Talks Saturday & Sunday November 9th/10th (Schedule)

How Political Bots influence Brexit – Zeshan Aziz @Lockheedmartini

As expected, many of the previously useful automated heuristics for bot detection have become less relevant as bot creators have updated their operational security (OPSEC) and tactics, techniques, and procedures (TTPs) to account for common detection mechanisms. Bots that display obvious tells, such as posting at odd hours, generating extremely high volumes of interaction, or retweeting without ever posting original content, are routinely suspended by Twitter’s internal team. This has produced a Darwinian effect on inauthentic accounts, making the survivors harder to discern using automated statistics alone.

What remains, especially for researchers without access to internal Twitter telemetry (such as log-in IP addresses or associated metadata like email addresses or phone numbers), is analysis and classification of accounts based purely on behavior and content. Bots are useless to their creators unless they influence a conversation, apart from building up some historical record. As a result, visually exposing accounts that communicate in a largely broadcast manner (one-way amplification with little or no engagement coming back) has traditionally been the most useful classification used by Brainspace and other data analytics tools, the so-called “star-pattern” analysis.

Content-based sentiment analysis can also prove useful. Many combinations of sentiments are unusual for a single human to hold, simply because humans have a limited set of interests about which they tweet. An early example of this was discussed by Cyxtera analysts in research on seemingly pro-Trump bots posting heavily about the U.S. leaving the Syrian war.
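The behavioural features the abstract describes (retweet-only accounts, one-way interaction, posting squeezed into a few hours) and the star shape of amplifiers around a hub, as an added example for this page. It is not code from the talk, from Brainspace or from any other tool named above; the thresholds, the account names and the tweet sample are constructed assumptions.

```python
"""Behavioural scoring of accounts in a constructed tweet sample.

Added example for this page, not code from the talk or from Brainspace.
It computes the features the abstract describes (retweet-only behaviour,
one-way "broadcast" interaction, posting concentrated in a few hours) and
then looks for the star shape of amplifiers around a hub. Thresholds and
the sample data are illustrative assumptions.
"""
from collections import Counter, defaultdict
from math import log2

MIN_POSTS = 5             # assumption: ignore accounts with too little history
RETWEET_SHARE = 0.8       # assumption: at least 80% of posts are retweets
MAX_HOUR_ENTROPY = 1.0    # assumption: posting squeezed into ~2 hours of the day
MIN_SPOKES = 5            # assumption: amplifiers needed to call something a hub
SPOKE_BOT_FRACTION = 0.7  # assumption: share of spokes that must look automated


def build_sample():
    """Constructed data, not real Twitter traffic: (author, kind, target, hour_utc)."""
    t = [("alice", "tweet", None, h) for h in (8, 12, 19, 22)]
    t += [("alice", "reply", "bob", 13), ("bob", "reply", "alice", 14),
          ("bob", "tweet", None, 7), ("bob", "retweet", "hub", 20),
          ("carol", "tweet", None, 9), ("carol", "reply", "alice", 21),
          ("carol", "retweet", "bob", 11), ("carol", "tweet", None, 16)]
    t += [("hub", "tweet", None, h) for h in (6, 10, 15, 18, 23)]
    for i in range(6):                      # six amplifiers that only retweet the hub
        t += [(f"amp{i}", "retweet", "hub", 2)] * 4
        t += [(f"amp{i}", "retweet", "hub", 3)] * 2
    return t


def entropy_bits(counter):
    total = sum(counter.values())
    return -sum(c / total * log2(c / total) for c in counter.values())


def account_features(tweets):
    posts, retweets, sent, received = Counter(), Counter(), Counter(), Counter()
    hours = defaultdict(Counter)
    for author, kind, target, hour in tweets:
        posts[author] += 1
        hours[author][hour] += 1
        if kind == "retweet":
            retweets[author] += 1
        if target is not None:              # retweets and replies are directed edges
            sent[author] += 1
            received[target] += 1
    return {
        a: {
            "posts": n,
            "retweet_share": retweets[a] / n,
            "sent": sent[a],
            "received": received[a],
            "hour_entropy": entropy_bits(hours[a]),
        }
        for a, n in posts.items()
    }


def bot_score(f):
    """Number of behavioural tells tripped (0-3). A survivor of Twitter's own
    suspensions will often trip none, which is the point the abstract makes."""
    if f["posts"] < MIN_POSTS:
        return 0
    flags = 0
    flags += f["retweet_share"] >= RETWEET_SHARE             # never posts original content
    flags += f["sent"] >= MIN_POSTS and f["received"] == 0   # talks at people, nobody answers
    flags += f["hour_entropy"] <= MAX_HOUR_ENTROPY           # posting hours look scheduled
    return flags


def classify(tweets):
    return {a: bot_score(f) for a, f in account_features(tweets).items()}


def star_hubs(tweets, scores, min_score=2):
    """Accounts amplified mostly by automated-looking spokes: the star pattern."""
    spokes = defaultdict(set)
    for author, kind, target, _ in tweets:
        if kind == "retweet":
            spokes[target].add(author)
    hubs = {}
    for target, sources in spokes.items():
        if len(sources) < MIN_SPOKES:
            continue
        automated = sum(1 for s in sources if scores.get(s, 0) >= min_score)
        if automated / len(sources) >= SPOKE_BOT_FRACTION:
            hubs[target] = sorted(sources)
    return hubs


if __name__ == "__main__":
    sample = build_sample()
    scores = classify(sample)
    for account, score in sorted(scores.items()):
        print(f"{account:6s} score={score}")
    print("star hubs:", star_hubs(sample, scores))
```

The hub itself scores zero: it posts original content at human-looking hours and receives plenty of engagement, which is why the abstract stresses looking at the shape of the interaction graph rather than at any single account's statistics.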

Zeshan Aziz is an undergraduate student majoring in industrial engineering at the University of Miami. Since starting college, Zeshan has been active in the cyber security community, attending conferences, competing in CTFs, and working in industry. Zeshan has previously presented at Countermeasure (Ottawa). This past spring he worked as an intern on the research team at Immunity Inc, a Cyxtera subsidiary. He has worked in various roles, including cyber threat intelligence for Wapack Labs and data analytics for a Fortune 100 company. Zeshan’s interests lie mainly at the intersection of cyber security, data science and geopolitics. Zeshan is also a two-time Black Hat USA scholarship winner and recipient of the Howard Schmidt award from ISSA.

Medical Records and Default Passwords - Qasim Ijaz

As a penetration tester focused on the healthcare industry, I’ve seen patient data in medical devices that lacked authentication, posed as a medical doctor to dupe the help desk into handing over credentials (and vice versa), and gone as far as gaining domain admin in 10 minutes (thank you, defaults). This talk will be full of stories, memes, and screenshots portraying cybersecurity issues affecting healthcare environments.

I will discuss what I see as root causes and talk about regulatory & industry frameworks that try to mitigate these issues. The attendees will leave the talk with a better understanding of healthcare security issues, a methodology for conducting HIPAA penetration tests, and ideas to combat these issues head-on.

Qasim "Q" Ijaz is Director of Penetration Testing at Coalfire Systems, specializing in healthcare security and penetration testing. He has conducted hundreds of penetration tests in small to large environments, with a focus on network and web application testing. His areas of interest include healthcare security, cybersecurity policy, Windows penetration testing, Python, and the "dry" business side of hacking. Qasim is a penetration test lead during the day and a teacher in the after hours. He has delivered training at conferences as well as in college classrooms.

Connected World of Devices - Exploiting the Embedded Web Security - Aditya K Sood 

Threats in the IoT space are increasing at an exponential scale. One of the most pressing issues encountered in IoT devices is the management and deployment of embedded web servers and the security controls associated with them. A number of security flaws exist because strong authentication and authorization controls are not imposed at a granular level. In addition, bad design practices give rise to inherent vulnerabilities. This talk highlights the state of security in embedded web servers by presenting undisclosed vulnerabilities in IoT devices. Additionally, the talk unveils how the embedded web servers used in IoT devices are exploited by adversaries to trigger advanced cyber attacks. There will be demonstrations, and the associated proof-of-concept code will be released.

Aditya K Sood (Ph.D) is a security practitioner, researcher and consultant. With more than 10 years of experience, he provides strategic leadership in the field of information security covering products and infrastructure. Dr. Sood has research interests in cloud security, malware automation and analysis, application security and secure software design. He has authored several papers for various magazines and journals including IEEE, Elsevier, CrossTalk, ISACA, Virus Bulletin, and Usenix. His work has been featured in several media outlets including Associated Press, Fox News, The Register, Guardian, Business Insider, CBC and others. He has been an active speaker at industry conferences and has presented at BlackHat, DEFCON, HackInTheBox, RSA, Virus Bulletin, OWASP and many others. Dr. Sood obtained his Ph.D from Michigan State University in Computer Science. Dr. Sood is also the author of the book "Targeted Cyber Attacks", published by Syngress. Currently, he directs the security efforts for the cloud security division at Symantec.

From zero to Yara with Volatility Framework - Evan Wagner

Memory analysis can help fill gaps in your coverage if you don't have Sysmon or an expensive EDR solution and want to get process execution trees, open file handles, mutexes, executed command lines, browsed folders and much, much more. In this talk I will give some background on the tool, its fork Rekall and where they both fit in. Then we will discuss memory acquisition, supported formats and how to select the correct OS build profiles. Basic plugin usage will be conveyed for displaying useful information and for dumping out intact files/process executables for further analysis. Then I will demonstrate techniques that I use for responding to alerts and identifying malware and behavior from indicators. Finally I will give examples of how to write YARA rules and how to script out Volatility commands to further enrich the data and then visualize it for easier analyst consumption.
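One way to script around Volatility output as the abstract suggests, as an added example for this page (not code from the talk or from the Volatility project): parse the text that Volatility 2's `pslist` plugin prints (for instance from `vol.py -f mem.raw --profile=Win7SP1x64 pslist`) into a process tree and flag lineage that should not occur on a healthy Windows host. The listing below is constructed to look like that output, Volatility 3 prints a different layout, and the parent/child rules are a small illustrative subset.

```python
"""Parse Volatility 2 `pslist` text output and flag suspicious process lineage.

Added example for this page, not code from the talk or the Volatility
project. Assumptions: the listing came from Volatility 2's pslist plugin
(Volatility 3 uses a different layout), the parent/child rules below are a
small illustrative subset, and SAMPLE_PSLIST is constructed.
"""
import re
from dataclasses import dataclass

# Constructed listing in Volatility 2 pslist layout (not a real capture).
SAMPLE_PSLIST = """\
Offset(V)          Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit
------------------ -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0xfffffa8000ca0b30 System                    4      0     80      500 ------      0 2019-11-09 12:00:00 UTC+0000
0xfffffa8001a1a040 wininit.exe             404    348      3       76      0      0 2019-11-09 12:00:05 UTC+0000
0xfffffa8001b0b060 services.exe            512    404      9      220      0      0 2019-11-09 12:00:06 UTC+0000
0xfffffa8001b22070 lsass.exe               520    404      8      600      0      0 2019-11-09 12:00:06 UTC+0000
0xfffffa8001c01080 svchost.exe             640    512     12      400      0      0 2019-11-09 12:00:08 UTC+0000
0xfffffa8001e10090 explorer.exe           1700   1650     30      900      1      0 2019-11-09 12:01:00 UTC+0000
0xfffffa8002a000a0 WINWORD.EXE            2312   1700     14      450      1      1 2019-11-09 12:05:10 UTC+0000
0xfffffa8002b000b0 cmd.exe                2440   2312      1       30      1      1 2019-11-09 12:05:12 UTC+0000
0xfffffa8002c000c0 powershell.exe         2468   2440      7      300      1      1 2019-11-09 12:05:13 UTC+0000
0xfffffa8002d000d0 svchost.exe            2500   2468      4       80      1      1 2019-11-09 12:05:20 UTC+0000
"""

ROW_RE = re.compile(r"^(0x[0-9a-fA-F]+)\s+(\S+)\s+(\d+)\s+(\d+)\s")
TIME_RE = re.compile(r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} UTC[+-]\d{4}")

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# Where these should come from on a normal Windows box (illustrative subset).
EXPECTED_PARENT = {"svchost.exe": "services.exe", "lsass.exe": "wininit.exe",
                   "services.exe": "wininit.exe"}


@dataclass
class Proc:
    name: str
    pid: int
    ppid: int
    start: str


def parse_pslist(text):
    """Return {pid: Proc}; header, separator and blank lines are skipped."""
    procs = {}
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        t = TIME_RE.search(line)
        pid = int(m.group(3))
        procs[pid] = Proc(m.group(2), pid, int(m.group(4)), t.group(0) if t else "")
    return procs


def ancestors(procs, pid):
    """Parent chain, nearest first; stops at exited (unlisted) parents or loops."""
    chain, seen = [], {pid}
    while pid in procs and procs[pid].ppid in procs and procs[pid].ppid not in seen:
        pid = procs[pid].ppid
        seen.add(pid)
        chain.append(procs[pid])
    return chain


def find_suspicious(procs):
    """Return (pid, name, reason) triples, sorted by pid."""
    findings = []
    for p in procs.values():
        name = p.name.lower()
        if name in SHELLS:
            office = [a.name for a in ancestors(procs, p.pid) if a.name.lower() in OFFICE]
            if office:
                findings.append((p.pid, name, f"shell spawned under Office process {office[0]}"))
        parent = procs.get(p.ppid)
        if name in EXPECTED_PARENT and parent and parent.name.lower() != EXPECTED_PARENT[name]:
            findings.append((p.pid, name, f"unexpected parent {parent.name} (pid {parent.pid})"))
    return sorted(findings)


if __name__ == "__main__":
    for pid, name, reason in find_suspicious(parse_pslist(SAMPLE_PSLIST)):
        print(f"PID {pid:>5} {name:<16} {reason}")
```

Walking the full ancestor chain rather than only the direct parent is what catches the PowerShell stage here: its parent is an innocuous `cmd.exe`, but two hops up sits `WINWORD.EXE`. The rogue `svchost.exe` is caught the other way round, by checking that well-known system processes descend from the parent they always have.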

Evan Wagner has 19 years of IT experience. He began with his first hosting and development company in 1999. Since then he has worked in a variety of roles, including Software Engineer, DBA, System Administrator III, Security Admin and Sr. Incident Responder, at organizations including Interop, Akamai, Seminole Gaming/Hard Rock and a Fortune 1 company. He started full time in security in 2013 while working for Prolexic DDoS mitigation, where he was exposed to CTF tournaments, which have been a passion ever since. Evan has also been involved in the community and has presented at BSides Austin, Hacker Halted, ISSA, OWASP, HackMiami, NolaCon and other meetup groups.

Applying Pareto’s Principle to Securing AWS with SCPs - Ayman Elsawah

In this talk I will walk through the use of Pareto’s 80/20 rule to add significant security to your AWS accounts at scale with little relative effort (but lots of testing). We will be leveraging the power of AWS Organizations and Service Control Policies (SCPs) to accomplish our goals. This will be a technical talk and guide on taking advantage of AWS Organizations and SCPs from scratch, with lessons learned from using them in the wild that will save you time. If you have not yet utilized AWS Organizations or SCPs and have (or plan to have) multiple AWS accounts, this talk is for you.
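What a guardrail SCP of the kind the abstract refers to looks like, together with a small local evaluator for reasoning about it before it is attached to anything real, as an added example for this page. It is not code from the talk or from AWS: the region list and the list of global services are illustrative assumptions, and the evaluator models only Action/NotAction, String(Not)Equals conditions and the management-account exemption (no Resource, Principal or other operators). It encodes three properties that matter when rolling SCPs out at scale: the "lots of testing" part of the abstract, the fact that an SCP never grants anything (IAM must still allow the call), and the self-lockout that happens when the AWS-managed FullAWSAccess policy is detached without a replacement Allow.

```python
"""A guardrail SCP and a tiny local evaluator for reasoning about it.

Added example for this page, not code from the talk or from AWS. The
policy is illustrative (your region list and exemptions will differ), and
the evaluator is deliberately minimal: it understands Action/NotAction,
StringEquals/StringNotEquals conditions and the management-account
exemption, and ignores Resource, Principal and other operators. It is a
tool for checking policy intent, not a substitute for the IAM policy
simulator or for testing in a sandbox OU.
"""
import fnmatch
import json

# The AWS-managed default attached to every root/OU/account. Removing it
# without replacing it with your own Allow is the classic self-lockout.
FULL_AWS_ACCESS = {"Version": "2012-10-17",
                   "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}

APPROVED_REGIONS = ["us-east-1", "us-west-2"]                 # assumption
GLOBAL_SERVICES = ["iam:*", "sts:*", "organizations:*", "support:*",
                   "cloudfront:*", "route53:*", "budgets:*"]  # illustrative, not exhaustive

GUARDRAIL_SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "DenyLeavingTheOrganization", "Effect": "Deny",
         "Action": "organizations:LeaveOrganization", "Resource": "*"},
        {"Sid": "ProtectCloudTrail", "Effect": "Deny",
         "Action": ["cloudtrail:StopLogging", "cloudtrail:DeleteTrail",
                    "cloudtrail:UpdateTrail"], "Resource": "*"},
        {"Sid": "DenyUnapprovedRegions", "Effect": "Deny",
         "NotAction": GLOBAL_SERVICES, "Resource": "*",
         "Condition": {"StringNotEquals": {"aws:RequestedRegion": APPROVED_REGIONS}}},
    ],
}


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _match_any(patterns, action):
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)


def _condition_holds(condition, ctx):
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            expected, actual = _as_list(expected), ctx.get(key)
            if operator == "StringEquals":
                if actual not in expected:
                    return False
            elif operator == "StringNotEquals":   # a missing key satisfies the negated form
                if actual in expected:
                    return False
            else:
                raise NotImplementedError(f"operator {operator} not modelled")
    return True


def _applies(statement, action, ctx):
    if "Action" in statement:
        hit = _match_any(_as_list(statement["Action"]), action)
    else:
        hit = not _match_any(_as_list(statement["NotAction"]), action)
    return hit and _condition_holds(statement.get("Condition", {}), ctx)


def node_allows(scps, action, ctx):
    """SCPs attached at one root/OU/account: at least one Allow and no Deny."""
    allowed = denied = False
    for scp in scps:
        for st in scp["Statement"]:
            if _applies(st, action, ctx):
                if st["Effect"] == "Deny":
                    denied = True
                else:
                    allowed = True
    return allowed and not denied


def org_allows(levels, action, ctx, management_account=False):
    """levels: SCP lists from the root down to the account; every level must
    allow. The management account is never restricted by SCPs, and an SCP
    that allows something still grants nothing: IAM must allow it too."""
    if management_account:
        return True
    return all(node_allows(scps, action, ctx) for scps in levels)


if __name__ == "__main__":
    levels = [[FULL_AWS_ACCESS], [FULL_AWS_ACCESS, GUARDRAIL_SCP]]  # root, then a workload OU
    for action, region in [("ec2:RunInstances", "us-east-1"), ("ec2:RunInstances", "eu-west-1"),
                           ("cloudtrail:StopLogging", "us-east-1"), ("iam:CreateUser", "us-east-1")]:
        print(f"{action:24s} {region:10s}", org_allows(levels, action, {"aws:RequestedRegion": region}))
    print(json.dumps(GUARDRAIL_SCP, indent=2))
```

The `iam:CreateUser` case shows why the region deny uses `NotAction` with a global-service exemption list: IAM and STS calls are not made in a region of your choosing, and denying them by region silently breaks every account. The last assertion below is the lockout case, a workload OU with only the guardrail attached and no Allow at all.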

Ayman Elsawah is a veteran Information Security Professional and Educator having worked in a variety of industries including Financial, Social Media, Global E-Commerce, Silicon Valley Startups, and the Movie/Entertainment Industry. An early user of AWS, Ayman specializes in AWS Security and helps companies operationalize their presence in the cloud and take their security maturity to the next level. He has built custom tools internally for organizations with hundreds of AWS accounts helping streamline their operations. His specializations are in Centralized Log Management and Identity and Access Management (IAM).

He is also the host of the Getting Into Infosec Podcast and author of the book Breaking IN: A Practical Guide to Starting a Career In Information Security. He loves teaching others about Information Security and Cloud Security.

Finding badness - Using Moloch for DFIR - Elyse Rinne - Andy Wick

In this presentation, we will share how the Verizon Media Paranoids use Moloch, our open source full packet capture system, to perform DFIR. Moloch augments your current security infrastructure by storing network traffic in standard PCAP format while providing fast indexed access to it.

We will explore several scenarios:

- How we use Moloch internally in our day-to-day investigations
- How Moloch allowed us to view the modification to go-pear.phar and build a timeline around its exploitation
- Using Moloch for proactive hunting of badness
- How to use Moloch for sustained collection for long-term investigations
- Correlation with other data sources (e.g. Suricata, WISE)
- Bad go-pear.phar file discovery and demo

Outline:

- What is Moloch
- Moloch history
- Moloch deployments
- Proactive Moloch hunting
- Moloch enrichment from other data sources
- Moloch open source community
- Future work

Andy Wick is a Senior Principal Architect, the creator of Moloch and former Chief Architect of AIM. He joined the security team in 2011. He has a passion for building large scalable tools and empowering users, as well as the global open source community.

Elyse Rinne is the UI and full stack engineer for Moloch. She revamped the UI to be more user-friendly and maintainable and is now working on implementing awesome new features to make Moloch the go-to open source tool for network security professionals. She is passionate about open source software and its ability to create amazing tools.

Cybersecurity Responsibilities - Sam Bowne

As US influence declines, China is rapidly rising to be the next superpower. Russia is dividing and disrupting us in a desperate struggle to regain the lost glory of the USSR, and North Korea funds its military with cybercrime. This cyberwar rages around us, largely invisible and poorly understood.

This talk explains how we got here, how the current conflict is affecting us, and makes recommendations for ways to protect individuals, businesses, our nation, and our values.

Sam Bowne has been teaching computer networking and security classes at City College San Francisco since 2000. He has given talks and hands-on trainings at Black Hat, DEF CON, DEF CON China, HOPE, RSA, and many conferences and colleges.

He is the founder of Infosec Decoded, Inc., providing security training and consulting. Credentials include: PhD, CISSP, DEF CON Black Badge Co-Winner.

Ransomware And How It Evades Our Defenses - Rene Kolga

Ransomware has long been a menace for organizations and consumers. Global damage cost estimates reach about 10 billion USD per year. After all these years, why does ransomware continue to be so good at being so bad? In this talk we will review the security industry’s history of largely ineffective responses to ransomware, including common ransomware detection methods with their pros and cons. You will see how ransomware developers use simple techniques to bypass each of those methods. This session will also highlight some of the latest attacks, including Norsk Hydro and ransomware pretending to donate your Bitcoins to a children’s charity. Finally, we'll see a demo of ransomware that not only bypasses common antivirus products, but also leaves EDR solutions blind.

Rene Kolga, CISSP, has over 15 years of cybersecurity experience in the areas of endpoint protection, insider threat, encryption and vulnerability management. He worked for both Fortune 500 companies and Silicon Valley startups, including Symantec, Citrix, Altiris and Nyotron. Rene earned his Computer Science degree from Tallinn University of Technology. He frequently speaks on security topics at industry conferences like Black Hat, BSides, InfoSecurity and (ISC)2 Security Congress.

Blockchain developments in the state of California - Ben Bartlett

Berkeley City Councilmember and former Vice Mayor Ben Bartlett is a nationally recognized policy leader. Ben has authored and passed more than 60 measures focused on innovation, opportunity, and inclusion, including:
- Prefabricated Housing for the Homeless
- Health Innovation Zone
- Electric Vehicle Infrastructure
- Telemedical Adoption
- Unionized Jobs in Robotics and Automation 

Ben is a member of the State of California Blockchain Working Group and is working to integrate government and Blockchain through public finance, currencies, and data markets.

Ben authored Berkeley’s Tokenized Debt Offering (Berkeley ICO) using blockchain technology to issue bonds.  He is author of the Smart Path Blockchain investment and policy thesis. Professionally, Ben is a partner in Tackett Bartlett LLP where he provides counsel for Blockchain entrepreneurs, governments, and businesses. 

How to report and handle security disclosures - Aviv Sasson

In an environment as dynamic as the computing world, technology changes rapidly and new CVEs are disclosed every day. In this presentation, Aviv will shed some light on the process of security disclosure from the perspectives of both researchers and developers. He will talk about the implications of handling the process poorly and about scenarios that could have happened because of inadequate security disclosure.

He will talk about some vulnerabilities he found and how he and the developers handled the situations.

Finally, he will give some tips on how to improve the disclosure process from the researcher and developer perspectives while keeping security at a maximum.

Aviv is an experienced security researcher responsible for finding many vulnerabilities in cloud native projects. Aviv served 5 years in the IDF as a security researcher in the Special Ops Department.

He now works as a senior security researcher at Palo Alto Networks, looking for vulnerabilities in the cloud native landscape.

Open-Source tools in Infosec - Marco Palacios

Open-source tools are becoming popular in the InfoSec industry, and they are replacing commercial products. Yet not many people know about them and continue paying high prices for commercial tools. In this presentation, we are going to discuss the various open-source tools used in Security Operations, with an emphasis on TheHive Project.

Marco has over 10 years of IT operations and more than 4 years of security operations experience. He has worked as a SOC analyst for NASA and as an incident handler for Fortinet. In his current position, he is responsible for monitoring and detecting malicious activity. Marco has presented at Hack The Valley and Pacific Hackers Meetup. He is very active in the InfoSec community and loves collaboration.

Using Splunk or ELK for Auditing AWS/GCP/Azure Security posture - Rod Soto - Jose Hernandez

This presentation shows how to use Splunk to give the analyst a comprehensive view of AWS/GCP/Azure security posture. The presenters will outline how to ingest the audit data produced by the open source tool Cloud Security Suite into Splunk to analyze cloud vulnerabilities, harden multi-cloud deployments and visualize the multi-cloud threat surface. They will also demonstrate use cases built on Splunk knowledge objects (tables, dashboards, alerts, field extractions, lookups, etc.) that take advantage of the information provided by supporting tools such as the Scout2 and G-Scout projects for cloud API auditing.

Rod Soto has over 15 years of experience in information technology and security. He is currently working as Principal Security Research Engineer at Splunk. He has spoken at ISSA, ISC2, OWASP, DEFCON, Hackmiami and BSides, and has been featured in Rolling Stone Magazine, Pentest Magazine, Univision and CNN. Rod Soto was the winner of the 2012 BlackHat Las Vegas CTF competition and is the founder and lead developer of the Kommand && KonTroll competitive hacking tournament series.

José is a Principal Security Researcher at Splunk. He started his professional career at Prolexic Technologies (now Akamai), fighting DDoS attacks from “Anonymous” and “LulzSec” against Fortune 100 companies. As an engineering co-founder of Zenedge Inc. (acquired by Oracle Inc.), José helped build technologies to fight bots and web application attacks. While working at Splunk as a Security Architect, he built and released an auto-mitigation framework that has been used to automatically fight attacks in large organizations. He has also built security operation centers and run a public threat intelligence service. Although security has been the focus of his career, José has found that his true passion is in solving problems and creating solutions. As an example, he built an underwater remote-control vehicle called the SensorSub, which was used to test and measure toxicity in Miami's waterways.

Designing Automation Playbooks for security teams - Lior Kolnik

Security teams use a variety of different tools and services to handle alerts and investigate cases, including EDR, sandboxes, SIEM, TIPs, etc. Many user actions need to be repeated for each alert, making it near impossible to handle hundreds or thousands of alerts. False positives must often be identified manually because the siloed tools do not communicate directly with one another. The need for intelligent automation has never been clearer: we need automation that serves the human analyst and empowers them to use their skills on the more complex cases.
Playbooks can automate flows across many tools in both company networks and cloud environments, leveraging APIs to speed up response, save analysts' time and make security more efficient.

In this session, we will learn how to design such automation playbooks and analyze use cases for different security teams, including SOC, threat hunting, vulnerability management and more.


Lior Kolnik currently leads Security Research for Demisto at the Palo Alto Networks HQ in Silicon Valley. Lior and his team design security playbooks to arm the next generation of blue teams, and work with some of the world's leading blue teams to support them in their mission. Through his private-sector consulting, security-focused M.Sc. studies and 7-year service in an elite technological unit of the IDF, Lior has accumulated varied experience in R&D, threat intelligence and security operations. Lior has given talks on various security topics in closed peer forums as well as at global conferences such as Infosec Europe, Palo Alto Networks Ignite and Black Hat Arsenal.

Serverless Log Analysis on AWS - Georgios Kapoglis

In this talk we will go over traditional log analysis methods for AWS CloudTrail logs and why we needed to find a better way of performing such investigations. We will then dive into AWS Athena, which is essentially a serverless Hive in the cloud (“too many buzzwords alert”), and how we use it to perform log analysis in the cloud under a centralized, efficient and transparent framework. We will go over use cases and examples of investigations, showcase investigations, and show how Athena helped us perform more efficiently than the traditional methods mentioned before. Additionally, we will mention use cases for other types of log analysis, like Apache access logs, ELB and ALB logs, etc.
Lastly, we will demo AWS Athena and show how we perform forensics on AWS, all done serverless in the cloud without the need to spin up any instances or servers.

In the end, we will describe the countless possibilities for future work, which include automation, threat hunting and continuous monitoring of your AWS environment.
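Two of the CloudTrail questions an incident responder typically asks in Athena (console password guessing from one address, and interactive use of the root user), as an added example for this page rather than code from the talk or from AWS. In Athena they run against the CloudTrail table defined in the AWS documentation, where `useridentity` is a STRUCT (`useridentity.type`) and `responseelements` is a JSON string read with `json_extract_scalar(responseelements, '$.ConsoleLogin')`; here a loader flattens those two fields into plain columns so the same queries run offline against SQLite. The events, account id and IP addresses (RFC 5737 documentation ranges) are constructed, and the `?` parameter is SQLite syntax that you would inline in Athena.

```python
"""CloudTrail hunting queries exercised locally with SQLite.

Added example for this page, not code from the talk or from AWS. In Athena
the same questions are asked of the CloudTrail table from the AWS docs;
the loader below flattens the nested useridentity and responseElements
fields into plain columns so the queries run offline. Events, account id
and IP addresses (RFC 5737 ranges) are constructed.
"""
import sqlite3


def _event(time, name, source, ip, identity, login=None,
           agent="console.amazonaws.com", kind="AwsConsoleSignIn"):
    arn = ("arn:aws:iam::123456789012:root" if identity == "Root"
           else "arn:aws:iam::123456789012:user/deploy")
    return {"eventTime": time, "eventName": name, "eventSource": source,
            "awsRegion": "us-east-1", "sourceIPAddress": ip, "userAgent": agent,
            "eventType": kind, "userIdentity": {"type": identity, "arn": arn},
            "responseElements": {"ConsoleLogin": login} if login else None}


SAMPLE_EVENTS = [
    *[_event(f"2019-11-09T02:1{i}:00Z", "ConsoleLogin", "signin.amazonaws.com",
             "203.0.113.7", "IAMUser", "Failure") for i in range(5)],
    _event("2019-11-09T08:00:00Z", "ConsoleLogin", "signin.amazonaws.com",
           "198.51.100.9", "IAMUser", "Failure"),
    _event("2019-11-09T08:01:00Z", "ConsoleLogin", "signin.amazonaws.com",
           "198.51.100.9", "IAMUser", "Success"),
    _event("2019-11-09T09:30:00Z", "ConsoleLogin", "signin.amazonaws.com",
           "203.0.113.7", "Root", "Success"),
    _event("2019-11-09T09:31:00Z", "CreateAccessKey", "iam.amazonaws.com",
           "203.0.113.7", "Root", agent="aws-cli/1.16", kind="AwsApiCall"),
    _event("2019-11-09T10:00:00Z", "CreateBucket", "s3.amazonaws.com",
           "198.51.100.9", "IAMUser", agent="aws-cli/1.16", kind="AwsApiCall"),
]

DDL = """CREATE TABLE cloudtrail_logs (
    eventtime TEXT, eventname TEXT, eventsource TEXT, awsregion TEXT,
    sourceipaddress TEXT, useragent TEXT, eventtype TEXT,
    useridentity_type TEXT, useridentity_arn TEXT, consolelogin_result TEXT)"""

# Repeated failures from one address: password guessing against the console.
BRUTE_FORCE_SQL = """
SELECT sourceipaddress, COUNT(*) AS failures, MIN(eventtime), MAX(eventtime)
FROM cloudtrail_logs
WHERE eventname = 'ConsoleLogin' AND consolelogin_result = 'Failure'
GROUP BY sourceipaddress
HAVING COUNT(*) >= ?
ORDER BY failures DESC"""

# Anything the root user does interactively deserves a ticket.
ROOT_ACTIVITY_SQL = """
SELECT eventtime, eventname, sourceipaddress, useragent
FROM cloudtrail_logs
WHERE useridentity_type = 'Root' AND eventtype <> 'AwsServiceEvent'
ORDER BY eventtime"""


def load(events):
    """Flatten the nested fields and load the events into an in-memory table."""
    db = sqlite3.connect(":memory:")
    db.execute(DDL)
    db.executemany(
        "INSERT INTO cloudtrail_logs VALUES (?,?,?,?,?,?,?,?,?,?)",
        [(e["eventTime"], e["eventName"], e["eventSource"], e["awsRegion"],
          e["sourceIPAddress"], e["userAgent"], e["eventType"],
          e["userIdentity"]["type"], e["userIdentity"]["arn"],
          (e["responseElements"] or {}).get("ConsoleLogin")) for e in events])
    return db


def console_brute_force(db, threshold=3):
    return db.execute(BRUTE_FORCE_SQL, (threshold,)).fetchall()


def root_activity(db):
    return db.execute(ROOT_ACTIVITY_SQL).fetchall()


if __name__ == "__main__":
    db = load(SAMPLE_EVENTS)
    print("console brute force:", console_brute_force(db))
    print("root activity:", root_activity(db))
```

The single failed login from 198.51.100.9 followed by a success is what a typo looks like and stays below the threshold; the address that fails five times and then shows up as root minutes later is the one to pivot on, which is the kind of timeline the abstract says Athena made cheap to build.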

Georgios Kapoglis has worked as an Incident Responder at Verizon Media for the past two and a half years, where he gets the chance to work on complex problems at scale! He is originally from Greece and has been living in the US for the past 4 years. He got his Master’s in Cybersecurity from Stevens Institute of Technology in Hoboken, NJ and holds multiple GIAC certifications.

WPA3 Is it really broken? - Phil Morgan

A session on WPA3: specifications, operation and implementation. Is it really broken, as some researchers say?

Phil Morgan. CCIE 5224, CWNE 322.
I have been working in the industry for 30 years, with wireless for 20 years, and in cybersecurity for 10 years. I also have a CEH. I have been specializing in wireless hacking, erm, I mean pen testing, for the last few years, and developed a course that I teach for NC-Expert and at WLPC conferences around the world.

OWASP top 10 for APIs - Inon Shkedy

The OWASP API Security Project addresses modern threats to API-based applications.

While traditional vulnerabilities like SQLi, CSRF, and XSS are becoming less common in APIs, there’s been an increase in vulnerabilities that are either specific to APIs or present a bigger risk, which many developers are unaware of.

The presentation talks about:

- The OWASP API Security Project
- OWASP top 10 for APIs - including recent examples 
- Tools for security engineers to perform pentest for APIs
- Tips for developers on how to develop more secure APIs
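Two of the API-specific weaknesses the list refers to, Broken Object Level Authorization (API1:2019) and Mass Assignment (API6:2019), shown as a vulnerable handler next to its fixed form. This is an added example for this page, not code from the talk or from the OWASP project; the web framework is left out on purpose, the `store` dict stands in for the database, `user` for whatever the authentication layer already established, and the invoice data and field names are constructed.

```python
"""Two API-specific weaknesses from the OWASP API Security Top 10 (2019),
each as a vulnerable handler next to its fixed form.

Added example for this page, not code from the talk or from the OWASP
project. The framework is left out on purpose: the `store` dict stands in
for the database and `user` for whatever the authentication layer already
established. Invoice data and field names are constructed.
"""
from dataclasses import dataclass


class Forbidden(Exception):
    pass


@dataclass
class Invoice:
    id: int
    owner: str
    amount: float
    paid: bool = False


def fresh_store():
    """Constructed sample data."""
    return {1: Invoice(1, "alice", 120.0), 2: Invoice(2, "bob", 80.0)}


# --- API1:2019 Broken Object Level Authorization -------------------------
# Vulnerable: authenticates the caller but never asks whether the object
# belongs to them, so GET /invoices/2 as alice returns bob's invoice.
def get_invoice_vulnerable(store, user, invoice_id):
    return store[invoice_id]


# Fixed: the lookup is scoped to the caller, and "not yours" and "does not
# exist" produce the same error so the endpoint cannot be used to enumerate ids.
def get_invoice(store, user, invoice_id):
    inv = store.get(invoice_id)
    if inv is None or inv.owner != user:
        raise Forbidden("invoice not found")
    return inv


# --- API6:2019 Mass Assignment --------------------------------------------
# Vulnerable: binds every key of the request body onto the object, so the
# owner can PATCH {"paid": true} (or "owner") and the server obliges.
def update_invoice_vulnerable(store, user, invoice_id, payload):
    inv = get_invoice(store, user, invoice_id)
    for key, value in payload.items():
        setattr(inv, key, value)
    return inv


UPDATABLE_FIELDS = {"amount"}  # assumption: the owner may only change the amount


# Fixed: explicit allow-list of writable fields plus type validation; every
# other key is rejected rather than silently dropped, so clients notice.
def update_invoice(store, user, invoice_id, payload):
    inv = get_invoice(store, user, invoice_id)
    unknown = set(payload) - UPDATABLE_FIELDS
    if unknown:
        raise ValueError(f"fields not allowed: {sorted(unknown)}")
    amount = payload.get("amount", inv.amount)
    if isinstance(amount, bool) or not isinstance(amount, (int, float)) or amount < 0:
        raise ValueError("amount must be a non-negative number")
    inv.amount = float(amount)
    return inv


def rejected(fn, *args):
    """True if the call is refused with Forbidden or ValueError."""
    try:
        fn(*args)
    except (Forbidden, ValueError):
        return True
    return False


if __name__ == "__main__":
    store = fresh_store()
    print("vulnerable read of someone else's invoice:", get_invoice_vulnerable(store, "alice", 2))
    print("fixed read refused:", rejected(get_invoice, store, "alice", 2))
    print("vulnerable update flips paid:", update_invoice_vulnerable(store, "alice", 1, {"paid": True}).paid)
    print("fixed update refused:", rejected(update_invoice, store, "alice", 1, {"paid": True}))
```

Both fixes are boring by design: the object-level check belongs in every handler that takes an id, and the allow-list belongs in every handler that writes, which is exactly why these two classes keep showing up in APIs that have otherwise eliminated SQLi and XSS.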

Inon Shkedy has 8 years of experience in application security. He started his career on a red team in a government organization for 5 years, and then moved to Silicon Valley to learn more about startups, modern applications and APIs. Today he provides consultation to various companies and leads the research for a startup in the field of API security. He is also a co-leader of the OWASP API Security Project.

Opening Pandora's box with FAIR + ATT&CK + SOAR = An Improved cyber security response strategy - Tyler Rorabough

When I meet with CISOs and Cyber Security Directors, they usually ask what use cases should they target first. I generally proceed with a few simple questions and immediately recommend going after general use cases or low hanging fruit or a strategy based on how mature their organization is.

During this session, you'll find out what questions I ask, what answers I get, and why I propose approaching a cyber security response using FAIR + ATT&CK + SOAR.

Tyler has 16+ years of experience in cyber security, including offensive, defensive, product engineering, consulting and, for the last 3 years, SOARLandia. I've worked for a number of large and small cyber security companies and government agencies on projects. I have given a variety of talks on different realms of cyber security and held a variety of positions, from executive management to helping security analysts with issues and programming or hacking on stuff. In a past life I've managed security engineering teams and red teams, and most recently helped build SOCs and SOAR programs from the ground up for organizations both at the Fortune 100 level and for micro-small companies.

Black Phenix - Chris Navarrete

BLACKPHENIX is an open-source malware analysis automation framework composed of services, scripts, plug-ins, and tools based on a Command-and-Control (C&C) architecture. It relies on virtual machine software to operate and scripts to remotely control (GUI and console) tools and scripts running on a guest (analysis) virtual machine. It reports back results to a controller machine to perform further deep data analysis and execution decisions.

Chris Navarrete is a Senior Security Researcher working for Fortinet Inc. in the FortiGuard Labs division, researching malware as well as emerging and zero-day vulnerabilities. Chris holds CEH and CREA certifications. In the past, he has presented at conferences such as BugCON, GuadalajaraCON, and Black Hat Arsenal.