Rene Kolga

Ransomware And How It Evades Our Defenses

Remember WannaCry – the ransomware attack that infected Windows devices across 150 countries? What is often forgotten is that WannaCry was completely preventable. Microsoft had issued a patch two months prior to the attack. If you think WannaCry was bad, how about a ransomware that we don’t have any protection from?

This talk will cover a Windows evasion technique called “RIPlace” that, when used to maliciously alter files, bypasses most existing anti-ransomware technologies. In fact, even Endpoint Detection and Response (EDR) products are blind to this technique, which means these operations will not be visible for future incident response and investigation purposes.

The technique leverages an issue with how the filter drivers of security products handle errors in an edge-case scenario. While not a vulnerability per se, the technique is extremely easy for malicious actors to take advantage of with barely two lines of code. RIPlace abuses the way file rename operations are (mis)handled when performed through a legacy Windows function.

The talk will include a live demo of RIPlace bypassing a number of anti-ransomware technologies as well as the release of a RIPlace testing tool for the community to leverage in your own organizations.


Rob Carson

Guerrilla Warfare for the Blue Team

Blue teamers in the trenches need to stop living Groundhog Day. Time to punch Bill Murray in the face and change the game in our favor. The game has changed, but the basics are the same.

Coined in the 90’s by General Krulak, the three-block war is described as full-scale military action, peacekeeping operations (PKO) and humanitarian aid within the space of three contiguous city blocks.

How does this compare to starting your morning by activating your incident response (IR) plan due to a suspected credential breach, sitting in change management meetings (compliance), and handing out hugs while CXOs change their passwords for the first time?

1. No one is shooting at you.
2. Not much else

Just as methods of warfare have changed, so too has the way we must run security programs. What does it take to prepare and execute your own three-block Blue Team war?


Kat Sweet

Knock Your SOCs Off: Modernizing Security Operations

The model still in wide use for security operations – the tiered SOC in a windowless room staring at a single glass of pain – is a product of technological environments in rapid decline. As infrastructure and organizational structures evolve, so too must the teams responsible for keeping the lights on evolve their people, process, technology, and culture. So what does this look like for those on the ground?

From the brain of a former security analyst building out operations in a cloud-first and zero-trust environment (buzzword bingo cards not provided), we’ll reflect upon what problems we’re trying to solve in security operations and how to reimagine our solutions for the environment in front of us, whether it’s a distributed workforce, shiny new cloud infrastructure mixed with old servers in the basement, or a fleet of unmanaged endpoints. Attendees will gain practical approaches to adapting our own processes and tooling, revisiting our sources of truth, and turning our focus outward to engagement and visibility within the larger org.


Trenton Ivey

KEYNOTE: Make(){Break()};Break(){Make()};

By definition, hackers make things work in unexpected and unintended ways. To many outside this community, hacking seems like a destructive process. However, anyone that has ever created or utilized an exploit in an imaginative way knows that, at its heart, hacking is all about making something new. This talk, full of technical examples taken from opposing disciplines in information security, shows how healthy competition between makers and breakers drives progress.


Josh Bressers

Next Generation Enterprise Security

The single best way humans transfer knowledge is through stories. We are a social species, and there are no better stories than Star Trek episodes. Nearly every episode of Star Trek involves some sort of security incident: someone stealing data (or Data), insider threats, APTs, malware, and more. There is a lot of content we can use as examples to help teach and learn.

What would the Star Trek lessons look like if we break them down into their core components? Even though the stories are fictitious, we can use them to tell a story as a way to teach others about security and why it matters. We can start to ask questions like: who is the biggest insider threat the ship faces, Data or Wesley? Why is security so terrible; does Worf ever do his job? Have these people ever heard of two-factor authentication? Maybe the holodeck should be sandboxed? No, the Romulans aren’t telling the truth this time.

Our industry is one of very serious questions and discussions, but sometimes you can be too serious. It can be a challenge to explore security topics even inside the industry; sometimes we need a new way to think about a problem. Rather than focus on serious security lessons, let’s have some fun with made-up security stories. There are a lot of lessons to be learned in Star Trek TNG episodes.

In this session we are going to break down the security themes in Star Trek. Who are the threat actors? Who are the defenders? What are some mitigations that could be applied? What are some proactive ideas that should have been put in place? There are even some examples of recurring incidents because nobody fixed the problem the first time.

You will walk away from this one not just having had a lot of fun because Star Trek is awesome, but having learned some new ways to look at common problems. Sometimes a little perspective can really get the creative juices flowing.

Daniel Creed

Stop, think about the psychology of the hack and hacker FIRST!

We are by nature technologists, and far too often, when we see something suspicious on the network, we immediately jump to a technological solution without stopping to think about the psychology of what we are seeing and what that can mean in the form of an attack or breach.


Robert Lerner

418 I’m a Teapot – And other headers

What happens when you overshare HTTP headers, and how to check whether yours are “up to code”.


Melanie Ensign

Why Should Anyone Listen? Practical Advice for Security Pros to Build Influence & Impact

This talk is about earning influence and becoming a trusted advisor inside and outside a security organization. It is for everyone who wants to effectively advise business leaders, technical managers, and decision-makers. It’s also for anyone yearning to be heard by their boss or peers.


Byron Franz

The FBI Wants You! (To help in Protecting the U.S. From Cyberattacks)

System administrators, information security professionals, and ethical hackers are often the first line of defense in protecting U.S. companies and public institutions from cyberattacks. However, there are local, state, and federal resources available to assist in mitigating and investigating a cyber incident. Presidential Policy Directive 41 (PPD-41) established the FBI as the lead federal agency for cyber threat response activities in the U.S. How does the FBI conduct this threat response? This presentation will discuss various cyber threats to U.S. institutions, seek to dispel various myths about the FBI’s cyber efforts, and clarify what an institution can expect when contacting the FBI to report a computer intrusion, ransomware attack, or other incident. Special Agent Franz will also discuss the vital importance of IT professionals both reporting IOCs to the FBI and considering applying for an FBI Special Agent, Intelligence Analyst, or related position to bolster the U.S.’ national cyber defense capabilities.


Mike ‘Shecky’ Kavka

It’s Log, It’s Log… or Why are standards not standard

There are so many things we deal with in the field of information security, and so many vendors out there to deal with. The money to be made is staggering for vendors, but at what cost? Using a non-standard standard (i.e. Syslog) and not supporting ease of integration seem to be the norm, but is that not creating a less secure world? We shall take a brief look at the reasons why the world of security vendors might be hurting the security field overall with the non-standard standards in use.