CactusCon

CactusCon13
February 14-15, 2025
Mesa, AZ

Building the Cyber Security Pipeline: A Call To Action

There are 3.5 million open cybersecurity positions globally and 300,000+ in the US. It is expected that the gap between qualified security experts and unfilled positions will continue to widen, leading to critical security risks. Additionally, nation states are integrating AI/ML into cybersecurity curricula faster than US schools. There is a disconnect between HR and corporate expectations for “entry level” cybersecurity professionals, whose required competencies, experience, and pay are at odds with the realities of the workforce. So how do we create a cybersecurity talent pipeline to improve security within our communities, organizations, and the nation?

Threat Hunting: Becoming the Predator and No Longer the Prey

Threat Hunting may be one of the more glamorized components of modern security operations today. Every week we read of how modern security controls are being evaded and bypassed. We know that a more proactive approach to detecting Evil is needed. Still, Threat Hunting is much more complicated than reviewing our SIEM enriched and neatly packaged alerts that our security controls have decided are worth our attention. It can often be challenging to know where to start, obtain a high ROI, and measure and communicate value or progress with Threat Hunting.

In this talk, we are going to explore how to do just that.

It is not expensive tools or highly situational graphical user interfaces that are needed. What we need is a repeatable, scalable, and measurable process that will give the effort vision and direction at the beginning and the ability to validate maturation as we advance in the discipline. While paid products can help, there are more than enough open-source resources to develop a Threat Hunting operation that can reliably detect some of the techniques used by the advanced adversaries of our day.

What I Learned After My First Year as a Security Analyst

Working as a security analyst is a popular way to start a career in infosec; are you considering this path? Join the presenter as she recounts her first year working as an analyst and what it takes to survive and thrive in a SOC. When it comes to being on the front lines protecting networks, some lessons are learned the hard way. This talk is full of the things she wishes she knew when she started.

Tag Management System: the Agile Way to Add Vulnerabilities on your Website

Tag managers (such as Google Tag Manager, Adobe Launch...) are scripts which let non-developers easily add and remove—in one word, manage—third-party scripts. Marketing people often require them in order to promptly experiment with analytics scripts, without bothering the development team for their inclusion on the website.

More than 40% of websites use Google Tag Manager[^1], which fires on average 12 scripts[^2] per website. Unfortunately, those scripts are often added ad hoc, outside of the regular development life cycle and CI/CD pipeline.

Here lies the problem for security professionals: those scripts and their usage often don't go through the imposed security processes; they bypass code review and tests.

As an ex-web marketing professional, I will explain how those tag manager scripts are used, what kind of scripts are deployed through them and the pipeline used by marketers to deploy them to the end-user facing website.

As a current web application security developer, I will explain how security professionals can work with the marketing team to ensure the scripts used are not compromising the website's integrity, nor the users' security, without hindering the marketing team's productivity.

What are we missing in Web Applications?

4 Feb 2022 3:30 PM - 4:00 PM

In today's world, we have modern and stable web application frameworks to develop on, which are already well hardened against attacks regardless of the OS. If you design the system properly, an attacker cannot inject into the system, nor attack the website with common attacks like XSS, CSRF, SSRF, SSTI, etc.

On the other hand, we have sophisticated scanners which scan the website dynamically, including interactive logins and internal pages. Alongside the scanners we also have secure coding practices and tools which can scan the source code regardless of the programming language. These are necessary tools when developing a secure application.

But what all of these are missing is "Business Logic Flaws", which are the reason for the highest-paid bounties on HackerOne, Bugcrowd, etc. Business logic flaws are the attacks which neither source-code analysis tools nor dynamic web application scanners can detect.

The presentation will discuss vulnerabilities that can arise from business logic flaws which can affect the confidentiality, integrity, and availability of customers' information as well as the product connected with the application. We will discuss CVE-2019-2823 (Oracle Financial Services) along with other 2FA bypasses in financial mobile applications, where I was able to perform vertical privilege escalation with regard to roles and the checker, maker, etc. modules. These were critical findings in financial information systems, which APTs are attacking day and night.

The talk will also discuss the poor coding practices used in the application and the neglect of a built-in secure software development life cycle. This is not limited to data exposure: anyone can also alter data, and view data they are not allowed to see.

The majority of banks in the world use this Oracle service, and there are many similar bugs out there right now with regard to business logic flaws. We have to enhance our testing skills rather than depending on scanners; a manual testing approach that exercises the use cases will be a good approach.

Artificial Intelligence: Friend or Foe in the Context of Ransomware

The industrial revolution was powered by coal and steam. They were the power that enabled innovation and propelled the world down the road that has brought us to where we are today. The next revolution is on the horizon, and it’s an information revolution. Smartphones, smart homes, and smart assistants are proliferating in our lives. Artificial intelligence is becoming an integral contributor to how this technology adds value to our lives. The capabilities of the cyber security ecosystem must keep pace with this evolution. During this session we will cover how artificial intelligence is being used to fuel the next generation of cyber security ecosystems. We will see how it can be used to improve the accuracy, speed, and efficiency of enforcement technologies while enhancing the information used to make business and security decisions. On the other hand, how could AI & Machine Learning be used against us? If we have the technology, so do our adversaries.

Observations from Social Engineering my way Through a Pandemic

COVID-19 has impacted all of us in some form. For social engineers like me, COVID-19 impacted the way we perform social engineering assessments. In this talk I will discuss how my social engineering assessments were impacted with the rise of COVID-19, how my pretexts were modified to focus on COVID-19 (in an ethical manner), and what I learned from them.

With the mandatory (and life-changing) switch to remote work, employees more than ever began to rely on both email and their phones as a means of communication. This introduced a gigantic opportunity for attackers to target the weakest link of an organization, the employee. This also meant that to stay current and up to date with the latest attacks, many social engineers, including myself, tailored their campaigns to include COVID-19 as a pretext. This also meant that employees were significantly more likely to engage with my emails or phone calls because it became ‘the norm’. Furthermore, several of the employees I called were so thankful just to speak to someone that they were more than willing to ‘assist me with my technical issues’. In the body of the talk, I want to present multiple pretexts, results, and stories of my experiences from phishing and vishing through the pandemic to provide some insight as to how it introduced vulnerabilities to my clients.

COVID-19 has shone a light on many organizations’ security posture. More than ever, companies need to be educating their users on cybersecurity threats and involving them with the security team. Security is a group effort, and it is our job as consultants, social engineers, and supporters of the InfoSec community to educate those around us on social engineering attacks such as those demonstrated throughout my talk.

Ready... Set... Secure all the COVID vaccines!

That’s what Daniel was told in May 2020, two months after starting a new job. In this talk, he’ll share the inside experience of how a small team of (mostly government!) infosec folks worked to secure the entire vaccine development, distribution, and supply chain, and the key takeaways for the larger infosec community from this crazy (and surprisingly successful) experience.

This talk will cover a few key topics. First, Daniel will share the overall story of the operation, some of the (nation state) attacks they saw, and how the team was able to help harden literally dozens of companies in a matter of months. He’ll cover the critical role that the infosec/hacker community played, between collaboration with the CTI League and industry partners, as well as an effective use of bug bounties to rapidly secure a plethora of questionable apps developed by contractors. He’ll explain some of the problems and promises that industry faces when collaborating with government, from what role each agency plays to some of the barriers that were overcome. And he’ll dive into the vaccine supply chain and its vulnerabilities, and how badly we need the larger infosec community to help harden this rapidly ‘techifying’ space before the next bio-catastrophe hits.

Building a more inclusive future in Cybersecurity

In today’s world, we mainly focus on the importance of the cybersecurity analyst, the CIO, and the CISO. But the fact is that many other roles are essential to cybersecurity. Michelle Winters’ initiative to open doors to newcomers to the industry is bringing attention to a larger conversation. As members of the cybersecurity community, how can we help increase inclusion, diversity, and access to untapped talent? Drawing on her role as manager of customer success, Michelle shares her experience, strategy, and results in generating more opportunities for newcomers to the industry.

Workshop: Practical Dark Web Hunting using Automated Scripts

How can you effectively hunt data from the dark web using scripts? How can you circumvent scraping defenses on the dark web? How can you automate your scripts? If you are curious about the answers to these questions and want to learn how to write automated scripts for this task effectively, then this workshop is for you. There are many forums and marketplaces on the dark web where actors buy, sell, and trade goods and services like databases, exploits, trojans, ransomware, etc. Collecting data from the dark web can help any organization identify and detect risks that may arise from their assets being sold on the dark web. In this workshop, you will learn why collecting data from the dark web is essential, what open-source tools you can use to collect this data, how you can create your own tools and scripts, and how to automate your scripts for effective collection. The workshop's primary focus will be on circumventing the defenses put up by forums and markets on the dark web against scraping.

Prerequisites:
Basic scripting in Python
Knowledge of using VMs
Knowledge of using Linux machines
Basics of the dark web

Throwing the Elephant

There are two kinds of companies: those where leadership cares and… those where they don't. No amount of personal heroics, technical awesomesauce, or the world's greatest tool is going to change that and have the business suddenly get it. Your leadership is an elephant. Large. Moves only when it wants. Tramples things. And… the cleanup! So, how do we move the elephant when and where we want?

We'll talk about how to get leadership buy-in for your risk management program, how to translate this for different kinds of offensive/threat assessments (vulnerability assessments, penetration testing, red teaming, and purple teaming), and metrics (including real-world data) derived from a detection maturity model I created with business context (alignment) from my work with blue teams. Come with questions and curiosity, leave with actionable insights to build or mature your risk assessment program.

Hunting Phish Kits

New phishing websites are set up every few seconds with the intention of stealing your credentials, infecting your system, or convincing you to do something via social engineering. Most of these sites are distributed and deployed through (mostly crude) automation, which usually results in attackers leaving their kits behind. During this talk I will walk through what phish kits are, why they are important for proactive defense and security research, and how you can automate identifying these kits in the wild.

Worst of Cybersecurity Reporting 2021

In this session, two tech writers who roasted the worst tech reporting of 2019 and 2020 are back on the grill to discuss...the worst tech reporting of 2021! This year we’ve broken down the top media fails into four cardinal sins: not reading or understanding a company’s privacy policy/terms of use, taking press releases at face value, being unclear about relevant details, and relying on sources without domain expertise. But this bleeds into the tech sector as well: before journalists misrepresent a company’s privacy policy, the company itself often misleads its own users (by error or by design). And who is responsible for writing those press releases that sometimes get parroted in the first place? We’ll see what we can learn from the year’s biggest fails, and how journalists and hackers can work together to make security reporting suck a little bit less in 2022.

Sharing is caring: the deeply human side to CTI networking

In the CTI space, there’s a steady drumbeat repeating a mantra: security teams cannot successfully and sustainably operate in an intelligence silo. This feeds continuous discourse around how developing cross-boundary collaborations in intelligence sharing, standardization, and reporting are key to proactive defense, collective resilience, coordinated response, and effective remediation during an active attack. Of course!

Yet, the enormity - and complexity - of it all feels insurmountable when considering how CTI professionals can most effectively network and share intelligence *today*. So what’s really going on at the individual level?

This presentation shines a light on the human aspect of today’s CTI sharing practices via networks - both formal and informal, public and private. The session lays out the landscape of popular channels for CTI networking following peer-to-peer, peer-to-hub, and hybrid models; previous research and ongoing efforts to enhance CTI sharing by public-private groups; and well-known blockers (hello, legal approvals!) to effective networking. Survey insights add depth to this foundation by benchmarking real practitioner behaviors and attitudes. We seek answers like: how do good old-fashioned 1-to-1 ‘DMs’ compare to invite-only Discords, paid industry memberships, or national sharing initiatives? What real-world networking experiences actually prevented an attack?

Hacking Back Scammers

The scammer epidemic is ever-present in our connected world and shows no sign of slowing down anytime soon. Our team is currently researching infrastructures commonly used by scammers and creating our own malware to hack in and monitor scammers without their knowledge, allowing us to preemptively warn victims and gather enough intel to report the scammers.

In this talk, we'll break down our approach to a project of this scale as students, along with the progress we have made and lessons we've learned. Join us for a dive into the world of scams, malware, and ethical hacking!

JavaScript Obfuscation - It’s All About the P-a-c-k-e-r-s

The usage of JavaScript obfuscation techniques has become prevalent in today’s threats: phishing pages, Magecart, supply chain injections, and JavaScript malware droppers all use JavaScript obfuscation techniques on some level.

The usage of JavaScript obfuscation enables evasion from detection engines and poses a challenge to security professionals, as it hinders them from getting quick answers on the functionality of the examined source code.

Deobfuscation can be technically challenging (sometimes), risky (if you don’t know what you are doing), and time consuming (if you are lazy, as I am). Yet, the need to find and analyze massive, large-scale attacks using JavaScript obfuscation is a task I’m faced with on a daily basis.

In this presentation I will present a lazy, cost-effective approach, focusing on the detection of JavaScript packer templates. Once combined with threat intelligence heuristics, this approach can predict the maliciousness level of JavaScript with a high probability of accuracy.

In addition to the overview of what I’ve developed, I’ll share the techniques used, as well as source code needed to create a representation of JavaScript by using AST parsing, obfuscation pattern matching, and the machine learning techniques involved.

Operationalized Purple Teaming

Congratulations, you recently completed a successful, high-value Purple Team Exercise in your organization! Your Cyber Threat Intelligence team identified an adversary that has the capability, intent, and opportunity to attack your organization and provided those adversary behaviors to the red team. The red team emulated those same tactics, techniques, and procedures (TTPs) in your production environment while the Blue Team watched and learned how the attack works. Then the blue team showed everyone how they identify those adversary behaviors and follow their response process to quickly mitigate the threat. All your security teams collaborated and efficiently tested, measured, and improved your people, process, and technology! A month has passed; what happens next?

This talk picks up after your first successful Purple Team Exercise is complete and teaches you how to continue maturing and improving your security program by operationalizing the collaboration between your security teams (Cyber Threat Intelligence, Red Team, and Blue Team). You don’t have to wait for the next scheduled, formal exercise to continue testing your people, process, and technology. You can leverage new Cyber Threat Intelligence and collaborate with your team to test new TTPs through a process called Detection Engineering.

Building and Defending a Machine Learning Malware Classifier: Taking Third at MLSEC 2021

Nowadays when you read about cybersecurity, you’re almost sure to see something that mentions machine learning (ML) as the silver bullet to solve all problems cyber. Of course, ML isn’t the cyber cure-all, and indeed suffers from its own non-cyber problems – chiefly that ML brings with it its own set of vulnerabilities and weaknesses, often termed “adversarial ML.” These weak points range from leaking private data that the model was trained on to being easily evadable given the right motivation and context.

In this talk, we’ll go through our own experiences leveraging ML to try to build and defend a robust malware detector as part of our submission to the 2021 Machine Learning Security Evasion Competition. Our talk will start by first going over the background on adversarial ML, followed by how we used these ideas to generate adversarial malware variants that we then built our model from. We’ll then shift gears to how we sought to “defend” this model by explicitly attacking the models submitted by the other participants, walking through how we trained a proxy ML model and staged attacks against it.

In the end, our submission took third place in the competition, outperforming some but not all of the contestants. However, our journey helped expose many lessons learned for others looking to get into the space, as well as for those already practicing in it. Attendees of this talk should walk away with an understanding of those lessons, including pointers to resources they can use to build their own models – including the open-source code and the data behind our submission.

Workshop: Mobile Security

From smartphones to tablets to watches, users are relying more and more on the convenience of mobile technology. Organizations must meet this growing trend with greater security measures to support critical business functions and protect sensitive data on enterprise devices. Mobile architectures, applications, networks and services must all be developed and managed in compliance with the oversight of a strong IT workforce.

This course provides an in-depth technical overview of the security features and limitations of modern mobile operating systems, including the top risks and vulnerabilities every IT professional needs to know.