Below are the accepted talk abstracts.
Last Update: 5/7/2022
Title | Speaker | Abstract |
--- | --- | --- |
Online Privacy & Risk Management | Ritu Gill (@OSINTtechniques) | This presentation covers the online privacy mistakes people make, and then I recommend ways to do better. Here is the agenda: - What is OSINT? What is OPSEC? - What is your threat model? - Sharing content - Poor OPSEC - Tips to stay secure - Browser fingerprinting - Useful sites - Data removal |
Strategies of a World-Class CSOC: What’s New? | Carson Zimmerman | Cybersecurity Operations Centers (CSOCs/SOCs) have been around for over twenty years—they are the beating heart of almost every enterprise’s cybersecurity apparatus. Yet SOCs new and old, large and small, continue to face new challenges. Data, tools, processes, expertise, organizational structure, situational awareness, and external support are sources of constant struggle. Eight years have elapsed since the publication of Ten Strategies of a World-Class Cybersecurity Operations Center. In this talk, the author will present what’s new and changed in the recently released second edition, Eleven Strategies of a World-Class Cybersecurity Operations Center, including: - Three new strategies on the role of the SOC as a business enabler: - Understanding the digital landscape - Prospering with a thoughtful metrics program - Communicating and collaborating inside the SOC, with stakeholders, and with the community - Evolved thinking on adversaries and risk: - Illuminating adversaries with threat intelligence - Balancing the need to protect the SOC with the need to partner with constituents - A fourth new strategy: integrating advanced techniques like proactive hunt, exercises, and deception - Integration of technologies not covered in the first edition, including EDR, TIP, UEBA, SOAR, BAS, and non-traditional approaches to SIEM, plus: - Moving the SOC into the cloud and learning how to monitor and defend cloud resources - Shift in focus from network to host + service monitoring and detection - Diversification of SOC operating constructs and tackling tough topics like outsourcing, hiring, and staff retention - Sustaining operations while at the same time infusing the spirit of innovation across the SOC in a way that doesn’t lead to burnout or stagnation |
Cameras, CACs & Clocks: Enterprise IoT Security Sucks - A Story of Two Million Interrogated Devices | Brian Contos (@BrianContos) | Enterprise Internet of Things (IoT) security today is analogous to IT security in the mid 1990s. It was a time when security awareness was limited, countermeasures and best practices weren’t broadly applied, and attackers explored, compromised, controlled, and exfiltrated data from systems with minimal resistance. In short, enterprise IoT security sucks as bad today as that unpatched Windows NT 3.51 server with an RS-232 connected modem that IT forgot about. Working globally with Fortune 500 enterprises and government agencies, we’ve interrogated over two million production IoT devices. Across these two million devices we’ve identified threats and trends, compiled statistics, summarized compelling cases, and evaluated common offenders. We’ve also assembled tactics that organizations can employ to recognize value from their IoT devices while minimizing risk and ensuring that devices that are secure today will stay secure tomorrow. Security issues are compounded by the quantity of IoT devices. Our analysis indicates that most organizations have about five IoT devices per employee. The global IoT market has grown from $100 billion in 2017 to over $1 trillion in 2022. There are over 46 billion connected devices today and 30 billion (65%) of those devices are IoT. We are increasingly dependent on consumer, enterprise, industrial, and military IoT devices for cost reduction, supply chain logistics, productivity gains, security, and everything in between. Despite the criticality of IoT, our security hasn’t kept pace. In the enterprise, we’ve identified that we simply don’t know: - What IoT devices we have - guesses based on legacy asset discovery solutions are consistently off by at least 50% - When our firmware was last updated - in many cases the firmware is end of life and the average IoT firmware age is six years - If our credentials follow organizational policies - passwords that are default, low-quality, don’t have scheduled rotations, and lack centralized management are the norm - How vulnerable our IoT devices are - at least half of the IoT devices we’ve interrogated have known, high to critical level CVEs. While enterprise IoT security currently sucks, it doesn’t have to be that way. By evaluating the security risks and the inherent limitations of IoT, you can leverage tactics that will have a rapid and positive impact on security. Attendee takeaways: - Discover your IoT devices, diagnose their security, and define their limitations - Employ tactics to improve your IoT security and communicate their status to stakeholders - Restate key findings derived from the interrogation of two million production IoT devices |
United in paranoia: If I don’t see it maybe you will | Rebecca (@codexiady), Jessica | Attackers may only need to discover and exploit one vulnerability to gain a foothold in your organization. How do you find it before they do? Threat modeling can be a critical preventative step, but oftentimes it's not set up to bring the collective voice to the table, causing a lot to be missed. In this talk, we’ll introduce you to threat modeling, exemplify why diverse perspectives are a critical input, and showcase how intentional representation can set in motion changes that benefit the security posture of an entire organization. Join two Google blue team security engineers in doing what we love: being paranoid and making people think. |
My data in your signed code | @alexivkinx | Could a signed Windows executable be modified, but still have a valid signature? Everyone told me "no", so I built a set of tools that does exactly that. Let's talk Authenticode, PE/COFF and a trivial Microsoft limitation that allows one to inject data without breaking signatures or triggering Defender and EDR warnings. Then, see what you can do with that "feature". |
Log4J and the Software Supply Chain or: How I Learned to Stop Worrying and Love the BoM | Sid Keene | In recent years, there has been a flurry of talk about securing Software Supply Chains - the interconnected web of software, hardware, and platform dependencies that underpin today’s apps and infrastructure - but what does this look like in practice? How can a variety of stakeholders in SaaS, IT, and Development leverage information such as the Software Bill of Materials (BoM), and what other pieces of the puzzle should they consider? In this presentation, I provide an overview of the key concepts behind Software Supply Chains. I use these key concepts as a framework in a case study of the Apache Log4J vulnerabilities disclosed in late 2021. I finish by discussing best practices and considerations to apply to existing threats, as well as within the Software Development Lifecycle and proactive security processes. |
Hacking Back Scammers | Ryan Dinna (@s0merset7), Jacob Abraham, Joshua Pardhe | The scammer epidemic is ever-present in our connected world and shows no sign of slowing down anytime soon. Our team is currently researching infrastructures commonly used by scammers and creating our own malware to hack in and monitor scammers without their knowledge, allowing us to preemptively warn victims and gather enough intel to report the scammers. In this talk, we'll break down our approach to a project of this scale as students, along with the progress we have made and lessons we've learned. Join us for a dive into the world of scams, malware, and ethical hacking! |
Detection Engineering at MSTIC - Lessons Learned | Pete Bryan (@MSSPete), Ajeet Prakash | One of the biggest challenges for today’s security teams is keeping up with the constantly evolving adversarial techniques of modern attackers. An effective detection engineering framework is the key to tackling these adversaries and a core component of every security operations and security vendor organization. It’s a complex task that requires a blend of research, technical engineering, and an understanding of people and organizations. At the Microsoft Threat Intelligence Center (MSTIC) we conduct detection engineering work for the millions of Microsoft customers across a range of technology solutions including Microsoft Defender for Cloud and Microsoft Sentinel. In this talk we will discuss how MSTIC goes about this challenging detection engineering process, the specific challenges we face (and tackle), and the areas we are improving. This will cover procedural and technical aspects of conducting detection engineering at scale. This includes discussions about how we build our pipeline of detection ideas in the first place, how we effectively prioritize them in the current threat landscape, how we research complex threats and understand them fully, how we develop and test the detections, and how we manage, update and ultimately deprecate detections. We will have examples of specific detections and walk the audience through the process for each of them. This talk will provide audiences with a set of tools and processes they can take away and incorporate into their own detection engineering programs, regardless of their size or scale, as well as an understanding of the common pitfalls to avoid. |
The Silent Scream of Every Network: The Horror that is Active Directory Security | Derek Melber | Lying deep in every network is Active Directory. The legacy network operating system that just will not die! It is like a Frankenstein, connected to nearly every application, service, IAM, and device. The beast is always changing, which makes it more hideous every day. Owners keep it buried, so it is rarely given the attention that it needs to withstand the onslaught from attackers, both inside and outside. The mind of AD is simplistic, allowing anyone that makes a request to see the roadmap and full details within. Everyone knows it needs attention, but one wrong setting could stop its heartbeat, causing total destruction of the network. Let Derek Melber, 17X Microsoft MVP, show you how to operate on the beast, making it capable of withstanding the constant attacks. |
TPM Carte Blanche | Chris Fenner | Please see: https://www.dlp.rip/tpm-carte-blanche |
How machine learning can help you achieve Zero Trust for your application identities | Bailey Bercik (@baileybercik), Kalyan Krishna | While many organizations have been focused on user account security, recent cyberattacks show that adversaries are turning their attention toward cloud application identities. Supply chain compromise, OAuth consent phishing campaigns, and credentials-in-code compromise all share one common factor: adversaries exploit an application identity to gain initial access to a victim environment. These kinds of attacks are on the rise and require a different defense approach than that of users. A key part of that defense strategy is the ability to detect indicators of compromise and respond quickly, but there is too much log data to reason over it all relying on humans alone. Machine learning and automation play a key role here in highlighting anomalies that a human cannot spot, to give insights on potential account compromise, lateral movement or data collection. While the basic attack vectors will be familiar to defenders, the approaches to building ML that detects and protects identities are slightly different when dealing with an application instead of a person. As app-based attacks continue to increase, defenders need to know what to look for and how to utilize automated threat response to scale their efforts. With this approach, they can apply a Zero Trust access model to application identities. What will attendees gain from the session: - Overview of the categories of attacks against application identities - Proactive security controls for these accounts and the resources those accounts target - Detecting these attacks in your environment - Incident response best practices for when an account is compromised |
Hey! A Little Privacy Please | Jatin Bhatt (@jatinhbhatt) | According to a poll conducted in June 2019, 67% of internet users in the US are not aware of their country’s privacy and data protection laws. Since Privacy Risk Management requires compliance with privacy regulations and customer trust obligations, this can be a major issue. Make it Google-scale and you get a unique problem to solve! During this session, I will share major challenges and driving factors in privacy risk management and remediation strategies. You will have a deeper understanding of the following approaches: + Understand the risk landscape; identify privacy risks as early as possible + Plan, manage, and execute the work required to reduce the impacts of these risks at scale + Monitor and communicate findings + Navigate a culture of compliance and risk management. Let’s not just come up with problems—let’s come up with solutions, too! |
Healthy Posture and you are in the Clouds | Marina Segal | The Cloud Security Posture Management (CSPM) space has evolved and matured; however, misconfigurations are still one of the biggest unsolved risks in the cloud. It's about time to come up with a CSPM Maturity Model to help companies get to the ultimate cloud posture state. Join this session to learn how we can mature the security processes and secure our cloud environments during uncertain times, why DevOps support is important, and how to ensure you have the right security expertise and foundation. |
Demystifying Capture The Flags (CTFs) | Barrett Darnell (@pwneip) | Capture the Flag (CTF) competitions range in style and difficulty, but each and every CTF offers a wealth of knowledge for any participant. In the talk Demystifying CTFs, Barrett Darnell will provide an overview of CTF formats, the skills they require and the experience they develop, and conclude with a plethora of CTF resources for those wanting to participate. The main focus of the talk will be relating how both technical and non-technical skills learned through CTF participation can be applied to real world information security challenges. The target audience for this talk is those who are interested in playing CTFs and would like to maximize the value from them. |
Outside looking in: How public records can be used to research a ransomware attack | Derek Held (@derekheld) | In September 2019 the Northshore School District was hit by a ransomware attack. While it was briefly reported in a limited capacity, much of what happened was never discussed by the district. Unlike private companies that get hit by ransomware, public organizations present a unique research opportunity due to public records laws, and Washington State in particular has very strong public records laws. Get a view into a district crippled by a ransomware attack with a look at communications and documents turned over in public records requests. Get an introduction into Washington State public records law, including what kinds of redactions you can expect and when to push back on inappropriately redacted information. See what kinds of actions were taken by the incident responders and what the district did to regain operational capabilities. You'll also see how public records requests can lead you to information you didn't know to look for and can even lead you to discover a still vulnerable system. |
Surviving a compromise of your favorite package repository | Hayden Blauzvern | We put a lot of implicit trust in the software repositories that we depend on for open source software: we trust that they’ve verified who can publish to a given project, that they’re securely delivering the right artifact when we request it, and that publishers are as protected as possible from compromise. But what if this fails? In this talk, we’ll explore what the effect of an unlikely, but high-impact, compromise of popular software repositories would be, and how we can use new technologies for developer-signed artifacts to protect against such an attack, to maintain trust in the software we’re consuming and the identities that have produced it. This talk will cover a threat model for package repositories. To mitigate these threats, we'll discuss how to create artifact signatures using key-based and identity-based (OIDC) signatures and how to use verification policies. This talk will discuss the latest signature generation tooling, such as Sigstore or Notary V2, and will provide a roadmap with upcoming projects and proposed standards within various package ecosystems, including PyPI and RubyGems. After this talk, open-source producers should understand how to create signed artifacts, package repository maintainers should understand how to integrate support for signed artifacts, and consumers should understand how to verify artifact signatures. |
I had a quarter of a million Office users, and so can you - some subdomain takeover techniques you may not have tried. | Alun Jones | In February 2020, I gave a talk at the RSA Conference on subdomain takeovers (SDTOs), with the emphasis on how we're stopping them. My focus at the time was CNAME SDTOs, and I briefly mentioned other kinds - using DNS A records and NS records, and 2nd Order SDTOs. In this talk, I'll go into more detail on those kinds of SDTO, and how to demonstrate and report them, and give you some tools you can build on. Hopefully you'll be as fortunate as I was in July, when I captured the sessions of over 250,000 Microsoft Office users - and we'll also discuss why you shouldn't. |
Overview of how Spectre attacks changed the web security model and available mitigations | Apoorv Munshi | The fundamental security boundary on the web known as the Same Origin Policy no longer holds true due to Spectre attacks, first revealed in 2018. Spectre attacks target vulnerabilities in modern CPU behavior, and remediating them completely is not possible at the system level. Although exploiting web applications using Spectre needs the use of side channels, researchers have shown it is practical in the real world via JavaScript running in modern web browsers and operating systems. In this talk, we will take a brief look at how Spectre attacks work but focus mainly on how the security of the web is affected and how new application-level mitigations coupled with browser sandboxing can prevent such attacks. Join me for a fun ride in the interlaced world of modern web security. |
How to Build Trusting Teams When You Trust No One | Jeff (@jeffreycady) | Security professionals have a very low trust-default. In this, there are implicit inter-personal obstacles to overcome, both personally & professionally. How do we establish trusting relationships and build trust with our companies when it runs counter to our nature? |
Low Budget Home Lab | Morgan Adams (@_morgan_adams_) | Ever wanted a home lab, but never had the budget or even an idea of where to start? The good news is that you can get started for free! Not only that, but the options for services to run in your lab are virtually endless and give you an opportunity to hone your infosec skills. For those interested in infrastructure, AWS, GCP, Oracle, IBM, fly.io, Heroku, and many other providers have some form of free service you can explore. If you get more advanced you can even build out a network and run your own services for your benefit and learning. If you like to code as well, there is an endless supply of APIs that you can utilize to build your own projects. In this talk, we'll take a look at some of these resources that are available, example projects from gaming to Kubernetes to networking, and how you can use these projects to enhance your infosec skills. As a systems engineer turned security engineer, I like to dig into new things and experiment. Some of these projects are how I've developed my skill sets over the years and helped me land my current principal security engineer role. |
Hype and Reality: Practical advice for implementing and evaluating AI/ML for Cybersecurity | Edward Wu | For a long time, AI/ML has been portrayed as the magic "silver bullet" that would solve everything in cybersecurity. However, as evident in the last few years, the promises of AI/ML haven't materialized. Cyber defenders and practitioners today are still faced with increasingly sophisticated attackers, the rapidly growing complexity of modern cyber infrastructures, and persistent talent shortage. In this talk, I will separate the hype from reality, present real-world examples of where the application of AI/ML is feasible and beneficial, and highlight challenges and limitations. At the end of the talk, I will also provide concrete advice on how to best implement and evaluate AI/ML technologies. No prior data science knowledge is required. |
Anatomy of an IoT Third Party Risk Management Program | Aparna Ash Himmatramka | Did you know that about 40% of the companies worldwide are deploying IoT products today? The COVID-19 pandemic has only increased enterprise investments in IoT and IoT solutions. And now, time for a reality check: 1. Fewer than 42% of these organizations can identify insecure IoT devices. And to make matters worse, when they do identify those devices, only 14% step up to replace them immediately. 2. FIVE minutes. That’s the average amount of time that it takes for an IoT device to be attacked once connected to the Internet, according to NETSCOUT’s report. 3. 98% of the IoT traffic isn't encrypted! Well, that kind of number should wake you up faster than a cup of coffee. 4. 55% of companies don’t require third-party IoT provider security & privacy compliance. Crazy, isn't it? IoT-based attacks are on the rise, more than ever. But the actual number may be greater than reported because many organizations fail to account for the risk that is introduced by IoT devices that they procure from external vendors. Moreover, most Third-Party Risk Management (TPRM) programs do not include IoT risks and lack a basic level of maturity to adopt a strong multi-layered defensive approach instead of a reactive or ad-hoc approach. In this presentation, we will explore what kinds of challenges are introduced in each phase of the IoT Third-Party Risk Management process. We will dive into the kind of security assessments needed to ensure that the IoT solutions are in their best shape and to what depth those assessments should go. We will also learn what an acceptable end-to-end IoT device procurement process should look like and what elements to introduce to further strengthen the entire risk evaluation process. |