deploy or require additional engineering around them to consume log data. Are you curious to learn more about honeypots? Are you interested in deploying your own honeypots on the Internet? HoneyDB is comprised of a honeypot agent and data collection backend, which makes getting started with honeypots simple. In the HoneyDB honeypot workshop, you will learn about honeypots, configure and deploy a honeydb-agent in the cloud, and use HoneyDB tools to query honeypot data. This workshop is for beginner levels and up.
https://riskdiscovery.com/honeydb/workshop

Speakers

Phillip Maddux

Researcher / Advisor, Signal Sciences

Phillip Maddux is a Principal Application Security Researcher & Advisor at Signal Sciences and has over 10 years of experience in information security, with the majority of that time focused on application security in the financial services sector. In his spare moments he enjoys converting... Read More →

Friday October 11, 2019 2:00pm - 4:45pm CDT
BONHAM 3-D | Expert 2 600 E Market St, San Antonio, TX Floor 3

Hands-On, Forensics

2:15pm CDT

BT-1050 Shining a Light on Shadow IT in the Cloud

We all know about Shadow IT and the risks and dangers that come with that but what about Shadow IT in the Cloud –that’s a scary thought. Now you have data in the hands of others and NO ONE KNOWS about it which means there aren't any governance or controls around it either. How do we lock down data in the cloud and ensure we have everything in place to avoid data loss or breach while also giving the business and other teams the tools they need to do their work? How do we block these ‘scary’ cloud services like file stores, pdf merger sites, code beautifiers, etc. when cloud is quickly becoming the new normal? Or infrastructure in the public cloud that isn't secured, inventoried, patched, logged, or monitored? How do you know that your business users don't have a public S3 bucket for collaboration?

Shadow IT refers to technology that is procured outside of official channels, processes and/or procedures meaning they aren’t vetted or managed by the IT and Security organizations. These types of procurements can put a company at great risk. We’ve seen the number of cases related to this steadily grow in many companies. With many easy-to-use solutions out there and with Cloud becoming the next big thing, Shadow IT in the Cloud has become one of our top security risks.

Shadow IT Happens: Workers are using a diversity of applications at work, from note-taking applications to file sharing applications. According to a recent Stratecast survey, 80% of workers admit to using SaaS applications at work, in many cases without IT approval.

Security, The “NO” people
So why do we have so many users turning to these cloud solutions? No one likes processes that slowdown their work and with security being the infamous “No” group, they’ll do whatever they can to avoid having to obtain approvals they may not get. What these users don’t realize is that security professionals aren’t trying to stop you from doing what you’re doing we’re just making sure that the security of the company is priority number one. Yes, we want to make sure that you can go along with your day to day work and even plug in some great new tools that make that work even easier but it is our responsibility to ensure the security of our data and the highly sensitive data that our members trust us with every day.

With that fear of rejection, users will turn to the vast amount of consumer applications available in the cloud. File sharing apps, social media, data stores, collaboration tools –these users just want easier, more efficient ways to get their work done. What they may not realize is how available this information can be once it’s put out there. “But I put this information in the Cloud, so it must be secure, right?” Many don’t realize the risks involved with these tools and without any IT or Security knowledge of these tools being used, there’s no way to monitor, track or respond to any type of malicious behavior or data incidents. The fault doesn’t lie solely on our users, as security professionals we need to be more open to the needs of our users. Instead of always saying “no”, we can say “maybe, but let’s see how we can secure it”. If users aren’t afraid to ask for the approval, the amount of Shadow IT begins to decrease.

Fixing the issue
As we work to explore these emerging technologies and create opportunities that users want/need, what do we do about the technologies being used today without us knowing about it? There are many ways to approach this, but here’s some insight as to how we’ve tackled the issue.

First, there’s the approach that blends reviewing corporate card charges and purchase order billing and comparing those against contracts with cloud services/companies. Then blending that against DLP tools to find data being sent out/stored to ‘free’ cloud services that we wouldn’t necessarily see in a billing review. Many times, we see purchases and data sent out to cloud services we’ve never even heard of but it opens the door to more research and findings which leads to locking down potential risks.

Second, we can leverage CASBs currently in place to review any cloud service accesses that employees have, block any access that hasn’t been reviewed and send the user to a bump page redirecting them to our cloud governance process. Being able to monitor user behavior and alert on any unusual behavior shines a light on the types of actions being done by our users every day and having this information helps us see when something out of the ordinary takes place.

Finally, with this type of information in place and always learning more about Shadow IT in the Cloud, we can utilize auto-remediation tools to lock down known malicious sites or sites that have not been fully analyzed. These types of tools are always learning and growing, with less and less human intervention needed, tracking user behavior, malware, malicious sites, etc. and taking action. Tools like these are what help us sleep at night.

Infrastructure and Platform as a Service present their own challenges in terms of security controls. This presentation will also offer possible technical controls (preventive and detective) to address this risk.

What’s next?
The National Institute of Standards and Technology Cybersecurity Framework (NIST CSF) outlines best practices and processes for security professionals to use to manage risk in their systems. The five pillars of the framework being Identify, Protect, Detect, Respond and Recover. Today, cloud technologies lean toward the last 3 of said pillars but our goals are to get our cloud technologies aligned with Identify and Protect. As cyber security professionals, we will be proactive rather than responsive.

OUTCOMES/CONCLUSION
Not everyone will be happy when you tell them they can’t do something they’ve become accustomed to or that there are new approvals they’ll need to obtain first. Not to mention all the work and resources needed for mitigation and remediation of any data incidents but it must be done. We need to work together with our users to find the best tools available that we can still manage and monitor. Our goal is to allow users to use the cloud services available to them, securely.

Notes: Co-presenters, Jessica Hazelrigg and Marisa Dyer, have extensive experience standing up and running a comprehensive cloud security program at USAA. Jessica is the director responsible for creating the cloud security team at the beginning of the cloud journey. Marisa joined the team and is a pivotal member of our remediation and enablement workstreams, working in AWS, Azure, and GCP.

Speakers

Jessica Hazelrigg

Director, Platform Threat Defense, USAA

Jessica is Director over the Platform Threat Defense team, whose purpose is to enable the security and availability of USAA’s platforms and endpoints to include web security, email gateways, antivirus, PKI and cloud technologies. She is also an Information Security Instructor with... Read More →

Marisa Dyer

Security Engineer, USAA

Marisa is currently a Cloud Security Engineer serving on the Platform Threat Defense team focusing on managing and securing accounts and resources within the different cloud technologies at USAA to include AWS, Google Cloud and Microsoft Azure. Her previous roles at USAA include Software... Read More →

Friday October 11, 2019 2:15pm - 3:00pm CDT
TEXAS BALLROOM - C Track 1 600 E Market St, San Antonio, TX Floor 4

Introduction, Cloud Computing

Company USAA
Audience CISO

2:15pm CDT

CS-2058 Build an Inspiring Company Culture to Get Great Results

Did you know that a company’s culture is a key defense against cyber threat? Consider that toxic, disengage company culture produces unhappy people. Unhappy people are less vigilant and less engaged in protecting a company from cyber attack. Most companies focus on Technology, Processes, but leave People to chance. Building a vibrant culture left to chance. Devoting time and resources to cyber security strategy and technology, but leaving company culture to chance is detrimental. People and company culture must be a key pillar of focus.

In this dynamic, hands-on session, we will identify 3 leader habits, the 7 culture building blocks, and key steps to implement a magnetic culture.

RESULTS:
1. Identify the current company culture and how it supports or detracts from goal-achievement.
2. Establish the 3 leader habits critical for a great culture and how to consistently apply those habits.
3. Identify the 7 culture building blocks and steps to implement.

Notes: The IT and Cyber industry conferences often focus on technical, technology, or processes. A significant missing piece is the focus on people. People are the greatest vulnerability. From leaders under-prepared for their leadership role to dysfunctional company cultures that create environments where unhappy employees can create the conditions for significant cyber exploitation. This workshop will help leaders and decision-makers review where their company culture may be undermining their cyber security program.

Speakers

Jenny DuFresne

Chief Executive Officer, DuFresne Solutions Group

CEO of the DuFresne Solutions Group, a leadership training firm. The firm supports CEOs and mid-level managers to build great teams, reduce employee turnover, and create a thriving company culture. Jenny served 10-years in the United States Marine Corps. As a trailblazing leader... Read More →

Friday October 11, 2019 2:15pm - 3:15pm CDT
TEXAS BALLROOM - A/B | Keynote - CISO 600 E Market St, San Antonio, TX Floor 4

2:30pm CDT

HX-3015 Deploying Cloud Native Red Team Infrastructure with Kubernetes, Istio and Envoy

Larry will walk you thorugh the technical details of building nimble Red Team infrastructure that
leverages cloud native orchestration frameworks such as Kubernetes and service meshes
such as Istio. Special attention will be paid to containerizing and developing deployment
artifacts in Helm for popular C2 frameworks. Automated Kubernetes cluster deployment will be covered for AWS, Google Cloud, and Azure. Details will be given on configuring the Envoy proxy as a redirector and filter in order to obfuscate the infrastructure from unwanted probing by defenders. Techniques for real time monitoring of implant communication will be addressed. The talk will also review the recipes currently available in the Kubered framework (https://github.com/cloudc2/kubred) and other resources helpful for cloud native Red Team operations.

Speakers

Larry Suto

Consultant, SDCI

Larry Suto is an independent security consultant based out of Oakland, CA. and spends a lot of time researching using cloud infrastructure for all types of security testing. He does Windows penetration testing as much as possible and seeks to enlighten people on advanced ways to deploy... Read More →

Jeff Holden

CISO, CCC Technology Center

Jeff Holden works for a large college system as an Information Security Manager/jack of all trades.His favorite part of the job though is in the penetration testing of the colleges in the system. He also contributes to open source projects and releases his own code

Friday October 11, 2019 2:30pm - 3:30pm CDT
TEXAS BALLROOM - E Track 3 600 E Market St, San Antonio, TX Floor 4

Advanced, Red Team

Subject red team
Area Deep Walk-Through

2:30pm CDT

ES-2010 "Exploit” The State of Embedded Web Security in IoT Devices !

Threats in IOT space are increasing at an exponential scale. One of the stringent issue encountered in the IoT devices is the management and deployment of embedded web servers and security controls associated with them. A number of security flaws exist due to the inability of imposing strong authentication and authorization controls at the granular level. In addition, bad design practices result in giving birth to inherent vulnerabilities. This talk highlights the state of security in embedded web servers by presenting undisclosed vulnerabilities in IOT devices. Additionally, the talk unveils how the embedded web servers used in IOT devices are exploited by adversaries to trigger advanced cyber attacks. There will be demonstrations and associated proof of concepts codes will be released.

Speakers

Aditya K Sood

Director, Symantec

Dr. Sood is an information security practitioner and researcher by profession. Dr. Sood has research interests in malware automation and analysis, cloud security, secure software design and cybersecurity. He is also a founder of SecNiche Security Labs, an independent web portal for... Read More →

Friday October 11, 2019 2:30pm - 3:30pm CDT
SEGUIN 4-B AREA 51

Intermediate, IoT Emedded Devices

3:00pm CDT

WS2014 - Malware Traffic Analysis Workshop 1

This session is part one of a hands-on workshop presented across two separate sessions. The training provides a foundation for investigating packet captures (pcaps) of malicious network traffic from hosts running Microsoft Windows. Participants will review basic investigation concepts, set up Wireshark, and identify hosts and users in network traffic. The training provides several examples of infection traffic that focuses on mass-distribution commodity malware commonly seen from malicious spam. Pcaps for this workshop will be available online. For the best hands-on experience, participants should have a relatively current version of Wireshark (version 2.6 or better), preferably in a non-Windows environment.

You will be required to bring your own laptop, please install a virtual machine (VM) running Linux is recommended for participants using a Windows-based laptop.

Speakers

Brad Duncan

Threat Intelligence Analyst, Palo Alto Networks - Unit 42

isc.sans.edu. Brad routinely blogs technical details and analysis of infection traffic at www.malware-traffic-analysis.net, where he provides traffic analysis exercises and over 1,600 malware and traffic samples to a growing community of information security professionals.">After 21 years in the US Air Force, Brad transitioned to cyber security in 2010, and he is a currently a Threat Intelligence Analyst... Read More →

Friday October 11, 2019 3:00pm - 5:00pm CDT
BONHAM 3-C | Expert 1 600 E Market St, San Antonio, TX Floor 3

Intermediate, Packet Captures

Subject Malware
Area Hands-on

3:15pm CDT

CC-100 Security Fabric enables customers to reliably manage and consolidate their security infrastructure

The Fortinet Security Fabric enables customers to reliably manage and consolidate their security infrastructure. A solution-based approach, rather than a point-product-based approach can save administrative costs and provide a more robust security posture.

Speakers

Christian Martinez

Security Expert, Fortinet

Cyber Security Professional and has been a trusted advisor to companies across multiple industries for well over a decade. He joined Fortinet as an Information Security Solutions Architect, where for the last 7 years he has lent his experience developing next-generation security... Read More →

Friday October 11, 2019 3:15pm - 3:25pm CDT
TEXAS BALLROOM - A/B | Keynote - CISO 600 E Market St, San Antonio, TX Floor 4

Sales Solutions Brief, Marketing

Company Fortinet
Audience CISO
Subject Architecture
Area Product/Services

3:15pm CDT

CO-1115 Cybersecurity in Today's Cyber Threat Environment.

Cybersecurity in Today's Cyber Threat Environment.

Speakers

Aaron Drake

Command, National Security Agency

Col Aaron Drake assumed command of the 659th Intelligence, Surveillance and Reconnaissance Group. The 659th ISR Group, within the 70th ISR Wing at 25th Air Force, conducts global integrated cyber ISR operations between Air Force, joint and intelligence community partners to detect, characterize and mitigate cyb... Read More →

Friday October 11, 2019 3:15pm - 4:15pm CDT
BONHAM 3-E | Expert 3 600 E Market St, San Antonio, TX Floor 3

Introduction, Webapps

Audience CISO, midlevel

3:30pm CDT

RT-3019 The Power of Wedging

This talk presents "wedging" as the strategic insertion of one's presence either along or at the end of a workflow.
The purpose being to passively receive data or enable quiet enumeration of systems and operations.

Two examples:
1. In research at UpGuard, it has been noted that many large enterprises with unique cloud storage bucket names will juggle those names. Meaning they will register and deregister bucket names with the cloud operator fairly often, which is assumed to be necessary due to caps on the number of bucket names per account. This introduces risk if a malicious actor is monitoring the buckets and realizes the pattern of on/off name toggling. A malicious actor could register a bucket with one of the unique names as soon as it is dropped, but before it is re-registered and then enable universal read/write access. This could then cause the enterprise to assume they had internally registered the bucket yet again and lead to data being written to the bucket by them (which, of course the malicious third party could then access). Versioning controlled by the third party prevents deletion/overwrite attempts even if noticed.
2. Shady political organizations have a tendency to quickly deregister domain ownership when one of their sites is caught up in a scandal. By registering the domain (after the previous owners attempt to wash their hands of it quickly), a third party can set up a catch-all email address at that domain. Any mails directed to that domain, from previous political conspirators will land in the new domain owner's catch-all inbox. This also enables the ability to receive password-reset emails for any accounts which utilized the domain as an email address when registering.

Aspects covered will be the concept itself, how malicious actors can exploit it, how defenders can prevent it, as well as options in responding to incidents of wedging being utilized against your organization.

Speakers

Chris Vickery

Director of Risk Research, UpGuard

Chris is UpGuard's Director of Risk Research. He is cited as a cyber security expert by The New York Times, Forbes, Reuters, BBC, LA Times, Washington Post, and many other publications. In the course of his work Chris has assisted the MPAA, Thomson Reuters, Microsoft, Citrix, AARP... Read More →

tcs pptx

Friday October 11, 2019 3:30pm - 4:30pm CDT
TEXAS BALLROOM - F Track 2 600 E Market St, San Antonio, TX Floor 4

Intermediate, Hacking

Company UpGuard
Audience midlevel, Advanced
Subject Hunting
Area Focused Talk

4:00pm CDT

DO-3030 Anatomy of cloud hacking

Hack the Clouds, see it Rain !

Speakers

Dhruv Shah

NotSoSecure

Dhruv Shah Senior Security Consultant and Trainer Dhruv has been with NotSoSecure since 2017 and has worked on security issues with a broad range of clients, including major banking, finance and media companies. This work involves web and application penetration testing and network... Read More →

Friday October 11, 2019 4:00pm - 5:00pm CDT
TEXAS BALLROOM - E Track 3 600 E Market St, San Antonio, TX Floor 4

Intermediate, Blue Team

Company NotSoSecure
Audience midlevel
Subject DevOps, DevSecOps
Area Deep Walk-Through

4:00pm CDT

CS-2013 DNS over HTTPS

Due to pervasive unpreparedness of users, applications, operating systems, and protocols, DNS has become an essential control point for “cyber” security. Most networks have a mix of legacy, modern, safe, and unsafe devices attached to them, and this condition won’t change as quickly as the Zerocorp initiative might suggest. However, DNS is also an important control point for authoritarian regimes, and so “bypass” innovation is continuous, rapid, and ambitious. Special attention will be paid to the new "DNS over HTTP" or "DoH" protocol now being strongly pushed by Mozilla, CloudFlare, and others. In addition, a brief mention will be made of Resolverless DNS.

Speakers

Dr. Paul Vixie

CEO / Chairman, Farsight Security

Dr. Paul Vixie is an internet pioneer. Currently, he is the Chairman, CEO and cofounder of award-winning Farsight Security, Inc. Dr. Vixie was inducted into the internet Hall of Fame in 2014 for work related to DNS and anti-spam technologies. He is the author of open source internet... Read More →

Friday October 11, 2019 4:00pm - 5:00pm CDT
TEXAS BALLROOM - A/B | Keynote - CISO 600 E Market St, San Antonio, TX Floor 4

Introduction, Domain Name Services

Company FSI.IO
Audience CISO
Subject CIS

4:00pm CDT

TM-2002 Threat Modelling : Creating a feedback Model in agile environment

Threat Modeling is an art of foreseeing the threats associated with an application and getting them fixed in a very early stage. There have been various Threat Modeling frameworks developed over the course of years. Most of companies follow their own version of Threat Modeling. However, these frameworks lack one of the most crucial steps in order to produce the maximum result of Threat modeling. The aim of this presentation is to provide you with the last missing piece of the puzzle. We help you complete the full circle of Threat Modeling and create a feedback model to create overall Threat Landscape for any organization.

We will talk about how and when you should upgrade your threat modeling process in order to accommodate newly introduced Threat Vectors in the market. We will also talk about building a security mindset that would help in successful Threat Model with a case study.

Friday October 11, 2019 4:00pm - 5:00pm CDT
TEXAS BALLROOM - C Track 1 600 E Market St, San Antonio, TX Floor 4

Introduction, Hunting

4:00pm CDT

WA-1005 - Intro to Web App Pentesting

Speakers

Phillip Wylie

Security Solutions Specialist, CYE

Friday October 11, 2019 4:00pm - 6:00pm CDT
BONHAM 3-B | Bee'ing New 600 E Market St, San Antonio, TX Floor 3

Introduction, Webapps

4:45pm CDT

RT-2007 Red Team Tactics for Pentesters

What can a Penetration Tester gain from entering into the mindset of an Advanced Persistent Threat? Isn’t this what a Red Team is for? Imagine being able to connect your penetration testing actions with those of known APTs. Embrace your ability to help your client determine if their defenses are effective against potential APTs.

Traditional Penetration testing is a valuable asset to any organization. As a Penetration Tester it is our job to express how a weakness can affect an organization’s security posture. To go a step further and perform a Red Team engagement, an organization would get a solid understanding of how their security posture holds up to a simulated adversary. We know that these types of engagements are quite different in nature, but when it comes to penetration testing what if we could put a new spin on our actions and reporting? Now imagine that you’re conducting a penetration test and you utilize a covert method for persistence. After doing some research on ways to better maintain this persistence you discover that APT29 (Advanced Persistent Threat) actually uses this very TTP (Tactic, Technique, and Procedure). Whether the organization’s security team is able to respond accordingly or not, you can now provide a valuable piece of information to your client. Being able to connect the similarities of your penetration testing actions with known APT TTPs can really help improve the security posture of your client. If your client is in an industry targeted by APT29, then not only did you help determine their security posture but you may have just saved them from being an easy win for the adversary. By detailing your client’s response to actions taken, you’ll be able to help them determine if their defenses are adequate enough to defend against potential APTs. My goal is to help you blend both the traditional penetration testing methodologies with Red Team Tactics in order to become a more effective Offensive Security Professional.

Speakers

Samuel Kimmons

Adversary Emulation Lead

Adversary Emulation and training some of the best defenders in the world.

Friday October 11, 2019 4:45pm - 5:45pm CDT
TEXAS BALLROOM - F Track 2 600 E Market St, San Antonio, TX Floor 4

Advanced, Red Team

4:45pm CDT

CH-2028 Tuning EntuneⓇ Exploiting hidden features of your car's computer

Infotainment systems have placed internet connected computers into the dashboards of modern vehicles. Consumers now consider the connectivity and functionality of these computers as one of the most important criteria for purchasing a new car. For other computing platforms, communities of hackers and developers have grown around the concept of providing new features, or fixes to bugs, that the original manufacturers denied their customers. These communities provide the ability for users to modify their device, install additional software, and expand the device from its original functionality. In this talk we present the results of our extensive reverse engineering effort on the Toyota Entune infotainment system.

Speakers

Dan Zentner

Sr Software Engineer, ICR

Dan currently works for a private security company focusing on IoT security. He has previously held positions working as an embedded software engineer and vulnerability researcher at Endgame, where he worked on Windows endpoints and released CVE-2013-3881. Before Endgame, he developed... Read More →

Friday October 11, 2019 4:45pm - 5:45pm CDT
BONHAM 3-D | Expert 2 600 E Market St, San Antonio, TX Floor 3

Car Hacking, Exploits

Audience midlevel
Subject Exploits
Area Focused Talk

5:15pm CDT

RT-3006 Red Teaming MacOS Environments

This talk is focused on red teaming techniques and tools against MacOS hosts in enterprise environments. Below is the outline of topics that will be discussed:

-Intro
-Agenda
-A Look at MacOS Enterprise Deployments (Common technologies, Remote management, Local admin rights, Misconfigurations)
-Phishing techniques (Payload types, Credential harvesting techniques)
-Gatekeeper (What is it?, How does it work?, Ways around it/limitations)
-Post Exploitation Methods and Examples
-Common patterns/detection techniques (Parent-child processes, Command line arguments, Network connections)
-Migrating to API Calls (How?, Why This is Harder to Detect, Examples)
-Defensive Recommendations (Host-based, Network-based)
-Q&A

Speakers

Brandon Dennis

CEO, RedTeam Nation

Brandon is an offensive security engineer who came from a jack of all trades background. Brandon has does everything from Development, Systems Administration, networking and Red Teaming. Brandon is the founder of RedTeam Nation. A company designed to bring individuals into Red Teaming... Read More →

Friday October 11, 2019 5:15pm - 6:15pm CDT
TEXAS BALLROOM - E Track 3 600 E Market St, San Antonio, TX Floor 4

Advanced, Hacking

Company RedTeam Nation
Audience Advanced, midlevel
Subject red team, MacOS
Area Focused Talk

5:15pm CDT

RT-1053 Predictive Analytics using Aggregated Threat Intelligence

Talk Details:

In this talk I'll discuss how DHS is leveraging classified threat intelligence to monitor, track, and hunt foreign intelligence activity in US Based Critical Infrastructure. We'll also discuss how you can use the same techniques to label threat intelligence and begin to perform predictive analytics based on aggregated threat intelligence and historical metrics.

We'll cover:

Organizing threat intelligence into meaningful and useful data
Ingesting historical metrics into structured databases to provide calculable metrics
Processing databases through supervised learning data science algorithms to uncover patterns
Analyze uncovered patterns to develop cautionary predictions around industry based attack patterns
How to pair observed threat activity with MITRE ATT&CK TTPs to research potential attribution

This presentation is born out of the DHS ECS (Enhanced Cybersecurity Services) program that is designed to quickly bring actionable classified threat intelligence to all US Based Critical Infrastructure.

Details about the DHS ECS program can be found here.

Speakers

David Evenden

Exploitation Analyst, CenturyLink

David Evenden is an experienced offensive security operator & analyst with over a decade of experience working in the Intelligence Community where he learned Persian Farsi, worked at NSA Red Team and was a member of an elite international team operating in conjunction with coalition... Read More →

Friday October 11, 2019 5:15pm - 6:15pm CDT
TEXAS BALLROOM - C Track 1 600 E Market St, San Antonio, TX Floor 4

Introduction

Audience Beginner, midlevel
Subject Hunting
Area Focused Talk

6:30pm CDT

Social - Cy'Beer & Social Mixer

Crizzly Live
Free Food
Cash Bar

Speakers

Joseph Mlodzianowski

Founder, Texas Cyber Summit

Friday October 11, 2019 6:30pm - 8:00pm CDT
TEXAS BALLROOM - A/B | Keynote - CISO 600 E Market St, San Antonio, TX Floor 4

Social, Adults

8:30am CDT

BUSINESS EXPO CENTER OPENS

Saturday October 12, 2019 8:30am - 3:00pm CDT
Expo Business Center

Social

10:00am CDT

Keynote - Shannon "Snubs" Morse

Speakers

Shannon "Snubs" Morse

Host & Producer, Threatwire

Shannon Morse has been building computers since she was child-size, and discovered her love for theater early on. After college, Online Media felt like the perfect combination of both technology and entertainment. She has been podcasting since 2008 and is an influencer in consumer... Read More →

Saturday October 12, 2019 10:00am - 11:00am CDT
TEXAS BALLROOM - A/B | Keynote - CISO 600 E Market St, San Antonio, TX Floor 4

11:15am CDT

PR-3021 Bypassing Python 3.8 Audit Hooks

In Python 3.8, which is scheduled to be released October 2019, a new security feature is being implemented called “audit hooks”. According to PEP 578 and PEP 551, the purpose of audit hooking is to allow transparency into Python’s runtime so that events can be monitored and logged just like any other process. While additional insight is great for defenders, it's likely to become another hurdle for attackers to deal with. I dunno about y'all but I'm trying to run scripts unabated, feel me? Y'all tryna bypass these audit hooks or nah? Come through.

Speakers

Leron Gray

Security Software Engineer, Microsoft

Leron (aka daddycocoaman) is a ten year Navy veteran and former NSA operator with several years of offensive security experience. He's currently works on the Azure Red Team at Microsoft, loves winning all the CTFs, and enjoys writing things in Python and Python-like languages. He's... Read More →

Saturday October 12, 2019 11:15am - 12:00pm CDT
BONHAM 3-C | Expert 1 600 E Market St, San Antonio, TX Floor 3

Advanced, Python

11:15am CDT

BT-3082 Learning to Rank Strings Output for Speedier Malware Analysis

StringSifter: Learning to Rank Strings Output for Speedier Malware Analysis
In static analysis, one of the most useful initial steps is to inspect a binary's printable characters via the Strings program. However, running Strings on a piece of malware inevitably produces noisy strings mixed in with important ones, which can only be uncovered after sifting through the entirety of its messy output. To address this, we are releasing StringSifter: a machine learning-based tool that automatically ranks strings based on their relevance for malware analysis. In our presentation, we'll show how StringSifter allows analysts to conveniently focus on strings located towards the top of its predicted output, and that it performs well based on criteria used to evaluate web search and recommendation engines. We’ll also demonstrate StringSifter live in action on sample binaries.

Speakers

Philip Tully

Staff Data Scientist, FireEye

As a Staff Data Scientist at FireEye, Philip Tully builds predictive models for detecting and categorizing malware. He earned his joint doctorate degree in computer science from the Royal Institute of Technology (KTH) and the University of Edinburgh. His research concerning the intersection... Read More →

Saturday October 12, 2019 11:15am - 12:00pm CDT
BONHAM 3-E | Expert 3 600 E Market St, San Antonio, TX Floor 3

Hands-On, Malware Analysis

Company FireEye
Audience midlevel, Advanced
Subject Malware
Area Deep Walk-Through

11:15am CDT

BT-2035 An application of differential privacy to security monitoring

Privacy and security auditing are always seen as opposing forces, but does it have to be like that? Differential privacy offers the mathematical tools to strike a balance between privacy and auditing. This is why I have started to develop DPLog a host based agent that implements state of the art DP-algorithms to enable SIEM-like queries with privacy constraints.

Speakers

Paolo Di Prodi

Software Engineer, Fortinet

Paolo is a software engineer with an academic research background in machine learning applied to multi agent systems for which I have received a Phd. After University I have focused my career in the commercial application of machine learning into medical devices and recently into... Read More →

Saturday October 12, 2019 11:15am - 12:00pm CDT
TEXAS BALLROOM - F Track 2 600 E Market St, San Antonio, TX Floor 4

Intermediate, Privacy

11:15am CDT

BT-2034 Keeping Threat Intelligence in Pace with Continuous Monitoring

Cyber Threat Intelligence is a term that gets thrown around allot. But what does it look like to integrate it into your continuous monitoring program? What real world experience proven strategies and tactics can an organization adopt to start making intelligence driven choices? My talk covers what I think are the most appropriate parts of a threat intelligence program to start weaving into your operations depending on the maturity level of your organization. It is not threat intelligence 101, but it will cover fundamental items which an organization can start to use to be ready for a full Threat Intelligence team or engagement with an outside partner.

Description: Threat Intelligence remains elusive and mysterious to many organizations. There is often little in the way of true CTI in many organization, new and old, aside from subscription feed services. This can lead to both complacency in the sense of “oh we have threat intel” as well as misplaced dissatisfaction with regards to the “threat intel’ they think they have and the true benefits it can provide. If you can evangelize and integrate Threat Intelligence as an organization is just getting its continuous monitoring going (i.e. A SOC and all that goes with it) then the growth of the CTI program will always be in step with the organizations capabilities as opposed to lagging behind it, or worse, out pacing it. The organizations who ask for our help are often understaffed, under-resourced, and begging for help. The suggestions that follow will help maximize their efforts as well as put them in a position to help us help them.

Speakers

Michael Rodriguez

senior consultant, FireEye

Mr. Rodriguez is a Senior Consultant with the Government Security Programs group. In his role he provides security strategy and assessment services to public sector clients. Mr. Rodriguez assists on developing incident response processes and performing Cyber Defense Center transformations... Read More →

Saturday October 12, 2019 11:15am - 12:00pm CDT
TEXAS BALLROOM - C Track 1 600 E Market St, San Antonio, TX Floor 4

Introduction, Blue Team

Company FireEye
Audience midlevel
Subject blue team
Area Monitoring

11:15am CDT

CW-1018 Insider Threats: Stories from outside the cubicle

Talk Details:
My talk will cover: Real vs. Hollywood insider threats. During the talk, I will show instances of insider threats from around the world including two specific cases I have worked over the years where I caught insider threats. We’ll talk about what they took, how they took it and how we were able to catch them. These examples will reinforce my talk with personal experiences. Case No. 1 will be the story of a rouge system administrator who was selling info to acquisition targets. Case No. 2 will review a case where an employee was trying to steal the formula for a manufacturing process and client lists, as well as trying to damage the employer by sending confidential info to employees.

Turn off your mobile phone, put down your tablet and learn about the real-world insider threats causing the greatest harm (not just the big ones that make the 5 o’clock news). How quickly could your organization be breached by malicious insiders? How can your team help find them? Threat hunters are often tasked with looking for attackers’ TTPs. But how can they look for malicious insiders? Please join our special guest, David Balcar a globally recognized security professional, as he shares his personal, real-world experience of sniffing out insider threats.

Speakers

David Balcar

Carbon Black, Security Strategist

David Balcar is a Security Strategist at Carbon Black. David is a security veteran with over 18 years’ experience in conducting Security Research, Network Penetration testing, Incident Response and Computer Forensics. David is a regular featured speaker at Security Conferences worldwide... Read More →

Saturday October 12, 2019 11:15am - 12:00pm CDT
BONHAM 3-D | Expert 2 600 E Market St, San Antonio, TX Floor 3

Introduction, Webapps

Company CarbonBlack
Subject incident response

11:15am CDT

ICS-2010 Holistic ICS Cybersecurity Assessments

The ICS Cyber Risk Assessment is key to establishing a robust Industrial Control System (ICS) cyber security posture. But where does the system owner begin? This session will present a detailed guide for executing risk assessments that will provide system owners with a valuable strategic plan for mitigating security and reliability vulnerabilities.

Speakers

David Grocott

Engineering Manager, Parsons Corporation

Saturday October 12, 2019 11:15am - 12:00pm CDT
TEXAS BALLROOM - E Track 3 600 E Market St, San Antonio, TX Floor 4

Introduction, Scada

11:15am CDT

TH-2047 Winning Everyday at Threat Intel

Winning Everyday at Threat Intel provides information and ideas about attribution vs. TTPs, leveraging tactical threat intelligence for strategic decision making, and creating an adversary detection pipeline for various teams. This talk provides actionable information that people can implement in their organization TODAY!

Winning Everyday at Threat Intel is not an easy thing to do! There are many moving parts and departments that the threat intel team interacts with in order to meet the intelligence requirements. Regardless of your relationship to threat intel, you will walk away with information and ideas that you can put to use in your company! You’ll learn about adversary detection pipelines, TTPs vs. attribution, easy wins for actionable intelligence that you can give to various teams, how to go about engaging other teams that could benefit from tactical threat intelligence for decision making purposes, and more!

Speakers

Dr. Xena Olsen

CTI Professional, Fortune 100 Company

Dr. Xena Olsen is a cybersecurity professional focused on cyber threat intelligence at a Fortune 100 company. She enjoys discussing all things cyber threat intelligence and can be found in various threat intelligence sharing groups, such as Curated Intel. She is a SANS Women’s Academy... Read More →

Saturday October 12, 2019 11:15am - 12:15pm CDT
SEGUIN 4-B AREA 51

Briefing, Blue Team

Audience midlevel
Subject Threat Intelligence
Area Focused Talk

11:15am CDT

SH-1011 - The Hacker Hippocampus: Meet your brain on games

Always on the edge of your seat when it comes to new exploits and tricks.
From bug bounties, CTFs, live hacking events, simulations, and interactive educational modules, they have been proven to stimulate and enforce new tools and knowledge to become stronger red teamers, blue teamers, and purple teamers.

But how did gamification come into play and in infosec?

This interactive talk shares the history of gamification in infosec, how our brains are stimulated by them, and how it’s transforming lives.

Speakers

Chloé Messdaghi

CEO and Founder, Global Secure Partners

For over ten years, Chloé Messdaghi has advised and developed impactful solutions that have driven growth and innovation while transforming security teams to become resilient. Her work has helped businesses unlock opportunities to enhance trust, mitigate risk, and become purpose-driven... Read More →

Saturday October 12, 2019 11:15am - 12:15pm CDT
TEXAS BALLROOM - A/B | Keynote - CISO 600 E Market St, San Antonio, TX Floor 4

Intermediate, Webapps

Audience Beginner

11:15am CDT

Cyber Threat Defender; the collectible card game

Speakers

Dr. Greg White

Director, UTSA/CIAS

Dr. Gregory B. White is the director of the UTSA Center for Infrastructure Assurance and Security. His career has spanned more than three decades in computer and network security, including 30 years in the Air Force and Air Force Reserves. He helped build the nation’s first undergraduate... Read More →

Saturday October 12, 2019 11:15am - 1:00pm CDT
TEXAS BALLROOM - D Hackers Lair 600 E Market St, San Antonio, TX Floor 4

Introduction, Privacy

11:15am CDT

The ABC’s of CTF’s

The ABC’s of CTF’s will teach the terminology used in InfoSec/Cyber Security CTF’s at a high level. This includes the Type of CTF’s and the tools for basic operations.
Goals

Talk terminology Technology, and learning,
Teach how to capture the flag
Capture all the flags!!

Forward
if you have never done or attended a CTF event before, it is ok, stay calm, dig in, hack, and learn. This is the exact process Hackers, Pentesters and Red Temers use to infiltrate, exploit and egress data or conduct offensive security assessments. If this is your first one EVER try and find a team, or work with experienced CTF’ers. If you can't find this its OK. Sit, dig in, hack, abd learn. It is important to keep that mantra in mind.
It is my experience, the InfoSec community is open, and willing to share their knowledge with anyone interested. Social media, and IRL mentors are great ways to connect, learn and find people with similar interests. Always good to learn and teach to keep the flow of knowledge, even if you don’t think what you know has value, i promise you I want to know what you know, come teach me!

Speakers

Joseph Brinkley

WoodWorker, VAwoodworking

The Blind Hacker is an InfoSec enthusiast, Mentor, Coach, Pentester, Hacker and more. He regularly mentors online and though streams and online comminutes. He has frequently volunteers time on workplace development for others and give resume reviews, job advice and coaches people... Read More →

Saturday October 12, 2019 11:15am - 2:00pm CDT
BONHAM 3-B | Bee'ing New 600 E Market St, San Antonio, TX Floor 3

Hands-On, Hacking

1:00pm CDT

HX-3012 PErfidious: Make PE Backdooring Great Again!

PErfidious is a Python3 tool that aims to directly take a benign PE executable and malicious shellcode as input. Next, it transforms the shellcode into individual pieces of independent code that can be connected via jumps and calls and then converts the transformed code back into individual collection of bytes. These collections are then injected into appropriate locations in the .text section of the PE file. After injection, PErfidious performs all the recalculations required to incorporate the changes in the .text section. This makes sure that all the regular traces of code injection are gotten rid of. The only way for the endpoint detection system to verify that the program was injected is to calculate or read the hash/checksum of the PE file and compare it with the has/checksum provided by the original author of the benign application that was injected by us.
Apart from being a tool, PErfidious is also a Python3 library that can be used for inspecting, dissecting and injecting PE files. It extracts every data structure inside a PE file and convert it into an editable class file with appropriately nested subclasses(it even outputs the entire structure in XML so that a user can develop web applications around it). It aims at being a modern and extensible replacement for pefile package and the go-to library for working with anything related to PE32/PE32+/DLL type files.

Speakers

Shreyans Doshi

Malware Research Intern, Cybrary, Inc

Shreyans Devendra Doshi is a Cybersecurity Graduate Student at the University of Maryland, College Park. He has previously worked as a Malware Research Intern at Cybrary Inc., where he started developing PErfidious and researched other techniques that can be used to bypass modern... Read More →

Saturday October 12, 2019 1:00pm - 2:00pm CDT
TEXAS BALLROOM - E Track 3 600 E Market St, San Antonio, TX Floor 4

Advanced, Hacking

Subject Exploits
Area Deep Walk-Through

1:00pm CDT

CS-2024 The Risk Management Hydra and why you need multiple assessments

A risk assessment is a risk assessment is a risk assessment, right? Except that that isn’t really true at all. Organizations face a wide variety of risks every day, and even the most comprehensive risk assessments still typically only address one or more specific type(s) of risk - cyber risk, privacy risk, market risk, customer risk, enterprise risk, etc. This is exactly why it’s crucial for great risk management programs to address all these different components appropriately. Two examples include the business impact analysis (BIA) that guides business continuity planning and disaster recovery (BCP/DR) plan creation efforts, and the data protection impact assessment (DPIA) required for certain types of data processing activities under Article 35 of Regulation (EU) 2016/679 (General Data Protection Regulation [GDPR]).

This talk will walk the audience through the Business Impact Analysis Worksheet published by the Federal Emergency Management Agency (FEMA) and the Sample DPIA Template published by the Information Commissioner’s Office, the independent supervisory authority of the United Kingdom (which will still technically be a European Union member state at the time of this Summit). By taking this hands-on approach, the different information, thought processes, and goals of these two very different types of risk assessment will clearly demonstrate why a great risk management program must evaluate risk from a diverse set of directions.
Notes: It can be difficult for IT departments to get the funding and executive support they need to properly address information security and compliance concerns, especially when so many interventions may sound similar. By using my previous experience as an instructor while working on my PhD in criminal justice (in progress) at Temple University with the knowledge I have about these frameworks from my current position, I can walk people through these templates in a way that is simple but still nuanced, easy to understand, and can be brought back to their leadership to justify the resources required to build out a comprehensive risk management program that is appropriately suited to their organization’s needs. I’m a compliance consultant who designs many of the in-house tools used for Red Lion’s gap assessments with a variety of frameworks (e.g., HIPAA, NIST Cybersecurity Framework, NIST SP 800-171, GDPR, CCPA, PCI DSS). My role is to act as clients’ translator between the “legalese,” audit protocols, and technical controls and plain English explanations of where their program is, where they want it to be, and how to get there.

Speakers

Chelsey Donohoe

R&D Associate/ Operations Specialist, Red Lion LLC

Chelsey Donohoe is a social scientist-turned-compliance consultant who can translate complicated texts (e.g., academic sources, legal texts and regulations, and technical controls and frameworks) into practical, understandable, and actionable results that are easily communicated to... Read More →

Saturday October 12, 2019 1:00pm - 2:00pm CDT
TEXAS BALLROOM - A/B | Keynote - CISO 600 E Market St, San Antonio, TX Floor 4

Compliance, CISO

Audience CISO
Area Focused Talk

1:00pm CDT

CI-2027 The Rise of Foreign Cybersecurity Threats to Smartphones

Learn about cybersecurity threats posed by Great Power Competition from adversarial countries such as China, Russia, Iran, and North Korea.
Learn cybersecurity and privacy threats posed by nation-state Chinese and Russian app developers that need to be addressed by the C-suite and Board, IT, and cybersecurity professionals.
Learn how to mitigate privacy, cybersecurity, and safety threats associated with smartphones, tablet PCs, connected products, IoT/IIoT devices, and PCs supported by the android OS, Apple iOS, and Microsoft Windows OS.
Learn how predatory apps can launch DDoS and Man in the Middle attacks on networks.
Learn best practices and policies associated with smartphones, tablet PCs, connected products, IoT/IIOT devices, PCs, and B.Y.O.D. programs.

Speakers

Rex M. Lee

Advisor, Blackops

Rex M. Lee, Privacy, Cyber Security, & Intelligence Advisor, My Smart Privacy. He is also an accomplished freelance tech journalist. Mr. Lee has over 35 years of tech and telecom industry experience, which includes enterprise platform and software development. He is currently a cybersecurity... Read More →

Saturday October 12, 2019 1:00pm - 2:00pm CDT
TEXAS BALLROOM - F Track 2 600 E Market St, San Antonio, TX Floor 4

Intermediate, Mobile

1:00pm CDT

SS-2048 FaaS track to serverless security

Security in FaaS isn’t what you’re used to with actual real servers. With enterprises quickly moving to the cloud and to serverless, there’s a need to address the topic of security.

Karthik Gaekwad shares what he’s learned in the application security sphere that still applies in the modern world of FaaS. Using lambhack, a sample vulnerable serverless application written in Go, Karthik explains how to think about security in the serverless world and details security strategies and pitfalls viewed through a serverless lens. You’ll leave with a solid understanding of how to approach security conversations about serverless applications in the enterprise.

Speakers

Karthik Gaekwad

Internal Developer Relations, Google

Karthik Gaekwad is a veteran engineer who enjoys learning and building software and software products using cloud and container technologies.He has worked in large enterprises and startups, with his career spanning companies like Signal Sciences, StackEngine, Oracle, Verica. He currently... Read More →

Saturday October 12, 2019 1:00pm - 2:00pm CDT
TEXAS BALLROOM - C Track 1 600 E Market St, San Antonio, TX Floor 4

Intermediate, Webapps

Company Oracle
Audience midlevel, Advanced
Subject DevOps
Area Focused Talk

1:00pm CDT

RT-3022 Alternative C2 Frameworks Part 2 - Covenant

In the age of EDR products, Red Teamers need to be able to customize everything on the fly - stock
Command and Control (C2) frameworks and agents quickly become insufficient. Why stop at simple
obfuscation or name changes for customization though? Red Teamers can leverage operational data to
track artifacts created on target, create callback hierarchies, and even map operations to MITRE
ATT&CK. In this workshop, we'll present two C2 frameworks designed with customizability and
collaboration in mind - Apfell and Covenant.
Students will navigate a series of labs to illustrate the advantages and use cases for when to use Apfell
and Covenant over other frameworks while in a simulated Active Directory enterprise environment. They
should expect to be able to install, customize, and leverage these frameworks within operational
environments when they get back to the office.

Workshop Outline (outline of teaching topics)

Intro to Covenant
Overview of lab scenario
Discuss install (but don't do it live)
Walk through lab, highlighting the following:
Changing something on the fly
Customized C2 traffic
Using modules (how it integrates with other tools people might use now, like powershell scripts or other .net programs)
How to add a new module
Lateral movement (and intro to smb c2)
Reporting (artifacts and otherwise)

Speakers

Cody Thomas

n/a, SpecterOps

Ryan Cobb

Consultant, SpecterOps

Saturday October 12, 2019 1:00pm - 3:00pm CDT
BONHAM 3-C | Expert 1 600 E Market St, San Antonio, TX Floor 3

Advanced

Company SpecterOps
Audience Advanced, midlevel
Subject Botnet
Area Focused Talk

1:00pm CDT

ES-2007 Introduction to Embedded Systems Exploitation

IoT isn't going away, so it's our job to break it down and force it to be rebuilt securely. This workshop will introduce people to the basics of embedded system exploitation and take them from 0 to 0day against a SOHO router.
Briefing Format: Workshop (120 minutes)
Audience Level: Intermediate
Description: A team of veteran Vulnerability Researchers will guide participants through the beginning stages of attacking an embedded system, including: disassembly of the target; discovery of hardware interfaces; establishing console communication; protocol discovery; attack vector enumeration; fuzzing; reverse engineering and vulnerability discovery; crafting a PoC. Students won't learn everything there is to know in a workshop, but by the time they leave, they should have the tools they need to cut a path through the jungle and start finding hidden treasures. All attendees will need to have a working understanding of the C programming language, as well as knowledge of assembly language in any architecture (x86, ARM, MIPS, PowerPC, etc.), or they will be lost in the sauce. We will provide targets and a custom Kali Linux ISO with tools included that will be needed for the workshop, including that one Ghidra thing everyone keeps talking about. Students will need to provide their own laptop that they can use to spin up the ISO provided, either via virtualization or booted from media.

Speakers

Martin Hodo

Shellcode Mercenary, Raytheon CODEX

Martin Hodo leads a team of vulnerability researchers at Raytheon CODEX with decades of combined experience sowing seeds of mayhem and causing chaos in embedded systems of all shapes and sizes. They believe the best things in life are seeing an instruction pointer read 0x41414141... Read More →

Saturday October 12, 2019 1:00pm - 3:00pm CDT
TEXAS BALLROOM - D Hackers Lair 600 E Market St, San Antonio, TX Floor 4

Hands-On, Workshop

1:00pm CDT

WA1015 - Web App Pentesting for Bug Hunters

Speakers

Phillip Wylie

Security Solutions Specialist, CYE

Saturday October 12, 2019 1:00pm - 3:00pm CDT
SEGUIN 4-B AREA 51

Introduction, Webapps

1:00pm CDT

WS-1023 - Malware Traffic Analysis Workshop 2

This session is part two of a hands-on workshop presented across two separate sessions. The training provides a foundation for investigating packet captures (pcaps) of malicious network traffic from hosts running Microsoft Windows. Participants will review basic investigation concepts, set up Wireshark, and identify hosts and users in network traffic. The training provides several examples of infection traffic that focuses on mass-distribution commodity malware commonly seen from malicious spam. Pcaps for this workshop will be available online. For the best hands-on experience, participants should have a relatively current version of Wireshark (version 2.6 or better), preferably in a non-Windows environment.

You will be required to bring your own laptop, please install a virtual machine (VM) running Linux is recommended for participants using a Windows-based laptop.

Speakers

Brad Duncan

Threat Intelligence Analyst, Palo Alto Networks - Unit 42

Saturday October 12, 2019 1:00pm - 4:00pm CDT
BONHAM 3-D | Expert 2 600 E Market St, San Antonio, TX Floor 3

Intermediate, Packet Captures

Company Palo Alto Networks
Audience midlevel, Advanced
Subject Malware
Area Reverse Engineering

2:00pm CDT

IR-3017 The ABCs of Containment, Eradication, and Recovery

In the physical realm, a successful hunt ends with either a kill or a capture. While some might enjoy the thrill of the hunt, no one really wants to walk away empty handed. Why do we treat hunting in the digital realm differently? The Containment, Eradication, and Recovery phase of the Incident Response Lifecycle is the digital equivalent of the kill or capture in the physical world. Proper execution of this phase is necessary for a successful hunt, and it’s as easy as remembering your ABCs. You’ve stalked and located your prey, evil has been found, are you prepared to take it out?

Containment, Eradication, and Recovery is a key phase of the NIST Incident Response Lifecycle that often doesn't receive the attention it deserves. Focus is mainly placed on detection and analysis. After an incident, organizations are often left with a report detailing attacker activity with a few remediation suggestions at best, leaving them on their own to figure out what to do next. Any incident involving a determined human adversary (aka "advanced persistent threat") requires simultaneous disruption of three key areas known as "the ABCs" (Accounts, Backdoors, Command and Control). We'll cover a three-phased approached that addresses the ABCs and has been proven successful in use across many of the most high profile incidents over the last decade. Starting with a high level strategic overview of this methodology before getting into the technical details on how to address the ABCs during each phase of this approach using freely available tools.

Speakers

Josh Bryant

Director of Technical Account Management, Tanium

Josh Bryant is currently a Director of Technical Account Management at Tanium where he helps very large enterprise customers gain high speed visibility and control over their endpoints. As one of the Subject Matter Experts on Tanium’s Threat Response module, he helps customers quickly... Read More →

Saturday October 12, 2019 2:00pm - 3:00pm CDT
TEXAS BALLROOM - E Track 3 600 E Market St, San Antonio, TX Floor 4

Incident Response, Hunting

Company Tanium
Audience midlevel, Advanced
Subject incident response
Area Focused Talk

2:00pm CDT

WG-1001 Cyber Wargames CTF

Workshop description:
New to CTFS? Always wanted to try but felt you were to "new"? Join us for Prevade's Cyber Wargame where you can experience the CTF with support and guidance of a community of mentors.Prevade's patent-pending cyber wargaming platform is comprised of ten subject domains, ten levels of difficulty, and more than fifty modules hosted in an on-demand, web-accessible, and dedicated tenancy cloud environment. Accessible from any device with a web browser and Internet connection, Metaform™ provides a unique, immersive, and hands-on experience using innovative gamification concepts and interfaces.

Speakers

Bryan McAninch

Founder & Executive Director, Prevade Cybersecurity

Saturday October 12, 2019 2:00pm - 4:00pm CDT
BONHAM 3-B | Bee'ing New 600 E Market St, San Antonio, TX Floor 3

Hands-On, Blue Team

Audience Beginner
Subject blue team
Area Hands-on

2:15pm CDT

TH-2020 Rastrea2r: Collecting & Hunting for IOCs with Gusto and Style

Rastrea2r: Collecting & Hunting for IOCs with Gusto and Style
Rastrea2r (pronounced "rastreador" - hunter- in Spanish) is a multi-platform open source tool that allows incident responders and SOC analysts to triage suspect systems and hunt for Indicators of Compromise (IOCs) across thousands of endpoints in minutes. To parse and collect artifacts of interest from remote systems (including memory dumps), rastrea2r can execute sysinternal, system commands and other 3rd party tools across multiples endpoints, saving the output to a centralized share for automated or manual analysis. By using a client/server RESTful API, rastrea2r can also hunt for IOCs on disk and memory across multiple systems using YARA rules. As a command line tool, rastrea2r can easily integrate with AV consoles and SOAR tools, allowing incident responders and SOC analysts to collect forensics evidence and hunt for IOCs without the need for an additional agent, with 'gusto' and style!

Source Code: https://github.com/rastrea2r/rastrea2r
Presentation: https://github.com/rastrea2r/rastrea2r/blob/master/presentations/BH%20Arsenal%20rastrea2r%202018.pdf

Speakers

Sudheendra Bhat

Security Architect, McAfee LLC

Sudheendra (Sudhi) Bhat is an Information Security Professional, currently holds the role of Cloud Security Architect in Security Operations Group at McAfee. Sudhi has been developing software for the last 12+ years and has worked for a variety of Software Corporations ranging from... Read More →

Saturday October 12, 2019 2:15pm - 3:15pm CDT
TEXAS BALLROOM - C Track 1 600 E Market St, San Antonio, TX Floor 4

Briefing, Hunting

Company McAfee
Audience midlevel
Subject blue team
Area Focused Talk

2:15pm CDT

CO-1009 How to Translate Tech Trends to CISO strategy

How to translate tech trends to CISO strategy & ops

Today's technology industry swims in a number of intersecting trends - digital transformation, vendor consolidation, automation, intelligence, to name a few - all drowning in scary exabytes of data; the purpose of this session will be to cover the big trends, how they intersect, what to pay attention to, and how to customize an analysis framework to your organization - so you can decide what to look at, and what to ignore; real organizations have practical concerns like security program planning, SOC management and talent management; on top of the day to day pressure that is cyber security; the question is how to look ahead and plan for which trends matter and how to practically integrate them into your strategy and operations to reap the benefits.

Speakers

Jill Orhun

VP, DEVO

Jill Orhun, VP of Strategy & Operations at Devo, began working in technology about 20 years ago; first writing HTML web pages for scientific web sites, then developing early web applications (Filemaker pro years old); her career includes over 10 years in management and technology... Read More →

Saturday October 12, 2019 2:15pm - 3:15pm CDT
TEXAS BALLROOM - A/B | Keynote - CISO 600 E Market St, San Antonio, TX Floor 4

Intermediate, CISO

Company DEVO
Audience midlevel, CISO
Subject Digital Transformation
Area Focused Talk

2:15pm CDT

RT-1050 Calishing: A Red Team Approach to Phishing Google Calendar

On Halloween, October 31, 2018, 2 Black Hills Security Researchers, Beau Bullock and Michael Felch disclosed, step-by-step to Google how anyone with a gmail account could add an event, as "accepted" to any Google Calendar via the Google Calendar API. Google called it a feature. Why, a year later is this not fixed? This talk will demonstrate how this "calishing" attack can be utilized in a Red Team operation where the target organization uses G-Suite. I will demonstrate this by leveraging an open source python tool that I have developed, G-Calisher, based on Beau Bullock's and Michael Felch's PowerShell module "Invoke-InjectGEventAPI" from their MailSniper tool. I will lead the audience through the entire kill chain from recon (How to determine if an organization is using G-suite for its email) through Command and Control. I will also discuss how the organization can stop this attack.
Briefing Format: Briefing (~45-60 minutes)
Audience Level: Beginner
Description: On Halloween, October 31, 2018, 2 Black Hills Security Researchers, Beau Bullock and Michael Felch disclosed, step-by-step to Google how anyone with a gmail account could add an event, as "accepted" to any Google Calendar via the Google Calendar API. Google called it a feature. Why, a year later is this not fixed? This talk will demonstrate how this "calishing" attack can be utilized in a Red Team operation where the target organization uses G-Suite. I will demonstrate this by leveraging an open source python tool that I have developed, G-Calisher, based on Beau Bullock's and Michael Felch's PowerShell module "Invoke-InjectGEventAPI" from their MailSniper tool. I will lead the audience through the entire kill chain from recon (How to determine if an organization is using G-suite for its email) through Command and Control. I will also discuss how the organization can stop this attack.

Speakers

Antonio Piazza

Offensive Security Engineer, Box, Inc

Antonio Piazza is an Offensive Security Engineer on the Box Red Team. Following his stint as a US Army Human Intelligence Collector he worked as a Defense contractor/operator on an NSA Red Team so he is intimately familiar with spies, hacking, and everything nerdy. Antonio is passionate... Read More →

Saturday October 12, 2019 2:15pm - 3:15pm CDT
TEXAS BALLROOM - F Track 2 600 E Market St, San Antonio, TX Floor 4

Introduction, Red Team

3:30pm CDT

CS-1118 Everyone is an investor: A VC’s perspective on how to invest your time with security startups

Speaking from a point of authority, Will is involved with 4iQ, Appthority, Attivo Networks, Bayshore Networks, Bishop Fox, ID Experts, IronNet Cybersecurity, LoginRadius, Remediant, ReversingLabs, Uptycs and a stealth company. He is a board member/observer at 4iQ, Attivo Networks, Bayshore Networks, LoginRadius, Remediant, Uptycs and a stealth company.

Speakers

Will Lin

Partner & Co-Founder, ForgePoint Capital

Will is a Partner and a Co-Founder at ForgePoint Capital. He has been an avid technology enthusiast for decades: building his first computer in elementary school and starting online businesses while completing his bachelor’s degree from the University of California, Berkeley. He... Read More →

Saturday October 12, 2019 3:30pm - 4:30pm CDT
TEXAS BALLROOM - A/B | Keynote - CISO 600 E Market St, San Antonio, TX Floor 4

Briefing, Business

Company Forge Point Capital
Audience midlevel, CISO
Subject Business
Area Focused Talk

3:30pm CDT

RT-3015 COModo - From Sandbox to SYSTEM

Its 2019, Application Containment is all the rage and various vendors implement it in different ways, but do they always do it correctly? You probably wouldn't be reading this if they did. Come join me as I walk through 5 CVEs I discovered this year affecting Comodo Antivirus and their Containment technology. This talk explain how we abuse COM, Signed Binary bypasses, LPC/ALPC, and chaining of various vulns to successfully escape the Comodo Sandbox Container and Privilege Escalate ourselves to SYSTEM.

Speakers

David Wells

Sr. Research Engineer, Tenable

David Wells is a former Malware Reverse Engineer with strong emphasis on Windows Internals. David currently works on Tenable’s Zero Day Research team, uncovering new 0-day vulnerabilities in targets ranging from routers to well known applications and Operating Systems.

Saturday October 12, 2019 3:30pm - 4:30pm CDT
TEXAS BALLROOM - F Track 2 600 E Market St, San Antonio, TX Floor 4

Containers, Hacking

3:30pm CDT

IT-2017 Next-gen IoT botnets - leveraging cloud implementations for shells

Traditional IoT botnets operate pretty much like shooting fish in a barrel. With an elephant gun. This "space", however, is getting crowded and botnet masters will start looking for alternatives. This talk will show one of the possible futures - leveraging cloud platforms to mass hack hundreds of thousands of devices. We'll start with a quick 'n dirty crash course for those just getting started with IoT hacking, a brief glimpse into the current status of IoT botnets and get down to business with showing our research on a few popular IoTs with demos for each finding.

Speakers

Alex Jay Balan

Chief Security Researcher, Bitdefender

Alex "Jay" Balan is the Chief Security Researcher and Spokesperson for Bitdefender. His career is focused on Information Security, Innovation and Product Strategy, fields in which he has so far accumulated over 15 years of experience. He drove the vision for Bitdefender's UNIX-based... Read More →

Saturday October 12, 2019 3:30pm - 4:30pm CDT
BONHAM 3-E | Expert 3 600 E Market St, San Antonio, TX Floor 3

Intermediate, IoT Emedded Devices

Company BitDefender
Audience midlevel
Subject Botnet

3:30pm CDT

RT-2018 REST in Peace: Abusing GraphQL to Attack Underlying Infrastructure

GraphQL is a query language for APIs set to replace RESTful architecture. The use of this technology has achieved rapid adoption and is now leveraged by companies such as GitHub, Credit Karma, and PayPal. Despite its popularity, this new approach to building APIs can leave organizations at risk. While it solves real-world problems, proper implementation is left up to developers who often don't fully understand how to secure their API. Security best practices are easily overlooked, and rushed development can leave cracks in the armor. These issues create a new attack surface for us to explore as well as new ways to exploit underlying infrastructure and code. From Queries and Mutations to Types and Fields, properly attacking a target requires that you understand it. We will learn enough about GraphQL to be dangerous. Demonstrate how to use the technology’s intricacies against itself while taking advantage of implementation errors and misconfigurations. Examine GraphQL specific attacks as well as tried and true techniques adapted to fit into the GraphQL context. Then walk through how to carry out these attacks efficiently and effectively.

Speakers

Matt Szymanski

OffSec Engineering Manager, n/a

Matt Szymanski is a Senior Security Engineer specializing in Offensive Application Security. Passionate about AppSec, he leverages over a decade of experience as a programmer to discover and help remediate vulnerabilities. He has developed and taught secure coding workshops, mentored... Read More →

Saturday October 12, 2019 3:30pm - 4:30pm CDT
TEXAS BALLROOM - E Track 3 600 E Market St, San Antonio, TX Floor 4

Intermediate, Exploits

Audience midlevel
Subject AppSec
Area Deep Walk-Through

3:30pm CDT

RT-2021 Today’s red team isn’t enough

Today’s red team isn’t enough. Because we want to move our defense and understanding beyond a detection-based approach which has repeatedly been demonstrated to fail. How do we emulate an adversary? We will go through multiple considerations of the entire red team lifecycle including walking through open source toolsets. We will talk through in detail specific host and network activities for emulation. And, we will conclude with how we can work on these activities towards a purple team approach.

Speakers

Daniel LaVoie

Vice President, Operations, Scythe inc

Dan is SCYTHE's VP of Operations, where he leads the facilitation of sales, partnerships, alliances, and customer success departments. Prior to SCYTHE, Dan designed and managed the development and delivery of enterprise-class automated malware analysis and file triage capabilities... Read More →

Saturday October 12, 2019 3:30pm - 4:30pm CDT
TEXAS BALLROOM - C Track 1 600 E Market St, San Antonio, TX Floor 4

Intermediate, Red Team

3:30pm CDT

TH-1015 Finding the Rogue Node

This presentation is a low-medium level technical break down on how to find a rouge device inside a vast computer network with open source tools. This not only shows how to use these tools but equips the attendee on what tools for a specific incident. This presentation further covers the difference between "traditional forensics" and Incident Response. At the end of this presentation the attended should understand what tools during a hard drive forensic investigation, memory forensic investigation and a network forensic investigation.

Description: Ever wanted to know the difference between IR and traditional digital forensics? Let me guess, you have no budget but you need to defend your network! Well from this presentation you will not on learn how to defend if for free, but learn the methodology of how an attacker moves and where they hide.

Speakers

Donovan Farrow

Alias Forensics

Saturday October 12, 2019 3:30pm - 4:30pm CDT
BONHAM 3-C | Expert 1 600 E Market St, San Antonio, TX Floor 3

Introduction, Blue Team

4:00pm CDT

TI-1044 Threat Intelligence: How to Focus Fire on the Bad Guys

As a blue teamer or threat hunter, how many times have you been told to go “find evil”? How many times have you been expected to search for every adversary tactic until you MAYBE find the bad guy? NO MORE! This talk will examine what threat intelligence is and how it can be used to better inform defenders on prioritizing which bad guys to look for first.
Now when most people hear “threat intelligence” they have the same reaction as to hearing “blockchain”, “artificial intelligence”, or “synergistic management solutions”. It’s unfortunately true that threat intelligence has become a buzzword in the cyber security field. So how do we turn this buzzword into something that can be put into practice? Lucky for you, this very question will be answered here! You will see the process of discovering which specific adversaries are targeting your organization, all the way down to finding the tactics, techniques, and procedures the bad guys use to steal your data. Finally, we will close with a scenario-based story time, walking you through an example of how this threat intelligence process can be used in your organization’s regular hunt operations.

Speakers

Kyle Hubert

Cyberspace Operator, USAF

Kyle is a Network Analyst and Blue Team Lead for the USAF. Recently he has focused on how to improve the use of cyber threat intelligence, specifically looking to increase the effectiveness of smaller/newer threat hunter teams. Some of his other interests include IoT hacking, ICS... Read More →

Saturday October 12, 2019 4:00pm - 5:00pm CDT
BONHAM 3-B | Bee'ing New 600 E Market St, San Antonio, TX Floor 3

Briefing, Blue Team

Audience midlevel
Subject Threat Intelligence
Area Focused Talk

5:00pm CDT

Closing Ceremony

Closing Ceremony
Awards
Annoucements

Saturday October 12, 2019 5:00pm - 6:00pm CDT
TEXAS BALLROOM - A/B | Keynote - CISO 600 E Market St, San Antonio, TX Floor 4

Introduction