Ariel Robinson

Philosophy Track: It’s the Economy, Stupid: Tackling Technical Debt in Times of Economic Uncertainty

Wednesday, Oct 25 | 11:35-12:15

No matter the number of weeks between my submitting this abstract and you reading it, we’ve probably seen about as many wrong market predictions as we’ve seen CVEs. Economic uncertainty is… not great, but it does give security teams and CEOs a potential common language – if we can learn to speak their dialect. In this crash course, you’ll learn how to explain true zero trust to your boss’s boss’s boss so it actually gets funded, and maybe – just maybe – we can start tackling 30+ years of market-driven technical and security debt. Come for the hot takes, stay for the strategy.

Armen Martirosyan

Operations Track: Are You Committed to Secret Free Version Control?

Wednesday, Oct 25 | 14:00-14:30

Scanning version control systems for secrets is a paradox. Security needs context to focus on the right secrets, but context requires external factors such as reachability to API services to assess if secrets are still valid or not. This carries the risk of missing key secrets in version control.

In this talk, we discuss using trufflehog to scan GitHub repositories for secrets and use custom detectors and local validation servers to detect secrets for services and/or platforms which are not publicly reachable from your environment.

Arpan Abani Sarkar

Operations Track: Getting MAAD-AF to Attack Microsoft 365 & Azure AD

Thursday, Oct 26 | 11:05-11:45

Let’s take a hands-on approach to emulate attacker tactics, techniques & procedures in the cloud to use the attackers’ game against them. Learn how attacks progress significantly differently in cloud vs network attacks. Leverage open source tools such as MAAD-AF to emulate attacks easily & effectively in Microsoft cloud to test your security and better prepare against the real threats.

Chris Cooley

Philosophy Track: Discover Your Cyber Superpowers

Wednesday, Oct 25 | 13:45-14:30

Empowering Cyber Security Professionals Through AI-Driven Comics - This session is designed to address the unique challenges faced by cyber security personnel, helping them find confidence, resilience, and self-actualization in their roles.

Christine Le

Operations Track: Threat Detection Engineering Metrics

Wednesday, Oct 25 | 15:35-16:15

“You can’t improve what you don’t measure.” In the context of threat detection engineering, what should be measured and how should the data be used to change or improve current practices?

Geared towards small threat detection teams, the talk covers key metrics in order to measure operational and business effectiveness. Operational effectiveness metrics indicate how well (or unwell) the detection development and triage processes are doing. Business effectiveness metrics cover how much (or little) the program’s output helps the business.

Claude Mandy

Philosophy Track: The year of RADICAL data breach transparency

Thursday, Oct 26 | 11:35-12:15

2023 is the year of radical data breach transparency. From criminal prosecutions of CISOs for lack of transparency, to new SEC rules - we need to disrupt the industry approach to foster trust among our peers, stakeholders and investors. This presentation will explore the significance of this paradigm shift, deep dive into the drivers and outline the challenges that we need to overcome.

Darien Hirotsu

Operations Track: Dealing with Kubernetes Identity Crises!

Thursday, Oct 26 | 14:15-14:45

In this technical talk, we will show techniques to implement least-privileged identities in Kubernetes clusters. We shall delve into Kubernetes RBAC configurations, cloud provider IAM integration, and common tools of the trade to level up least privilege.

Nick Chalard

Philosophy Track: Less is Not More: Sharing Richer Indicators

Wednesday, Oct 25 | 10:55-11:35

As a community, we regularly share nondescript lists of IP addresses, domains and file hashes as IOCs. Each of these core indicator types is critical to defense, but requires additional context to be rapidly usable by recipients. We typically share the indicators with a description of why they’re bad, but without origin context relating to them. In this session we’ll discuss the resulting challenges as well as how to gain a multiplier effect, increasing the impact of IOCs we share downstream by representing indicators in a richer but still compact format to fuel additional recognition of related threat aspects by recipients. We will also review available tooling that can help with this endeavor.

David Hunt

Operations Track: The upside-down of ATT&CK coverage

Thursday, Oct 26 | 11:45-12:15

How much coverage is enough? Purple teams often treat the ATT&CK matrix like a bingo card: put a green dot of protection on a technique here, a tactic there, and… BAM! Security. But with a countless number of TTPs, and a mind-bending array of sequences to combine them into, just how much coverage is enough to be “secure”?

This talk will break apart a real attack chain in a way that will feel like the upside-down of red teaming. You will learn to think about offense through the lens of automation, defensive efficacy and strictly from the perspective of “the endpoint.”

Most of all, your current approach to adversary emulation will be challenged with a new perspective, one that will leave you with tips and tricks applicable to any security role.

David Shinberg

Philosophy Track: Applying Physical Discipline to Cybersecurity Challenges

Thursday, Oct 26 | 10:00-10:40

Cybersecurity has failed to learn from the physical world. Unfortunately, more and more attacks have real world consequences. This talk explains how Failure Mode and Effects Analysis (FMEA), which is a disciplined method to design reliable and robust systems and processes, can be applied to cybersecurity.

Derek Chamorro

Operations Track: Threat Actor: Scattered Spider

Thursday, Oct 26 | 13:45-14:15

Join us for an in-depth exploration of Scattered Spider, a major cyber threat, and their involvement in the 2023 cyber incidents at MGM and Caesars. We’ll uncover their secretive methods, tools, and targets while shedding light on their role in these high-profile attacks. This session will provide crucial insights into the evolving cybersecurity landscape, making it easier to understand how to defend against this elusive adversary and safeguard critical industries.

Donald McCarthy

Philosophy Track: Cheap Parking and Express Lanes Through Your Proxy Filters

Thursday, Oct 26 | 10:55-11:35

Infrastructure as a service/code has taken root. With a few API calls and some minor orchestration, almost anyone is able to have a horde of servers at their disposal in seconds. This however doesn’t generally help bypass proxy filters and those looking for new infrastructure. This presentation will focus on techniques and services that APTs and other cyber criminals are using to turn what used to be a months/years long process into something achievable on short timelines, how and where this has been used in the past, quantification of the problem (although incomplete), and who we need to get engaged in order to solve it.

Ian Campbell, Travis Hall

Philosophy Track: Out Of Time: Neurodivergent Success in Security as a Framework

Thursday, Oct 26 | 13:00-13:45

From the pages of the Wall Street Journal to deep research and advocacy by the defense think-tank RAND, neurodiversity and related topics continue to gain visibility and importance. They’re discovering what we already knew - that the worlds of hacking and security are full of the neurodiverse - but no one has to walk alone. This talk brings together two experienced engineers with complex diagnoses and a security industry CISO to talk about the experience of being neurodiverse in security and in the world, benefits gained, lessons learned, complications detonated along the way, and practical advice for both neurodiverse and neurotypical friends, coworkers, and managers.

Ian Campbell, Travis Hall, Daniel Schwalbe

Operations Track: Keeping Exchange Blue with a Walled Garden

Wednesday, Oct 25 | 14:30-15:15

IT and Blue Teams often receive mandates to deploy software difficult to secure with the immediate experience available. One such mandate led our open source-focused team to design and deploy a Microsoft Exchange cluster in the midst of continuing high-profile attacks on the platform. Our Walled Garden approach allowed us to use familiar tools to mitigate those attacks, including those with nation state actor-related Indicators, while producing off-system logs for validation, enabling timely updates, and preserving positive user experience. This talk will walk through that Walled Garden approach which could be modified for use with other self-hosted platforms as well.

Kymberlee Price

Operations Track: DevSecOps is Dead, Long Live DevSecOps

Thursday, Oct 26 | 09:15-10:00

The principles of DevSecOps are not hard, so why are we still failing?

James Jin Park

Operations Track: Cybersecurity Law Demystified

Thursday, Oct 26 | 13:15-13:45

In this talk, James Jin Park talks about his learning and lessons in an emerging landscape of cyber law and reflects on the good, the bad, and the ugly of information security laws and regulations. He’s here to shed some light on what the law is increasingly expecting from information security programs.

Jason Craig

Operations Track: LAPSUS$ is better than us

Thursday, Oct 26 | 10:00-10:45

LAPSUS$ had a splendiferous 2022: they’re a group with an exceptional victim list. They’ve outflanked the security posture of very experienced and well-resourced organizations, some of which the rest of the world rely on for their own security. In this talk I’ll walk through their TTPs, talk about mitigations and reason as to why so many organizations haven’t deployed effective counter-measures in the 2+ years since we’ve become aware of their TTPs. I’ll probably also rant a lot about brushing one’s teeth and eating vegetables.

Jerry Perullo

Philosophy Track: Breaking down the wall between art and science; artists can type fast too

Wednesday, Oct 25 | 14:30-15:15

We’ve let cybersecurity become divided by typing speed and computational expertise. In this talk our speaker will make the case for realigning our organizations by timing instead of expertise, pulling red teamers, appsec, and other hands-on experts over into the second line where they can revitalize Governance, Risk, and Compliance.

Jimmy Blakeney

Operations Track: I Don’t Know You! - One Way of Verifying Contacts

Wednesday, Oct 25 | 11:05-11:30

With more and more social engineering attacks on companies, the need for a method for verifying employees is consistently growing. One common exploit that targets companies is Vishing. The goal of vishing is to trick the target into performing a desired action over a phone call. Currently there is no real way to determine if the voice on the phone belongs to the actual person whose identity is being claimed. This talk focuses on this use-case and introduces a custom built Google Chat Bot that supports MFA, allowing users to verify others with a high degree of certainty. The demonstration of a working bot, architecture design, and best practices will be discussed.

John Althouse

Operations Track: JA4+ Network Fingerprinting

Wednesday, Oct 25 | 10:00-10:45

In 2017, the JA3 TLS client fingerprinting method was released. Since then it has been built into nearly every networking tool including those in AWS, Azure, and Google Cloud. However, it has many limitations and issues that have grown over time.

JA4 replaces JA3, resolving those issues, and brings with it a suite of new network fingerprinting methods that go far beyond just TLS, allowing for new detection capabilities and increased forensics fidelity.

In this talk I will go over all of the new JA4 methods, what can be detected with them and how.

Jordan Anderson

Operations Track: Get MADD, Not Glad: Metrics for ATT&CK-driven detection

Wednesday, Oct 25 | 16:15-16:45

Many CSOCs measure success based on mean time to detect (MttD) and mean time to respond (MttR), metrics that provide data only after an attack occurs. Instead of simply reacting to attacks, how can security teams proactively evaluate their detection coverage and prioritize closing the biggest coverage gaps? In this session, the speaker will discuss coverage metrics pitfalls and propose a path to realistic measurements that benefit both detection system creators and management alike. Attendees will acquire a practical method for using MITRE ATT&CK techniques as a “detection denominator.”

Justin Borland

Operations Track: Sigma and MISP visualization for the masses

Wednesday, Oct 25 | 13:15-14:00

Unqork’s Threat Detection & Response team are open sourcing a new pysigma backend for dictquery which allows anyone with JSON log files (or streams) and a set of Sigma rules, to perform alerting with full boolean, PCRE, and all the bells and whistles.

In addition to the Sigma backend, Unqork’s TDR team is also open sourcing a set of libraries designed to take arbitrary log files/streams, and create well structured MISP data, which includes attributes and objects with relationships.

The talk will be designed to get attendees familiar with common, everyday use cases which can be transposed into their respective environments with little effort. Some use cases include:

  • Lateral Movement
  • Recon activity
  • Incident Response / Triage
  • WAF correlation
  • Packaging for Law Enforcement

Larry Greenblatt

Philosophy Track: Ask Not Will AGI Be Aligned With Our Values, Ask Are My Values Consistent With Big Data

Thursday, Oct 26 | 15:30-16:15

Humans have a far worse record with bias than computers, as AI developer Janet Adams, who replaced humans with AI at Royal Bank of Scotland in the 90s for reviewing credit applications. Using larger datasets, from all humans as well as other life forms, AI will likely get much better still. While many religious leaders think that science threatens their god, others like Michael Faraday found no such conflict: “Oh, so that is how God does it.”

Ross Haleliuk

Philosophy Track: Motivation & incentive systems that shape the dynamics of the cybersecurity industry for security practitioners and future founders

Wednesday, Oct 25 | 10:15-10:55

When most people think about cybersecurity, they think of it as a practice asking “What do we need to do & how to safeguard people, organizations, and their data?”.

There is, however, another side of the coin - namely security as an industry. When looking at it from this angle, one will realize just how many different parties come into play - startups, mature product vendors, investors, resellers, integrators, service providers, insurance companies, not-for-profit organizations and think tanks, lobbyists, analyst firms, and more. Each of these has its interests, motivations, and incentive systems. In this talk, we will take a brief look at the most influential of the parties and see how their motivation & incentive systems shape the dynamics of the security space.

Sasha Levy

Operations Track: Easy Mode Deception Technology Deployments @ Scale

Wednesday, Oct 25 | 11:30-12:15

Many threat detection & incident response teams struggle with the idea of when to deploy or leverage 7 deception technologies. During this talk, I’ll introduce the audience to Canary tokens as a tool that enables fast, simple, and customizable token types for a variety of environments (www, macOS, Windows, Linux/EC2, k8s AWS). I’ll discuss the benefits of deploying canary tokens as a detection strategy weighed against the challenges of environment-wide deployment of a new technology within a D&R program. Mass deployment is easier than you think!

Sounil Yu

Joint Session: Anticipating the Next Stages of the AI Revolution

Wednesday, Oct 25 | 09:30-10:00

Philosophy Track: Day 1 Welcome and Overview of the Philosophy Track

Wednesday, Oct 25 | 10:05-10:15

Philosophy Track: A machine quantifiable approach to risk quantification

Wednesday, Oct 25 | 15:30-16:15

Philosophy Track: Recap / Discussion

Wednesday, Oct 25 | 16:15-16:45

Philosophy Track: Day 2 Welcome and Day 1 Recap

Thursday, Oct 26 | 09:15-09:30

Philosophy Track: Exploring the role and the limits of AI in cybersecurity through the lens of the Cyber Defense Matrix

Thursday, Oct 26 | 09:30-10:00

Philosophy Track: Recap & Discussion

Thursday, Oct 26 | 16:15-16:45

Taiga Walker, Venkat Iyer

Operations Track: Deception and Connection: How we Fooled a Scammer and Made a Friend

Thursday, Oct 26 | 14:45-15:15

In today’s dynamic digital landscape, businesses grapple with the persistent threat of phishing SMS messages. Scammers employ ingenious social engineering tactics, often posing as high-profile figures to lure unsuspecting recipients into their traps, like the allure of an Amazon gift card. Our presentation explores this challenge and the broader realm of cyber deception, with a focus on honey tokens to fortify security.


Philosophy Track: The Threat Hunting Wars: Juxtaposing Different Threat Hunting Schools of Thought and Setting a Standard in Program Implementation & Training and Hiring: FENRIR & SKADI

Thursday, Oct 26 | 14:30-15:15

When you ask different organizations to define threat hunting, you will have a variety of definitions that lack standardization. It is one of the areas of security where organizations are aware they should be engaged in it but not everyone can fathom the scope or requirements of what is entailed. A standard for a threat hunter has yet to be universally adopted to foster equality of talent transference from one organization to another. This talk is geared towards addressing the different schools of thought in threat hunting, a holistic definition of threat hunting, how to set a standard of a job for them, organizational progression to framework incorporation and the factors/requirements required to progress to different levels.

Yael Nagler

Philosophy Track: Maturing your security program means leveling up, personally

Wednesday, Oct 25 | 13:00-13:45

If you were to measure security programs on a continuum, regardless of which level your program is – one of the keys to accelerating program evolution and maturity requires understanding the current environment, roadblocks, and options with action plans. Unsurprisingly, it also provides an opportunity for you to step up and level up. We’ll talk about both.

Zeal Somani

Philosophy Track: Controls Reliability Engineering

Thursday, Oct 26 | 13:45-14:30

Treating (security) control failures as engineering incidents and how to bring SRE principles to security engineering.