BSidesDEN 2018 has ended


Friday, May 11
 

10:00am MDT

Putting the Love into your DLP
Over the last 12 years of being involved with Data Loss Prevention I have seen many brilliantly deployed DLP solutions fail because of the human element. This is totally understandable because I, as many in the industry, naturally gravitate to the bits, bytes, technical capabilities and data but tend to hate the messy human part. However, success with DLP is all about the humans: what they need, who they are, what their intent is, and detecting when they go off the rails, crossing the line from good corporate citizen to bad actor. To be successful with DLP you must embrace the human equation in a passionate way, vis-a-vis "Love" it. In this talk I will walk through five simple steps to roll out a DLP Program, including enabling technologies, so it is impactful and relevant to your organization.

Speakers

David Phillips

Director, Data Security, Trace3
David Phillips has 22 years of Information Technology experience with the last 18 years in Security. He has been involved with Data Loss Prevention since 2006 in professional services beginning as a consultant and later building practices from the ground up for McAfee, Optiv and currently...



Friday May 11, 2018 10:00am - 10:45am MDT
Track 1: Blake Street Tavern 2301 Blake St, Denver, CO 80205, USA

10:00am MDT

In The Trenches: Dealing With Ransomware and the Attackers Behind It
Ransomware has locked your files and deleted your backups - you decide to pay up.  Where do you start? How long does it take to get your files back? What is the process of paying someone in bitcoin? Once you get the tool, how do you know it works? Take a dive into the world of cybercrime negotiations, attacker profiling, decryption troubleshooting, and some of the surprises (and horrors) that arise along the way.

Speakers

Elizabeth Cookson

Senior Cyber Investigator, Kivu Consulting


Friday May 11, 2018 10:00am - 10:45am MDT
Track 2: SecureSet Denver 2228 Blake St #100, Denver, CO 80205, USA

10:00am MDT

Hacker Carpet Bomb
Abstract: This talk is a series of live demonstrations of real-world attacks that organizations see on a daily basis. The goal is to present as many live demos of exploits and attacks as possible in the time allotted. Attacks will include stealing hashes off the wire with Responder & Inveigh, Poison Tap, Bash Bunny, MouseJack and more!

Outline:

* Introduction
* Explanation of the Cyber Kill-Chain
* Poison Tap
* Responder & Inveigh
* Bash Bunny
* MouseJack
* WifiPineapple
* USB Killer
* Mitigation Techniques
* Q&A


Friday May 11, 2018 10:00am - 10:45am MDT
Track 3: SecureSet Denver 2228 Blake St #100, Denver, CO 80205

11:00am MDT

Building a Cyber Incident Response Program that fits your budget
A strong incident response (IR) program is a key component in any organization's cybersecurity defense. Often, security professionals who wear many different hats get asked to build an Incident Response program but aren't provided enough budget. This presentation will share methods and resources to build a solid IR program, including an IR plan and procedures, a training process for the SOC, an outreach program, and forensic investigation capability and skills, using free open-source or low-cost tools and resources. A solid program can help you identify and respond quickly to a security incident, and minimize the financial and reputational costs.


Friday May 11, 2018 11:00am - 11:45am MDT
Track 1: Blake Street Tavern 2301 Blake St, Denver, CO 80205, USA

11:00am MDT

Converge: A Cross Discipline Approach to IR and Breach Investigations (and Lessons Learned)
How non-traditional litigation tools can assist cyber investigators with Incident Response and data breaches.

With the increased use of SaaS, IaaS, and PaaS platforms, organizations are shoveling more compute, applications, and data into the cloud from on-premises solutions. However, answering cloud governance and access control questions such as "What data do I have?", "Where is my data stored?", and "Who has access to my data?" has become challenging. Often, it is because data is out of sight and out of mind. Additionally, during a breach, these questions can impede an investigation that is already challenged by decentralized logging, access rights, large volumes of data review, and the inability to physically access the environment.
 
This presentation will walk through the current challenges faced by defenders and IR investigators, and offer solutions that call on a variety of cyber security, digital forensic and incident response, and eDiscovery talents. We will step through a case example where the convergence of these disciplines allowed an organization to effectively investigate a complex cloud data breach, and comply with regulatory notification requirements.



Friday May 11, 2018 11:00am - 11:45am MDT
Track 2: SecureSet Denver 2228 Blake St #100, Denver, CO 80205, USA

11:00am MDT

Blue Cloud of Death: Red Teaming Azure
On-demand IT services are being publicized as the "new normal", but often these services are misunderstood and hence misconfigured by engineers, which can frequently enable red teams to gain, expand, and persist access within Azure environments.

In this talk we will dive into how Azure services are commonly breached (e.g. discovering insecure blob storage), and then show how attackers are pivoting between the data & control planes (e.g. mounting hard disks, swapping keys, etc...) to expand access. Finally we will demonstrate some unique techniques for persisting access within Azure environments for prolonged periods of time.

Speakers

Bryce Kunz (@TweekFawkes)

Adobe
Bryce Kunz (@TweekFawkes) is an Information Security Researcher located in Salt Lake City, Utah. Bryce currently leads the security offensive testing of Adobe's Marketing Cloud SaaS infrastructure via researching and developing custom exploits for web applications and other cloud...


Friday May 11, 2018 11:00am - 11:45am MDT
Track 3: SecureSet Denver 2228 Blake St #100, Denver, CO 80205

12:00pm MDT

GDPR: Finding the Magic Bullet
GDPR enforcement is quickly approaching. Companies outside the EU have been either ignoring the regulations, have been naïve about applicability, or have taken a wait and see approach to see how serious or severe the regulation will be applied to non-EU companies. As a result of the sudden sense of urgency, vendors have taken to using FUD tactics to sell their products as the magic bullet to quickly becoming compliant.
I’ll be taking the audience through debunking a few common misconceptions around the applicability of GDPR and dispelling the FUD tactics in use to sell technologies that are viable controls but don’t solve the full problem companies will be quickly facing.


Speakers

Ken Morehouse

Principal Data Security Strategist, Trace3
Ken Morehouse is a 30-year veteran within Information Technology and Security. He has held different roles over the course of his career, including database and application development, storage architect, network architect, security consultant, and management roles. His areas of expertise...



Friday May 11, 2018 12:00pm - 12:45pm MDT
Track 2: SecureSet Denver 2228 Blake St #100, Denver, CO 80205, USA

12:00pm MDT

Sieve of Stackstrings: Hunting, Triaging, and Deobfuscating Stackstrings in Malware
Like packing, the presence of obfuscated data in executable files often indicates a malicious disposition. If we can find a way to detect obfuscation techniques in a feed of suspicious files, then we can potentially identify new strains of malware as they are first collected.

During this presentation, we'll focus on stackstrings, a common technique that mixes code and data to break up contiguous data and evade naïve malware analysis tools. I'll demonstrate why FLOSS (the FireEye Labs Obfuscated String Solver) can pull the stackstrings out of a file but is not a good fit for hunting stackstrings at scale. Instead, we'll see how to develop Yara rules that match C code constructs in compiled binaries. Finally, I'll share an introduction to the Unicorn CPU engine and teach the audience how to emulate select portions of malware samples to deobfuscate stackstrings. We'll see that the proposed solution can detect and decode stackstrings from thousands of samples per second, easily consuming the entire public VirusShare corpus (30 million samples).

The audience will enjoy a real-world case study of scaling a hunting technique by relying on high-performance, open-source tools. We’ll see that with very few lines of code, we can implement a novel, yet effective, sieve for malware executable files. If all goes well, the audience will leave with renewed confidence to hunt for new malware families using Yara alongside binary code emulation.


Speakers

William Ballenthin

Reverse Engineer, FireEye


Friday May 11, 2018 12:00pm - 12:45pm MDT
Track 3: SecureSet Denver 2228 Blake St #100, Denver, CO 80205

2:00pm MDT

Ducky-in-the-middle: Injecting keystrokes into plaintext protocols
This presentation will cover the research I performed analyzing the protocols used for HippoRemote, an iPhone application that turns your phone into a mouse/trackpad/keyboard, and Synergy, software for remotely controlling multiple systems with a single mouse and keyboard. By intercepting these protocols on the wire, an attacker can inject malicious keystrokes to compromise a user's workstation.

https://www.n00py.io/2017/01/control-your-mac-with-an-iphone-app-an-analysis-of-hipporemote/
https://www.n00py.io/2017/03/compromising-synergy-clients-with-a-rogue-synergy-server/


Friday May 11, 2018 2:00pm - 2:45pm MDT
Track 1: Blake Street Tavern 2301 Blake St, Denver, CO 80205, USA

2:00pm MDT

Why are you still focused on guarding the empty castle?
Data is the gold of our age and it is everywhere, not just behind the network perimeter. However, many still focus the bulk of their energy on fortifying the network perimeter like the castles of medieval times in the hope it will provide protection, but it won't. The network perimeter is gone, and users are walking around with your gold, so what do you do? Focus on the data and the individual to protect your treasure, else it will be taken from you. In this talk I will walk through five simple steps to roll out a DLP Program, including enabling technologies, in a world without walls that is impactful and relevant to your organization.

Speakers

David Phillips

Director, Data Security, Trace3
David Phillips has 22 years of Information Technology experience with the last 18 years in Security. He has been involved with Data Loss Prevention since 2006 in professional services beginning as a consultant and later building practices from the ground up for McAfee, Optiv and currently...


Friday May 11, 2018 2:00pm - 2:45pm MDT
Track 2: SecureSet Denver 2228 Blake St #100, Denver, CO 80205, USA

2:00pm MDT

So it begins: a neophyte's journey into the arcane magic of cyber security
Looking at the first steps of learning about info sec from the viewpoint of an old-hat IT tech. Fighting through confusion, imposter syndrome, misinformation and self-inflicted ignorance. Searching for a foothold to start a climb, and finding a community open and willing to help. And this is just the start. Help others new to "Cyber" (whatever that means) to work through the fear of feeling lost and stupid so they can see the light that we all can succeed at the simple yet not easy task of learning and sharing.

Speakers

Gabriel Walker

Northern Colorado, self-taught Systems Admin with 20 plus years of IT experience, with aspirations of networking and cyber security mediocrity. We all need to start somewhere and grinding through the basics is the best plan I have come up with. Curious and human, willing to share...


Friday May 11, 2018 2:00pm - 2:45pm MDT
Track 3: SecureSet Denver 2228 Blake St #100, Denver, CO 80205

3:00pm MDT

GreatSCT: Gotta Catch 'Em AWL
Great Scott Marty, we went all the way back to 1995! The project is called Great SCT (Great Scott). GreatSCT is an open source project to generate application whitelisting (AWL) bypasses. This tool is intended for BOTH red and blue team. Blue team can benefit by testing the publicly known application whitelisting bypass methods. We will review the most common application whitelisting bypass methods and how to utilize these methods with GreatSCT.


Friday May 11, 2018 3:00pm - 3:45pm MDT
Track 1: Blake Street Tavern 2301 Blake St, Denver, CO 80205, USA

3:00pm MDT

DanderSpritz: A case study in Nation State Post-Exploitation Framework Capabilities & Defense Strategies
A lot of organizations and independent researchers have dug into The Shadow Brokers' leaks and the exploits within them. However, very little research has been done into the bulk of the leak: the post-exploitation tools and frameworks.

In this talk I will cover the tools, methods, and capabilities built into the DanderSpritz post exploitation framework. We will review how the Equation Group gained and maintained persistence, bypassed auditing and AV, scanned, sampled, subdued, and successfully dominated an entire organization ninja-style. I will dig into the technical details of how the framework gains persistence, performs key logging, captures traffic and screenshots, steals credentials, gathers target information, owns AV and WSUS servers, exfiltrates secrets, and remains undetected by even the latest security tools.

Speakers

Francisco Donoso

Francisco's passion is making information security consumable, effective, and efficient so he spends much of his time working on security automation. He has been on the forefront of research into the Equation Group's post-exploitation tools and capabilities since their release by...


Friday May 11, 2018 3:00pm - 3:45pm MDT
Track 2: SecureSet Denver 2228 Blake St #100, Denver, CO 80205, USA

3:00pm MDT

Innovation in Cyber GRC: Rise of the CRO and CSO
The dynamic climate of corporate cyber-risk, cyber-security, corporate GRC, Enterprise Risk Management, Compliance and IT Operations has revealed a need for the rise of the Cyber Risk Officer (CRO) and the Cyber Security Officer (CSO). The need for cultural change and innovation is driving a new perspective and re-alignment in roles and responsibilities. We need current-day cyber athletes and cyber warriors, plus their executive team leaders, to meet the demands of this dynamic set of operational needs and compliance requirements.

Speakers

Elvis Moreland

Cyber Risk and Compliance, SEC-NET


Friday May 11, 2018 3:00pm - 3:45pm MDT
Track 3: SecureSet Denver 2228 Blake St #100, Denver, CO 80205
 
Saturday, May 12
 

10:00am MDT

Adversary Simulation Using Metasploit and ATT&CK
With an ever-increasing landscape of vulnerabilities and threats, it becomes imperative that Blue Teams are able to test their defensive solutions and implementations. We propose an adversary framework which is able to simulate a realistic threat actor that uses a playbook of scenarios to launch, escalate and persist without manual input. Additionally, the framework is able to detect and react to a defender's actions. The framework uses MITRE's ATT&CK to map tactics and techniques to specific Metasploit modules, which it communicates with over Metasploit's RPC API. It is currently being used in production for cybersecurity scenarios.

Speakers

Saturday May 12, 2018 10:00am - 10:45am MDT
Track 1: Blake Street Tavern 2301 Blake St, Denver, CO 80205, USA

10:00am MDT

Thinking outside the security box: Assembling non-traditional security teams
In an environment where traditional security professionals are scarce, I have taken a different approach to building out a robust pentesting team. By thinking outside the box and adding a bit of creativity to the process, such as providing our recruiters with different technical personas, we have been able to transform the way we attract and hire talent, transforming them into incredible security professionals and consultants. Through mining different industries, technology sectors and practices, we are able to assemble a team that learns and grows together. Their multi-faceted experiences in technology and diverse educational and professional backgrounds help them introduce each other to different experiences and ways of thinking, enabling them to achieve things they otherwise would not have been able to do on their own.

Building this kind of team requires a clear path and dedicated resources who are invested in the success of both the team at large, and the talent at the individual level. It also requires hard work, ambition, and a willingness to learn from all team members. During this presentation, I will walk the audience through this idea, the most effective way to execute it, and some of the results we have seen since embarking on this initiative.

Speakers

Jay Paz

Senior Manager, Penetration Testing, Rapid7
Jay Paz (GSEC, GWAPT, GISP, GSSP-JAVA) has more than nine years of experience in information security and sixteen plus years of information technology experience including system analysis, design and implementation for enterprise level solutions. He has a strong background in developer...


Saturday May 12, 2018 10:00am - 10:45am MDT
Track 2: SecureSet Denver 2228 Blake St #100, Denver, CO 80205, USA

10:00am MDT

'Home' DDOS defense
How to prepare yourself [and your provider] for effective DDOS response


Saturday May 12, 2018 10:00am - 10:45am MDT
Track 3: SecureSet Denver 2228 Blake St #100, Denver, CO 80205

11:00am MDT

Pwning in the Sandbox: OSX Macro Exploitation & Beyond
While performing red team engagements against a hybrid OSX/Windows environment we were challenged with creating successful maldocs targeting OSX systems with the up-to-date Microsoft Office Suite, which is protected by the OSX sandbox. After jumping through many hurdles, both with VBA version conflicts and sandbox restrictions, we successfully created our payload along with a post-exploitation process to gather and exfil data from within the sandbox. Adam will share his experience working with Apple security experts to block these attacks and put protections in place within a corporate environment. This is a perfect love story of Purple teaming which resulted in creating a more secure environment. Also, the mitigation we will be sharing for these attacks has not been publicly released by anyone, including Apple, at this point in time.

Speakers

Adam Gold (@import_au)

Active Defense Engineer, Walmart
With over 10 years' experience in the information technology and cyber security fields, Adam has been recognized as an expert in these areas, strengthening the overall security posture for many organizations including NATO, Hewlett-Packard, Department of the Navy, and more recently...

Danny Chrastil (disk0nn3ct)

Senior Red Team, Walmart
Daniel Chrastil has over 10 years' experience in security ranging from red teaming for the world's largest commercial organization, hacking web and mobile applications, developing and hosting CTFs, and building secure web application environments. Daniel uses his skills from his past...


Saturday May 12, 2018 11:00am - 11:45am MDT
Track 1: Blake Street Tavern 2301 Blake St, Denver, CO 80205, USA

11:00am MDT

Shoulder for ARM: Generating Software from the ARM Architecture Reference Manual
Reference manuals for the ARM architecture are complex and exceedingly long (over 6000 pages for ARMv8-A!). While these manuals are certainly detailed and complete, the process of reading and understanding them is both time consuming and prone to error. However, what would happen if you could write a program to read and understand these manuals for you? In 2017, ARM released the ARMv8-A Architectural Reference Manual in a machine parsable format that was designed specifically to be read and understood by a computer program. This presentation will provide an introduction to ARM's machine parsable specification, discuss a few use cases related to information security, and will introduce a new open source project called Shoulder for ARM which generates software APIs from these documents.

Speakers

Saturday May 12, 2018 11:00am - 11:45am MDT
Track 2: SecureSet Denver 2228 Blake St #100, Denver, CO 80205, USA

11:00am MDT

Collect and SOAR all the things
Visibility and Analytics are key, but how can you act on all of that data in an automated, orchestrated, and consistent way?

Speakers

Colin Blumer

SSA, Splunk
Anything tech really, but certain areas like InfoSec Architecture, SIEM, Endpoint Security, Automation & Orchestration, and SOC/IR playbooks are quite fun.


Saturday May 12, 2018 11:00am - 11:45am MDT
Track 3: SecureSet Denver 2228 Blake St #100, Denver, CO 80205

2:00pm MDT

Finding the Rogue Node - Digital Forensics and IR
Have you ever wanted to find out how that one 0-day took down the business? Ever wonder what (free) tools are available and what aspects of the hard drive, memory and network you can investigate for your incident response investigation? Well, come and join me for a fun and exciting journey down the Digital Forensic and Incident Response rabbit hole!

Speakers

Saturday May 12, 2018 2:00pm - 2:45pm MDT
Track 1: Blake Street Tavern 2301 Blake St, Denver, CO 80205, USA

2:00pm MDT

Sentry or: How I Learned to Stop Worrying and Delete My Accounts
With social media, anyone can become "incidentally infamous" in minutes. Your tweet could go viral, your gif could get posted by a president, or the media could single you out because they think you made Bitcoin. This happens to hackers too, @MalwareTechBlog was arrested after DEF CON 2017 and certain media started doxing him and painting him as a spendthrift criminal based on his Twitter posts. Rather than become a social media hermit to prevent this, just set up a Sentry. This talk will present Sentry, an automated cross-platform application that will silently watch your social media for trigger words and unusual behaviors before springing into action. In minutes Sentry can lock your Twitter account, delete your Reddit comments, disable your websites, and a whole host of other actions to keep attention away in high visibility, low-privacy situations. Released under the MIT license and easily extensible, virtually any site and any API can be scripted with a bit of C#.

Speakers

Michael West (T3h Ub3r K1tten)

National Technical Advisor, CyberArk


Saturday May 12, 2018 2:00pm - 2:45pm MDT
Track 2: SecureSet Denver 2228 Blake St #100, Denver, CO 80205, USA

2:00pm MDT

WiFiPi: Raspberries and Radios and Antennas, oh my!
Tired of carrying heavy backpacks? Wondering why wireless assessments can be such a drag? Script kiddies making fun of you for your outdated tools and techniques? If so, then the WiFiPi is for you!

In this talk, I'll discuss using Raspberry Pis to assess wireless networks. Your Pi can be a valuable tool in pentesting, remote monitoring, managing networks, signal testing, and more.

If you're new to Raspberry Pis, this talk will give you general methodology for wireless assessments as well as tips for making your gear more portable. If you're not into wireless testing, then hopefully you'll come away with some other half-baked ideas for all of those Pis that we all have Pi-ling up!

Speakers

Ray Doyle

Principal Penetration Testing Consultant, Secureworks
The man, the myth, the legend; Ray Doyle, OSCP, GXPN, aka @doylersec is an avid pentester and security enthusiast. He now works as a Senior Penetration Testing Consultant at Secureworks, and has been there for over a year now. When he's not hacking for work he's, well, hacking for...


Saturday May 12, 2018 2:00pm - 2:45pm MDT
Track 3: SecureSet Denver 2228 Blake St #100, Denver, CO 80205

3:00pm MDT

Operation Segmentation?
Layered network defense is good, but can we have too many layers and are there other tools to consider? 


Saturday May 12, 2018 3:00pm - 3:45pm MDT
Track 1: Blake Street Tavern 2301 Blake St, Denver, CO 80205, USA

3:00pm MDT

Why Hackers Still Get In
In my talk, I give examples of methods hackers (and penetration testers) use to penetrate modern corporate networks in spite of the millions of dollars that have been spent on countermeasures and security hardware. I demonstrate several techniques we use to exploit corporate blind spots and discuss the most commonly overlooked attack vectors.

Speakers

B1tWr4ngl3r

Senior Security Analyst, Rapid7
Trevor O'Donnal has over 20 years' experience in Cyber Security. 16 of those years have included penetration testing for every type of organization imaginable. Trevor has worked with both private and public sector entities evaluating their security postures and consulting on ways to...


Saturday May 12, 2018 3:00pm - 3:45pm MDT
Track 3: SecureSet Denver 2228 Blake St #100, Denver, CO 80205