Assumed Breach: A Better Model For Penetration Testing

Join us at Way West Wild West Hackin’ Fest in Deadwood in September 2020:

The current model for penetration testing is broken. The typical scan-and-exploit model doesn’t reflect how real attackers operate after establishing a foothold. At the same time, most organizations aren’t mature enough to need a proper red team assessment. It’s time to start adopting the assumed breach model. In this talk, I’ll discuss techniques for assumed breach assessments that provide a better model for emulating the techniques attackers use once they’ve established a foothold inside a typical network.

Mike Saunders has over 25 years of experience in IT and security and has worked in the ISP, financial, insurance, and agribusiness industries. He has held a variety of roles in his career, including system and network administration, development, and security architect. Mike has been performing penetration tests for nearly a decade. Mike is an experienced speaker and has spoken at DerbyCon, BSides MSP, BSides Winnipeg / The Long Con, BSides KC, and the NDSU Cyber Security Conference. He has participated multiple times as a member of the NCCDC Red Team. Mike holds the GCIH, GPEN, GWAPT, GMOB, OSCP, and CISSP certifications.

WWHF 2019 Keynote

Wild West Hackin’ Fest 2019 – Opening Keynote

Ian Coldwater is a DevSecOps engineer turned red teamer, who specializes in breaking and hardening Kubernetes, containers and cloud native infrastructure. In their spare time, they like to go on cross-country road trips, capture flags and eat a lot of pie. Ian lives in Minneapolis and tweets @IanColdwater.

Hacking a Security Career

Prominent and very wise individuals in INFOSEC have published blog posts and offered wisdom to those who seek to enter our industry. One of the best sides of our community is on display when venerable types extend a hand to the next generation. These amazing guides and collections of links and training resources can help guide many hopefuls on the path toward knowledge and perhaps their first of many rewarding jobs.

However, what if you aren’t just focusing on your first new job, but instead you want to take a broader view and help plot out your entire career? What if you don’t simply want to work for an INFOSEC business but instead you aim to run a security business? Deviant has started (and still runs) several successful security firms… and he believes there are some very specific points and considerations that don’t get brought up in the discussion. With the hope of saving countless new employees from failure and many new businesses from bankruptcy, Dev will discuss the key element that many people fail to bring to the table when starting a security career… and the secret to the success of so many INFOSEC individuals who came before us.

Deviant Ollam: While paying the bills as a security auditor and penetration testing consultant with The CORE Group, Deviant Ollam is also a member of the Board of Directors of the US division of TOOOL, The Open Organisation Of Lockpickers. His books Practical Lock Picking and Keys to the Kingdom are among Syngress Publishing’s best-selling pen testing titles. In addition to being a lockpicker, Deviant is also a GSA certified safe and vault technician and inspector.

At multiple annual security conferences Deviant runs the Lockpick Village workshop area, and he has conducted physical security training sessions for Black Hat, DeepSec, ToorCon, HackCon, ShakaCon, HackInTheBox, ekoparty, AusCERT, GovCERT, CONFidence, the FBI, the NSA, DARPA, the National Defense University, the United States Naval Academy at Annapolis, and the United States Military Academy at West Point. His favorite Amendments to the US Constitution are, in no particular order, the 1st, 2nd, 9th, & 10th.

Elevating Your Windows Privileges Like a Boss!

Local privilege escalation on Windows is becoming increasingly difficult. Gone are the days when you could just easily exploit the Windows kernel. Multiple controls (KASLR, DEP, SMEP, etc.) have made kernel mode exploitation of the bugs that are discovered much more difficult. In this talk, we’ll discuss multiple opportunities for privilege escalation including using COM objects, DLL side loading, and various privileges assigned to user accounts. Bring a Windows 10 VM. We’ll have instructions available for recreating the scenarios demonstrated in the talk.

Rendition InfoSec:

Adversarial Emulation

Today’s Red Team isn’t enough.

Why do we care? Because we want to move our defenses and understanding beyond a detection-based approach which has repeatedly been demonstrated to fail.

Why did I build SCYTHE? What led me here?

  • Fortune 50 Retailer Use Case
  • Bounded Attack Space Philosophy – the atoms of an attack (different way to look at ATT&CK)
  • Lessons Learned as a CNO expert coming into commercial/industry red teaming

Red Team vs Adversary Emulation – what’s done today vs what should be done

To white box or black box

Threat Intelligence

  • Such a disappointment = static identifiers, but no way to machine read for emulation
  • Analyst reports! Sigh, you have to read and analyze to pull out capabilities and TTPs
  • Neutered malware – awesome! But… risky and takes a decent amount of work to do, plus very prone to signature-based detection response

MITRE ATT&CK – what it can and can’t do for you.

  • Common mistakes – rigid adherence, signature-based

Open Source Options:

  • CALDERA – APT3 example (although, they didn’t really use CALDERA for this…)
  • PowerShell – great. Seen in the wild. But not hard to defend… so limitations.
  • Empire – based on… PowerShell.
  • Living off the Land –

Host Activities

  • Destruction: ransomware, wiper
  • Escalation
  • Persistence
  • Credential Theft

Network Activities –

  • Communication/Traffic
  • C2 infrastructure

Lateral Movement

  • Combination of host/network
  • Mapping

Going Purple

  • Combined visibility and reporting –
  • How do you technically do this – SIEM/Analytics, red team strings/tagging
  • Program strategy and direction – shared gap analysis

Bryson is the Founder of SCYTHE, a start-up building a next generation attack emulation platform, and GRIMM, a boutique cybersecurity consultancy, and Co-Founder of the ICS Village, a non-profit advancing awareness of industrial control system security. He is a National Security Institute Fellow and an Advisor to the Army Cyber Institute. Prior, Bryson led an elite offensive capabilities development group. As a U.S. Army Officer, he served as a Battle Captain and Brigade Engineering Officer in support of Operation Iraqi Freedom before leaving the Army as a Captain.

Bryson received his Bachelor of Science in Computer Science with honors from the United States Military Academy at West Point. He holds a Master’s Degree in Telecommunications Management from the University of Maryland, a Master’s in Business Administration from the University of Florida, and completed graduate studies in Electrical Engineering and Computer Science at the University of Texas.

Finding a Domain’s Worth of Malware

Are you tired of demonstrations of products that take months or years to get effective data from? How many products have you seen half-implemented (but fully paid for!) that didn’t ever deliver any real value to your organization? Here, I’ll discuss multiple free products that you can use next week to find evil inside your organization. Some techniques will find less advanced adversaries, and some will trip up even some of the most advanced ones – but they’ll all deliver value in less than a week of implementation, and I’ll discuss how you can integrate them and find the malware you already have in your environment. “Assume breach”…then find it!

Jeff McJunkin @jeffmcjunkin is Founder of Rogue Valley Information Security with more than nine years of experience in systems and network administration and network security. His greatest strength is his breadth of experience – from network and web application penetration testing to digital/mobile forensics, and from technical training to systems architecture. Jeff is a computer security/information assurance graduate of Southern Oregon University and holds many professional certifications. He has also competed in many security competitions, including taking first place at a regional NetWars competition and a U.S. Cyber Challenge capture-the-flag competition, as well as joining the Red Team for the Pacific Rim Collegiate Cyber Defense Competition. His personal blog can be found at