Building a Ransomware Incident Response Plan
Despite your best efforts, there is a good chance your organization will be the victim of a ransomware attack. What do you do when that happens? Organizations need to plan for a ransomware attack. This talk will cover steps organizations can take to prepare for a ransomware attack and review the initial steps after an attack happens. Topics include:
1. What log sources should be collected
2. Getting the right people involved
3. Testing your IR plan
Track 3
5 Feb 2022 4:00 PM - 5:00 PM
Allan Liska
Intelligence Analyst, Recorded Future
@uuallan
With more than 20 years of experience in ransomware and information security, Allan Liska has improved countless organizations’ security posture using more effective intelligence. Liska provides ransomware-related counsel and key recommendations to major global corporations and government agencies, sitting on national ransomware task forces and speaking at global conferences. Liska has worked as both a security practitioner and an ethical hacker at Symantec, iSIGHT Partners, FireEye, and Recorded Future. Regularly cited in The Washington Post, Bloomberg, The New York Times, and NBC News, he is a leading voice in ransomware and intelligence security. Liska has authored numerous books including “The Practice of Network Security,” “Building an Intelligence-Led Security Program,” “Securing NTP: A Quickstart Guide,” “Ransomware: Defending Against Digital Extortion,” “DNS Security: Defending the Domain Name System,” and “Ransomware: Understand. Prevent. Recover.”
Active Defense Scenarios: A Quarterly Intelligence Driven Purple Team Exercise
The speakers have an abundance of experience working with organizations across many different sectors and regions. Something they have seen to be the most effective use of tactical Threat Intelligence and Purple Teaming is the concept of “Active Defense Exercises”. “Active Defense Exercises” involve the creation of realistic and timely, adversary-specific, kill chain scenarios. During this talk the speakers will discuss the best approaches for scenario selection. The speakers will then pivot to discuss the nuances of liaising on Purple Team testing to determine the level of effectiveness of the organization’s security controls. The speakers will also discuss strategies for engaging internal security teams and detail the most effective mechanisms for conveying the “Active Defense Exercise” lessons learned to technical and non-technical stakeholders.
Track 3
5 Feb 2022 3:00 PM - 4:00 PM
Robert Moody
Security is a team sport, do not drop the ball!
Robert A. Moody is a cyber threat intelligence and incident response expert, currently working as Cyber Threat Intelligence Manager at The Home Depot. Robert leads a team charged with monitoring the threat landscape for all of North America. Robert holds the following certifications: Certified Information Security Manager (CISM), Certified Information Systems Auditor (CISA), Certified Data Privacy Solutions Engineer (CDPSE), and CREST Registered Threat Intelligence Analyst (CRTIA). He holds a Master’s degree in Cybersecurity from IE University and an Executive Master’s in Business Administration (EMBA) from Quantic School of Business and Technology. His background is in defending critical infrastructure, including manufacturing, banking, finance, telecommunications, retail, and energy.
Robin Williams
Purple team all the things...
@bfuzzy1
Robin Williams is an offensive and defensive security expert, currently working as a Staff Systems Engineer on the Red Team at The Home Depot. Robin leads all of the Purple Team efforts as a sub-team under the Red Team. He has a background working as a security consultant and has consulted across multiple industries including banking, finance, telecommunications, and retail.
Human Intelligence Versus Artificial Intelligence: Ransomware
The threat of ransomware is ever-evolving, just as artificial intelligence is. It’s clear that businesses need better defense, but the answer isn’t solely AI – it’s actually human intelligence.
In this session, Bryce Webster-Jacobsen, an expert ransomware negotiator who deals with ransomware negotiations on a daily basis, will challenge the ideas of human intelligence versus artificial intelligence when it comes to ransomware attacks. Learn how expert ransomware negotiators can validate the reputation of the threat actor and why dark web monitoring and human reconnaissance are an indispensable part of the resolution process.
Track 3
5 Feb 2022 2:00 PM - 3:00 PM
Bryce Webster-Jacobsen
Director of Intelligence Operations, GroupSense
@BrycexWJ
Bryce Webster-Jacobsen is the Director of Intelligence Operations at GroupSense, a digital risk protection services company. He leads a team delivering fully managed cyber intelligence and reconnaissance services to help organizations manage risk.
PacketSifter and Leveraging TShark for Network Traffic Analysis
SOC analysts are familiar with Wireshark and all of its capabilities but are often at a roadblock when the pcap is relatively large. My tool, PacketSifter, and the open-source tool TShark will enable analysts to jump over that hurdle and learn to analyze pcaps on the command line!
Gone are the days of opening a large pcap in Wireshark and waiting two days for Wireshark to parse and load the pcap. PacketSifter will carve out noteworthy traffic as well as provide enrichment capabilities with GeoIP lookups via AbuseIPDB and hash lookups via VirusTotal.
This talk will demo PacketSifter as well as introduce TShark to continue on with the output files provided by PacketSifter.
Track 3
5 Feb 2022 12:00 PM - 12:30 PM
Ross Burke
Mandiant - Security Consultant | University of Houston - Instructor
@packetsifter
Ross Burke is a Security Consultant at Mandiant and also an Instructor of Information Science and Technology at the University of Houston. Ross has worked across several aspects of cybersecurity including operating as a SOC analyst at an MSSP as well as staff augmentation and strategic consulting projects.
Ross has two degrees from the University of Houston including a Bachelor of Science in Computer Information Systems and Master of Science in Cybersecurity. He also holds several cybersecurity certifications including CISSP, GCIA, GCDA, GCFA, and Security+. Ross is also the developer of the open-source tool PacketSifter (https://github.com/packetsifter/packetsifterTool) which he presented at Wild West Hackin' Fest - Way West 2021.
In his free time, he enjoys kickstarting board games after having a few drinks.
Network Forensics Analysis
Advanced Persistent Threat (APT) groups do not like to leave evidence of their crimes on their targets; usually they develop or use fileless malware so as not to leave fingerprints or traces that prove their crimes and reveal their operations. Network forensics analysis has become an essential skill to uncover APT operations and identify what has happened, by utilizing Wireshark and other open-source tools to analyze network packet captures (PCAP). In this lecture, we will introduce a couple of APT attack scenarios and walk through how to analyze them.
Track 3
5 Feb 2022 11:00 AM - 12:00 PM
Rami AlTalhi
Incident Response Consultant @ Cisco Talos
Rami has over 13 years of experience across different information security and cybersecurity fields. He worked as an Incident Response Expert for four years, handling different cyber incidents and events, and has provided DFIR and Cyber Range training in different regions of the world (Europe, Asia, Middle East and US). He has dealt with sophisticated APT cyber incident cases ranging from cyber espionage to data destruction.
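Both network-analysis talks above, PacketSifter and Leveraging TShark for Network Traffic Analysis and Network Forensics Analysis, start from the same practical problem: a capture too large to triage comfortably in Wireshark. The Python below is an added illustration for this page, not PacketSifter's own code (PacketSifter drives TShark) and not material from either speaker. It reads a classic little-endian pcap directly and carves out the first things an analyst wants from a large capture: per-protocol flow counts, the DNS names queried, and HTTP request lines. The capture it processes is built inline by `build_sample_pcap()` and is constructed, not real traffic; the addresses and hostnames in it are fictitious.

```python
import struct
from collections import Counter

ETH_IPV4 = 0x0800
PROTO_TCP, PROTO_UDP = 6, 17
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ")

def iter_frames(pcap):
    """Yield raw Ethernet frames from a classic little-endian pcap (not pcapng)."""
    magic, linktype = struct.unpack_from("<I", pcap, 0)[0], struct.unpack_from("<I", pcap, 20)[0]
    if magic != 0xA1B2C3D4 or linktype != 1:
        raise ValueError("expected a little-endian classic pcap with Ethernet framing")
    off = 24
    while off + 16 <= len(pcap):
        _sec, _usec, incl_len, _orig_len = struct.unpack_from("<IIII", pcap, off)
        yield pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len

def parse_dns_qname(payload):
    """Return the first question name of a DNS message, or None if it is malformed."""
    if len(payload) < 12 or struct.unpack_from("!H", payload, 4)[0] == 0:
        return None
    labels, off = [], 12
    while off < len(payload):
        n, off = payload[off], off + 1
        if n == 0:
            break
        if n >= 0xC0:  # a compression pointer inside a question name is invalid: bail out
            return None
        labels.append(payload[off:off + n].decode("ascii", "replace"))
        off += n
    return ".".join(labels) or None

def sift(pcap):
    """Summarise a capture: (proto, src, dst, dport) flow counts, DNS names, HTTP request lines."""
    flows, dns, http = Counter(), [], []
    for frame in iter_frames(pcap):
        if len(frame) < 34 or struct.unpack_from("!H", frame, 12)[0] != ETH_IPV4:
            continue  # ARP, IPv6, VLAN-tagged frames etc. are out of scope here
        if struct.unpack_from("!H", frame, 20)[0] & 0x1FFF:
            continue  # non-first IP fragment carries no transport header
        proto, l4 = frame[23], frame[14 + (frame[14] & 0x0F) * 4:]
        src, dst = (".".join(map(str, frame[i:i + 4])) for i in (26, 30))
        if len(l4) < 8:
            continue
        sport, dport = struct.unpack_from("!HH", l4, 0)
        if proto == PROTO_UDP:
            flows[("udp", src, dst, dport)] += 1
            name = parse_dns_qname(l4[8:]) if dport == 53 else None
            if name:
                dns.append((src, name))
        elif proto == PROTO_TCP:
            flows[("tcp", src, dst, dport)] += 1
            payload = l4[(l4[12] >> 4) * 4:] if len(l4) >= 20 else b""
            if payload.startswith(HTTP_METHODS):
                http.append((src, dst, payload.split(b"\r\n", 1)[0].decode("ascii", "replace")))
    return {"flows": flows, "dns": dns, "http": http}

# --- constructed sample capture: fictitious hosts, not real traffic ----------------
def _frame(src, dst, proto, l4):
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return b"\x00\x11\x22\x33\x44\x55" * 2 + struct.pack("!H", ETH_IPV4) + ip + l4

def _udp(sport, dport, payload):
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload

def _tcp(sport, dport, payload):  # 20-byte header, PSH|ACK, checksum left at zero
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + payload

def _dns_query(name):
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    return struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", 1, 1)

def build_sample_pcap():
    """Two DNS queries and one HTTP GET from a made-up client; addresses and names are fictitious."""
    frames = [
        _frame("10.0.0.5", "10.0.0.1", PROTO_UDP, _udp(40000, 53, _dns_query("example.test"))),
        _frame("10.0.0.5", "10.0.0.1", PROTO_UDP, _udp(40001, 53, _dns_query("update.example.test"))),
        _frame("10.0.0.5", "198.51.100.7", PROTO_TCP,
               _tcp(50000, 80, b"GET /payload.bin HTTP/1.1\r\nHost: 198.51.100.7\r\n\r\n")),
    ]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1_600_000_000 + i, 0, len(f), len(f)) + f
    return out

if __name__ == "__main__":
    for key, value in sift(build_sample_pcap()).items():
        print(key, value)
```

Run it as a script to print the summary, or feed `sift` the bytes of a real file. It deliberately handles only classic pcap with Ethernet framing, IPv4 and first fragments; pcapng, VLAN tags and IPv6 are skipped or rejected, which is the kind of coverage a purpose-built tool such as TShark provides and a quick carving script does not. Checksums are not verified, so a crafted capture can still lie to it.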
Nits Among Your Bits: A Dive into LockBit Ransomware Operations
LockBit ransomware operators have been active since September 2019, but there is still very limited information on their operations available in the public space. The ransomware-as-a-service program and the ransomware itself were updated in June 2021, so we are now dealing with LockBit 2.0. Despite the fact that the updated RaaS has had quite a short lifecycle, its affiliates have already performed at least a hundred successful attacks. In this talk, we’ll look at the threat actor’s tactics, techniques and procedures, from gaining initial access to impact, as well as some custom tools leveraged by them for data exfiltration (StealBit) and file encryption (LockBit).
Track 3 (Virtual)
5 Feb 2022 10:00 AM - 11:00 AM
Oleg Skulkin
Head of DFIR Team, Group-IB
@oskulkin
Oleg Skulkin is the Head of DFIR Team at Group-IB. Oleg has worked in the fields of digital forensics, incident response, and cyber threat intelligence and research for almost a decade, fueling his passion for uncovering new techniques used by hidden adversaries. Oleg has authored and co-authored multiple blog posts, papers, and books on related topics and holds GCFA and GCTI certifications.
How Nefilim Dropper uses Polymorphism
Nefilim’s malware sample uses a polymorphic dropper, meaning the file it drops may be one of over 2000 different file hashes. Polymorphism is used in a dropper to make a malware sample harder to detect, and I will explain a lot of the basics of reverse engineering for a diverse IT security crowd.
Track 3
5 Feb 2022 9:00 AM - 10:00 AM
Mark Embrich
Malware Analyst
Mark has been a Network Admin, System Admin, SOC Analyst, Sec Eng, Forensics Analyst, Threat Detection Analyst, and Malware Analyst.
Threat Hunting: Becoming the Predator and No Longer the Prey
Threat Hunting may be one of the more glamorized components of modern security operations today. Every week we read of how modern security controls are being evaded and bypassed. We know that a more proactive approach to detecting Evil is needed. Still, Threat Hunting is much more complicated than reviewing our SIEM enriched and neatly packaged alerts that our security controls have decided are worth our attention. It can often be challenging to know where to start, obtain a high ROI, and measure and communicate value or progress with Threat Hunting.
In this talk, we are going to explore how to do just that.
It is not expensive tools or highly situational graphical user interfaces that are needed. What we need is a repeatable, scalable, and measurable process that will give the effort vision and direction at the beginning and the ability to validate maturation as we advance in the discipline. While paid products can help, there are more than enough open-source resources to develop a Threat Hunting operation that can reliably detect some of the techniques used by the advanced adversaries of our day.
Track 3
4 Feb 2022 4:30 PM - 5:30 PM
Christian Taillon
Threat Response Engineer, GCE
@christian_tail
https://christiantaillon.medium.com/
Christian contributes to Grand Canyon Education's IT Security team as a Threat Response Engineer. His efforts focus primarily on improving the Security team's operational tools and capabilities to efficiently detect and effectively respond to threats. This is done primarily through work relating to SIEM, EDR, NTA, and an evolving Threat Intelligence program.
He enjoys contributing to the larger community via various Threat Intelligence Content Development efforts and open-source projects. He leads Threat Exchanges as a Global Watch Center Handler for ACTRA, where he teaches for their Academy. He works as a Solutions Architect for the Cyber Resiliency Institute and contributes to SPORTS-ISAO as a member of the COTH team. When away from the keyboard, he enjoys camping, kayaking, and hiking with his wife.
Tag Management System: the Agile Way to Add Vulnerabilities on your Website
Tag managers (such as Google Tag Manager, Adobe Launch...) are scripts which let non-developers easily add and remove—in one word, manage—third-party scripts. Marketing people often require them in order to promptly experiment with analytics scripts, without bothering the development team for their inclusion on the website.
More than 40% of websites use Google Tag Manager[^1], which fires on average 12 scripts[^2] per website. Unfortunately, those scripts are often added ad hoc, outside of the regular development life-cycle and CI/CD pipeline.
Here lies the problem for security professionals: those scripts and their usage often don't go through the imposed security processes; they bypass code review and tests.
As an ex-web marketing professional, I will explain how those tag manager scripts are used, what kind of scripts are deployed through them and the pipeline used by marketers to deploy them to the end-user facing website.
As a current web application security developer, I will explain how security professionals can work with the marketing team to ensure the scripts used are not compromising the website integrity, nor the user's security, without hindering the marketing team's productivity.
Track 3
4 Feb 2022 4:00 PM - 4:30 PM
Alexandre Mercier
Ex-web marketer turned security engineer and privacy advocate
@cyberflamingo
https://www.cyberflamingo.net/
Alexandre Mercier was born and raised in Lorraine, France.
After graduating from Lorraine University with a major in Communication, he joined a Japanese IT venture to set up its marketing department. After gaining an interest in the cyber-security world, he joined UBsecure, Inc. as a security engineer. As an engineer, he likes to think about ways to update, automate and make the development environment more efficient.
Outside work, he likes collecting Kokeshi (Japanese wooden dolls).
Ready... Set... Secure all the COVID vaccines!
That’s what Daniel was told in May 2020, two months after starting a new job. In this talk, he’ll share the inside experience of how a small team of (mostly government!) infosec folks worked to secure the entire vaccine development, distribution, and supply chain, and the key takeaways for the larger infosec community from this crazy (and surprisingly successful) experience.
This talk will cover a few key topics. First, Daniel will share the overall story of the operation, some of the (nation state) attacks they saw, and how the team was able to help harden literally dozens of companies in a matter of months. He’ll cover the critical role that the infosec/hacker community played, between collaboration with CTI League and industry partners, as well as an effective use of bug bounties to rapidly secure a plethora of questionable apps developed by contractors. He’ll explain some of the problems and promises that industry faces when collaborating with government, from what role each agency plays to some of the barriers that were overcome. And he’ll dive into the vaccine supply chain and its vulnerabilities, and how badly we need the larger infosec community to help harden this rapidly ‘techifying’ space before the next bio-catastrophe hits.
Track 3
4 Feb 2022 3:00 PM - 4:00 PM
Daniel Bardenstein
Tech Policy Fellow at the Aspen Institute, Partner at Foresight Partners.
@bardenstein
Daniel Bardenstein is just trying to help make the world even just a little more secure. As a Tech Policy Fellow at the Aspen Institute, he is focusing on policies to improve cybersecurity across the energy sector and incentivize IoT manufacturers to natively secure their devices. At Foresight Partners, he volunteers infosec and disinformation training and support to political campaigns. At DoD's Defense Digital Service, Daniel led efforts including cybersecurity for the COVID-19 vaccines, the Hack the Pentagon program, and research into OT/ICS/SCADA security. Before government, he worked in the private sector, where he built tools to make security teams’ lives easier. Daniel also holds certifications as a GCFA (Windows Memory Forensics) and, begrudgingly, a CISSP, as well as a patent on network anomaly detection. When not learning about some new security issue, Daniel tries to unwind by playing drums, hiking with his dog (Bowie), and baking banana bread.
Hunting Phish Kits
New phishing websites are set up every few seconds with the intention of stealing your credentials, infecting your system, or convincing you to do something via social engineering. Most of these sites are distributed and deployed through (mostly crude) automation, which usually results in attackers leaving their kits behind. During this talk I will walk through what phish kits are, why they are important for proactive defense and security research, and how you can automate identifying these kits in the wild.
Track 3
4 Feb 2022 2:00 PM - 3:00 PM
Josh Rickard
Security Solutions Architect
@MSAdministrator
https://letsautomate.it
Josh Rickard is a Security Solutions Architect at Swimlane focused on automating everyday processes in business and security. He is an expert in PowerShell and Python, and has presented at multiple conferences including DerbyCon, ShowMeCon, BlackHat Arsenal, CircleCityCon, Hacker Halted, and numerous BSides. In 2019, Josh was awarded an SC Media Reboot Leadership Award in the Influencer category and is featured in the Tribe of Hackers: Blue Team book. You can find information about open-source projects that Josh creates on GitHub at https://github.com/MSAdministrator
JavaScript Obfuscation - It’s All About the P-a-c-k-e-r-s
The use of JavaScript obfuscation techniques has become prevalent in today’s threats: phishing pages, Magecart, supply chain injection and JavaScript malware droppers all use JavaScript obfuscation on some level.
The use of JavaScript obfuscation enables evasion of detection engines and poses a challenge to security professionals, as it hinders them from getting quick answers on the functionality of the examined source code.
Deobfuscation can be technically challenging (sometimes), risky (if you don’t know what you are doing), and time consuming (if you are lazy, as I am). Yet, the need to find and analyze high scaled massive attacks using JavaScript obfuscation is a task I’m faced with on a daily basis.
In this presentation I will present a lazy, performant and cost-effective approach, focusing on the detection of JavaScript packer templates. Once combined with threat intelligence heuristics, this approach can predict the maliciousness level of JavaScript with a high probability of accuracy.
In addition to the overview of what I’ve developed, I’ll share the techniques used, as well as source code needed to create a representation of JavaScript by using AST parsing, obfuscation pattern matching, and the machine learning techniques involved.
Track 3
4 Feb 2022 11:00 AM - 12:00 PM
Or Katz
Akamai, Principal Lead Security Researcher
@or_katz
https://www.akamai.com/blog?author=or_katz
Or Katz is a security veteran with years of experience at industry-leading vendors, and currently serves as principal lead security researcher for Akamai. Katz is a frequent speaker at security conferences and has published numerous articles, blogs and white papers on threat intelligence and defensive techniques. He is a data-driven security researcher who is constantly looking at how to move security challenges into the science and solutions space.
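The packer template the title of the talk above alludes to is the one produced by Dean Edwards' /packer/, whose output always begins `eval(function(p,a,c,k,e,d){...}` (older builds name the last formal `r`). The Python below is an added example for this page, not Or Katz's detection code and not the AST or machine-learning pipeline the talk describes: it shows the cheapest layer of that approach, a template match on the stub, and then recovers the payload without ever evaluating it, so the analyst can read what the script would have run. `SAMPLE_PACKED` is constructed here in the real packer's output shape with a harmless payload; the regexes are my own and assume the packer's default single-quoted argument list.

```python
import re

# Head of the runtime stub the packer emits; some versions name the sixth formal 'r' instead of 'd'.
PACKER_STUB = re.compile(r"eval\(\s*function\s*\(\s*p\s*,\s*a\s*,\s*c\s*,\s*k\s*,\s*e\s*,\s*[dr]\s*\)")
# The stub is invoked as  }('payload', radix, count, 'w0|w1|...'.split('|'), 0, {})
PACKER_ARGS = re.compile(
    r"\}\s*\(\s*'((?:[^'\\]|\\.)*)'\s*,\s*(\d+)\s*,\s*(\d+)\s*,\s*'((?:[^'\\]|\\.)*)'\.split\('\|'\)",
    re.S,
)
# Digit alphabet of the packer's encoder: 0-9, then a-z, then A-Z when the radix is 62.
ALPHABET = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"


def is_packed(js):
    """Template match on the stub alone: cheap enough to run over every script seen."""
    return PACKER_STUB.search(js) is not None


def _decode(token, radix):
    """Inverse of the packer's encoder; None if the token holds a digit outside the radix."""
    value = 0
    for ch in token:
        digit = ALPHABET.find(ch)
        if digit < 0 or digit >= radix:
            return None
        value = value * radix + digit
    return value


def unpack(js):
    """Recover the source the stub would eval, or None if the template is absent or malformed."""
    if not is_packed(js):
        return None
    m = PACKER_ARGS.search(js)
    if not m:
        return None
    payload, radix, count, words = m.group(1), int(m.group(2)), int(m.group(3)), m.group(4)
    if not 2 <= radix <= 62:
        return None
    # Reverse the single-quote string escaping the packer applies to the payload.
    payload = payload.replace(r"\'", "'").replace(r"\\", "\\")
    keywords = words.split("|")

    # The stub builds d[e(i)] = k[i] || e(i): an empty dictionary slot leaves the token as-is.
    def swap(match):
        token = match.group(0)
        idx = _decode(token, radix)
        if idx is not None and idx < min(count, len(keywords)) and keywords[idx]:
            return keywords[idx]
        return token

    return re.sub(r"\b[A-Za-z0-9_]+\b", swap, payload)


# Constructed sample in the real packer's output shape; the payload is harmless.
SAMPLE_PACKED = (
    "eval(function(p,a,c,k,e,d){e=function(c){return c.toString(36)};"
    "if(!''.replace(/^/,String)){while(c--){d[e(c)]=k[c]||e(c)}k=[function(e){return d[e]}];"
    "e=function(){return'\\\\w+'};c=1};while(c--){if(k[c]){p=p.replace(new RegExp('\\\\b'+e(c)+'\\\\b','g'),k[c])}}"
    "return p}('0(1.2+\\'|\\'+3.4)',36,5,'alert|document|cookie|navigator|userAgent'.split('|'),0,{}))"
)

if __name__ == "__main__":
    print("packed:", is_packed(SAMPLE_PACKED))
    print("unpacked:", unpack(SAMPLE_PACKED))
```

`is_packed` is the signal a scanner can afford on every script; `unpack` is only for the hits. Real samples are frequently packed several times or wrapped in other obfuscators, so in practice `unpack` is applied in a loop until `is_packed` stops matching and the result is then handed to a proper JavaScript parser.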
Operationalized Purple Teaming
Congratulations, you recently completed a successful, high-value Purple Team Exercise in your organization! Your Cyber Threat Intelligence team identified an adversary that has the capability, intent, and opportunity to attack your organization and provided those adversary behaviors to the red team. The red team emulated those same tactics, techniques, and procedures (TTPs) in your production environment while the Blue Team watched and learned how the attack works. Then the blue team showed everyone how they identify those adversary behaviors and follow their response process to quickly mitigate the threat. All your security teams collaborated and efficiently tested, measured, and improved your people, process, and technology! A month has passed, what happens next?
This talk picks up after your first successful Purple Team Exercise is complete and teaches you how to continue maturing and improving your security program by operationalizing the collaboration between your security teams (Cyber Threat Intelligence, Red Team, and Blue Team). You don’t have to wait for the next scheduled, formal exercise to continue testing your people, process, and technology. You can leverage new Cyber Threat Intelligence and collaborate with your team to test new TTPs through a process called Detection Engineering.
Track 3
4 Feb 2022 10:00 AM - 11:00 AM
Jorge Orchilles
CTO - SCYTHE
@jorgeorchilles
https://www.scythe.io/authors/jorge-orchilles/
Jorge Orchilles is the Chief Technology Officer of SCYTHE and co-creator of the C2 Matrix project and author of the Purple Team Exercise Framework. He is a SANS Certified Instructor and the author of Security 564: Red Team Exercises and Adversary Emulation. He was a founding member of MITRE Engenuity Center of Threat-Informed Defense. He is a Fellow at the Information Systems Security Association (ISSA) and National Security Institute. Prior, Jorge led the offensive security team at Citi for over 10 years.
He also co-authored Common Vulnerability Scoring System (CVSS) and A Framework for the Regulatory Use of Penetration Testing in the Financial Services Industry, and author of Microsoft Windows 7 Administrator’s Reference. Jorge holds post-graduate degrees from Stanford and Florida International University in Advanced Computer Security & Master of Science. Jorge speaks English, Spanish, and Portuguese, in decreasing levels of fluency. When he’s not hacking, teaching, or writing, you’ll find him watching and playing soccer.
atomic-operator: Atomic Red Team Python Execution Framework
atomic-operator enables security professionals to test their detection and defensive capabilities against prescribed techniques defined within atomic-red-team. By utilizing a testing framework such as atomic-operator, you can identify both your defensive capabilities as well as gaps in defensive coverage.
Track 3
4 Feb 2022 9:00 AM - 10:00 AM
Josh Rickard
Security Solutions Architect
@MSAdministrator
https://letsautomate.it/
Josh Rickard is a Security Solutions Architect at Swimlane focused on automating everyday processes in business and security. He is an expert in PowerShell and Python, and has presented at multiple conferences including DerbyCon, ShowMeCon, BlackHat Arsenal, CircleCityCon, Hacker Halted, and numerous BSides. In 2019, Josh was awarded an SC Media Reboot Leadership Award in the Influencer category and is featured in the Tribe of Hackers: Blue Team book. You can find information about open-source projects that Josh creates on GitHub at https://github.com/MSAdministrator
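As an added example for this page, not atomic-operator's own code: an Atomic Red Team test is a YAML document with `attack_technique`, `atomic_tests`, per-test `supported_platforms`, `input_arguments` (each with a `default`) and an `executor` whose `command` and `cleanup_command` carry `#{name}` placeholders. Any Python execution framework for it has to do roughly what the block below does: pick the tests that apply to the host, fill placeholders from user overrides and then defaults, refuse to run anything with an unresolved placeholder or an unmet elevation requirement, and run the cleanup after the command. `ATOMIC` is constructed here in that shape with a harmless shell command; the technique ID is the real ATT&CK ID for Unix Shell, but the test body is mine, and the `execute` launcher only wires up the POSIX shell executors.

```python
import re
import shlex
import subprocess

PLACEHOLDER = re.compile(r"#\{([A-Za-z0-9_]+)\}")
# How each Atomic Red Team executor name is launched; only the POSIX shells are wired up here.
LAUNCHERS = {"sh": ["sh", "-c"], "bash": ["bash", "-c"]}

# Constructed atomic in the atomic-red-team YAML shape, loaded as a dict so no PyYAML is needed.
ATOMIC = {
    "attack_technique": "T1059.004",
    "display_name": "Command and Scripting Interpreter: Unix Shell",
    "atomic_tests": [{
        "name": "Echo a marker through the shell (constructed example)",
        "supported_platforms": ["linux", "macos"],
        "input_arguments": {
            "marker": {"description": "text the detection should see", "type": "string",
                       "default": "ATOMIC-TEST-MARKER"},
            "outfile": {"description": "where to write it", "type": "path",
                        "default": "/tmp/atomic_marker.txt"},
        },
        "executor": {
            "name": "sh",
            "elevation_required": False,
            "command": "echo #{marker} > #{outfile}\ncat #{outfile}\n",
            "cleanup_command": "rm -f #{outfile}\n",
        },
    }],
}


def render(test, overrides=None):
    """Fill #{...} placeholders from overrides first, then defaults; fail closed if any remain."""
    values = {k: v.get("default") for k, v in test.get("input_arguments", {}).items()}
    values.update(overrides or {})

    def fill(text):
        out = PLACEHOLDER.sub(
            lambda m: str(values[m.group(1)]) if values.get(m.group(1)) is not None else m.group(0),
            text or "")
        left = sorted(set(PLACEHOLDER.findall(out)))
        if left:
            raise ValueError(f"unresolved input arguments: {left}")
        return out.strip()

    ex = test["executor"]
    return {"executor": ex["name"], "elevation_required": bool(ex.get("elevation_required")),
            "command": fill(ex["command"]), "cleanup": fill(ex.get("cleanup_command"))}


def plan(atomic, platform, overrides=None):
    """Select the tests that apply to this platform and render each one; nothing is executed."""
    return [(t["name"], render(t, overrides)) for t in atomic["atomic_tests"]
            if platform in t.get("supported_platforms", [])]


def execute(rendered, elevated=False, dry_run=True):
    """Run the command, then its cleanup; with dry_run the shell invocations are returned instead."""
    if rendered["elevation_required"] and not elevated:
        raise PermissionError("test requires elevation; rerun as root with elevated=True")
    launcher = LAUNCHERS.get(rendered["executor"])
    if launcher is None:
        raise ValueError(f"no launcher wired up for executor {rendered['executor']!r}")
    steps = [launcher + [rendered[k]] for k in ("command", "cleanup") if rendered[k]]
    if dry_run:
        return [shlex.join(step) for step in steps]
    return [subprocess.run(step, capture_output=True, text=True).returncode for step in steps]


if __name__ == "__main__":
    for name, rendered in plan(ATOMIC, "linux"):
        print(name)
        for line in execute(rendered):
            print("  ", line)
```

Execution defaults to `dry_run=True`, which returns the exact shell invocations so they can be reviewed before anything touches a production host; pass `dry_run=False` to run them and get the return codes back. Whatever framework you use, the detection team should know the marker value and the expected command line in advance, because that is what you are checking the EDR and SIEM actually saw.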