Conference:ISC2 Conference, September 25–27

Philip Polstra

Speaker: Philip Polstra

Topic: Windows Timelines in Minutes

What He’ll Be Discussing:

A timeline is an essential part of many forensics/incident response cases. Attendees of this presentation will learn how to create timelines for NTFS filesystems in a matter of minutes using 100% free and open-source software. Tools used include Python, MySQL and shell scripting.

Additionally, Windows timestamp rules will be discussed in detail. Knowledge gained in this talk should be helpful to anyone performing incident response, penetration testers and those wanting a deeper understanding of NTFS timestamps.

Why He Choose This Topic:

Timelines can be valuable tools when performing many types of forensic investigations. At the same time, it can be extremely time-consuming to create a timeline with many of the standard industry tools (Autopsy, EnCASE, etc.). Even after the timeline has been created, options for displaying it can be limited.

There are several advantages of the method Polstra will show. First, the timeline creation takes minutes, not hours. Second, the data is stored in a proper database with this method so it allows complete flexibility with queries that can be run.

In his book Windows Forensics, he shows people how they can do everything they want with forensics with 100% open-source and/or free software running on a Linux workstation. Polstra says the book is important because it allows people to learn about and actually perform forensics without spending $10K-plus on software. While government and law enforcement agencies might have the money for this, many others cannot justify this expense. Students also need the ability to learn about forensics at home without access to expensive software and equipment.

What He Hopes Attendees Get Out of It:

Polstra is hoping attendees will leave with a better understanding of how timestamps work and how Python can be used to perform simple tasks in forensics. A secondary goal is to help people realize that they don’t have to spend a lot of money in order to do some real-world forensics.

Mike-D.-KailSpeaker: Mike D. Kail

Topic: Secure Applications, Not the Cloud

What He’ll Be Discussing:

As the massive and strategic shift to cloud computing takes place, security needs to be a top priority. But organizations that are worrying specifically about “cloud security” are misdirecting their time and energy. In the cloud, there’s no longer a well-defined perimeter that can be protected by hardware appliances, so security professionals need to fundamentally rethink traditional approaches to security in favor of programmatic, software-defined solutions.

The Software Engineering Institute estimates that 90% of reported security incidents result from exploits against defects in the design or code of software. By focusing on much-needed improvements to application security, more secure cloud environments will follow. This session will detail the cultural and technical adjustments that organizations need to make to improve security in this new, software-defined world.

Why He Choose This Topic:

Unfortunately, one of the ‘weapons’ used for not moving to public cloud is the general topic of security. Kail wants to level set that public cloud infrastructure is arguably more secure than on-premises data centers, and the focus needs to be on application security.

There are also plenty of studies backing up the idea that the cloud could be more secure than on-premises data centers. According to the State of Cloud Security, surveys over an 18-month period found that many consumers adopting cloud computing actually gain better capabilities, including improved monitoring and configuration management. Clutch also surveyed IT professionals across medium and large enterprises and found that 65% consider cloud infrastructure a more secure alternative to legacy systems.

Cloud-based systems tend to feature stronger surveillance with around-the-clock monitoring for malicious activity, and can potentially isolate and stop hacks. Access is also strictly controlled within the cloud by experts in cyber security. Meanwhile, small businesses and enterprises generally don’t employ the same level of cyber expertise. There often aren’t enough resources to hire a robust IT team to maintain the same level of security as the cloud.

What He Hopes Attendees Get Out of It:

Kail hopes to present a new way of thinking about cloud and application security, and give attendees a high level of assurance and a blueprint for thinking about cloud migration.

Ira WinklerSpeaker: Ira Winkler

Topics: Applying Threat Intelligence to Improve Security

Awareness Programs

Why Does Your Security Awareness Program Suck?

What He’ll Be Discussing & Why He Chose These Topics:

For the topic “Applying Threat Intelligence to Improve Security Awareness Programs,” Winkler discusses why most security awareness programs are not very effective against real attacks. They are straight “check the box” programs. They provide generic information, without motivation or relevance, and expect the average user to detect and counter highly-skilled attackers at random. Yet security professionals blame users for falling prey to advanced attacks. Threat intelligence involves understanding potential and ongoing attacks to prevent, detect and react to those attacks. Incorporating threat intelligence allows awareness programs to be both timely and relevant to an organization’s security needs. Additionally, they should provide motivation for employees to actually heed awareness efforts.

For the topic “Why Does Your Security Awareness Program Suck?” Winkler discusses why some security awareness programs are bound to fail from the start. Having created awareness programs for decades, he can see obvious indicators that will lead to an inevitable failure in the programs no matter how well the intent or execution. This session intends to cover what the red flags are for awareness programs, and potential ways to mitigate or avoid the underlying issues. Audiences will determine why some security awareness programs are succeeding or failing, and find out what the indicators are that lead to failure in an awareness program.

What He Hopes Attendees Get Out of It:

Winkler hopes attendees come away from “Applying Threat Intelligence to Improve Security Awareness Programs” with ideas on integrating ongoing events into their awareness programs to make them more effective and have employees be more engaged.

For the topic “Why Does Your Security Awareness Program Suck?” Winkler hopes that attendees will be able to examine their own organizations and determine where the roadblocks are going to be in implementing effective awareness programs. He also hopes to get out recommendations for overcoming those roadblocks and preparing the field, so that awareness programs can be relevant and effective. Attendees will learn how to identify the elements of successful awareness programs, determine which attackers are coming after their organization, how they are likely to target their users, and incorporate threat intelligence information into awareness programs to make them specific to users with intrinsic motivation.

Deirdre DiamondSpeaker: Deirdre Diamond

Topic: Cyber Security Careers: It’s Not Just Hacking

What She’ll Be Discussing:

With more than 500,000 unfilled cyber security jobs, an industry made up of just over 10 percent women, and data showing 56 percent of women leaving tech within 10 years, there’s a big problem. The stereotype of a hoodie-clad man at a terminal in a dark room is harmful to cyber security careers.

Diamond will discuss how to sell diverse cyber security jobs to women. These careers offer high salaries, tremendous growth, travel, ongoing training, fun projects and great career paths. Attendees will learn about the extreme need for cyber security talent, how hybrid roles are emerging, and how people without a security background can more easily transition into cyber.

Why She Chose This Topic:

While women represent approximately 50 percent of the world’s population and half of U.S. college graduates, according to the National Center for Education Statistics, only 11 percent of the cyber security workforce is comprised of women. Meanwhile, the opportunity in cyber security is vast, with over one million openings in 2016.

Diamond says she is seeing just 1-4% of leadership roles filled by women, and massive turnover in tech and cyber. Overall, representation of women in cyber security remains stagnant and represents an untapped industry for talented females focusing on cyber security and technology. Diamond is passionate about this topic and hopes to solve these issues.

What She Hopes Attendees Get Out of It:

Diamond hopes to give a better understanding of how we as a society create stereotypes that make young girls think cyber isn’t for them, and how boys are also turned off by this stereotype. There are 35 cyber jobs that exist, and only 6 of them require deep tech skills, so lack of soft skills is causing attrition.

Diamond hopes attendees leave as ambassadors and advocates for the strong career opportunities for women in the cyber security field.

Kim MahanSpeaker: Kim Mahan

Topic: Developing Security Talent: A DIY Approach

What She’ll Be Discussing:

Learn practical techniques for identifying untapped talent within your organization and developing your own world-class security team. (Hint: It doesn’t involve just sending people off to training classes.)

Mahan has been identifying and developing technical talent for the majority of her career. In this talk, she’ll share lessons learned from “reskilling” seasoned professionals.

Attendees will learn how to sort through the plethora of training resources and take away practical advice for implementing a hands-on, rotational learning approach that can be effectively implemented at any organization, whether it’s for retraining an existing workforce or implementing an intern/apprenticeship program.

Audiences will identify untapped potential within an organization, assess aptitude in interested candidates and sort out the qualified from the merely curious. Know the top things to look for in a future cybersecurity professional, and build a customized, rotational curriculum for getting people up to speed as quickly as possible. Guests will also understand more about adult learning styles, do’s and don’ts, and how to best leverage publicly available (and often free) training in conjunction with real-world applications.

Attendees will also learn how to implement workshops and events for building overall organizational security awareness, while simultaneously identifying potential talent. Many of these techniques can also be applied to finding interns/apprentices and building a talent pipeline.

Why She Chose This Topic:

There are definitely a lot of macro-trends that are coming to a head at the same time – the increased demand for tech talent, an aging workforce and rapidly increasing pace of change. There is a lot of work being done to evolve both the K-12 and higher ed spaces toward a project-based approach in order to cultivate a growth/learning mindset.

Mahan is a teacher at heart, and has been identifying and developing technical talent for most of her career. As the CEO of MAXX Potential, a unique tech talent incubator that has been finding and growing technical professionals since 2012, she’s helped create a living, breathing hands-on lab environment that is proving to accelerate learning. The team at MAXX has decided to share what they’ve learned with as many people as they can. With the competition for talent getting tougher every day, it makes much more sense for companies to look at ‘reskilling’ those employees they’ve already invested in.

What She Hopes Attendees Get Out of It:

Mahan hopes attendees leave with new tools and approaches for building skills, both within themselves, and across their organizations. She has a lot of advice on how to navigate through and apply the vast amount of freely available, high quality learning resources in a way that sticks.

Conference: Black Hat Conference, July 22–27

Anshuman BhartiyaSpeaker: Anshuman Bhartiya

Topic: Kubebot – Scaleable and Automated Testing Slackbot with the Backend Running on Kubernetes

What He’ll Be Discussing:

Security Testing, or any sort of testing for that matter, is still being done in ways that are not really scalable and extensible. Testers like to write their own tools/scripts and run them locally on their system. There are many problems that plague this kind of approach for testing.

Bhartiya will be discussing some of these problems and releasing a new tool – KubeBot – that was primarily built for automating and scaling bug bounties (i.e., something that would run multiple tools on a schedule against multiple targets and only returns back the output from these tools if the output changes). However, over time, it’s proven to be a more generic framework that can be leveraged as a harness to run any security testing tool and is easily scalable (because of Kubernetes in the backend). It is extensible and provides a nice front end in the form of a Slackbot so that you can look at the results on a real-time basis.

Despite the need for testing, few companies are actually doing it. And according to the Security Testing Practices and Priorities: An Osterman Research Survey Report, fewer than one in four organizations consider themselves to be proactive about their security testing. Meanwhile, one in five organizations don’t conduct security testing of any kind over a six month period. In reality, adddressing security and automating the process could save companies money and time in the long run by combatting vulnerabilities and breaches.

Why He Chose This Topic:

Scaling & Automation are two things that are some common major issues in the InfoSec industry. Bhartiya plans to solve these issues.

What He Hopes Attendees Get Out of It:

Security testing and InfoSec in general can be automated and shouldn’t be an afterthought.

Conference: SecureWorld, June 7

Edward-MarchewkaSpeaker : Edward Marchewka

Topic: Articulating InfoSec Business Value with a Better Story

What He’ll Be Discussing:

here – Marchewka will discuss how a CISOs role is to bridge two different groups, the executives and the technicians. Being able to have a conversation with both is critical for success. However, many struggle with this task – bringing technical speak and jargon to the boardroom generally does not bode well.

Similarly, speaking in terms of ROI, EBITDA, and margins tends to be Greek to technicians. Telling the right story to the right audience is key. Having your audience understand the message and not drift away from it is important for continued success. Marchewka says the driver behind this is many colleagues reporting that they aren’t being heard or that they are fighting for resources – for example, CISOs being recruited only to find out that they are fitting into a compliance checkbox.

What He Hopes Attendees Get Out of It:

Marchewka hopes that once the right story is heard by the right audience, progress can be made.

Conference: Edge Security Con, October 17–18

Aditya K. SoodSpeaker: Aditya K. Sood

Topic: Cloud computing attacks

Who he is:

Dr. Sood is an information security practitioner and researcher by profession. He has research interests in malware automation and analysis, cloud security, secure software design and cybercrime. He is also a founder of SecNiche Security Labs, an independent web portal for sharing research with security community. Currently, Dr. Sood directs the security efforts for the Elastica Cloud Security division at BlueCoat, Symantec. He obtained his Ph.D from Michigan State University in Computer Sciences.

Why He Chose His Topic:

In recent research, Gartner predicts the worldwide public cloud services market will grow 18% in 2017 to $246.8B, up from $209.2B in 2016. Experts are expecting a significant technology drift towards the cloud. Generally speaking, cloud applications have not been not effectively managed in enterprises as IT departments do not have robust mechanisms to detect insecurities persisting in cloud applications.

Cloud apps are heavily used for storage purposes and adopted by millions of users for routine work. There is no doubt these apps have revolutionized cloud computing technology by providing users with an ease of usability and portability for storing, managing and distributing documents over the cloud. However, with every technology, threat accompanies. Dr. Sood will discuss in detail the risks and threats associated with cloud applications to educate users about them.

The audience will learn and understand on how attackers are abusing cloud applications for nefarious purposes. The threat intelligence provided during this talk will enhance the existing state of cloud-specific detection and prevention algorithms. The audience will also learn how to securely interact with cloud applications and prevent themselves from being exploited by attackers.

Ben JohnsonSpeaker: Ben Johnson

Topic: Practical Lessons from 500,000 Air Miles of Security Meetings

Who he is:

Ben Johnson is co-founder and CTO of Obsidian Security, a stealth hybrid-cloud security start-up in Southern California. Previously, Ben Co-founded Carbon Black, a next-generation endpoint security company, where, as CTO, he helped drive technology vision, product effectiveness, and security evangelism while the company went from 2 to 750 employees. While at Carbon Black, he spent much of his time meeting with top enterprises, partners, and the press, and has routinely appeared online, in print, and on television regarding cyber security topics and news.

In the past four years he has met with over 600 organizations and presented in 15 countries. In addition to his regular job, Johnson is on the boards of several security start-ups and is routinely sought out for advice regarding security strategy, product strategy, or to help venture capitalists with due diligence. Prior to Carbon Black, he spent several years working in U.S. Intelligence, first at NSA and then as a defense contractor.

Why He Chose His Topic:

Johnson has traveled 500,000 miles over the past few years, speaking to people of all skill levels and to all sizes of enterprises across multiple continents. He’s learned many valuable lessons from those who are working in cyber security on a daily basis, and he hopes to share and explore some of those lessons with attendees.

Hearing what some of the best and worst teams out there are doing should be useful to just about everyone. His talk will be more high-level than technical.

Conference: Cyber Security Summit, August 8 (Chicago), September 15 (New York), November 8 (Boston), November 29 (Los Angeles)

Daniel B. GarrieSpeaker: Daniel B. Garrie

Topic: You’re Breached! Hacking Back & Its Legal Repercussions. What’s Your Strategic Incident Response Plan?

Who he is:

Garrie is a recognized leader in cyber security and is paving the way when it comes to 2017’s most pressing cyber and data breach issues. He is a renowned special master, forensic neutral, mediator, and arbitrator with JAMS, retained for complex, high-stakes cases around the country focusing on cyber security, privacy, and data breach disputes.

As one of the most sought-after cyber security and data breach experts, Garrie is Head of the Worldwide Cyber Security Practice at New York-based law firm, Zeichner Ellman & Krause LLP.

Prior to these roles, Garrie built and sold several technology startups and served as the Worldwide Director of Electronic Discovery & Information Governance at Charles River Associates. He is also on the Advisory Board of a number of different companies, including Get.it, KoolSpan, and Bounce Exchange.

Why He Chose This Topic:

Protecting data is imperative and more difficult as cyber attacks grow in scale and sophistication. Hackers are becoming more efficient, while companies struggle to establish fundamental cyber security measures. Businesses and governments are becoming frustrated and “hacking back” can be tempting. Garrie believes this topic is important to discuss in order to establish what best practices are for a company to respond to a cyber attack.

What He Hopes Attendees Get Out of It:

Although retaliation may be appealing for a private company, hacking back is currently an illegal avenue for companies or individuals to pursue. Garrie hopes that attendees will take away certain best practices and ways their companies can legally respond to cyber attacks.

Conference: Security Awareness Summit, July 31 – August 9

James-TaralaSpeaker: James Tarala

Topic: Implementing and Auditing the Critical Security Controls

What He’ll Be Discussing:

Cyber security attacks are increasing and evolving so rapidly that it’s more difficult than ever to prevent and defend against them. Tarala discusses how organizations should have an effective method in place to detect, thwart, and monitor external and internal threats to prevent security breaches. He’ll help attendees master specific, proven techniques and tools needed to implement and audit the Critical Security Controls as documented by the Center for Internet Security (CIS).

To enable your organization to stay on top of this ever-changing threat scenario, SANS has designed a comprehensive course on how to implement the Critical Security Controls, a prioritized, risk-based approach to security. Designed by private and public sector experts from around the world, the Controls are the best way to block known attacks and mitigate damage from successful attacks. They have been adopted by the U.S. Department of Homeland Security, state governments, universities, and numerous private firms.

The Controls are specific guidelines that CISOs, CIOs, IGs, systems administrators, and information security personnel can use to manage and measure the effectiveness of their defenses. They are designed to complement existing standards, frameworks, and compliance schemes by prioritizing the most critical threat and highest payoff defenses, while providing a common baseline for action against risks that we all face.

This in-depth, hands-on training will teach attendees how to master the specific techniques and tools needed to implement and audit the Critical Controls. It will help security practitioners understand not only how to stop a threat, but why the threat exists, and how to ensure that security measures deployed today will be effective against the next generation of threats.

Why He Chose This Topic:

Tarala will be speaking on the Critical Security Controls because he want students to have a better understanding of practical defenses to stop cyber attacks. He’ll impart solutions based on solid research and studies on effectiveness. While there will always be trendy security tools and topics, he feels it’s crucial that organizations understand the basic defenses that can actually stop attacks if they want to be successful.

What He Hopes Attendees Get Out of It:

Tarala hopes students are able to walk away from class with a specific, prioritized plan for how they can successfully defend their organization’s information systems.

Dave-ShacklefordSpeaker: Dave Shackleford

Topic: Social Engineering for Penetration Testers

What He’ll Be Discussing:

Social Engineering for Penetration Testers provides the blend of knowledge required to add social engineering skills to your penetration testing portfolio. Successful social engineering utilizes psychological principles and technical techniques to measure your success and manage the risk.

SEC567 covers the principles of persuasion and the psychology foundations required to craft effective attacks, and bolsters this with many examples of what works from both cyber criminals and Shackleford’s experience in engagements. On top of these principles, Shackleford will provide a number of tools (produced in engagements over the years and now available in the course) and also labs centered around the key technical skills required to measure your social engineering success and report it to your company or client.

Attendees will learn how to perform recon on targets using a wide variety of sites and tools, create and track phishing campaigns, and develop media payloads that effectively demonstrate compromise scenarios. This course opens up new attack possibilities to better understand the human vulnerability in attacks and to let you practice snares that have proven themselves in tests time and time again.

Why He Chose This Topic:

Conference: Def Con, July 27 – 30

Patrick-WardleSpeaker: Patrick Wardle, Chief Security Researcher at Synack

Topics: Offensive Malware Analysis: Dissecting OSX/FruitFly via a Custom C&C Server

Death By 1000 Installers; on macOS, it’s all broken!

What He’ll Be Discussing & Why He Chose These Topics:

Both of Wardle’s topics deal with macOS. As Macs become more prevalent, so will threats against them. There are already upticks in Mac malware, and especially Mac adware. Unfortunately, many Mac users are somewhat naive to these threats: Apple’s marketing department does an amazing job convincing users that all Macs are secure. As a passionate Mac user, Wardle thinks it’s important for other Mac users to understand the threats that are out there. His talks deal with macOS malware and macOS vulnerabilities in both Apple and third-party Mac software.

Wardle wants attendees to understand that there may be more efficient ways to analyze malware. In his talk “Offensive Malware Analysis: Dissecting OSX/FruitFly via a Custom C&C Server,” he shows how it was trivial to create a custom C&C server that he then could use to coerce the malware to reveal its capabilities, which proved to be a much faster method than manually debugging and disassembling the malware. He chose this topic because he loves to analyze macOS malware. He also writes free macOS security tools, so he stays abreast of the latest macOS threats and malware to ensure the tools he writes do/and will continue to protect macOS users.

For his topic “Death By 1000 Installers; on macOS, it’s all broken!” Wardle looked at the software on his Mac, and realized that the installer components (including Apple’s core code) were vulnerable to wide range of attacks. He chose to cover this topic because as a Mac user himself, he is bothered by how easy Macs are to hack. He’s hoping that attendees realize how buggy most installers are, and hopefully raise awareness of these issues, which will lead to more secure Macs.

Elie-BurszteinSpeaker: Elie Bursztein

Topic: How We Created the First SHA-1 Collision and What it Means for Hash Security

What He’ll Be Discussing:

In this talk, Bursztein recounts how we found the first SHA-1 collision in February 2017. This collision, combined with a clever use of the PDF format, allows attackers to forge PDF pairs that have identical SHA-1 hashes and yet display different content. This attack is the result of over two years of intense research. It took 6500 CPU years and 110 GPU years of computations which is still 100,000 times faster than a brute-force attack.

Bursztein delves into the challenges faced in developing a meaningful payload, to scaling the computation to that massive scale, to solving unexpected cryptanalytic challenges that occurred during this endeavor.

He also discusses the aftermath of the release, including the positive changes it brought and its unforeseen consequences. Building on the Github and Gmail examples, he explains how to use counter-cryptanalysis to mitigate the risk of collision attacks against software that has yet to move away from SHA-1. Finally, he looks at the next generation of hash functions and what the future of hash security holds.

Will-SchroederSpeaker: Will Schroeder

Topic: An ACE Up the Sleeve: Designing Active Directory DACL Backdoors

What He’ll Be Discussing:

Active Directory (AD) object discretionary access control lists (DACLs) are an untapped offensive landscape, often overlooked by attackers and defenders alike. The control relationships between AD objects align perfectly with the “attackers think in graphs” philosophy and expose an entire class of previously unseen control edges, dramatically expanding the number of paths to complete domain compromise.

While DACL misconfigurations can provide numerous paths that facilitate elevation of domain rights, they also present a unique chance to covertly deploy Active Directory persistence. It’s often difficult to determine whether a specific AD DACL misconfiguration was set intentionally or implemented by accident. This makes Active Directory DACL backdoors an excellent persistence opportunity: minimal forensic footprint, and maximum plausible deniability.

This talk will cover Active Directory DACLs in depth, our “misconfiguration taxonomy,” and enumeration/analysis with BloodHound’s newly-released feature set. Schroeder will cover the abuse of AD DACL misconfigurations for the purpose of domain rights elevation, including common misconfigurations encountered in the wild. He’ll then cover methods to design AD DACL backdoors, including ways to evade current detections, and will conclude with defensive mitigation/detection techniques for everything described.

Founder & Chief Marketing Officer, Indusface

Venky has played multiple roles within Indusface for the past 6 years. Prior to this, as the CTO @indusface, Venky built the product/service offering and technology team from scratch, and grew it from ideation to getting initial customers with a proven/validated business model poised for scale. Before joining Indusface, Venky had 10+ years of experience in security industry and had held various mgmt/leadership roles in Product Development, Professional Services and Sales @Entrust.