Top red teamers are good at defense. The best blue teamers know offense. To up your game, you have to know the tools and techniques of your counterpart. In this talk, we’ll discuss simple, yet powerful tools and techniques used by red teamers with a focus on making the blue teamers more effective… and more purple.
Subjective reputation is a staple of our industry. Lists of “good” or “bad” indicators are the fuel behind many defensive strategies. More advanced tools such as machine learning, deep learning, and artificial intelligence are often leveraged to add or remove indicators from these reputation lists. Differing expectations and use cases can result in wild variations in the efficacy and value of a reputation source. This discussion will look at subjective reputation, the challenging environments where it is created, and alternate approaches worth considering.
There has been tremendous growth in the percentage of network traffic that is encrypted over the last decade. With this come many challenges for incident responders. Decrypting the traffic is often hard, if not impossible. The rise of encryption has undoubtedly increased privacy for users, but we know that threat actors take advantage of it as well. As network defenders our visibility is impacted, and traditional network monitoring and detection will not always work.
In this talk we will discuss the problem of encrypted traffic as it pertains to network detection and response, educate you on new developments in SSL/TLS, and demonstrate how you can still hunt for and detect badness in encrypted traffic.
In this talk I will explain the 3 techniques that will apply to 90% of commercial buildings (canned air trick, under the door tool, tricky hallpass variations). I will explain the techniques via a single engagement I had where I utilized all of them to break into bank branches and the bank headquarters. Additionally, I will walk through several much lesser-known, but highly effective, bypass techniques to enter high security buildings.
Whether it’s productivity applications, infrastructure, or platform migrations, security teams are often caught catching up to what the development and operations teams have already done. In this talk, I’ll highlight some of the things that I overlooked when reacting to the move to the cloud from the CISO perspective: things I look back on and have “Oh $H1T” moments about, along with ways to plan for, react to, and overcome them even if you’re past the migration.
The fun part of pentesting is the hacking, clearly. But the part that makes it a viable career is the reporting. You can develop the most amazing exploit for the most surprising vulnerability, but if you can’t document it clearly for the people who need to fix it, then you’re just having fun.
Which is fine! Have fun!
But if you want to make a career out of it, you should spend as much effort on a useful report as you do on the actual testing.
I will show you some common mistakes I see in reports. Then I’ll show you simple things you can do to make your reports clear, useful, and brief. You’ll see some before-and-after examples of a bad report made good, with clear explanations of what makes the difference. Those things will be useful no matter what tools you use to create reports, but if we have time, we’ll look at a few Microsoft Word hacks that will save you time and improve consistency.
This is the presentation that I would have given myself 10 years ago. Every day we get distracted from what we should be focused on by the latest breach notification, the latest glittery and sparkly product, vendor promises, or just the latest information security squirrel that runs by our desk. Having a defendable network depends on a foundation of solid (sometimes boring) controls that are easy to implement, but hard to stick to. This is how my team (blue) won our last red team engagement.
Artificial Intelligence (AI) technology as we know it is neither good nor bad. But it seems like you can’t go anywhere these days without hearing about how every company is using the power of AI, which is often actually machine learning (ML). As ML becomes a more ubiquitous tool for problem solving, it will inevitably lead to its abuse in the form of adversarial ML, which can be either algorithms created for malicious purposes or neutral algorithms used for bad. This presentation discusses and provides examples of the differences, but also presents how someone could theoretically take existing neutral ML tools and hack them together with other tools to create their own adversarial ML solution using neural networks to break captchas and steal Bitcoin, all for less than $100 and with no data science background. I will also show and explain how people are breaking captchas today. What I’m looking to do here is raise awareness, not fear, of this likely outcome. The application of malicious intent to technology is a lot closer than we think.
The current model for penetration testing is broken. The typical scan-and-exploit model doesn’t reflect how real attackers operate after establishing a foothold. At the same time, most organizations aren’t mature enough to need a proper red team assessment. It’s time to start adopting the assumed breach model. In this talk, I’ll discuss techniques for assumed breach assessments that provide a better model for emulating the techniques attackers use once they’ve established a foothold inside a typical network.
After reviewing over 10 billion botnet records, a lot of unusual records come to mind. Unlike much stolen data, botnet records do a great job of keeping track of who, when, where, and what, and sometimes even the how and why questions get answered. Let’s try connecting credentials stolen by a botnet with an unattributed breach, and we may be able to tell who was breached, and even when. This presentation, which is based on research and practical examples, will lift the veil off botnets and make mining their data significantly more actionable.
The Internet of Things (IoT) is a phenomenon which has penetrated the global market in virtually all devices capable of connecting to the internet. Smart toys are one such emerging device, offering the toy experience along with various internet features, such as playing and interacting with one’s child. Worldwide, smart toy sales reached 5 billion in 2017 and, according to the IoT marketplace in 2017, are expected to exceed 15 billion by 2022. Though useful, exposure to the internet also brings exposure to risk and vulnerabilities. Due to a lack of common knowledge of IoT functionality, home IoT devices pose a serious concern for users across the world. Our research investigates smart toy vulnerabilities and performs penetration testing on toy products. In our presentation, we will present a summary of the risks & vulnerabilities and provide users with employable mitigation practices to secure the private spaces, data, and members of the home.
1030-1100: Tigran Terpanddjian - Becoming a Human nMAP! Cultivating a Renaissance Approach for the Social Engineer
As a security analyst with an atypical entry into the information security world, one of the research questions I pose in social engineering is why reading a diverse array of topics is beneficial to the social engineer, whether it is something they are passionate about or not. Building upon the Defcon 24 presentation at the Social Engineering Village by Tomohisa Ishikawa, “Does Cultural Differences become a barrier for social engineering?”: cultural differences between countries place emphasis on different genres; therefore, what one person from a certain country holds dear, another may not. Your reconnaissance, pretexts and elicitations, and the support they require, must therefore be able to adapt.
From the doctored motherboard chips on our servers that have been corrupted along the supply chain to compromised peripheral devices, mobile phones and USB drops, hardware vulnerabilities represent a target-rich environment for cyber criminals leveraging a variety of threat exploits.
We encounter short links daily. Many platforms allow us to shorten URLs—making them easier and cleaner. While mostly used in marketing departments, their application is often cast wider, causing security leaks along the way. Focused on findings from an ongoing research project, this session will take an inside and in-depth look at the security (or lack thereof) of short links: what they are, what they do, what their intended use is, how they’re actually being used, and how uses of the tools have the potential to leak tons of sensitive data. As the household name in link shortening, bit.ly is a buffet of compromisable data.
Power-Response is an open source incident response framework that I developed with a few pals. We wanted a better, faster, and more thorough way to collect data during incident response scenarios and have some analysis done without having to type a whole bunch more commands. Some call us lazy, I say we are efficient. Power-Response is a sweet menu-based framework that allows analysts to make their own plugins (or use the ones we have made) to gather data and respond to incidents quickly. During this talk, we will focus on how to improve incident processes using a tool like Power-Response and what that means for the overall response effort. This is our way of taking incident response knowledge and passing it to the community to go forth and forensicate. Check out Power-Response at https://github.com/Asymmetric-InfoSec/Power-Response.
Bug bounties are hard, and I will walk you through my personal journey of designing and building a high-profile bug bounty that went viral and the fight to keep ahead of the curve. This talk is very much an “I wish that I knew then what I know now.” I will go through the basic steps, the common hurdles, and what you absolutely must do before you even consider starting a program.
Safety, as a field of study, has long been a part of creating organizational cultures that protect people and processes from harm. Let’s explore lessons from safety that might improve information security.
This talk relates and aligns concepts in safety culture which have the potential to benefit information security culture. The proposal is that security culture alone is not enough to protect people and organizations from the potential harm caused by security-related incidents. The difference is not merely semantic; safety culture is responsible for the most reliable organizations the world has to offer.
As organizations adopt DevSecOps, security professionals interact more and more with pure development teams. If you’ve ever explained why security is important to a developer, you’ve probably run into a language barrier. This talk is given by a developer/casual hacker that wants to help infosec communities understand communication pitfalls; some common language we can all use; and what developers need from security to succeed.
60% of hackers do not report vulnerabilities due to the fear of prosecution. This talk provides insights about the past, present, and future of safe harbor, shares stories of what happens when there is a lack of safe harbor when conducting ethical hacking, and ultimately explains why we need to work together within the infosec community to encourage instead of discourage vulnerability submissions.
OpenVAS is a well-known open source vulnerability scanning system with an easy to use web interface and good quality tests. Unfortunately, it’s got some performance challenges in large environments. I’ll show how I investigated OpenVAS performance and share technical hints to deploy it on a 10,000+ node network without hating your life.
A series of ‘worst practices’ for data privacy and security. Examples include poor password hygiene, hiding corporate security policy, etc.
You can’t always choose the tools you work with. Not a vendor talk, just working with what we were given to use. Use Nessus Pro, Tenable Security Center or TenableIO? Don’t settle for stock CIS audit files and the limitations of working with TenableIO’s API. To show how we’ve worked to overcome gaps in CIS audits and meet an organization’s baseline scanning efforts, Gabe used PowerShell scripting to craft checks that ensure a true pass or true fail. In similar fashion, getting what you want out of TenableIO can be challenging. TenableIO’s API is a primary means to get data from scanning. Eric created custom Python scripts that can help you get the information that is useful to you and your organization.
5G networks leverage modern technological paradigms such as software-defined networking (SDN) and network functions virtualization (NFV) to meet the requirements of broadband access everywhere. SDN and NFV leverage advances in cloud computing such as mobile edge computing to meet ease-of-integration requirements. However, securely using these technologies and providing user privacy in future wireless networks are common concerns that are not talked about. This talk provides an overview of the security challenges in clouds, software-defined networking, and network functions virtualization, and the challenges of user privacy; it provides solutions to these challenges and builds a roadmap for secure 5G systems.
Come and witness the world’s fastest password cracking solution. With new research performed and a platform created, I have built a distributed system to crack passwords at the speed of one trillion guesses per second. My research into password cracking started with the 2012 LinkedIn password dump and I have continually perfected my techniques. Let’s first talk about the tools and techniques, then we can talk about cloud performance vs DIY vs commercial solutions, and finally let’s get to the point where we can stop asking “How long would it take to crack this password?” and instead ask how MUCH it costs to crack this password.