TIME (CT) PRESENTATION SPEAKER(S) SPEAKER-PROVIDED DESCRIPTION
8:45 am Opening remarks Matt Pardo  
9:00 am Hacking into the pyramid of resistance against security initiatives Ashwini Siddhi
9:30 am Five years of OT security assessments: Horror show, myths, and practical advice to improve security & safety Derek Dunkel-JahanTigh & Justin Turner

We will walk through what we've learned through five years of OT assessments: what is working for our clients, what challenges we've seen, how to provide effective solutions for both OT and IT, and where we see OT security going.

10:30 am Incident response: Are you prepared? Christina Barker

When it comes to incident response, everyone knows that it isn't a question of if, but rather when; however, many organizations are not prepared for the "when" once it arrives. Join Christina Barker as she shares her insights and experiences as an incident response practitioner on how to ensure that your team is ready when the time comes.

11:30 am A guide to discovering plaintext credentials in enterprise environments Ben Burkhart

This talk will serve as an overview of some advanced tactics and techniques for discovering the holy grail of confidential data on a pentest: passwords. While the offensive research space has been incredibly fruitful when it comes to complicated attack paths over the last few years, sometimes the old ways are best. And who needs a GPU cracking rig or rainbow tables when you can find PLAINTEXT credentials on an assessment? Additionally, the tools demonstrated can be equally leveraged by internal teams to audit and remediate the dreaded and never-ending growth of attack-surface creep when it comes to network file shares and other places of potential cryptographic data exposure. After this talk, you'll be better equipped and prepared to find plaintext passwords in environments and demonstrate impact to stakeholders.

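The abstract above describes hunting plaintext credentials on network file shares and handing the same tooling to defenders for audit. The following is an added example written for this page, not a tool from the speaker's talk: a share scanner that walks a mounted tree, matches a small illustrative set of credential patterns (logon-script `net use` passwords, connection strings, `password =` assignments, private-key headers), and reports each hit with a redacted evidence string so the findings report does not itself become a credential dump. The share contents, host names, accounts and secrets are constructed sample data.

```python
import re
import tempfile
from dataclasses import dataclass
from pathlib import Path

# File types worth reading as text on a share. Binary stores such as .kdbx
# or .pfx belong to a separate "interesting file name" pass, not to this one.
TEXT_SUFFIXES = {".txt", ".ini", ".cfg", ".config", ".xml", ".ps1", ".bat",
                 ".cmd", ".vbs", ".sh", ".py", ".json", ".yml", ".yaml", ".pem"}

# Illustrative patterns, most specific first. The first pattern that hits a
# line wins, so a single secret is not reported under two names.
PATTERNS = {
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "connection_string": re.compile(r"(?i)(?:Password|Pwd)=([^;\"'\s]+)"),
    # Classic logon-script form: net use <drive> <share> <password> /user:<account>
    "net_use_password": re.compile(r"(?i)\bnet\s+use\s+\S+\s+\S+\s+(\S+)\s+/user:"),
    "password_assignment": re.compile(
        r"(?i)\b(?:pass(?:word|wd)?|pwd)\s*[:=]\s*[\"']?([^\s\"';]{4,})"),
}


@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    kind: str
    evidence: str  # redacted, so the report itself does not spread the secret


def redact(secret: str) -> str:
    """Keep the first and last two characters: enough to prove the hit."""
    if len(secret) <= 4:
        return "*" * len(secret)
    return secret[:2] + "*" * (len(secret) - 4) + secret[-2:]


def scan_text(text: str, path: str) -> list:
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            m = pattern.search(line)
            if m:
                evidence = redact(m.group(1)) if m.groups() else m.group(0)
                findings.append(Finding(path, lineno, kind, evidence))
                break
    return findings


def scan_tree(root: Path, max_bytes: int = 2_000_000) -> list:
    """Walk a mounted share and return findings with share-relative paths."""
    findings = []
    for p in sorted(root.rglob("*")):
        if not p.is_file() or p.suffix.lower() not in TEXT_SUFFIXES:
            continue
        if p.stat().st_size > max_bytes:  # skip huge logs and dumps
            continue
        try:
            text = p.read_text(errors="ignore")
        except OSError:
            continue  # unreadable (permissions, locked file): move on, do not abort
        findings.extend(scan_text(text, p.relative_to(root).as_posix()))
    return findings


# Constructed sample share contents (hypothetical hosts, accounts, secrets).
SAMPLE_SHARE = {
    "deploy.bat": [r"@echo off",
                   r"net use Z: \\fs01\backups Summer2022! /user:CORP\svc_backup"],
    "inetpub/web.config": [
        '<connectionStrings>',
        '  <add name="db" connectionString="Server=sql01;Database=payroll;'
        'User ID=sa;Password=Pa55w0rd!;" />',
        '</connectionStrings>'],
    "notes.txt": ["TODO: rotate the service account", "password = hunter2"],
    "keys/backup_key.pem": ["-----BEGIN RSA PRIVATE KEY-----",
                            "MIIEpAIBAAKCAQEAconstructed",
                            "-----END RSA PRIVATE KEY-----"],
    "README.txt": ["Quarterly export. Ask IT for access."],
}


def demo() -> list:
    """Materialise the sample share in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        for rel, lines in SAMPLE_SHARE.items():
            target = root / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text("\n".join(lines) + "\n")
        return scan_tree(root)


if __name__ == "__main__":
    for f in demo():
        print(f"{f.path}:{f.line} [{f.kind}] {f.evidence}")
```

Against a real share, point `scan_tree` at the mount point; the pattern set is where the tuning happens (vendor-specific config keys, `cpassword` in Group Policy preference XML, and so on), and the redaction keeps the output safe to paste into a report or a remediation ticket.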
12:00 pm Augmenting osquery visibility on Windows through reverse-engineering Guillaume Ross & Marcos Oviedo

Osquery is great for many reasons, including checking the security posture of workstations, servers and containers. But what can be done if what you need to check is not available in osquery? What if the operating systems don't include documentation on how to get this data?

This talk will take you on a technological journey covering the problems we found while trying to get visibility into Windows security policies at scale.

We will show how we ended up reverse-engineering the Windows secedit.exe binary as a way to understand how it was querying security policies information.

We will then show how we ported that reverse-engineered mechanism into osquery core, and how we were able to use osquery to gather security policies information at scale across an entire fleet of machines.

Then, we'll cover how this data can be used to monitor the security of Windows systems.

1:00 pm Hacking Web3, blockchain, and smart contracts Justin Munier & Mehul Purohit

With the widespread adoption of Web3 technologies rapidly growing across multiple industries, there has been an increase in companies implementing blockchain, smart contracts, and digital assets (e.g., NFTs, cryptocurrency). This shift from traditional Web2 technologies to Web3 has brought with it new classes of vulnerabilities and attacks that have never been seen before by the information security community, and that are actively being exploited by malicious actors. These new attacks have required security professionals to adopt a new perspective and out-of-the-box thinking to identify security vulnerabilities in these new Web3 platforms. In this session we will go through:

  • What is Web3 and where is the space going?
  • How is Web3 different from Web2?
  • What are some commonly identified blockchain and smart contract vulnerabilities (e.g., the DASP Top Ten)?
  • What does a vulnerable smart contract look like?
  • What are some common tools for blockchain and smart contract hacking?
  • Walk through the anatomy of a blockchain security attack (e.g., re-entrancy)
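The last two bullets ask what a vulnerable contract looks like and how a re-entrancy attack unfolds. What follows is an added Python model written for this page, not the speakers' material and not EVM code: it reproduces the ordering bug behind classic re-entrancy (a withdraw that pays the caller before zeroing the caller's balance) and the fix (checks-effects-interactions ordering plus a mutex, the pattern OpenZeppelin's ReentrancyGuard implements in Solidity). The `Attacker.receive` method plays the role of a malicious contract's fallback function; the depth cap stands in for the call-stack and gas limits. All account names and amounts are constructed.

```python
class Wallet:
    """An externally owned account: receiving funds has no side effects."""

    def __init__(self, name: str):
        self.name = name
        self.ether = 0

    def receive(self, bank, amount: int) -> None:
        self.ether += amount


class VulnerableBank:
    """Models a withdraw() that pays out before zeroing the caller's balance."""

    def __init__(self):
        self.balances = {}   # account -> credited balance
        self.ether = 0       # funds the contract actually holds

    def deposit(self, acct, amount: int) -> None:
        self.balances[acct] = self.balances.get(acct, 0) + amount
        self.ether += amount

    def withdraw(self, acct) -> None:
        amount = self.balances.get(acct, 0)
        if amount == 0:
            raise RuntimeError("revert: nothing to withdraw")
        if self.ether < amount:
            raise RuntimeError("revert: transfer failed")
        self.ether -= amount
        # BUG: interaction before effect. The recipient's fallback runs here
        # while balances[acct] still shows the old amount, so re-entering
        # withdraw() passes the balance check again.
        acct.receive(self, amount)
        self.balances[acct] = 0


class SafeBank(VulnerableBank):
    """Checks-effects-interactions ordering plus a mutex (belt and braces)."""

    def __init__(self):
        super().__init__()
        self._locked = False

    def withdraw(self, acct) -> None:
        if self._locked:
            raise RuntimeError("revert: reentrant call")
        self._locked = True
        try:
            amount = self.balances.get(acct, 0)           # check
            if amount == 0:
                raise RuntimeError("revert: nothing to withdraw")
            if self.ether < amount:
                raise RuntimeError("revert: transfer failed")
            self.balances[acct] = 0                       # effect first
            self.ether -= amount
            acct.receive(self, amount)                    # interaction last
        finally:
            self._locked = False


class Attacker:
    """Malicious contract whose fallback re-enters withdraw()."""

    def __init__(self, max_depth: int = 64):
        self.ether = 0
        self.depth = 0
        self.max_depth = max_depth  # stands in for the call-stack / gas limit

    def receive(self, bank, amount: int) -> None:
        self.ether += amount
        self.depth += 1
        if self.depth < self.max_depth:
            try:
                bank.withdraw(self)  # re-enter before our balance is zeroed
            except RuntimeError:
                pass  # bank drained or guarded: stop, keep what was received

    def attack(self, bank, stake: int) -> int:
        bank.deposit(self, stake)  # a legitimate deposit to pass the check
        self.depth = 0
        bank.withdraw(self)
        return self.ether


def run_attack(bank_cls, honest_deposits=(4, 6), stake: int = 1):
    """Fund a bank with honest deposits, run the attack, report who holds what."""
    bank = bank_cls()
    for i, amount in enumerate(honest_deposits):
        bank.deposit(Wallet(f"user{i}"), amount)
    attacker = Attacker()
    attacker.attack(bank, stake)
    return attacker.ether, bank.ether


if __name__ == "__main__":
    print("vulnerable (attacker, bank):", run_attack(VulnerableBank))
    print("safe       (attacker, bank):", run_attack(SafeBank))
```

With ten units of honest deposits and a one-unit stake, the vulnerable bank ends with zero funds while its ledger still credits the honest depositors ten: the contract is insolvent. Against `SafeBank` the re-entrant call reverts and the attacker recovers only the stake; the ordering fix alone is sufficient, since the nested call sees a zero balance, and the mutex is defence in depth.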

1:30 pm Get your head in the clouds Sean Verity

How do you feel about testing web apps hosted in Azure or AWS? What about thick client apps hosted in AWS? The majority of apps that I've tested throughout my career were hosted on-prem or ran on a local device that was right in front of me. Recently, the majority of apps that I've tested were hosted in the cloud (AWS or Azure). It was a little intimidating at first, because I had very little experience in testing anything that was hosted in the cloud. Like me, you'll come to love the intersection of cloud and app testing, as it leads to interesting attack paths: such as finding a service account that allows you to change the password on a privileged Azure AD account and pivot to a remote support platform for the company's employees, or using a thick client hosted in AWS AppStream as an entry point to dump LSASS from systems in an AD environment. In this talk you'll learn new go-to tricks and ideas so that you can find interesting attack paths during your next pentest or bug bounty hunt.

2:30 pm Ransom cartel: Possible connection with REvil Amer Elsa & Daniel Bunce

Ransom Cartel is a ransomware-as-a-service (RaaS) operation that we've been tracking since January 2022. It exhibits several similarities and technical overlaps with REvil ransomware. We will provide our analysis of Ransom Cartel ransomware, lessons learned, and our assessment of the possible connections between REvil and Ransom Cartel.

3:00 pm Honeypot Boo Boo: Better breach detection with deception inception Justin Varner

Breaches continue to happen at unprecedented levels, with huge financial impact on the global economy year after year.

Our traditional approach to breach detection, focused on triaging alerts generated by massive amounts of data from disparate sources, is not working. Adversaries know this fact and regularly benefit from it.

The average breach goes unnoticed for 212 days. That’s an ample amount of time for anyone to surreptitiously run off with the crown jewels and inflict significant damage with ramifications that include consumer privacy violations, loss of trust, steep financial penalties, and irreversible reputational damage.

We need a new approach if we’re ever going to stop the madness. Hackers also deserve a better opponent.

This talk discusses a different way of thinking about breach detection that is intended to reduce the number of false positives, improve alert fidelity, reduce time-to-detection, and prevent the massive level of burnout affecting our industry.

We will cover the history of breach detection, the current state of affairs, the paradigm shift to new ways of thinking about the problem, and many practical examples of how to deploy effective breach detection technology.
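The abstract above argues for deception-based detection that trades alert volume for fidelity. As an added example for this page (not material from the talk), here is the detection logic in its simplest form: a small registry of honeytokens (decoy accounts, a decoy hostname seeded in a planted config, a decoy cloud key left on a share) run over newline-delimited JSON authentication and network events. Because nothing legitimate ever references a decoy, a single match is a confirmed intrusion rather than an anomaly to be scored, and the earliest match anchors the incident timeline. The token names, hosts, IPs and log lines are all constructed.

```python
import json
from dataclasses import dataclass
from typing import Optional

# Decoys seeded into the environment (hypothetical names). Nothing legitimate
# ever references them, so one observation is a confirmed intruder, not a
# statistical anomaly to be triaged.
HONEYTOKENS = {
    "account": {"svc_sqlbackup_old", "it-admin-legacy"},  # decoy AD accounts
    "host": {"fin-db-archive.corp.example"},  # decoy server named in a planted config file
    "api_key": {"AKIADECOY0000000EXAMPLE"},  # decoy cloud access key left on a share
}

# Which event field carries which kind of token.
FIELD_FOR_TOKEN = {"account": "user", "host": "dest_host", "api_key": "api_key"}


@dataclass(frozen=True)
class Alert:
    time: str
    token_type: str
    token: str
    src_ip: str
    detail: str


def match_event(ev: dict) -> Optional[Alert]:
    """Return an Alert if the event touches any honeytoken, else None."""
    for token_type, field in FIELD_FOR_TOKEN.items():
        value = ev.get(field)
        if not isinstance(value, str):
            continue
        if value.lower() in {t.lower() for t in HONEYTOKENS[token_type]}:
            return Alert(
                time=ev.get("time", "?"),
                token_type=token_type,
                token=value,
                src_ip=ev.get("src_ip", "?"),
                detail=f"{ev.get('event', '?')} -> {ev.get('result', '?')}",
            )
    return None


def detect(lines) -> list:
    """Run the honeytoken check over newline-delimited JSON events."""
    alerts = []
    for raw in lines:
        try:
            ev = json.loads(raw)
        except json.JSONDecodeError:
            continue  # malformed line; a real pipeline would count these
        if not isinstance(ev, dict):
            continue
        alert = match_event(ev)
        if alert:
            alerts.append(alert)
    return alerts


def first_touch(alerts) -> Optional[Alert]:
    """Earliest decoy interaction: the anchor for the incident timeline."""
    return min(alerts, key=lambda a: a.time, default=None)


# Constructed events: the same workstation fails a couple of logons as a real
# user (ordinary noise), then quietly probes the decoys it found on a share.
SAMPLE_LOG = [
    '{"time":"2022-03-14T09:01:12Z","event":"logon","user":"jdoe","src_ip":"10.1.4.23","dest_host":"ws-0412","result":"failure"}',
    '{"time":"2022-03-14T09:01:19Z","event":"logon","user":"jdoe","src_ip":"10.1.4.23","dest_host":"ws-0412","result":"failure"}',
    '{"time":"2022-03-14T09:01:31Z","event":"logon","user":"jdoe","src_ip":"10.1.4.23","dest_host":"ws-0412","result":"success"}',
    '{"time":"2022-03-14T09:15:02Z","event":"dns_query","src_ip":"10.1.4.23","dest_host":"fin-db-archive.corp.example","result":"nxdomain"}',
    '{"time":"2022-03-14T09:16:47Z","event":"logon","user":"svc_sqlbackup_old","src_ip":"10.1.4.23","dest_host":"dc01","result":"failure"}',
    '{"time":"2022-03-14T09:31:09Z","event":"cloud_api","api_key":"AKIADECOY0000000EXAMPLE","src_ip":"203.0.113.7","result":"denied"}',
    'not json at all',
]

if __name__ == "__main__":
    found = detect(SAMPLE_LOG)
    for a in found:
        print(f"{a.time} HIGH honeytoken {a.token_type}={a.token} from {a.src_ip} ({a.detail})")
    print("first touch:", first_touch(found))
```

The failed `jdoe` logons, the kind of event that fills a SIEM queue, produce nothing; the three decoy touches each produce one high-confidence alert, and the first of them (the DNS lookup for the decoy host) fixes the moment the intruder started acting on what they found. Note that a failed logon to a decoy account counts just as much as a successful one: the attacker only knows that name because they read the seeded material.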

4:00 pm Securing your supply chain Dustin Sachs

In the wake of SolarWinds and Log4j, what do organizations need to consider regarding supply chain cybersecurity?

5:00 pm Building and maturing an atomic purple team Sean Mackey

Love the idea of purple teaming but don't know how to introduce it to your organization? Even if you're familiar with the concept, it can be challenging to know where it fits in your information security program. In this talk, we'll walk through how to plan a purple team program from scratch and cover the most common challenges when defining requirements, designing your purple team environment, replicating and centralizing logging, and operationalizing atomic testing for your SOC. We'll also discuss going beyond test libraries like Atomic Red Team and maturing your program to the point where your team is proactively developing and executing custom test cases relevant to your organization.

5:30 pm Adaptive cybersecurity risk assessments Gideon Rasmussen

This session provides practical cybersecurity assessment advice. It details the end-to-end process including: scoping, 9 steps to develop work papers, scheduling, on-site assessment, report preparation and presentation.

The first assessment example leverages the NIST Cybersecurity Framework to ensure coverage across security domains. Sample scoping questions will be provided, along with tips and examples to add controls based on business processes, insider threat, privacy and fraud.

This session also addresses follow-on assessments. Attendees are encouraged to evaluate lines of business and to take deep dives into critical functions. Tips and examples are provided to leverage best practices, creating specific testing procedures.

Rather than repeating the same assessment year over year, the scoping methodology is risk-opportunistic: it focuses on areas that have not been evaluated recently and on areas that may require enhanced controls due to the presence of valuable data. Albert Einstein's quote applies here: "the definition of insanity is doing something over and over again and expecting different results."

The session will briefly walk through the assessment report framework, providing tips along the way.

The assessment presentation phase includes a slide deck framework covering: the threat landscape, assessment methodology, high and moderate-high findings, a Strengths, Weaknesses, Opportunities and Threats (SWOT) slide and next steps.

6:30 pm Closing ceremonies & prizes Matt Pardo  

BSides Austin 2022 Schedule