BSidesDEN 2018 has ended
Friday, May 11
 

10:00am MDT

In The Trenches: Dealing With Ransomware and the Attackers Behind It
Ransomware has locked your files and deleted your backups - you decide to pay up.  Where do you start? How long does it take to get your files back? What is the process of paying someone in bitcoin? Once you get the tool, how do you know it works? Take a dive into the world of cybercrime negotiations, attacker profiling, decryption troubleshooting, and some of the surprises (and horrors) that arise along the way.

Speakers
Elizabeth Cookson

Senior Cyber Investigator, Kivu Consulting


Friday May 11, 2018 10:00am - 10:45am MDT
Track 2: SecureSet Denver 2228 Blake St #100, Denver, CO 80205, USA

11:00am MDT

Converge: A Cross Discipline Approach to IR and Breach Investigations (and Lessons Learned)
How non-traditional litigation tools can assist cyber investigators with Incident Response and data breaches.

With the increased use of SaaS, IaaS, and PaaS platforms, organizations are shoveling more compute, applications, and data into the cloud from on-premises solutions. However, answering cloud governance and access control questions such as “What data do I have?”, “Where is my data stored?”, and “Who has access to my data?” has become challenging. Often, it is because data is out of sight and out of mind. Additionally, during a breach, these questions can impede an investigation that is already challenged by decentralized logging, access rights, large volumes of data review, and the inability to physically access the environment.
 
This presentation will walk through the current challenges faced by defenders and IR investigators, and offer solutions that call on a variety of cyber security, digital forensic and incident response, and eDiscovery talents. We will step through a case example where the convergence of these disciplines allowed an organization to effectively investigate a complex cloud data breach, and comply with regulatory notification requirements.


Speakers

Friday May 11, 2018 11:00am - 11:45am MDT
Track 2: SecureSet Denver 2228 Blake St #100, Denver, CO 80205, USA

12:00pm MDT

GDPR: Finding the Magic Bullet
GDPR enforcement is quickly approaching. Companies outside the EU have either been ignoring the regulations, been naïve about applicability, or taken a wait-and-see approach to see how seriously or severely the regulation will be applied to non-EU companies. As a result of the sudden sense of urgency, vendors have taken to using FUD tactics to sell their products as the magic bullet to quickly becoming compliant.
I’ll be taking the audience through debunking a few common misconceptions around the applicability of GDPR and dispelling the FUD tactics in use to sell technologies that are viable controls but don’t solve the full problem companies will be quickly facing.


Speakers
Ken Morehouse

Principal Data Security Strategist, Trace3
Ken Morehouse is a 30-year veteran within Information Technology and Security. He has held different roles over the course of his career, including database and application development, storage architect, network architect, security consultant, and management roles. His areas of expertise...



Friday May 11, 2018 12:00pm - 12:45pm MDT
Track 2: SecureSet Denver 2228 Blake St #100, Denver, CO 80205, USA

2:00pm MDT

Why are you still focused on guarding the empty castle?
Data is the gold of our age and it is everywhere, not just behind the network perimeter. However, many still focus the bulk of their energy on fortifying the network perimeter like the castles of medieval times in hope it will provide protection, but it won’t. The network perimeter is gone, and users are walking around with your gold, so what do you do? Focus on the data and the individual to protect your treasure, else it will be taken from you. In this talk I will walk through five simple steps to roll out a DLP Program, including enabling technologies, in a world without walls that is impactful and relevant to your organization.

Speakers
David Phillips

Director, Data Security, Trace3
David Phillips has 22 years of Information Technology experience with the last 18 years in Security. He has been involved with Data Loss Prevention since 2006 in professional services beginning as a consultant and later building practices from the ground up for McAfee, Optiv and currently...


Friday May 11, 2018 2:00pm - 2:45pm MDT
Track 2: SecureSet Denver 2228 Blake St #100, Denver, CO 80205, USA

3:00pm MDT

DanderSpritz: A case study in Nation State Post-Exploitation Framework Capabilities & Defense Strategies
A lot of organizations and independent researchers have dug into The Shadow Brokers' leaks and the exploits within them. However, very little research has been done into the bulk of the leak: the post-exploitation tools and frameworks.

In this talk I will cover the tools, methods, and capabilities built into the DanderSpritz post-exploitation framework. We will review how the Equation Group gained and maintained persistence, bypassed auditing and AV, scanned, sampled, subdued, and successfully dominated an entire organization ninja-style. I will dig into the technical details of how the framework gains persistence, performs key logging, captures traffic and screenshots, steals credentials, gathers target information, owns AV and WSUS servers, exfiltrates secrets, and remains undetected by even the latest security tools.

Speakers
Francisco Donoso

Francisco's passion is making information security consumable, effective, and efficient so he spends much of his time working on security automation. He has been on the forefront of research into the Equation Group’s post-exploitation tools and capabilities since their release by...


Friday May 11, 2018 3:00pm - 3:45pm MDT
Track 2: SecureSet Denver 2228 Blake St #100, Denver, CO 80205, USA
 
Saturday, May 12
 

10:00am MDT

Thinking outside the security box: Assembling non-traditional security teams
In an environment where traditional security professionals are scarce, I have taken a different approach to building out a robust pentesting team. By thinking outside the box and adding a bit of creativity to the process, such as providing our recruiters with different technical personas, we have been able to transform the way we attract and hire talent, transforming them into incredible security professionals and consultants. Through mining different industries, technology sectors and practices, we are able to assemble a team that learns and grows together. Their multi-faceted experiences in technology and diverse educational and professional backgrounds help them introduce each other to different experiences and ways of thinking, enabling them to achieve things they otherwise would not have been able to do on their own.

Building this kind of team requires a clear path and dedicated resources who are invested in the success of both the team at large, and the talent at the individual level. It also requires hard work, ambition, and a willingness to learn from all team members. During this presentation, I will walk the audience through this idea, the most effective way to execute it, and some of the results we have seen since embarking on this initiative.

Speakers
Jay Paz

Senior Manager, Penetration Testing, Rapid7
Jay Paz (GSEC, GWAPT, GISP, GSSP-JAVA) has more than nine years of experience in information security and sixteen plus years of information technology experience including system analysis, design and implementation for enterprise level solutions. He has a strong background in developer...


Saturday May 12, 2018 10:00am - 10:45am MDT
Track 2: SecureSet Denver 2228 Blake St #100, Denver, CO 80205, USA

11:00am MDT

Shoulder for ARM: Generating Software from the ARM Architecture Reference Manual
Reference manuals for the ARM architecture are complex and exceedingly long (over 6000 pages for ARMv8-A!). While these manuals are certainly detailed and complete, the process of reading and understanding them is both time consuming and prone to error. However, what would happen if you could write a program to read and understand these manuals for you? In 2017, ARM released the ARMv8-A Architectural Reference Manual in a machine parsable format that was designed specifically to be read and understood by a computer program. This presentation will provide an introduction to ARM's machine parsable specification, discuss a few use cases related to information security, and will introduce a new open source project called Shoulder for ARM which generates software APIs from these documents.

Speakers

Saturday May 12, 2018 11:00am - 11:45am MDT
Track 2: SecureSet Denver 2228 Blake St #100, Denver, CO 80205, USA

2:00pm MDT

Sentry or: How I Learned to Stop Worrying and Delete My Accounts
With social media, anyone can become "incidentally infamous" in minutes. Your tweet could go viral, your gif could get posted by a president, or the media could single you out because they think you made Bitcoin. This happens to hackers too: @MalwareTechBlog was arrested after DEF CON 2017 and certain media started doxing him and painting him as a spendthrift criminal based on his Twitter posts. Rather than become a social media hermit to prevent this, just set up a Sentry. This talk will present Sentry, an automated cross-platform application that will silently watch your social media for trigger words and unusual behaviors before springing into action. In minutes Sentry can lock your Twitter account, delete your Reddit comments, disable your websites, and a whole host of other actions to keep attention away in high-visibility, low-privacy situations. Released under the MIT license and easily extensible, virtually any site and any API can be scripted with a bit of C#.

Speakers
Michael West (T3h Ub3r K1tten)

National Technical Advisor, CyberArk


Saturday May 12, 2018 2:00pm - 2:45pm MDT
Track 2: SecureSet Denver 2228 Blake St #100, Denver, CO 80205, USA
 