WELCOME TO THE TEXAS CYBER SUMMIT
Thursday, October 10
 

9:15am CDT

Opening Ceremony

Opening Ceremony, Special Guest - Deidre Diamond

Speakers

Deidre Diamond

CEO, Cyber Security Network
Talent and Technology Veteran, Deidre Diamond, Founder and CEO of CyberSN, created the largest cybersecurity talent acquisition service and technology firm in the U.S. Deidre's vision is to remove the pain from job searching and matching for cybersecurity professionals. This vision...


Thursday October 10, 2019 9:15am - 9:45am CDT
TEXAS BALLROOM - A/B | Keynote - CISO 600 E Market St, San Antonio, TX Floor 4

11:15am CDT

TH-2025 Hunting: How to start, go down a rabbit hole, and get out without relying on your tools

Hunting is one of the hottest buzzwords when it comes to cyber security - especially in defensive oriented realms. As a result, there are hundreds of tools, articles, and books on how to hunt. Yet, if it was that simple - why are we still having issues doing this successfully - even if we ignore advanced threat actors? There are so many tools that may be able to report that something is happening on a network, but the blue teams themselves are unable to interpret these results in a timely manner, which potentially results in missing something critical.

Therefore, rather than introduce a new tool, this talk will focus on how people can improve themselves to be better hunters, and how to better structure teams to also hunt more effectively. The tools that blue teams use cannot always be controlled - as tools are restricted by policy, money, and availability. Instead, what we can control is how we operate, how we educate ourselves, and overall how we function during a hunt. In this talk, I’ll focus on how to improve yourself with technical skills and soft skills. However, it is impossible for just one person to always find the bad guy. As a result, I will also concentrate on how team structure, dynamics, and other skills are also important and how to improve these.

This talk is aimed at beginners and intermediate blue teams who are looking to further improve themselves and how they function, so that we can work on being effective.

Speakers

Dr Chelsea Hicks

Computer Scientist, DoD
Dr. Chelsea Hicks is a computer scientist for the Department of Defense. Dr. Hicks brings her background in cybersecurity via competitions, participating in the local infosec community, academic career, and professional career to provide insights when possible at conventions such...


Thursday October 10, 2019 11:15am - 12:00pm CDT
TEXAS BALLROOM - F Track 2 600 E Market St, San Antonio, TX Floor 4

3:30pm CDT

MR-1011 Crawl, Monitor, Walk, Detect

As organizations combat threats across numerous vectors, it's forced defenders to rethink our tactics. Yes, attacks are crafty and slip past firewalls, SIEMs, and DLP solutions, so why aren't we taking a more creative approach? We typically focus on incident response to drive detection and lessons learned to adjust monitoring. Let's discuss how to leverage incident response to foster successful threat hunting engagements. This session will demonstrate examples of tracing attacker movements, edging attackers out of your network, and creating countermeasures. The session will focus on important strategies, tools, and techniques to consider for your hunting engagements. We will highlight realities of the relationship between incident response and threat hunting, as well as provide real world examples of identifying attacker methodologies.

Speakers

O'Shea Bowens

Founder & CEO, Null Hat Security
O'Shea Bowens is the founder and CEO of Null Hat Security. He enjoys solving problems and establishing programs in the areas of incident response, security operations, let's just say he's blue team for life. He founded Null Hat Security as he believes in personalized training with...


Thursday October 10, 2019 3:30pm - 4:30pm CDT
TEXAS BALLROOM - C Track 1 600 E Market St, San Antonio, TX Floor 4

5:00pm CDT

TX-1001 From Zero to Hero - Dropout to Engineer

Speakers

Allie Barnes

Ops Engineer, Infocyte


Thursday October 10, 2019 5:00pm - 6:00pm CDT
BONHAM 3-B | Bee'ing New 600 E Market St, San Antonio, TX Floor 3
 
Friday, October 11
 

11:00am CDT

98 - Overcoming Workforce Retention and Recruitment Challenges

Talented professionals form the critical infrastructure of any successful business, but how do we ensure successful retention and recruitment in an industry facing talent shortage? The insights shared in this session offer methods to promote a flowing talent acquisition pipeline, supported by the findings from two recent industry surveys, which examine how security professionals search for jobs and the impact of supporting community activities.

In order to recruit tech talent, you first need to know where they search for jobs. However, our cyber security job search survey found discrepancies in the ways that job seekers search for jobs and how recruiters primarily search for candidates. In this session I will discuss the top four reported job search methods to help employers guarantee their positions are visible and accessible.

I will also discuss how to attract and retain talent by tapping into the leading motivators that draw job seekers to a company, spanning compensation, good working environments, career mapping opportunities, support of work life balance, a more transparent hiring process, and remote work.

Shrewd employers also value volunteerism, as they understand that having employees operate in the community is a positive reflection on their company, helping to support their employer brand and recruitment strategy. I will urge employers to re-examine their support of volunteer activities, as over 97% of survey respondents reported they would move to a company that supported their volunteerism.

As we assess the ways that candidates approach their job search, employers will gain valuable insights to increase visibility and interest. By leveraging these findings and supporting community involvement, employers stand to build their employer brand and sustain lucrative retention and recruitment.
Notes: In an industry facing talent shortage, it is more vital than ever that employers utilize the right strategies to locate and recruit prospective candidates. Having personally surveyed the cyber security community and also having coached thousands of job seekers and employers to achieve the mutual goal of employment, I am excited to further share my best practices with Texas Cyber Summit attendees.

Speakers

Kathleen Smith

Community Outreach Officer, ClearedJobs.Net
Moderator is Outreach Officer for a veteran-owned job board and job fair company focused on the security cleared community. She has coached thousands of job seekers and employers to achieve the mutual goal of employment. She has embarked on a journey to find out why cybersecurity...


Friday October 11, 2019 11:00am - 12:00pm CDT
BONHAM 3-X Common Area Stage *End of Hall 600 E Market St, San Antonio, TX Floor 3

11:00am CDT

BN-1014 - The Pentester Blueprint: A Guide to Becoming a Pentester

Description: Pentesting, or ethical hacking as it is more commonly known, has become a much sought-after job by people in IT, InfoSec, or those just trying to get into the industry. In this presentation, Phillip Wylie shares the blueprint for becoming a pentester. The presentation combines Phillip’s experience as a pentester and ethical hacking instructor to give attendees a guide on how to pursue a career as a pentester. Phillip shares what has worked for his students and people that he has mentored over his years as a pentester. This presentation covers the knowledge and skills needed to become a pentester as well as the steps to achieve them.
There is another class at 11:00am PT-1012 if this one fills up.

Speakers

Phillip Wylie

Security Solutions Specialist, CYE
Phillip is a passionate offensive security professional with over two decades of information technology and cybersecurity experience. His experience includes penetration, red teaming, and application security. When Phillip is not hacking, he educates others about pentesting and web...


Friday October 11, 2019 11:00am - 12:15pm CDT
TEXAS BALLROOM - C Track 1 600 E Market St, San Antonio, TX Floor 4

11:15am CDT

BN-1001 Introduction to Information Security

High-level introduction to Information Security and its broad base of roles. This course will discuss ways to look at Information Security for those who want to get into the industry or options for those looking to make a change from one type of role into another. We will be talking about how in many organizations there are many roles that touch on Information Security that may not be labeled as such, as well as how to use prior experience outside of Information Security to move into an Information Security role.

Speakers

Lee 'MadHat' Heath

Security Mercenary, Unspecific
Lee Heath is a prolific Information Security Mercenary with almost 25 years of industry experience. Lee is an information technology and security subject-matter expert in cardholder data, network, and general information security.

Lee has worked closely with the Payment Card...


Friday October 11, 2019 11:15am - 12:00pm CDT
BONHAM 3-B | Bee'ing New 600 E Market St, San Antonio, TX Floor 3

11:15am CDT

DHS-1000 The Mission of the Cybersecurity and Infrastructure Security Agency

A discussion of the mission of the Cybersecurity and Infrastructure Security Agency and an overview of the no-cost cybersecurity resources available in support of the protection and security of the Nation’s Critical Infrastructure.

Speakers

George Reeves

Cybersecurity Advisor, CISA
George Reeves is a Cybersecurity Advisor with the U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency. Mr. Reeves works to foster collaboration and coordination on cyber preparedness, risk mitigation and incident response, and to provide cyber...


Friday October 11, 2019 11:15am - 12:00pm CDT
BONHAM 3-C | Expert 1 600 E Market St, San Antonio, TX Floor 3

1:00pm CDT

RE-1080 Intro to Reverse Engineering with Ghidra: Taming the Dragon

The advent of Ghidra has lowered the bar in terms of price and skill gap for getting involved in software reverse engineering. In this workshop we shall go through getting spun up on Ghidra and utilizing it to reverse binaries and automate different portions of our analysis.
 
Outline:
1. What is Ghidra?
   a. Software Reverse Engineering Tool with version management / decompiles
   b. Talk about github/issue tracking
2. What is Reverse Engineering?
   a. Compiled code -> ASM
   b. Figuring out how binaries work
      i. Malware, CTFs, etc
3. Introduction to reversing topics
   a. Disassembling
   b. Decompilation
   c. IL / AST
4. Server Collaboration
   a. Use cases
5. Useful features
   a. Themes and configurations
   b. Handling XREFs / Function Call Trees
   c. Navigating the Symbol Tree
6. Useful Plugins / Github Repos
7. Getting Started with Ghidra
   a. Building your first project
   b. Importing Binaries / Libraries
   c. Structuring your project
8. Patching Binaries
9. Reversing Binaries
   a. Guided reversing of several binaries
10. Introduction to P-Code
11. Scripting
   a. Automating analysis of binaries using p-code (python/java)
12. Takeaways
13. Conclusion / Questions

Requirements: Attendees should bring their own laptops and have a Linux distro installed in a virtual machine or on the host. Ghidra should be downloaded and unzipped prior to the class from https://ghidra-sre.org/. Currently the newest version is 9.0.4; however, newer versions will be acceptable and supported.

A basic understanding of C, x86 ASM, Java, and Python is recommended. An installation of GDB, strace, and ltrace is also recommended.


Speakers

Christopher Doege

Cyber Software engineer, Raytheon
Christopher Doege is a Cyber Software engineer at Raytheon. In his free time he likes to CTF with Nasa Rejects and reverse engineer malware. Chris graduated from The University of Texas at San Antonio with a BS in Computer Science and is a local to the San Antonio area.


Friday October 11, 2019 1:00pm - 3:00pm CDT
BONHAM 3-E | Expert 3 600 E Market St, San Antonio, TX Floor 3

2:15pm CDT

BT-1050 Shining a Light on Shadow IT in the Cloud

We all know about Shadow IT and the risks and dangers that come with that, but what about Shadow IT in the Cloud – that’s a scary thought. Now you have data in the hands of others and NO ONE KNOWS about it, which means there aren't any governance or controls around it either. How do we lock down data in the cloud and ensure we have everything in place to avoid data loss or breach while also giving the business and other teams the tools they need to do their work? How do we block these ‘scary’ cloud services like file stores, pdf merger sites, code beautifiers, etc. when cloud is quickly becoming the new normal? Or infrastructure in the public cloud that isn't secured, inventoried, patched, logged, or monitored? How do you know that your business users don't have a public S3 bucket for collaboration?

Shadow IT refers to technology that is procured outside of official channels, processes and/or procedures meaning they aren’t vetted or managed by the IT and Security organizations. These types of procurements can put a company at great risk. We’ve seen the number of cases related to this steadily grow in many companies. With many easy-to-use solutions out there and with Cloud becoming the next big thing, Shadow IT in the Cloud has become one of our top security risks.

Shadow IT Happens: Workers are using a diversity of applications at work, from note-taking applications to file sharing applications. According to a recent Stratecast survey, 80% of workers admit to using SaaS applications at work, in many cases without IT approval.

Security, The “NO” people
So why do we have so many users turning to these cloud solutions? No one likes processes that slow down their work, and with security being the infamous “No” group, they’ll do whatever they can to avoid having to obtain approvals they may not get. What these users don’t realize is that security professionals aren’t trying to stop you from doing what you’re doing; we’re just making sure that the security of the company is priority number one. Yes, we want to make sure that you can go along with your day-to-day work and even plug in some great new tools that make that work even easier, but it is our responsibility to ensure the security of our data and the highly sensitive data that our members trust us with every day.

With that fear of rejection, users will turn to the vast amount of consumer applications available in the cloud. File sharing apps, social media, data stores, collaboration tools – these users just want easier, more efficient ways to get their work done. What they may not realize is how available this information can be once it’s put out there. “But I put this information in the Cloud, so it must be secure, right?” Many don’t realize the risks involved with these tools, and without any IT or Security knowledge of these tools being used, there’s no way to monitor, track or respond to any type of malicious behavior or data incidents. The fault doesn’t lie solely on our users; as security professionals, we need to be more open to the needs of our users. Instead of always saying “no”, we can say “maybe, but let’s see how we can secure it”. If users aren’t afraid to ask for the approval, the amount of Shadow IT begins to decrease.

Fixing the issue
As we work to explore these emerging technologies and create opportunities that users want/need, what do we do about the technologies being used today without us knowing about it? There are many ways to approach this, but here’s some insight as to how we’ve tackled the issue. 

First, there’s the approach that blends reviewing corporate card charges and purchase order billing and comparing those against contracts with cloud services/companies. Then blending that against DLP tools to find data being sent out/stored to ‘free’ cloud services that we wouldn’t necessarily see in a billing review. Many times, we see purchases and data sent out to cloud services we’ve never even heard of but it opens the door to more research and findings which leads to locking down potential risks. 

Second, we can leverage CASBs currently in place to review any cloud service accesses that employees have, block any access that hasn’t been reviewed and send the user to a bump page redirecting them to our cloud governance process. Being able to monitor user behavior and alert on any unusual behavior shines a light on the types of actions being done by our users every day and having this information helps us see when something out of the ordinary takes place.

Finally, with this type of information in place and always learning more about Shadow IT in the Cloud, we can utilize auto-remediation tools to lock down known malicious sites or sites that have not been fully analyzed. These types of tools are always learning and growing, with less and less human intervention needed, tracking user behavior, malware, malicious sites, etc. and taking action. Tools like these are what help us sleep at night. 

Infrastructure and Platform as a Service present their own challenges in terms of security controls. This presentation will also offer possible technical controls (preventive and detective) to address this risk.

What’s next?
The National Institute of Standards and Technology Cybersecurity Framework (NIST CSF) outlines best practices and processes for security professionals to use to manage risk in their systems. The five pillars of the framework are Identify, Protect, Detect, Respond and Recover. Today, cloud technologies lean toward the last 3 of said pillars, but our goals are to get our cloud technologies aligned with Identify and Protect. As cyber security professionals, we will be proactive rather than responsive.

OUTCOMES/CONCLUSION
Not everyone will be happy when you tell them they can’t do something they’ve become accustomed to or that there are new approvals they’ll need to obtain first. Not to mention all the work and resources needed for mitigation and remediation of any data incidents but it must be done. We need to work together with our users to find the best tools available that we can still manage and monitor. Our goal is to allow users to use the cloud services available to them, securely.

Notes: Co-presenters, Jessica Hazelrigg and Marisa Dyer, have extensive experience standing up and running a comprehensive cloud security program at USAA. Jessica is the director responsible for creating the cloud security team at the beginning of the cloud journey. Marisa joined the team and is a pivotal member of our remediation and enablement workstreams, working in AWS, Azure, and GCP.


Speakers

Jessica Hazelrigg

Director, Platform Threat Defense, USAA
Jessica is Director over the Platform Threat Defense team, whose purpose is to enable the security and availability of USAA’s platforms and endpoints to include web security, email gateways, antivirus, PKI and cloud technologies. She is also an Information Security Instructor with...

Marisa Dyer

Security Engineer, USAA
Marisa is currently a Cloud Security Engineer serving on the Platform Threat Defense team focusing on managing and securing accounts and resources within the different cloud technologies at USAA to include AWS, Google Cloud and Microsoft Azure. Her previous roles at USAA include Software...


Friday October 11, 2019 2:15pm - 3:00pm CDT
TEXAS BALLROOM - C Track 1 600 E Market St, San Antonio, TX Floor 4

3:15pm CDT

CO-1115 Cybersecurity in Today's Cyber Threat Environment.

Cybersecurity in Today's Cyber Threat Environment.

Speakers

Aaron Drake

Command, National Security Agency
Col Aaron Drake assumed command of the 659th Intelligence, Surveillance and Reconnaissance Group. The 659th ISR Group, within the 70th ISR Wing at 25th Air Force, conducts global integrated cyber ISR operations between Air Force, joint and intelligence community partners to detect, characterize and mitigate cyb...


Friday October 11, 2019 3:15pm - 4:15pm CDT
BONHAM 3-E | Expert 3 600 E Market St, San Antonio, TX Floor 3

4:00pm CDT

CS-2013 DNS over HTTPS

Due to pervasive unpreparedness of users, applications, operating systems, and protocols, DNS has become an essential control point for “cyber” security. Most networks have a mix of legacy, modern, safe, and unsafe devices attached to them, and this condition won’t change as quickly as the Zerocorp initiative might suggest. However, DNS is also an important control point for authoritarian regimes, and so “bypass” innovation is continuous, rapid, and ambitious. Special attention will be paid to the new "DNS over HTTPS" or "DoH" protocol now being strongly pushed by Mozilla, Cloudflare, and others. In addition, a brief mention will be made of Resolverless DNS.

Speakers

Dr. Paul Vixie

CEO / Chairman, Farsight Security
Dr. Paul Vixie is an internet pioneer. Currently, he is the Chairman, CEO and cofounder of award-winning Farsight Security, Inc. Dr. Vixie was inducted into the internet Hall of Fame in 2014 for work related to DNS and anti-spam technologies. He is the author of open source internet...


Friday October 11, 2019 4:00pm - 5:00pm CDT
TEXAS BALLROOM - A/B | Keynote - CISO 600 E Market St, San Antonio, TX Floor 4
  Introduction, Domain Name Services

4:00pm CDT

TM-2002 Threat Modelling: Creating a feedback Model in agile environment

Threat Modeling is an art of foreseeing the threats associated with an application and getting them fixed in a very early stage. There have been various Threat Modeling frameworks developed over the course of years. Most companies follow their own version of Threat Modeling. However, these frameworks lack one of the most crucial steps in order to produce the maximum result of Threat Modeling. The aim of this presentation is to provide you with the last missing piece of the puzzle. We help you complete the full circle of Threat Modeling and create a feedback model to create overall Threat Landscape for any organization.

We will talk about how and when you should upgrade your threat modeling process in order to accommodate newly introduced Threat Vectors in the market. We will also talk about building a security mindset that would help in a successful Threat Model, with a case study.


Friday October 11, 2019 4:00pm - 5:00pm CDT
TEXAS BALLROOM - C Track 1 600 E Market St, San Antonio, TX Floor 4

4:00pm CDT

WA-1005 - Intro to Web App Pentesting

Speakers

Phillip Wylie

Security Solutions Specialist, CYE
Phillip is a passionate offensive security professional with over two decades of information technology and cybersecurity experience. His experience includes penetration, red teaming, and application security. When Phillip is not hacking, he educates others about pentesting and web...


Friday October 11, 2019 4:00pm - 6:00pm CDT
BONHAM 3-B | Bee'ing New 600 E Market St, San Antonio, TX Floor 3

5:15pm CDT

RT-1053 Predictive Analytics using Aggregated Threat Intelligence

Talk Details:

In this talk I'll discuss how DHS is leveraging classified threat intelligence to monitor, track, and hunt foreign intelligence activity in US Based Critical Infrastructure. We'll also discuss how you can use the same techniques to label threat intelligence and begin to perform predictive analytics based on aggregated threat intelligence and historical metrics.

We'll cover:


  • Organizing threat intelligence into meaningful and useful data
  • Ingesting historical metrics into structured databases to provide calculable metrics
  • Processing databases through supervised learning data science algorithms to uncover patterns
  • Analyzing uncovered patterns to develop cautionary predictions around industry based attack patterns
  • How to pair observed threat activity with MITRE ATT&CK TTPs to research potential attribution

This presentation is born out of the DHS ECS (Enhanced Cybersecurity Services) program that is designed to quickly bring actionable classified threat intelligence to all US Based Critical Infrastructure.

Details about the DHS ECS program can be found here.

Speakers

David Evenden

Exploitation Analyst, CenturyLink
David Evenden is an experienced offensive security operator & analyst with over a decade of experience working in the Intelligence Community where he learned Persian Farsi, worked at NSA Red Team and was a member of an elite international team operating in conjunction with coalition...


Friday October 11, 2019 5:15pm - 6:15pm CDT
TEXAS BALLROOM - C Track 1 600 E Market St, San Antonio, TX Floor 4
 
Saturday, October 12
 

11:15am CDT

BT-2034 Keeping Threat Intelligence in Pace with Continuous Monitoring

Cyber Threat Intelligence is a term that gets thrown around a lot. But what does it look like to integrate it into your continuous monitoring program? What real-world, experience-proven strategies and tactics can an organization adopt to start making intelligence-driven choices? My talk covers what I think are the most appropriate parts of a threat intelligence program to start weaving into your operations depending on the maturity level of your organization. It is not threat intelligence 101, but it will cover fundamental items which an organization can start to use to be ready for a full Threat Intelligence team or engagement with an outside partner.

Description: Threat Intelligence remains elusive and mysterious to many organizations. There is often little in the way of true CTI in many organizations, new and old, aside from subscription feed services. This can lead to both complacency in the sense of “oh we have threat intel” as well as misplaced dissatisfaction with regards to the “threat intel” they think they have and the true benefits it can provide. If you can evangelize and integrate Threat Intelligence as an organization is just getting its continuous monitoring going (i.e. a SOC and all that goes with it) then the growth of the CTI program will always be in step with the organization’s capabilities as opposed to lagging behind it, or worse, outpacing it. The organizations who ask for our help are often understaffed, under-resourced, and begging for help. The suggestions that follow will help maximize their efforts as well as put them in a position to help us help them.


Speakers

Michael Rodriguez

senior consultant, FireEye
Mr. Rodriguez is a Senior Consultant with the Government Security Programs group. In his role he provides security strategy and assessment services to public sector clients. Mr. Rodriguez assists on developing incident response processes and performing Cyber Defense Center transformations...


Saturday October 12, 2019 11:15am - 12:00pm CDT
TEXAS BALLROOM - C Track 1 600 E Market St, San Antonio, TX Floor 4

11:15am CDT

CW-1018 Insider Threats: Stories from outside the cubicle

Talk Details:
My talk will cover: Real vs. Hollywood insider threats. During the talk, I will show instances of insider threats from around the world including two specific cases I have worked over the years where I caught insider threats. We’ll talk about what they took, how they took it and how we were able to catch them. These examples will reinforce my talk with personal experiences. Case No. 1 will be the story of a rogue system administrator who was selling info to acquisition targets. Case No. 2 will review a case where an employee was trying to steal the formula for a manufacturing process and client lists, as well as trying to damage the employer by sending confidential info to employees.

Turn off your mobile phone, put down your tablet and learn about the real-world insider threats causing the greatest harm (not just the big ones that make the 5 o’clock news). How quickly could your organization be breached by malicious insiders? How can your team help find them? Threat hunters are often tasked with looking for attackers’ TTPs. But how can they look for malicious insiders? Please join our special guest, David Balcar, a globally recognized security professional, as he shares his personal, real-world experience of sniffing out insider threats.

Speakers

David Balcar

Carbon Black, Security Strategist
David Balcar is a Security Strategist at Carbon Black. David is a security veteran with over 18 years’ experience in conducting Security Research, Network Penetration testing, Incident Response and Computer Forensics. David is a regular featured speaker at Security Conferences worldwide...


Saturday October 12, 2019 11:15am - 12:00pm CDT
BONHAM 3-D | Expert 2 600 E Market St, San Antonio, TX Floor 3

11:15am CDT

ICS-2010 Holistic ICS Cybersecurity Assessments

The ICS Cyber Risk Assessment is key to establishing a robust Industrial Control System (ICS) cyber security posture. But where does the system owner begin? This session will present a detailed guide for executing risk assessments that will provide system owners with a valuable strategic plan for mitigating security and reliability vulnerabilities.

Speakers

David Grocott

Engineering Manager, Parsons Corporation


Saturday October 12, 2019 11:15am - 12:00pm CDT
TEXAS BALLROOM - E Track 3 600 E Market St, San Antonio, TX Floor 4

11:15am CDT

Cyber Threat Defender; the collectible card game

Speakers

Dr. Greg White

Director, UTSA/CIAS
Dr. Gregory B. White is the director of the UTSA Center for Infrastructure Assurance and Security. His career has spanned more than three decades in computer and network security, including 30 years in the Air Force and Air Force Reserves. He helped build the nation’s first undergraduate...


Saturday October 12, 2019 11:15am - 1:00pm CDT
TEXAS BALLROOM - D Hackers Lair 600 E Market St, San Antonio, TX Floor 4

1:00pm CDT

WA1015 - Web App Pentesting for Bug Hunters

Speakers

Phillip Wylie

Security Solutions Specialist, CYE
Phillip is a passionate offensive security professional with over two decades of information technology and cybersecurity experience. His experience includes penetration, red teaming, and application security. When Phillip is not hacking, he educates others about pentesting and web...


Saturday October 12, 2019 1:00pm - 3:00pm CDT
SEGUIN 4-B AREA 51

2:15pm CDT

RT-1050 Calishing: A Red Team Approach to Phishing Google Calendar

On Halloween, October 31, 2018, 2 Black Hills Security Researchers, Beau Bullock and Michael Felch, disclosed step-by-step to Google how anyone with a Gmail account could add an event, as "accepted", to any Google Calendar via the Google Calendar API. Google called it a feature. Why, a year later, is this not fixed? This talk will demonstrate how this "calishing" attack can be utilized in a Red Team operation where the target organization uses G-Suite. I will demonstrate this by leveraging an open source Python tool that I have developed, G-Calisher, based on Beau Bullock's and Michael Felch's PowerShell module "Invoke-InjectGEventAPI" from their MailSniper tool. I will lead the audience through the entire kill chain from recon (how to determine if an organization is using G-Suite for its email) through Command and Control. I will also discuss how the organization can stop this attack.
Briefing Format: Briefing (~45-60 minutes) 
Audience Level: Beginner 


Speakers

Antonio Piazza

Offensive Security Engineer, Box, Inc
Antonio Piazza is an Offensive Security Engineer on the Box Red Team. Following his stint as a US Army Human Intelligence Collector he worked as a Defense contractor/operator on an NSA Red Team so he is intimately familiar with spies, hacking, and everything nerdy. Antonio is passionate...


Saturday October 12, 2019 2:15pm - 3:15pm CDT
TEXAS BALLROOM - F Track 2 600 E Market St, San Antonio, TX Floor 4

3:30pm CDT

TH-1015 Finding the Rogue Node

This presentation is a low-medium level technical breakdown on how to find a rogue device inside a vast computer network with open source tools. This not only shows how to use these tools but equips the attendee to know what tools to use for a specific incident. This presentation further covers the difference between "traditional forensics" and Incident Response. At the end of this presentation the attendee should understand what tools to use during a hard drive forensic investigation, memory forensic investigation and a network forensic investigation.

Description: Ever wanted to know the difference between IR and traditional digital forensics? Let me guess, you have no budget but you need to defend your network! Well, from this presentation you will not only learn how to defend it for free, but learn the methodology of how an attacker moves and where they hide.


Speakers

Donovan Farrow

Alias Forensics


Saturday October 12, 2019 3:30pm - 4:30pm CDT
BONHAM 3-C | Expert 1 600 E Market St, San Antonio, TX Floor 3

5:00pm CDT

Closing Ceremony

  • Closing Ceremony 
  • Awards
  • Announcements


Saturday October 12, 2019 5:00pm - 6:00pm CDT
TEXAS BALLROOM - A/B | Keynote - CISO 600 E Market St, San Antonio, TX Floor 4
 

