BSidesSpfd 2018

 

Event details

 

When: Saturday, July 14, 2018

Where: Drury University, Trustee Science Center, Reed Auditorium

Cost: Free! 

Invite your friends by posting this on Twitter: "#BSidesSpfd July 14, 2018: Discover the next big thing! @bsidesspfd"

 

 

Sponsors

 

Sponsorship items

  • Breakfast/morning coffee
  • Lunch: Forcepoint
  • Drinks
  • Snacks: Splunk
  • Location
  • Lanyards: Depth Security
  • Badges: Jack Henry and Associates
  • Bags/other swag
  • Prizes/Give aways
  • After Party
  • Lock Pick Village sponsor: Checkpoint Software
  • Grand prize in the Raffle drawing
  • Capture the Flag (CTF): Depth Security
  • CTF Prize: Hak5

Schedule

 

Day 1

 


Saturday, July 14, 2018

8:00 AM - 8:30 AM Registration and breakfast

8:30 AM - 8:35 AM Opening Remarks

8:35 AM - 9:20 AM

Name:  Bryan Brake

Talk Title:  Community Building in the Infosec Space
Talk:  Information Security is a varied experience in terms of breadth of knowledge and the people in it. But what happens when you can't find like-minded people to share with, or can't find an outlet for the knowledge you have? Sometimes you have to make it yourself! This talk will discuss community building, whether local or virtual: ways to build networks and communities, how to increase the chances of success, and the pitfalls to watch for.

9:25 AM - 10:10 AM

Name:  awsm

Talk Title: Getting the most out of your Pentest
Talk:  Did you receive a good pentest? Do you know the difference? Could you have gotten a better one? In this talk we will briefly review what makes up a pentest, the differences between 'types' of assessments, and what information you should end up with at the end of a good test. Not all pentests are equal, and with a few basic upfront questions you can identify the type of work you can expect to receive. It's not all abstract: I will also show a few simple techniques that are often out-of-scoped but pose a huge risk to organizations. I will demonstrate the difference between having scanners run and actual pentesters performing real-world attacks. I will also cover various ways to get the most out of the time and work purchased, identify areas often overlooked that every company should concern themselves with, and help make sure you aren't partly at fault!

I've been speaking at various events in 2017 covering offensive techniques in exploiting organizations. I started with very technical talks and, after great feedback, started making them less and less technical and higher level after realizing that not everyone is on the same page about what pentesting really is. We (pentesters) aren't just shooting 0-days out of ion cannons at web servers! In fact it can be, and often is, much simpler than that, and I only rely on 'exploits' as a last resort. Security misconfigurations and weak users are much, much easier to take advantage of. That being said, when companies go out and get a pentest they seem to think that they only need to be looking for 'exploits' that can affect the organization, and miss some of the largest and easiest attack surfaces. This year I hope to speak more on what companies can do to ensure they are getting the results that they need and can actually use. Having tests done that fire scanners at resources they already know are protected by product X is (1) not a good pentest, (2) not even close to demonstrating the risks to a company, and (3) providing a false sense of security that you are protected from well-known scanner tests that the defensive products already know are coming! In this talk I will demonstrate a few attacks that have recently led me to full company compromises that no firewall or IPS would ever detect, and differentiate a 'scanner' pentest from a _good_ pentest. I have worked for a few different security companies and see the same mistakes, or what I consider mistakes, made by customers that could have easily been prevented and gotten them a much better understanding of where the risk lies in their organizations. And no, the answer isn't always more money. There are plenty of ways companies can get more actionable data and a better understanding of risk by better scoping during the initial talks with the vendor.
There are too many security companies taking advantage of customers and providing a false sense of security. There is always a way in; once you understand and identify those areas, you will be in a much better position to protect what matters most to your company.

 

10:15 AM - 10:45 AM

Name:  Jason Killam

Talk Title: Registry Forensics for IR
Talk:  I will go over Windows registry forensics and highlight the information that would be important from an incident response perspective. I will go over the files that contain registry data, and how to gather them from a live response and dead box perspective. I will highlight the tools I use for most incident response which include Registry Explorer, Regripper, Shellbags Explorer. After which I will go over specific artifacts that would indicate a user has fallen for a phish or malicious document.

10:50 AM - 11:35 AM

Name:   Todd O'Boyle

Talk title:  Attacker vs. Defender: Observations on the Human Side of Security
Talk:  Attackers spend about a hundredth of the time and money that defenders do, giving them a huge advantage when it comes to carrying out their nefarious deeds. With such a strong advantage to the attacker, what’s a defender to do?
This talk will explore research completed for the U.S. Department of Defense that delves into why simply blocking a cyberattack with technology never favors the defender. For example, after spending months implementing a sophisticated account management process (thinking we had finally “won” once and for all), we watched the attacker adapt within weeks to be able to social engineer the process.

Yet, attackers aren’t infallible. We’ll identify weaknesses in attacker tactics based on our research and then explore some practical ways defenders can use those dependencies against them. We will wrap up with a shared brainstorming session to improve how everyone in the audience can respond when under attack.

Attendees will learn:
- Why spending more time and money on blocking attackers won’t keep you safe
- Lessons from real-world attacks and defensive countermeasures
- The importance of humans in security engineering
- How to identify weaknesses in an attacker’s tactics
- Ideas that help even the defensive playing field and make cybersecurity more symmetric

 

 

11:35AM - 12:15 PM LUNCH!!

12:15PM - 1:00PM

 

Name:  Mark Mahovlich

Talk Title:  Cloudy with a Chance of Risk - Applying Risk Adaptive Models
Talk:  Traditional cyber defense strategies are designed to defeat the external threat actor and deny entry and access to the corporate network and its most treasured information assets. The adoption of Cloud Platforms, End User Self Service, and the growth of the Mobile and highly Social workforce threatens to circumvent those controls.

Coupled with the lack of appropriate IS staffing and the struggle to operationalize point-solution "noise", this requires the adoption of Risk Adaptive Models.

This presentation will cover the following topics:
• Challenge: We will define cloud adoption rates, the reality of usage, and the threats facing the modern enterprise
• Solution: How to secure cloud platforms and data stores using Risk Adaptive techniques
• Execution: We will review a Use Case, Installation Timeline Realities, and Tips for Success

Recommended attendees:
CIO, CISO, CRO, Governance & Compliance Officers, VP of Information Security, Chief Architect, Directors of Infrastructure and/or Security, Infrastructure and/or Security Managers, Cloud Platform Specialists

 

1:05 PM - 1:35 PM

Name:  Jason Holcomb

Talk title:  Do No Harm: Low Impact Testing & Assessment Techniques for Highly Sensitive Environments
Talk:  “This environment is too sensitive” should not be an excuse for failing to understand attack surface and overall security posture and, if anything, may be an indicator that a thorough examination is warranted to understand potential risks. But how do you test or assess a network or system that is potentially fragile, and where interruption or downtime comes with a serious price tag that can even include health, safety, and environmental risks? There are many examples of negative assessment side effects, including:

- An nmap scan with default flags forces a shutdown of a critical industrial controller
- A simple vulnerability scan saturates a network segment, causing an outage for a SCADA system
- An aggressive vulnerability scan overwrites data in a poorly configured database

Beyond just the technology interruption, all these examples come with a potentially serious operational impact. In this presentation we will examine tools and techniques to help effectively understand architectural weaknesses, technical vulnerabilities, and attack surface in a “do no harm” approach. The tools and techniques covered represent an accumulation of proven methods developed over ten years of performing assessments in critical infrastructure industrial environments including electric, nuclear, oil and gas, chemical and other production environments.  

 

1:40 PM - 2:10 PM

Name:  Sunny Wear

Talk Title: How To DevOps (while sneaking in Security)
Talk:  The purpose of this talk is to provide instruction on how security professionals can introduce secure lifecycle processes and tools into the DevOps workflow, with little disruption. The processes I will cover include selling security to the business, secure code training, threat modeling exercises during Agile design phase, and automating security-related tasks further in the software lifecycle. The tools I will cover include interactive static analysis plugins, automated dynamic scans, metrics gathering and backlog ticket generation. The audience will have several takeaways from this talk they can apply in their organizations.

 

 

2:15 PM - 2:30 PM

Name:  Jason Reaves, Joshua Platt

Talk Title: Finding malware backends through server profiling
Talk:  A discussion of how to find malware backends using server profiling techniques such as open port mappings, certificates and incorrect configurations, including building frameworks to automate the process.


2:30 PM - 2:40 PM FUN BREAK!

2:40 PM - 3:10 PM

Name:  Karlo Arozqueta

Talk Title: GO HACK YOURSELF: MOVING BEYOND ASSUMPTION-BASED SECURITY
Talk:  You have many security products, probably too many. But you are still not secure because it's nearly impossible to know if your security products are actually doing what you want. Through live network and endpoint attack demonstrations, see how to use attack behaviors with Bartalex, Vawtrak, Mimikatz, PowerShell, Tunneling and others to validate your actual security products are working. See startling statistics, based on real-life case studies, that illustrate how ineffective many organizations, some with massive security budgets and teams, actually are because of a lack of validation. See how you can turn these attacks into an opportunity to instrument more effective security.

3:15 PM - 4:00 PM

Name: fan0654

Talk Title: Discovery - How An Attacker Sees You

Talk:   This talk will cover various aspects of "Discovery" on an organization. This is the process of finding all domains, IPs, usernames, email addresses, passwords and keys for a target without actually breaking in. This consists of various areas of open source intelligence, such as certificate information, web archives, and various tools. It also consists of more in-depth information gathering, such as using LinkedIn and public password dumps. The aim is to show how an attacker can map out very detailed information on a target, to result in an external or internal compromise. This talk will also cover some things an organization can do to defend against these various attacks.

4:05 PM - 4:50 PM

Name:  Killian Ditch

Talk title: A Good Shell is Hard to Choose
Talk:  Given the plethora of remote command shell payloads out there, how does one decide which to use? Should an initial foothold such as a webshell be upgraded to an interactive shell; if so, why and how? Perhaps a Meterpreter payload would be best. That decision then leads to the following question: should it be a standard Windows or Linux Meterpreter payload? Maybe it should be a PHP or Java Meterpreter instead. This talk will discuss the various differences between the aforementioned options, among others, with the goal of imparting an understanding of which payloads may be best suited for which situations and why. Many of the assorted options will be demonstrated in scenarios derived from situations encountered in real penetration tests, to exemplify the need for the ability to differentiate between payloads.

4:50 - ?  Closing Remarks, Prize drawings, etc.  

 

CFP Selection Committee

 

  • Ryan Halstead
  • Shannon McMurtrey
  • Sarah Evans
  • Wayland Morgan

 

Planners

 

  • Beth Young
  • Brittany Bogle
  • Sarah Evans 

 

Volunteers

 

  • Lorne Hazelwood 

 

Participants

 


 

Name: Beth Young
Twitter/Email: @bsidesspfd, @bethayoung
Day 1: (attending)

 

Parking

 

 

 

Tags for flickr, twitter, blog, etc.

Please use the tag #Bsidesspfd for content related to this event

 

Who's blogging?

 


 

BSidesSpfd Code of Conduct

We have NO TOLERANCE for physical/verbal/sexual harassment of any human!

Our “Code of Conduct” is “Be Excellent to Each Other” AKA the Golden Rule.
Failing that, it is “Do not be an Ass* or we will kick your ass out!”. 

Asking questions of a speaker during their talk, to get clarity or debate a point is NOT being an ass – heckling or haranguing the speaker IS. If you are not sure, ask, or err on the side of basic decency and common courtesy. If what they are doing would not be acceptable to have done to you, your best friend, your worst enemy, your sister, niece, daughter, brother, nephew, son, mother, father, or any human being, do not let them treat anyone else that way – whether you know them or not. If someone asks you to stop – stop.

If you are having an issue with a BSidesSpfd participant, find a member of our BSidesSpfd Team, who will assist you in determining the next steps for you to feel safe and heard.

*Staff reserves the right to determine what constitutes “Being an Ass”.

 
