Converge Conference 2019 Recorded Talks

 

Title Presenter Abstract
Honeybotting: Extracting Confessions From Client-Side Implants Lee Holmes While worms and automated attacks are a huge danger, persistent attacks that leverage interactive remote command and control servers can be especially damaging. But control of a remote machine requires one major thing: cooperation of the compromised. What if our machines don’t play along?
Implementing Application Explicit Allow Without Getting Fired Steve Edwards The way we have historically addressed malicious software is backwards. Instead of trying to explicitly list every one of the limitless numbers of malicious programs, or trying to programmatically determine whether or not their code is malicious, we should be working in the opposite direction. There are a finite number of applications that need to be run in your business. And while that number may be large, it is still easier to enumerate this list than to list all potentially bad software that could ever be created. For Duo’s corporate infrastructure we have attempted to implement the principle of Application Explicit Allow (or whitelisting) across all platforms, and in as many ways as possible. Knowing that security is circumvented when it isn’t usable, in each case we built this with user experience in mind. While Application Explicit Allow is the most restrictive approach to malicious software prevention, by creating a simple and fast end-user workflow we have rolled this out company wide without getting fired. In this presentation I will show demos of each system we’ve developed and explain the underlying infrastructure that we have built or implemented.
Intelligent Threat Intelligence Michael Roytman The prior approach to assessing threat intelligence—measures how good your data sources are, and the operational utility of this data. This is useful, and should be a part of any mature security practice. Instead we attempt to describe the effectiveness of the threat itself, and hence the amount of risk that a remediation mitigates. 299 CVEs are responsible for 44 million attacks. In the incident response paradigm, you can deal with 44 million attacks by monitoring and remediating around 30,000 malware samples, and see as those samples mutate and generate new strains. Or, you can remediate 299 CVEs, and never worry about those strands again. Context and appropriate statistical blending of the data makes threat intelligence – intelligent.
Forensics for the Small to Medium Size Org Edd Black A good information security program is more than just defending against and remediating attacks. It includes understanding exactly what happened so better defenses can be implemented. This will include forensic examinations. Forensics as a discipline seems out of reach for most small to medium orgs with security practitioners spread thin. This talk will look at forensics place in the arsenal of the SMOrg defender, including rules of engagement, defining capabilities, scoping a forensic environment, and building the appropriate skill sets.
Incident Communications 101 – Breaking the Bad News Catherine Ullman Enabling better communications between geeks and management, especially during incident response. As humans we have had 60,000 years to perfect communication, but those of us working in IT, regardless of which side (Blue or Red Team), still struggle with this challenge. We have done our best over the centuries to yell “FIRE!” in a manner befitting our surroundings, yet today we seem utterly incapable of providing that very basic communication capability inside organizations. This talk will endeavor to explain HOW we can yell “FIRE!” and other necessary things across the enterprise in a language both leadership, managers and end-users understand.
The Evolution of Penetration Testing at Domino’s (Not Recorded) Ronald Ulko The journey to secure Domino’s Pizza has been an interesting one. With a fast paced environment, and an ever changing landscape, penetration testing at Domino’s needed to keep up to support the business. In this presentation we’ll talk about how we started with the common one test for everything approach to our dynamic one. From waiting weeks for a report to just hours or days.
Decomposing Risk: What does a Blue Team Stop? Alexander Feick This presentation details incident data and observed rates for breach detection (with numbers of assets impacted) from the perspective of eSentire’s Security Operations Centers (SOC) over the last year. After discussing the data collection practice, we will then discuss how we can take the data set of around 2,000 different protected locations and use it to detail the risks facing different industry sectors in terms that are relevant and understandable to business leaders. It will cover the mathematics we used to create our own version of the tool, a brief demo of the presentation tool we created, and public access to an anonymized copy of our industry data that you can use to run your own calculations on risk.
Red Team Level over 9000! Fusing the powah of .NET with a scripting language of your choosing: introducing BYOI (Bring Your own Interpreter) payloads. Marcello Salvati Offensive PowerShell tradecraft is in “Zombie Mode”: it’s sorta dead, but not entirely. With all of the defenses Microsoft has implemented in the PowerShell runtime over the past few years Red Teamers / Pentesters & APT groups have started too shy away from using PowerShell based payloads/delivery mechanisms and migrate over to C#. However, C# is a compiled language, operationally this has a few major downsides: we can’t be as “flexible”, setting up a proper development environment has overhead and can be time consuming, you have to compile all the things all the time etc.. Bottom line is I’m lazy and creating your malwarez/custom payloads in C# is not as easy & straight forward as it would be in PowerShell or really any scripting language. This raises the following quandary: can we somehow get our own scripting language interpreter on the target machine while still remaining opsec safe and use it to perform all of our post-exploitation activities? Turns out by harnessing the sheer craziness of the .NET framework, you can embed entire interpreters inside of .NET languages allowing you to natively execute scripts written in third-party languages (like Python) on windows! Not only does this allow you to dynamically access all of the .NET API from a scripting language of your choosing, but it also allows you to still remain completely in memory and has a number of advantages over traditional C# payloads! Essentially, BYOI payloads allow you to have all the “power” of PowerShell, without going through PowerShell in anyway! In this talk we will be covering some key .NET framework concepts in order to understand why this is possible, how to actually do the interpreter/engine/runtime embedding, the concept (that I coined) “engine inception”, differences between traditional C# payloads & BYOI payloads, demoing some examples of BYOI payloads and finally SILENTTRINITY: an open-source C2 framework that I’ve written that attempts to weaponize some of the BYOI concepts.
Breaking NBAD and UEBA Detection Charles Herring Network Behavior Anomaly Detection (NBAD) and User and Entity Behavior Analytics (UEBA) are heralded as machine learning fueled messiahs for finding advanced attacks. The data collection and processing methodologies of these approaches create a series of new exploitable vectors that can allow attackers to navigate network and systems undetected. In this session, methods for poisoning data, transforming calculations and preventing alerts will be examined. Proof of concept Python code will be demonstrated and made available. Approaches to harden against these attacks will also be discussed as well as outlining needed changes in detection standards.
Corporate Phishing: Keeping the Phish in the Water and the Boat Afloat Samantha Paquette At the end of 2015 we realized we had a problem. Through a third party audit we discovered that our company click rate on phishing campaigns was around 40%. This was completely unacceptable so Consumers Energy set out to change that. This talk will cover the journey that Consumers Energy and our employees have taken over the last three years as we set out to change the phishing vulnerability and awareness around cyber security. We will go over tools we used, how processes and culture changed, measuring our performance and how we added multiple technology platforms to achieve this.
The Intelligence Information We Share and How We Share It James Palazzolo Incorporating an active threat intelligence (Information sharing) program into the security operations center is not easy. How much can be shared and to whom, is always a tricky question. However, with the right strategy and planning, (and some lessons learned) you will be well on your way. Come hear how BCBSM is sharing and why.
Red vs Blue: The Untold Chapter Aaron Herndon, Thomas Somerville When a red teamer and a blue teamer get together for a casual evening, you inevitably end up with the argument of ‘I can do this attack!’ followed by ‘I can stop that attack!’. After hours of this exact conversation, Aaron and Tom threw down the gloves and put words into action. Join us as we recount the Battle Royale, with Aaron conducting red team attacks, such as generating obfuscated payloads, living off the land, and persisting inside the network, while Tom, representing the blue team, shows how to detect, defend against, and eradicate these threats within a mid-sized corporate network without a dedicated SOC or Fortune 500 InfoSec tool set.
Design: Human-centered Security Wolfgang Goerlich Security happens where man meets machine. Or, fails to happen, as we see all too often. Blame the users. They’ll click anything. Blame the developers. Half their code is riddled with vulnerabilities anyways. Blame the IT staff. You’d think they’d at least know better. But perhaps, we’ve been placing the blame on the wrong places. What exactly happens where people and technology meet? At that moment, that very moment, what factors in human psychology and industrial design are at play? And suppose we could pause time for a moment. Suppose we could tease out those factors. Could we design a better experience, design a better outcome, design a better path to the future? This session explores these questions and identifies lessons the cyber security field can learn from industrial design.