08:15 - Doors Open
08:45 - Opening Remarks
09:00 - Real Time Bidding, or, Why the Internet is Free, or, Why Does That Creepy Ad Keep Following Me? - Sid Faber
09:45 - Break
10:15 - SOCs for the Rest of Us - Dave Herrald
11:15 - Lunch Service Begins
11:00 - Cyber Security Careers: It's Not Just Hacking - Deidre Diamond
11:45 - Incident Response Evidence Collection \ Triage - John Meyers
12:30 - DevOps: Security's Big Opportunity - Peter Chestna
13:15 - Malware and Exploit Kits: Together Forever? - Dave Vargas
14:00 - Break / Lunch Service Ends
14:15 - Lesser-known Application Vulnerabilities - Which are Costing Companies $$$$ - Kevin Cody
15:00 - Break
15:15 - All Your Fleet Are Belong To Us: Vulnerabilities in Fleet Management Systems - Dan Klinedinst
16:00 - Thinking Inside The Box: A New Framework for Promoting Innovation and Successful Cyber Defense - Ernest Y. Wong
16:45 - Closing Remarks
17:00 - After Party sponsored by Anomali
Real Time Bidding, or, Why the Internet is Free, or, Why Does That Creepy Ad Keep Following Me? - Sid Faber
This talk will center around the online world of real-time bidding for Internet advertising. After presenting some of the structure necessary to support current trends in advertising, we will look at some concrete examples, explore trends in cookie policies as separate from privacy policies. If time permits, we will also explore typical cases for malicious advertising. By the end of the talk attendees should understand why ads tend to follow you through your travels on the Internet, and enhance techniques for traffic analysis.
SOCs for the Rest of Us - Dave Herrald
In this talk we will discuss key traits of some of the largest and most successful security operations centers we've visited over the last two years. From automating tier-1 to integrating investigations into Slack channels, from curating toolchains to cutting out threat feeds, we'll cover what’s working well and what challenges remain. Many industry verticals will be represented including financial services, multi-national conglomerates, entertainment, healthcare, energy, defense, technology, and dynamic internet startups.
Cyber Security Careers: It's Not Just Hacking - Deidre Diamond
"With over 500,000 unfilled cyber security jobs, an industry made up of 10% women and a trend of 56% of women leaving tech inside 10 years, we have a big problem. The stereotype of a hoodie-clad man at a terminal in a dark room - a myth our schools perpetuate - is harmful. Those in cyber security can change this right now! Come discuss how to sell all 32 cyber security jobs to women and tech pros so they will want to join us.
- Cyber security career paths are incredibly diverse.
- Due to the extreme need for cyber security talent, more career paths are opening for people to be cross-trained, hybrid roles are emerging, people without a security background can transition into cyber easier now than in years past.
- Cyber security careers offer high salaries, tremendous growth opportunities, travel, ongoing training, fun projects and great career paths. Leave this talk with an understanding of how you can be an ambassador to the cyber security field by advocating to your own friends and family about this great career field."
Incident Response Evidence Collection \ Triage - John Meyers
"Incident Response succeeds or fails at evidence collection. If you don't collect evidence properly or soon enough, you might not be able to determine the root cause of the incident. I will explain how and when to start your evidence collection process, verifying your evidence, hashing your evidence, and the concept of working copies to examine your evidence. Demonstration will include capturing disk image and device memory using FTK Imager and SIFT Workstation.
Incident triage is the process reviewing gathered evidence in an expedient manner to answer important questions. Topics will include the usefulnesses of artifacts including Memory, MFT, Windows Registry and Browser History. Memory triage would cover basic usage of Volatility to find running processes, network connections and review other artifacts available in memory. Disk triage would cover locations of key artifacts including MFT, Registry, Browser History, etc. Log triage would explain how to review large log sets to find relevant evidence using grep. Includes real world example of using the strings command to find bad URLs in phishing PDF files from over 9k PDF files."
DevOps: Security's Big Opportunity - Peter Chestna
DevOps culture creates an opportunity for us to improve application security. Since developers are the ones producing code, integrating components and creating the innovations that fuel our digital economy, they are also the ones who will determine whether or not security is part of development or not. Security professionals must therefore learn to how to talk to developers about how to create a security program that will accelerate development and not slow it down.
Malware and Exploit Kits: Together Forever? - Dave Vargas
"Exploit kits (EKs) first appeared in 2006 but their initial growth was limited by the high level of technical expertise required to use them. Over time, however, EKs have steadily evolved into easy to use (and important) tools in the growing Crimeware-as-a-Service (CaaS) industry. Due to their effectiveness in delivering many different kinds of malware, Blue Teams should understand them. This presentation will begin by differentiating an exploit from a payload. It will then define the term exploit kit and discuss their most common characteristics, including their management consoles and delivery techniques. To give attendees some perspective, the presentation will examine several famous EKs to explain what makes them so successful. Attendees will then be led through an example EK infection chain, including a discussion of the crucial role that DNS plays in EK effectiveness. The session will close with a discussion of current best practices for protecting against EKs and predictions of what Blue Teams can expect to see from EKs in the future.
At the end of this presentation participants will be able to:
• Explain what exploits kits are and what they are most commonly used for
• Describe the relationship between exploit kits and Crimeware-as-a-Service (CaaS)
• Describe the difference between an exploit and a payload
• Name exploit kit components and architecture
• Discuss exploit kit delivery methods
• List the prerequisites required for an exploit kit to successfully compromise a device
• Deploy those best practices that will most protect against exploit kits
• Explain why exploit kits will continue to threaten all types of organizations for the foreseeable future"
Lesser-known Application Vulnerabilities - Which are Costing Companies $$$$ - Kevin Cody
Vulnerabilities are expensive, there’s simply no way around it. Whether it be mitigation costs, Penetration Testing fees, auditing, or bug bounties - vulnerabilities and bugs are pricey. While SQLi and XSS are certainly dangerous, this talk will focus on some of the more obscure application vulnerabilities which were identified within apps and services we use every day. This presentation won’t simply stop at introducing these talking points; rather, we will dive into identification, both risk and technical analysis, and finally remediation techniques. The goal of this discussion will be to arm security practitioners, of all skill levels, in better understanding application risks in 2017.
All Your Fleet Are Belong To Us: Vulnerabilities in Fleet Management Systems - Dan Klinedinst (@dklinedinst)
Organizations that operate fleets of vehicles are increasingly using Internet-connected devices in those vehicles to manage them. I will demonstrate some specific vulnerabilities in such systems that could allow an attacker to track and/or control a large number of the vehicles in a given fleet. Most of the presentation will consist of methods for assessing various components of these telematics systems. Specifically, we will look at examining cellular communications via a homemade base station (IMSI catcher), abusing SMS and cellular data communications, reverse engineering ARM firmware, and sniffing traffic on circuit boards with an oscilloscope and logic analyzer. Finally, I will discuss how to exploit these systems to achieve fleet tracking, theft, and potentially control of the vehicles.
Thinking Inside The Box: A New Framework for Promoting Innovation and Successful Cyber Defense - Ernest Y. Wong
Since our Republic's origins, Americans have demonstrated a speculative knack and considerable optimism that have translated into innovative solutions for grappling problems. From the first English colonists to today's NASA astronauts, Americans have a proud history of discovering new ways for getting the job done. Today innovation has become a buzzword in the US Army, and it is helping to shape the vision for the Army of 2025 and Beyond as an agile organization for a complex world. But does the US Army have the capabilities needed to protect vital national interests in cyber? Does the US Army know how to foster innovations that can keep pace with disruptive cyberattacks? The Internet's growth in our globally connected world has meant that the tools within the cyber domain are constantly changing. To make matters worse, many believe the US Army is such an unwieldy bureaucracy that it can't adapt to win tomorrow's wars. So does the US Army have the capacity to out-hack those attacking us in the digital terrain? This presentation provides a framework for analyzing different types of innovation, and in doing so, asks us to think inside-the-box to promote better ways the US Army can defend our cyberspace.