DoH! DNS over HTTPS: for Attackers and Defenders – Marcus W Tonsmann


DoH is coming. This talk will prepare you by covering the basics of the protocol, available tools for testers, and techniques being leveraged by real adversaries. Proactive defensive measures will also be discussed, with an eye towards the future.

Marcus works as a Detection Engineer at a national healthcare company. In his role, he spends a lot of time researching offensive techniques and how to detect and prevent them. Currently, he holds GPEN, GDAT and GNFA certifications. When not in front of a computer, Marcus loves to swim, climb, and ski.

Read More

Higher Ed and the Infosec Skills Gap – Heather Lawrence


Some 37% of the 2018 ISC2 Workforce Study indicated that they were concerned about the lack of skilled cybersecurity personnel while almost 60% indicated that their organization is at risk due to the staff shortage. This talk discusses the current availability and quality of infosec higher education, how few institutions are preparing their students with the skills they need, and effective training methods that organizations can use to bridge the gap in-house.

Heather Lawrence is a data scientist for the Nebraska Applied Research Institute who earned her undergraduate and masters degrees in Computer Engineering from the University of Central Florida. In previous lives she was a USN nuke, VA photographer, NCCDC winner, [email protected] mom, and darknet marketplace miner. Her current research centers on the application of machine learning to intrusion detection.

https://twitter.com/infosecanon

Read More

Be Evil: A Toolset for Tier 1 Threat Emulation – Matthew Toussain


Some intrusion sets are elite, top tier. Others… not so much. An emerging service in the information security community is the emulation of these threat groups in all their incarnations.

Proven security. The concept is as desirable as it is mathematically impossible. Given that cybersecurity risk is a facet of both threat and impact, proving security against a given threat actor requires more than traditional pentest and red team engagements. It requires a combined toolset of tactics and capabilities tailored to drive effects against the networks that we are tasked to defend. In this talk we explore real attack tactics and unveil an open source toolkit driven to enable advanced threat emulation.

Matthew Toussain is the founder of Open Security and an analyst with CounterHack. As an avid information security researcher, Matthew regularly hunts for vulnerabilities in computer systems and releases tools to demonstrate the effectiveness of attacks and countermeasures. He has been a guest speaker at many conference venues, including DEFCON. Matthew is an author of SEC460: Enterprise Threat and Vulnerability Assessment.

Read More

Abusing AWS Architecture and How to Defend It – Ryan Stalets


Amazon Web Services (AWS) offers many architecture features which improve application performance and make it easier to deploy applications. This talk will look at two AWS architecture features which can be abused to hide C2 traffic and compromise application code and infrastructure. We will also discuss these features from a “prevent, detect, respond” perspective with a special emphasis on detection and response actions for SOC/IR teams.

Ryan is an analyst on the security incident response team of a Fortune 100 global company. His focus areas include cloud threat detection/response and network intrusion detection. Ryan has a decade of experience in IT, with nearly five years as a CSIRT analyst, and holds several GIAC certifications including: Incident Handling (GCIH), Web Application Penetration Testing (GWAPT), Intrusion Analyst (GCIA), and Continuous/Network Security Monitoring (GMON).

Read More

Post Exploitation: Striking Gold with Covert Recon – Derek Rook


You’re on a covert penetration test focusing on the client’s monitoring and alerting capabilities. You’ve just established a foothold, maybe even elevated to admin, but now what? You want to know more about the internal network but careless packet slinging will get you caught. Join me on a mining expedition where you can’t swing your pick axe without striking gold. We’ll be mining logs, pilfering connection statistics, and claim jumping process network connections. Without leaving the comfort of your beachhead, you’ll be shouting “Eureka!” in no time.

Talk by Derek Rook

Read More

Incident Response is HARRRRRD: But It Doesn’t Have to Be – Michael Gough


So your EDR, AV, or other fancy shiny blinky lights security tools alerted you that Bobs Windows box has some suspicious activity. Do you have the details you need to investigate or remediate the system? Can you quickly and easily investigate it? You can enable a lot of things you already have for FREE to help you with your investigations, no matter the tools used. Let’s take a look at how we do Incident Response on Windows systems and what you can do to prepare for an inevitable event.

How is your logging? Is it enabled? Configured to some best practice? (hopefully better than an industry standard that is seriously lacking). Have you enabled some critical logs that by default Microsoft does NOT enable? Do you have a way to run a command, script, or a favorite tool across one or all your systems and retrieve the results? Do you block some well-known exploitable file types so users do not initiate the scripting engine when they double click, rather just open good ol’ Notepad?

Everything mentioned here is FREE and you already have it!

This talk will describe these things and how to prepare, and be PREPARED to do incident Response on Windows systems. A few tools will be discussed as well that you can use to speed things up. The attendee can take the information from this talk and immediately start improving their environment to prepare for the… inevitable, an incident.

Michael is a Malware Archaeologist, Blue Team defender, Incident Responder and logoholic. Michael developed several Windows logging cheat sheets to help the security industry understand Windows logging, where to start and what to look for. Michael is a primary contributor to the Open Source project ARTHIR. Michael is also co-developer of LOG-MD, a free tool that audits the settings, harvests and reports on malicious Windows log data and malicious system artifacts. Michael also blogs on HackerHurricane.com on various InfoSec topics. Michael also is co-host of the “Brakeing Down Incident Response” BDIR Podcast to education on Incident Response daily tasks. Michael also ran BSides Texas for five years for the Austin, San Antonio, Dallas and Houston cons.

Read More

Social Forensication: A Multidisciplinary Approach to Successful Social Engineering – Joe Gray


This presentation outlines a new twist on an existing social engineering attack. In the past, we have worked on getting users to plug in USB devices to drop malicious documents and executables. While this attack sometimes proves our point, it is the tip of the iceberg that can be done. Enter Social Forensication.

This is a two-pronged attack, consisting first of collecting a memory image for offsite offensive forensic analysis, the second being a rogue Wi-Fi access point attack. During this presentation, we will walk through the steps to perform each attack. Since defense is just as (if not more) important as the attack itself, we will also discuss mitigations (technical and procedural) and relevant windows detections for these attacks.

Read More

Kerberos and Attacks 101 – Tim Medin


Want to understand how Kerberos works? Would you like to understand modern Kerberos attacks? If so, then join Tim Medin as he walks you through how to attack Kerberos with ticket attacks and Kerberoasting. We’ll cover the basics of Kerberos authentication and then show you how the trust model can be exploited for persistence, pivoting, and privilege escalation.

Tim Medin is the founder and Principal Consultant at Red Siege, a company focused to adversary emulation and penetration testing. Tim is also the SANS MSISE Program Director and a course author. Through the course of his career, Tim has performed penetration tests on a wide range of organizations and technologies. He gained information security experience in a variety of industries including previous positions in control systems, higher education, financial services, and manufacturing. Tim is an experienced international speaker, having presented to organizations around the world. Tim is also the creator of the Kerberoasting, a technique to extract kerberos tickets in order to offline attack the password of enterprise service accounts. Tim earned his MBA through the University of Texas.

https://www.redsiege.com/

Read More

Hack Apart Your Career: How to Fund Doing What You Love – John Grigg


Our field is full of extremely creative people who have a lot to offer the industry. But often we lose focus because we are working for a company that has their own goals and competing priorities. This leads to long hours of work, a declining quality of life, and various other troubles. In this talk I focus on the tidal wave of DOD-related opportunities that exist to fund novel research and cutting edge technology, all while allowing autonomy of the individual. I’ve personally used these sources to transition to running my own company and have helped a lot of folks in the industry do the same. I’ll discuss why people should consider this as a career path, where to find these resources, and walk through exactly how to apply.

I have 12 years of experience within the Navy, the Intelligence Community, and in the corporate cyber security world with focuses on building and maturing SOCs, SIEM/IDS/IPS engineering, malware analysis, and cyber operations.

https://twitter.com/Sk1tchD

Read More

Hacking Pioneers, Breaking Through the Stigma of Influential Advertising – Kelly Whitaker


This presentation will challenge the way you think about those who are in the computer science industry.

Kelly Whitaker is the Information Technology Officer for the National Weather Service Rapid City forecasting office where she is a Jill of all trades – coding, security, setting up VMs, configuring servers, putting out fires, and making forecasters happy. She’s worked on many national software projects and is currently coding for the National Ocean Service as well. In 2004 she retired from the Air Force where she cut her teeth on Sperry and Honeywell mainframe computers. Her experience spans academia, manufacturing, satellite systems (GPS & DMSP), and the B1-B trainer.

Read More