An Introduction to Malware Classification
With more than 1 million new pieces of malware released every day, security vendors are turning toward machine learning to automate threat detection. This talk aims to give new researchers the background they need for contributing to this field. We'll talk about sources for malicious PE files, consistently top-performing machine learning algorithms, extracting features, and how to prevent overfitting. (20 minute)
Speaker: John Seymour
Bio: John Seymour is a Ph.D. student at UMBC researching machine learning for malware classification. He's mostly interested in avoiding and helping others avoid some of the major pitfalls in machine learning, especially in dataset preparation (seriously, do people still use malware datasets from 1998?). In 2014, he completed his Master’s thesis on the subject of quantum computation applied to malware analysis (later presented at DEFCON23). He currently works at ZeroFOX, Inc. as a Data Scientist.
Attacking Automation: Hacking For The Next Fifty Years
Let’s face it, technology is moving along, almost too quickly. The next big thing is automation. Automation is expected to change the way the modern world works. We see changes happening around us: driverless vehicles, banking systems, healthcare systems, and now fast food is being automated. Sadly, many of these industries are poorly prepared for the challenges that lie ahead for them. In the end, the cat and mouse game of security and anti-security will continue. This talk will focus on the changing world and how those designing and implementing automated systems will need to adapt. Critical flaws will be found, but preparation will be the key to success and in some situations can mean the difference between life and death. (50 minute)
Speaker: Mike Spaulding
Bio: As a well-seasoned professional with more than 20 years of experience in Cyber Security and 15 years as a senior security decision maker, Mike has seen it all. He is a respected IT/Security leader within organizations focused on building success by understanding the needs of both the external/internal customer and applying security in a manner that can fit within the organization. He has a strong technical background, combined with financial experience. He is often sought after to help rebuild and restructure security teams in order to bring a positive change within organizations. In his spare time, he helps organize the Columbus, Ohio BSides event and mentors younger security professionals through leadership and training.
Avoiding the Pitfalls of Hunting
Blue teams across the world suffer from a lack of resources, short staffing, and immature tools and policies. Immature and insufficient defensive postures lead to reactive security, where an intrusion is, at best, discovered hours after it occurs. Based upon years of experience in incident response with a major defense SOC, and performing IR across the commercial realm, this presentation highlights the classic failures and pitfalls that are continually found within networks targeted for attacks. These pitfalls are easily mitigated using best practices such as the Critical Top 20, and we’ll explore how these problems come to exist and how to secure them. Learn how to move from being reactive to being proactive and better your network’s defenses! (50 minute)
Speaker: Tony Cook
Bio: Tony Cook, a Navy veteran, has worked at Langley NASA, Joint Forces Command, Naval Cyber Operations Command, and the SPAWAR Network Security Operations Center. He has years of experience in pursuing unique targeted attacks against government assets and critical infrastructure and currently works to protect clients as an Incident Responder on the RSA Security IR team. He has numerous security certifications and is a bourbon connoisseur.
Beyond Automated Testing
Beyond Automated Testing provides a brief overview of how to properly perform an assessment by refusing to rely solely on automated tools. Topics covered include how to read between the lines of scan reports, how to find the things that commonly used tools miss, and how to look for things that an automated tool may never see. A series of common vulnerabilities and PenTest findings are discussed, including how they were identified and why a scanner is unable to find them, and resources are provided to help the audience learn and develop the skills for themselves. (50 minute)
Speakers: Zack Meyers & Luke Hudson
Bio: Zack Meyers (@b3armunch) is a business-oriented guy who became a motivated InfoSec geek after getting started as a continuous monitoring vulnerability analyst. Shortly after, he took an interest in the offensive side of security work and currently works as an Offensive Security Engineer at BreakPoint Labs. Today he is always looking to learn about new techniques and tools that can help him identify his next big vulnerability finding. He is currently a member of Primal Security Blog | Podcast and holds several security certifications including OSCP, CISSP, GWAPT, GPEN, GCIH, etc.
Luke Hudson (@3z5tuff) is a security engineer who is currently working to sharpen his skills in the offensive security domain while acting as a web application penetration tester for numerous private and public organizations. He is one of the founders and lead authors of Primal Security Blog | Podcast, and currently works as an Offensive Security Engineer at BreakPoint Labs. He is focused on learning and creating useful information aimed at fellow security professionals who are passionate about their industry.
Binary Reverse Engineering for Beginners
Binary reverse engineering is a critical skill in the infosec world, from verifying crypto algorithms to finding and analyzing vulnerabilities and writing exploits. This often requires a balance of experience and intuition that only comes from practice. Our workshop will delve into the dark art of disassembly and provide participants with the tools and techniques required to practice it and develop the perceived "sixth sense" that accompanies expert reverse engineers.
All examples in the workshop will be implemented in 32-bit x86 assembly, and some experience programming in a high-level language is assumed (preferably C/C++). Examples will be performed on the Linux operating system, although many techniques will carry over to any platform. It is also assumed that participants understand the legal risks associated with reverse engineering. (8 hour training)
Speaker: Ben Demick
Bio: Ben Demick is a Senior Lead Engineer at Booz Allen Hamilton with over 6 years of experience reversing embedded systems and doing embedded development. He holds a B.S. in Electrical Engineering and Physics from Clarkson University, an M.S. in Electrical and Computer Engineering from Johns Hopkins University, and has been an instructor with Booz Allen's internal software reverse engineering program for the last 3 years.
Building Blocks: An Introduction to Security Analysis
There’s a mantra often repeated in the sports world: “Defense Wins Championships.” While there are no trophies to be won in cybersecurity for having a champion-caliber defense, building a strong defense requires a good, solid understanding of security analysis.
This workshop is designed for security analysts with less than three months' experience, or for those interested in a security career, who wish to fully immerse themselves in a mock-up of a SOC (Security Operations Center) environment and learn about the tools typically found in such an environment, how to use them in a monitoring situation, how to use digital forensics when performing a security analysis, how to respond to a security incident, and why having a security audit plan as part of a defensive strategy is important. (8 hour training)
Speaker: Kerry Hazelton
Bio: Alpha Geek. Gamer. Husband. Father. Cybersecurity enthusiast. While all these terms accurately describe Kerry, what motivates him the most is anything and everything involving cybersecurity. Whether it’s a new exploit, tool, news article, or an opportunity to learn or to share with others his experiences, he possesses and maintains a strong passion and devotion to the industry.
Having been involved in IT since 1998, Kerry chose to narrow his area of expertise over five years ago and sharpen his security skills by focusing on four key areas: digital forensics, incident response, security analysis, and security auditing. He is currently employed with DB Consulting Group, Inc. in Silver Spring, Maryland as a Computer Security Specialist; his prior positions have included Security Analyst and Remediation Security Specialist. Kerry is married to his wife of thirteen years, and has one child. In his spare time, if he’s not spending time with his wife, he’s either reading up on the latest trends in cybersecurity, playing games, putting together puzzles with his son, or teaching his son the art of hacking.
Cyber Vulnerabilities of America's Pipeline Systems
Unknown to most people, America's pipeline systems are extremely vulnerable to cyber attacks. My talk is going to be on the cyber vulnerabilities of America's pipeline systems and how they are attacked. Pipelines are a major part of many people's lives and protecting them from cyber attack is important. I will also be discussing how pipelines have become more susceptible to cyber attacks over the years and the impact socially of what would happen to America. Also being discussed will be how to prevent these attacks, and what tools can be used to stop them. (20 minute)
Speaker: Paul Vann
Deserialized to Life: The Story of My January CVEs
We have identified multiple remote code execution vulnerabilities in the most popular Java serialization libraries. These libraries are used in popular frameworks like Struts 2, Spring, and Groovy, as well as popular apps like Bamboo, Jenkins, and more.
A language-neutral framework for analyzing serializers will be discussed along with a deep-dive into the most interesting individual CVEs. (50 minute)
Speaker: Arshan Dabirsiaghi
Bio: Arshan is an accomplished security researcher, having presented original offensive and defensive research at BlackHat, OWASP, and others.
Draining the AppSec Pond - A Developer's Perspective
When it all comes down to it, pretty much every CyberSecurity or InfoSec [or insert your own favorite term] breach or issue has a common component ... code! And despite plenty of cautionary examples and lessons learned, we see the same or similar issues over and over. These play out to the tune of millions with credit monitoring, stolen IDs and worse (think non-update-able, vulnerable pacemaker firmware) on the horizon.
The problem is akin to a stagnant pond that needs to be drained. There is an ancient Chinese proverb which is intended to assess an individual's sanity by giving them a bucket to address the issue of a stream flowing into a stagnant pond.
In this presentation, we will discuss the importance of AppSec in the world of InfoSec/Cybersecurity. We will look at it from the perspective of a security-minded developer who has seen how the water flows and stagnates in the pond. How do we create or shift incentives? How do we find common ground for the security community and the development community to sanely drain the pond? (50 minute)
Speaker: Jason White
Bio: Jason is an experienced developer with approximately 15 years of experience building applications (mostly web) in a variety of languages & platforms and in a variety of industries. Back in the day, he slung Perl CGI. Now, he primarily works on RESTful/single page web applications with Java/Spring on the backend. In the way of security, Jason is an active contributor and co-lead on (the resurrection of) OWASP WebGoat. He always makes it a point to break stuff on his professional projects and to beat the paranoia drum.
Failure to Warn Might Get You Pwned: Vulnerability Disclosure and Products Liability in Software
"Which manufacturers have legal threats? Why can’t the consumer that bought defective product use legal system?" -@weldpond, Oct. 4, 2015
This talk will address the second question in that tweet, by exploring how product liability suits might help consumers who suffer harm from vulnerabilities in software that vendors are aware of but do not patch. It will discuss legal concepts but in a non-legalese manner, and explain how product liability suits might someday help protect consumers. (20 minute)
Speaker: Wendy Knox Everette
Bio: Wendy spent 14 years working as a software engineer at Amazon.com, Google, and Meetup where she primarily worked on test automation and continuous deployment systems. She is currently a 3L at George Mason School of Law, where she is focusing on computer security as part of the National Security Law program.
Fun with Network Packet Analysis!
This workshop is geared for audiences of all levels. We'll start with the basics of traffic flow, i.e. the OSI model and TCP/IP stack, and from there dive into the fun part -- looking at custom PCAPs to examine various security issues. We will end with carving files from hex, which is easier than you might think! (4 hour training)
Speaker: Marcelle Lee
Bio: Marcelle has a fancy bio and a bunch of certs and degrees but none of that really matters for this workshop. The only important thing is that she loves packet analysis and hopes you will too!
Getting to the Bottom of the Cloud -- File Syncing Forensics
Cloud-based services are one of the biggest trends in IT over the past decade, and file sharing/sync is one of the most popular such applications. These applications are widely used in organizations and companies, sometimes with official sanction and sometimes not. Either way, there are security concerns and implications, including insider data theft, intruder data exfiltration, and accidental over-sharing. To assist with investigating incidents, these client apps leave behind various records of files added, deleted, updated, downloaded, etc.
The talk will cover the forensic artifacts associated with a number of popular file sharing/sync services and what can be determined from them. I will also be demonstrating Unbox, a set of Python scripts to search Windows-based computers for artifacts associated with cloud-based file share/sync services and create a timeline analysis of events associated with these services. (50 minute)
Speaker: Matt Harvey
Bio: Matthew Harvey has twenty years of IT industry experience across a wide variety of roles. With Anchor Technologies, he performs security assessments, incident response, and penetration tests for mid-sized firms in the mid-Atlantic region. Matt also served as an Army officer in the infantry and military intelligence fields for a total of 12 years.
Matt earned his Master's degree in Computer Systems Management from the University of Maryland University College and holds multiple industry certifications. He is an experienced consultant, trainer, and presenter specializing in making complex technical topics clear and compelling for all audiences.
How Hackers Look at a Web Site
When we build a web site, we think of it being used a certain way, and even if security is baked in, there may be more ways a hacker can break that site. In this talk, Patrick will show many of the ways that hackers attempt to break in to sites. As defenders, we need to be correct 100% of the time, but hackers only need a single door to gain a foothold, and from there they may often be able to go deeper. This talk will show many of those footholds that hackers try to use, as well as ways to defend against them. This is a great overview of things to think about when defending your own web sites. (50 minute)
Speaker: Patrick Laverty
Bio: Patrick is a security analyst/pentester for Rapid7’s Global Services team. His first love is web application security and CSRF in particular. He founded the Rhode Island chapter of OWASP, the first ever BSides Conference in Providence and is the speaker chair for BSides Boston this year.
In Case of Emergency: Anonymity - A Technical Guide
At some point in your life you may have to hide yourself. Whether it’s from an oppressive government, consumer data collection, or your arch nemesis, knowing how to operate securely in our era is a valuable skill. This talk will serve as a start to finish technical guide on how to acquire the materials and configure a system for anonymity, online and off. It will also cover some known attacks and the countermeasures to those attacks. (50 minute)
Speaker: Douglas Goddard
Bio: Douglas Goddard is an Analyst at Independent Security Evaluators where he audits and exploits a variety of systems. He holds 1.5 degrees in computer science and spends a considerable amount of his spare time programming. Prior to joining ISE he did malware research and reverse engineering. Douglas has recently been learning about graphics programming in hopes that he can one day make some sick demos.
Managing Audits: A Human Interaction Perspective
Everyone goes through audits, risk assessments and various reviews. It's time we teach our people how to manage the auditors and the situation. In this presentation, you will learn how to live through an audit and, possibly, enjoy the "game". (50 minute)
Speaker: AJ Stambaugh
Bio: AJ is an IT Security and Compliance professional with over 10 years of experience. He has worked in IT Security in either a technical or risk management role. His background includes various security roles in the Department of Defense and in the financial technology sector, and he has been a member of the Air National Guard for over 14 years.
Next Gen Social Engineering
As Financial Institutions and other organizations have continually improved upon their security protocols, procedures and technologies, the Cyber Criminal community has responded by adapting their attack methods to counter and circumvent any security barriers that stand between them and their goal of illegal financial gain. Because nearly all Financial Institutions and organizations that conduct business online have either hired a vendor or developed an internal security team to monitor, detect and respond to online cyber attacks (i.e. Phishing, Malware, etc.), the response time to these types of attacks has increased dramatically, reducing the effectiveness and the amount of monetary gain that can be realized from obtaining credit card credentials. This has resulted in the Cyber Criminals developing new Social Engineering techniques that are more clever and advanced than any that we have seen before. (50 minute)
Speaker: Jack Johnson
Bio: Jack Johnson, Manager of the MarkMonitor Security Operations Center (SOC), has over 20 years of experience in the Enterprise Systems Engineering and Security space. ... Jack is a recognized subject matter expert in Cyber Security and Enterprise level System Administration and Security best practices. He is currently working on multiple projects developing new and improved Phishing and Malware detection, analysis and mitigation systems.
PowerShell Security: Defending the Enterprise from the Latest Attacks
PowerShell is a boon to administrators, providing command consistency and the ability to quickly gather system data and set configuration settings. However, what can be used to help, can also be used for less altruistic activities. Attackers have quickly learned over the past few years that leveraging PowerShell provides simple bypass methods for most defenses and a platform for initial compromise, recon, exploitation, privilege escalation, data exfiltration, and persistence.
With the industry shift to an "Assume Breach" mentality, it's important to understand the impact on the defensive paradigm. Simply put, don't block PowerShell, embrace it. Blocking PowerShell.exe does not stop PowerShell execution and can provide a false sense of security. The key is monitoring PowerShell usage to enable detection of recon and attack activity. As attack tools like the recently released PowerShell Empire become more prevalent, it's more important than ever to understand the full capabilities of PowerShell as an attack platform as well as how to effectively detect and mitigate standard PowerShell attack methods.
The presentation walks the audience through the evolution of PowerShell as an attack platform and shows why a new approach to PowerShell attack defense is required. Some Active Directory recon & attack techniques are shown as well as potential mitigation. This journey ends showing why PowerShell version 5 should be the new baseline version of PowerShell due to new defensive capability.
This talk is recommended for anyone tasked with defending an organization from attack as well as system administrators/engineers. (50 minute)
Speaker: Sean Metcalf
Bio: Sean Metcalf is founder and principal security consultant of Trimarc, an information security consulting firm focused on improving enterprise security. He is one of about 100 people in the world who holds the Microsoft Certified Master Directory Services (MCM) certification, is a Microsoft MVP, and has presented on Active Directory attack and defense at BSides, Shakacon, Black Hat, DEF CON, and DerbyCon security conferences.
Sean has provided Active Directory and security expertise to government, corporate, and educational entities since Active Directory was released. He currently provides security consulting services to customers and regularly posts interesting Active Directory security information on his blog, ADSecurity.org. Follow him on Twitter @PyroTek3.
Ranger – It just takes one account to take down an enterprise!
This presentation will capture the development and deployment of the tool called Ranger. This Python based tool can be installed on Kali distributions using a simple Bash script. We will demonstrate how Ranger allows for automated extraction of credentials, validation of domain details, determination of group memberships, and the injection of payloads directly into memory on Windows based systems through native protocols and services. This tool has been well tested and used on a variety of engagements, proving that current defensive tools not only fail to stop it but also fail to detect it, even the marketed next generation solutions. In essence we have been able to cut down significant swathes of time during an engagement in an effort to demonstrate true risk to clients.
Ranger was the brainchild of Chris Duffy with support and help of a great group of friends and penetration testers who asked for a variety of features. We looked to fill a major gap in single tool capability, which has historically been filled by a larger tool catalog. As such, this tool leverages highly desired capabilities, to include ease of use, execution by command line, lightweight, simple parseable outputs, logging support for traceability, ability to support Nmap XML imports, and capable of resolving both passwords and multiple hash formats. (50 minute)
Speakers: Christopher Duffy, Jonathan Fallone, & Dev Patel
Bio: Christopher Duffy is currently a Cybersecurity & Privacy specialist in the D.C. Metro area, where he currently helps lead Threat and Vulnerability Management services nationally, such as advanced technical testing.
Jonathan’s areas of specialty are in targeted technical testing, which includes risk focused password cracking and security control weaknesses.
Dev is a penetration tester with a strong background in Windows, UNIX, mobile application development, and SIEM solutions. He specializes in network penetration testing, and has led assessments across multiple Fortune 500 clients in a variety of industries.
The Open Source Malware Lab
The landscape of open source malware analysis tools improves every day. A malware analysis lab can be thought of as a set of entry points into a tool chain. The main entry points are a file, a URL, a network traffic capture, and a memory image. This talk is an examination of the major open source tools that satisfy the analysis requirements for each of these entry points. Each tool’s output can potentially feed into another tool for further analysis. The linking of one tool to the next in a tool chain allows one to build a comprehensive automated malware analysis lab using open source software.
For file analysis, the three major versions of Cuckoo Sandbox will be examined. To analyze a potentially malicious URL, the low-interaction honeyclient, Thug, will be covered. Next, if one has a network capture (PCAP) to analyze, the Bro Network Security Monitor is a great option, and will be covered. Finally, if the analysis target is a memory image, the Volatility Framework will be examined. Each of the inputs and outputs of the tools will be reviewed to expose ways that they can be chained together for the purpose of automation. (50 minute)
Speaker: Robert Simmons
Bio: Robert Simmons is the Director of Research Innovation at ThreatConnect, Inc. With an expertise in building automated malware analysis systems based on open source tools, he has been tracking malware and phishing attacks and picking them apart for years. Robert is also the author of PlagueScanner, an open source virus scanner framework.
Robert, also known as Utkonos, has a background in biology, linguistics, and Russian area studies. He has lived extensively in Russia and Ukraine and has been known to swear profusely and constantly in Russian.
The Value of Deceiving Attackers
The most common defensive strategy used to defend networks is to detect threats and respond accordingly. Given that attackers can continuously change behavior, detection is an inherently flawed defensive strategy that results in the cost of defense being far greater than the cost of attack. Deception technology can greatly increase the cost of attack. The talk covers a simplified version of the attack lifecycle, types of static defenses and possible countermeasures, categories of deception techniques, and how deception techniques can be employed in network operations to influence attacker behavior. (50 minute)
Speaker: Thomas Phillips
Bio: Thomas Phillips is the Chief Technical Officer and Vice President of Engineering at Ridgeback Network Defense, Inc., with responsibility for new product development and overall technical strategy. At Ridgeback he merges over 35 years of programming and hacking experience, over 15 years of contract work for NSA in both technical and managerial roles, and the experience of three prior startups. He has served as a Russian linguist in the U.S. Marine Corps and performed electronics repair in the Maryland Army National Guard.
Using Bro IDS to Detect X509 Anomalies
In a resource constrained environment, the ability to detect malicious or anomalous activity can be challenging – especially when malicious actors utilize legitimate cryptographic protocols. This talk covers a simple technique to detect anomalies in X509 certificates using Bro IDS that does not rely on external data sources (i.e. 3rd party vendors, custom databases, ...). The talk will also cover real world examples where this technique would have been successful in detecting modern exploit kits that leverage TLS/SSL. (20 minute)
Speaker: Will Glodek
Bio: Mr. William Glodek is currently Senior Network Security Engineer at BreakPoint Labs. He previously served as a computer scientist and Network Security Branch Chief at the US Army Research Laboratory. He is the creator and developer of Dshell, a Python-based network forensics analysis framework. Mr. Glodek's research includes network forensics, digital forensics and incident response, and the application of machine learning methods in the cybersecurity domain.
Using open source SSL/TLS data to hunt threat actors and defend networks
This presentation will go over how net defenders and threat intel analysts can use TLS/SSL data from sources like scans.io and censys.io to defend their networks and hunt threat actors that use TLS/SSL either for communication in their malware or for their infrastructure. (20 minute)
Speaker: Mark Parsons
Bio: Mark Parsons is a net defender that has slowly turned into a small time developer and occasional threat analyst. Over the past 4 years he has worked at a civilian federal agency doing incident response and threat intelligence. He has spent the past few years working on creating solutions that allow threat analysts and net defenders to spend more time looking at data rather than collecting it.
Who Watches the Smart Watches?
Wearable technology use has accelerated over the past 18 months, to the point where even most fitness devices now have notification capabilities that allow users to use the device as an extension of their mobile phone. This talk will explore two mobile operating system-independent devices: a Pebble Time and Microsoft Band 2. The talk will highlight functionality and the data that is stored on the device, as well as data stored on the mobile phone with which the wearable technology is associated. (20 minute)
Speaker: Brian Moran
Bio: Brian is a digital forensic analyst currently residing in the Baltimore, Maryland area. He has approximately 15 years of experience in the cyber security field, with 10 of those years focusing on digital forensics/incident response (DFIR), both in the United States Air Force and the private sector. His initial exposure to the DFIR field occurred during a 6 month deployment to Mosul, Iraq in 2004-2005, when he served on a team that provided mobile device analytic information in support of tactical military operations. During his tenure in the Air Force, he has worked with numerous DoD entities and been invited to speak and share information at several intelligence community events. After his military service ended he entered the private sector and has worked (globally) on a wide range of cases. His favorite aspect of this DFIR field is that it is always changing and evolving; and every case has unique problems, questions, and solutions.