Despite your best efforts, there is a good chance your organization will be the victim of a ransomware attack. What do you do when that happens? Organizations need to plan for a ransomware attack. This talk will cover steps organizations can take to prepare for a ransomware attack and review the initial steps after an attack happens. Topics include:
1. What log sources should be collected.
2. Getting the right people involved
3. Testing your IR plan
Read More
Panel talk with real-world examples from this year's CFP (sanitized, of course, and presented without making anyone feel bad about their submission.)
Topics include:
- Making sure the talk is applicable to the conference you're submitting to
- Selling yourself and your talk
- How to NOT sound like a vendor pitch
- WRITE. AN. OUTLINE.
- Submit one or two REALLY GOOD talks - don't "spray and pray" your entire back pocket of topics into a single CFP
Read More
Offensive forensics is the concept of using forensics technique to find secrets or other valuable data to further attack paths. Offensive security tools such as Mimikatz that employ strong forensics and reverse engineering techniques have proven invaluable in red teaming and penetration testing.
This talk will discuss finding the golden nuggets in .NET dumps using existing tools and provide scenarios in which exercising forensic skills can be a game-changer in offensive security operations. Additionally, this talk will demonstrate Turdshovel, a tool for quickly analyzing .NET dumps for objects of interest.
So go ahead, fam. Take a huge dump.
Read More
Ten years ago, Lockheed Martin introduced the Intrusion Kill Chain. Since then, it has morphed into the Cyber Kill Chain and remains as a widely used framework for cybersecurity and incident response strategy. However, ransomware does not fit into the traditional Cyber Kill Chain attack lifecycle, and many organizations make the mistake of simply folding ransomware attacks into existing incident response programs. What’s really needed is a new “Ransomware Kill Chain,” which can form the framework for ransomware response plans.
In this session, Nicole Hoffman, a Threat Intelligence Analyst and Kurtis Minder, CEO/Expert Ransomware Negotiator, both at GroupSense, will explain the best way to defend against ransomware is “The Ransomware Kill Chain.” They will explain the 15-step framework of the chain – from first access through encryption – by using client case studies and examples of custom-made ransomware playbooks. Discover the power and effectiveness of “The Ransomware Kill Chain” and keep your organization one step ahead during an attack.
Read More
The speakers have an abundance of experience working with organizations across many different sectors and regions. Something they have seen be the most effective use of tactical Threat Intelligence and Purple Teaming is the concept of “Active Defense Exercises”. “Active Defense Exercises” involve the creation of realistic and timely, adversary specific, kill chain scenarios. During this talk the speakers will discuss the best approaches for scenario selection. The speakers will then pivot to discuss the nuances of liaising Purple Team testing to determine the level of effectiveness of the organization’s security controls. The speakers will also discuss strategies for engaging internal security teams and detail the most effective mechanisms for conveying the “Active Defense Exercise” lessons learned to technical and non-technical stakeholders.
Read More
The threat of ransomware is ever-evolving, just as artificial intelligence is. It’s clear that businesses need better defense, but the answer isn’t solely AI – it’s actually human intelligence.
In this session, Bryce Webster-Jacobsen, an expert ransomware negotiator who deals with ransomware negotiations on a daily basis, will challenge the ideas of human intelligence versus artificial intelligence when it comes to ransomware attacks. Learn how expert ransomware negotiators can validate the reputation of the threat actor and why dark web monitoring and human reconnaissance is an indispensable part of the resolution process.
Read More
As individuals and companies look for ways to save money, cloud providers incentivize choosing their service over others. Unless they are demoing a security project, security isn't a forethought until an incident happens. Free cloud tiers are the focus, as there may not be money invested by the individual/organization, especially in something like a project demo. There are two simulated threats, so we cover what artifacts are generated, and opinions on the ease and quality of the information.
Read More
Learn Network Forensics with PacketCTF!
Have you ever wanted to learn more about network traffic and network forensics? Come play PacketCTF!
PacketCTF is a capture the flag (CTF) game using packet capture files (pcaps). Participants will download and analyze pcaps using Wireshark to answer questions on the gameboard. PacketCTF uses a jeopardy-style gameboard. Questions and collaboration are encouraged, but players will compete as individuals (no teams please).
Wireshark skills will be demonstrated throughout the workshop and prizes will be awarded for top finishers.
This event is for all skill levels. A computer running Wireshark is required to play. All required pcap files will be provided.
Read More
I love vulnerability management as a core discipline of what makes an effective security operations program because it can help to both reduce risk and improve efficiency. However, I still find many organizations are still stuck after rolling out a scanning tool (and then stopping). I've seen the reason for this being one of three main reasons (but there are more).
1 - Conflicting information between patching processes and vulnerability scanning tools
2 - Lack of guidance or frameworks to prioritize the growing list of vulnerability
3 - Very manual process without a clear understanding how to automate activities
This talk is for anyone who is working as a security analyst or leader who directly performs vulnerability management activities (identify, assess, triage, and track). Additionally, this will be really informative for those who have process inputs (any pentesters out there?) or outputs (IT and critical process owners).
This talk will give you all the tools and processes that you'll need to level up your program TODAY, without having to go ask for more budget (again).
Read More
SOC analysts are familiar with Wireshark and all of it's capabilities but are often at a roadblock when the pcap is relatively large. My tool, PacketSifter, and the open-source tool TShark will enable analysts to jump over that hurdle and learn to analyze pcaps on the command line!
Gone are the days of opening a large pcap in Wireshark and waiting two days for Wireshark to parse and load the pcap. PacketSifter will carve out noteworthy traffic as well as provide enrichment capabilities with GeoIP lookups via AbuseIPDB and hash lookups via VirusTotal.
This talk will demo PacketSifter as well as introduce TShark to continue on with the output files provided by PacketSifter.
Read More
Have you struggled to get security baked into your DevOps process or have your security needs taken a back seat to "run fast and break things"? Just because we’re moving fast doesn't mean we can’t be secure. Join us for this deep dive into adding container scanning to a DevOps pipeline. We'll enumerate the security tool categories, and give you tips for adding these tools to your development workflow, build pipeline, and production monitoring setup. You can achieve a robust security posture and still release continuously.
Read More
Advanced Persistent Threat (APT) groups do not like to have the evidence of their crime into their targets, usually, they would develop or use file-less malware to not leave any fingerprints traces proof their crime and unleashed their operations. Network forensics analysis became an essential skills to uncover APTs operation and identify what has happened by utilizing Wireshark and other open-source tools to analyze network packet captures (PCAP). In this lecture, we will introduce couple of APT attack scenarios and walk-through how to analyze them.
Read More
For some people, trying to figure out if you’re being followed is a matter of physical safety for themselves or others. In this talk we’ll discuss a methodology for using low cost, off the shelf parts and some adequate python code to help determine if you’re being followed by analyzing wireless signals nearby.
We’ll cover methodology and best practices as well as challenges encountered during development and field testing. We’ll release the code so anyone who wants to build their own easily can, likely with parts they already have laying around.
Read More
LockBit ransomware operators have been active since September 2019, but still there’s very limited pieces of information on their operations available in public space. The ransomware-as-a-service program and ransomware itself have updated in June 2021, so now we are dealing with LockBit 2.0. Despite the fact the updated RaaS has quite short lifecycle, their affiliates already performed at least a hundred of successful attacks. In this talk, we’ll look at the threat actor’s tactics, techniques and procedures, from gaining the initial access to impact, as well as some custom tools leveraged by them for data exfiltration (StealBit) and files encryption (LockBit).
Read More
While APIs have clear and obvious benefits, they’re also creating a rapidly-growing attack surface that isn’t widely understood and is sometimes completely overlooked by developers and software architects. With recent reports suggesting that by 2022, API abuses will be the most responsible vector for data breaches within enterprise web applications, securing them is a top challenge and must be a bigger priority.
Read More
I'll be going over how to reverse engineer dll files in the windows space. We'll cover common vulnerabilities, loading dll files, intrinsics, exported functions, loading orders, dynamic loading vs static loading.
Read More
Pivoting, tunneling, and redirection are essential skills that separate the junior and senior operators in the offensive security landscape. This workshop describes various techniques used to creatively route traffic through multiple network segments. Various tools and techniques will be discussed and demonstrated. Attendees will be able to practice these skills in a provided cyber range during and after the workshop. These are essential skills for every pentester, bug bounty hunter, and red team operator. But that's not all! Defenders will learn techniques for detecting this sort of suspicious traffic.
Read More
What exactly is security analytics? Quite simply, it's leveraging large data sets through queries and visualization. And in security…we have a lot of data! This lab will introduce the attendee to tips, tricks, and other magic to get the information out of data that helps a security organization specifically get the value out of log data.
Read More
Track 3
5 Feb 2022 9:00 AM - 10:00 AM
Nefilim’s malware sample uses a polymorphic dropper, meaning the file it drops may be one of over 2000 different file hashes. Polymorphism is used in a dropper to make a malware sample harder to detect, and I will explain a lot of basics about reverse engineer for a diverse IT security crowd.
Mark Embrich
Malware Analyst
Mark has been a Network Admin, System Admin, SOC Analyst, Sec Eng, Forensics Analyst, Threat Detection Analyst, and Malware Analyst.
Mari DeGrazia is an Associate Managing Director at Kroll Cyber Risk, which provides cyber security services on a global scale. Throughout her career, Mari has investigated high-profile breach cases, worked civil and criminal cases and provided testimony as an expert witness. She has written and released numerous programs/scripts to the forensics community; presented her research at industry conferences; and is a published author in several magazines. She is also a SANS instructor where she loves sharing her knowledge with students. She holds several industry certifications in addition to earning a B.S. in Computer Science from Hawaii Pacific University.
Read More