Keynote

 

History Repeating: Patterns in the Evolution of the Security Industry 

Mike Murray,  VP of Security Intelligence, Lookout

 

Abstract

The old cliche is that those who don't learn history are doomed to repeat it. Across our industry, we are failing to see the parallels of the present to the past. In this keynote, we will examine the history of the security industry and highlight the patterns that are present, so that we may predict the trends of the future.

 

Bio

Mike Murray is the VP of Security Intelligence at Lookout. For nearly two decades, Mike has focused on high-end security research, first as a researcher and penetration tester and then building and leading teams of highly skilled security professionals.   He previously lead Product Development Security at GE Healthcare, where he built a global team to secure the Healthcare Internet of Things.   Prior to that, he co-founded The Hacker Academy and MAD Security, and has held leadership positions at companies including nCircle Network Security, Liberty Mutual Insurance and Neohapsis.

 

Presentations

 

A Case Study in Attacking KeePass - Lee Christensen and Will Schroeder - @tifkin_ and @harmj0y

 

KeePass is one of the most commonly used password managers in modern enterprises, with the KeePass databases of particular administrators at times protecting the literal “keys to the kingdom”. This talk will cover a number of ways to “attack” an administrator’s KeePass database operationally. We will detail our open-source project KeeThief, which allows for the decryption of KeePass key material from unlocked databases without relying upon a keylogger and is indifferent to KeePass’ “secure desktop” protection. For unlocked databases, we will show methods for triggering KeeThief at the perfect time, extracting out everything you need to decrypt a database and pilfer credentials off-system. We’ll also cover a way to exfiltrate all database contents without any malware or code injection, and will conclude with demos that show how to pilfer KeePass databases with all current protections enabled.

 

Andromeda – bringing sexy back with PowerShell - Jared Greenhill - @jared703

 

Organizations commonly face older malware threats that are being retooled with modern, sophisticated delivery and entrenchment techniques. This talk outlines a case study around the detection, response and analysis around multiple Andromeda malware infections observed across a globally diverse technology conglomerate.

 

Cross-Site Scripting: To Alert() and Beyond! - Joshua Barone - @tygarsai

 

Cross-Site Scripting is often reported, in the news and as findings in analysis reports. People don't always understand what is the cause, or the risk that it presents. Most proof of concepts used to demonstrate these flaws, stop with just making a message box appear. But, what is the real issue, the real risk, how far can an intruder get with a cross-site scripting vulnerability?

 

This talk is a discussion of what the vulnerability is, and how it can be exploited featuring the following:

 

    - What is it

    - How does it work

    - How bad can it get

    - What can developers and security practitioners do to defend

 

Live demos will show these attacks in action, as well as how critical the impact of these attacks can be. 

 

Defining "Reasonable Security" in 2017 - David A. Stampley

 

In 2016, a shared legal understanding of what reasonable security looks like continued to evolve, propelled by a number of forces, including new laws and regulations and new regulatory enforcement actions at the state and federal level. In the civil litigation arena, a number of prominent, long-running data breach cases continue to be litigated, and new ones have been filed. As a major development in data breach cases, courts have become more willing to acknowledge that consumers are harmed when their information is compromised. Related to these developments: increasingly, information security personnel are call on to fill various roles in litigation—as witnesses, whistleblowers, and defendants. The visibility of information security personnel will increase with the prevalence, interconnectedness, and invasiveness of new technology applications. All of these forces affect the current legal understanding of what reasonable security, or lack of it, looks like. 

 

DFIR from the LEO side - Stephen A. Villere

 

Learn from a local law enforcement forensics lab supervisor how local law enforcement handles digital forensics investigations. The multiple challenges faced while acquiring and processing evidence. DFIR becomes vastly different when suspects do not cooperate. Staying on the cutting edge of digital forensics is not so easy.

 

Finding Haystacks in Your Needles: Threat Hunting Problems in Real World Data - Sarah Miller - @beyazfar3

 

Resources such as SANS's "Know Normal, Find Evil" and MITRE's ATT&CK framework are a great starting point when looking for malicious activity ... but what happens when you actually start diving into the data? Is finding malware really as easy as just looking for any port 80/443 connection that's not from a browser? (Spoilers: It isn't.) This talk goes through a number of real scenarios where legitimate applications behave just like malware, and how to improve behavioral detection.

 

Intro to Darknets - Golden G. Richard III - @nolaforensix

 

This talk introduces key darknet technologies, such as Tor, I2P, Freenet, ZeroNet, and cryptocurrencies such as Bitcoin.  The focus is both on tools for safely accessing the darknet, as well as how the tools and darknet protocols work.

 

Logs Unite! - Forensic Analysis of Apple Unified Logs - Sarah Edwards - @iamevltwin

 

Apple has introduced a new unified way of logging across devices and operating systems. Now with iDevices on iOS10 and Mac systems on Sierra (10.12) there is a common logging format versus many different types of logs as before. This talk with discuss these new features, how they are different from legacy logs, and how to extract, view, and analyze these logs for great forensic artifacts!

 

Murder Mystery – How Vulnerability Intelligence is Poisoning your Information Security Program - Gordon MacKay - @gord_mackay

 

Integrating vulnerability scanning results into one’s security ecosystem involves a serious hidden challenge which results in heinous consequences, thereby killing your InfoSec program.  This session shares clues on this challenge, step by step, in the form of a murder mystery game, and ultimately reveals the culprit as well as strategies to overcome it.  Come participate, play, and interact! Try to guess “who-dunnit,” and learn how to avoid future similar InfoSec crimes.

 

One Script To Triage Them All! - Asif Matadar

 

Triage of 100’s or even 1000’s of *nix based systems during an incident can be a challenge when dealing with several *nix variants. This script was developed to undertake triage of *nix based systems in a timely manner to allow investigators to analyse critical files, logs, memory dumps, and interact with the File System for particular indicators of compromise across numerous systems.

 

Ransomware Stories From the Front Lines - Thomas Pace - @tommypastry

 

Ever wonder how ransomware negotiations look?  How much they actually cost?  How successful the negotiations are?  In this talk Thomas Pace will answer all of these questions and more.  Thomas will discuss multiple ransomware cases that he has handled personally that have made him laugh, cringe and cry.  From attackers sending the wrong decryption keys to having to acquire Bitcoin in a very non-traditional manner, Thomas will walk everyone through the highs and mostly lows of dealing with a ransomware incident.  

 

SIEM is dead? Not so fast: How to use SIEM as an analysis/IR tool - Erika Noerenberg - @gutterchurl

 

Recently there has been talk of moving away from traditional SIEM platforms into a security operations and analytics platform architecture (SOAPA). In this new concept, the integration of functionality such as malware sandboxing, threat intelligence, and endpoint monitoring are combined into one platform that also includes a traditional SIEM tool. However, these tools do not have to be mutually exclusive; leveraging a SIEM's log processing and machine learning to aid in incident response can reduce manual analysis time, thereby reducing the mean time to respond (MTTR) for an incident. In this talk, I will demonstrate how common malware and forensic tools such as Volatility or log2timeline can be used as SIEM log sources for aggregation and correlation in an incident response.

 

Web App Forensics - Vassil Roussev and Shane McCulley

 

Web applications present a qualitatively new target for digital forensics/incidents response: the server component is completely invisible while the (Javascript) client is minified and obfuscated, and downloaded on the fly. The vast majority of current tools a useless when it comes to working with web app's native artifacts.

 

In this talk we will focus on the internal structure of cloud-native artifacts of several online collaboration applications, with an emphasis on Google's G Suite. We look at the available public and (reverse engineered) private protocols, as well as the means to independently store and replay them. We also discuss some of the non-obvious implications of log-centric artifact design  for both forensics and privacy and ways to extract "invisible" artifacts.

 

Windows IR made easier and faster - Michael Gough - @HackerHurricane

 

Windows systems are still king of the desktop and server operating systems, thus the #1 target of hackers, malware, ransomware, and phishing attacks.  Hunting for malicious activity is something we all must get better at or the hackers will win; hell, the hackers are already winning.  Learning what to look for is hard enough with all the ways Windows can get infected and hide malicious payloads.  Worse, there are few tools to help us effectively hunt, short of buying expensive enterprise solutions which many, if not most organizations find hard to afford.  Doing it quickly is also difficult and we need to get faster at it.

 

So how do we find the head of the snake slithering inside our Windows systems fast?  Traditional forensics methods are too slow to keep up with active attacks and are generally a collection of scripts authored by many different individuals.  What artifacts do we look for and focus on to find the infection or determine whether or not a system is clean?  In dealing with commodity to advanced malware we came up with an approach that speeds up Windows Incident Response and improves our security program in the process.  How does someone sift through over 1000 persistence locations, hidden payloads, other malicious artifacts, IP/WhoIs and get netflow data from inside Windows in minutes?  This talk will show you how.

 

Your New Red Team Hardware Survival Pack - Chris Salerno - @secrisk

 

A few years ago all you needed was a 4 port switch and Kali VM to reliably bypass most controls and have domain admin in a few hours. Defenses and networks have improved and so should your red team arsenal. Spoiler alert; you’re going to need a bigger backpack.  This talk will provide a practical guide to bypassing NAC controls, taking over workstations from the parking lot, and breaking into locked PC’s.  We’ll walk through 5 different hardware devices; how to build them, use them effectively, and how to protect against them.

 

Speakers

 

Asif Matadar

 

Asif is an Senior Incident Response Investigator in the UK, responding and leading complex incidents around the world, including advanced targeted attacks, state affiliated, data breaches, and industrial espionage, to name a few. 

 

Asif has over 6 years’ experience working in incident response and penetration testing on infrastructure, web and mobile applications. He holds a BSc (Hons) in Forensic Computing along with the GCFA certification. He has particular interest in research with a keen focus on memory analysis and automation, *nix based forensics, PowerShell as a defence capability, and triage analysis.

 

 

 

Chris Salerno - Security Risk Advisors

 

Chris oversees Security Risk Advisors’ CyberSOC services.  His background is in cybersecurity strategy based on NIST CSF, red and purple teams, improving network defenses, technical penetration testing and web applications.  He has conducted and led hundreds of red team exercises and has been a speaker at SecureWorld and RSA.

 

David A. Stampley - Partner - KamberLaw

 

David Stampley is an attorney who has been described by a federal judge as having “recognized experience in complex litigation involving technology and privacy issues.” For over 16 years, his practice has routinely involved supporting information security experts as well as consulting with them to support his litigation work. 

 

As a partner at KamberLaw, Dave specializes in security and privacy-related matters. He has also served as an assistant attorney general in the Internet Bureau of the New York State Attorney General’s Office. In both positions, Dave’s handling of precedent-setting cases has advanced industry practices for implementing consumer-facing technologies.

 

In the corporate sector, Dave served as general counsel and compliance specialist at Neohapsis, a security advisory services firm that is now part of Cisco Systems. He also served as director of privacy and senior corporate counsel at Reynolds & Reynolds, an information technology provider to auto dealerships.

 

Dave is a member of the advisory board of Concierge Defense. He began his legal career as an assistant district attorney at the Manhattan District Attorney’s office.

 

Erika Noerenberg - Senior Malware Analyst - LogRhythm

 

Erika Noerenberg is a senior malware analyst and reverse engineer in the Threat Research group of LogRhythm Labs in Boulder, CO. Previously, she worked as a forensic analyst and reverse engineer for the Defense Cyber Crime Center (DC3), performing system and malware examinations in support of intrusions investigations for the DoD and FBI. 

 

Golden G. Richard III - LSU

 

Golden G. Richard III is a digital forensics and and computer security expert and a Fellow of the American Academy of Forensic Sciences, with over 35 years of practical experience in computer systems and computer security. He is Professor of Computer Science and Engineering at the Louisiana State University and Associate Directory for Cybersecurity at the Center for Computation and Technology (CCT). His research interests mirror his teaching interests: digital forensics, reverse engineering, offensive computing, operating systems internals, and malware analysis. Dr. Richard is also a member of the United States Secret Service Electronic Crime Taskforce and the Editorial Boards of the Journal of Digital Investigation, the International Journal of Digital Crime and Forensics (IJDCF), and Computers and Security (COSE). He is a founding member and chairman of the non-profit that runs the Digital Forensics Research Workshop (DFRWS), the premiere venue for publishing digital forensics research. He earned a B.S. in Computer Science (with honors) from the University of New Orleans and an M.S. and Ph.D. from The Ohio State University. His first floppy drive cost $600 and required financing. Golden is also the owner of Arcane Alloy, LLC, a private digital forensics firm and a professional music photographer--you can check out his work at HighISOMusic.com.

 

Gordon MacKay - CTO  - Digital Defense Inc.

 

Gordon MacKay, Software/Systems Guru with a dash of security hacking, serves as CTO for Digital Defense, Inc.

 

Gordon has presented at many conferences including BSides San Diego 2017, ISSA International Conference 2016, ISC2 Security Summit 2016, BSides DC 2016, Cyber Texas 2016, BSides Detroit 2016, BSides San Antonio, BSides Austin, BSides DFW, RSA and more, and has been featured by top media outlets such as Fox News, CIO Review, Softpedia and others.

 

He holds a Bachelor's in Computer Engineering from McGill University Montreal Canada, and is a Distinguished Ponemon Institute Fellow.

 

Jared Greenhill - Senior Forensic Analyst - Sony

 

Jared Greenhill is a Senior Forensic Analyst at Sony where he performs digital media analysis in support of global investigative efforts. Jared also teaches a Graduate Memory Forensic course at George Mason Universities MS in Computer Forensics program. Before joining Sony in 2015, Jared was an incident responder for RSA’s IR practice where he performed network and host based forensics, memory analysis and reverse engineered malware. Jared has spoken at multiple industry-recognized conferences including RSA Conference, Security BSides New Orleans, Volatility’s Open Memory Forensics Workshop and the BlackHat webcast series. 

 

Joshua Barone - Senior Developer - BlackBag Technologies

 

Joshua Barone has over 15 years of experience as a software developer, with a majority of that time specialized in security design and development. Joshua Barone has a core background in Go, Java, .Net, Python, Javascript, and security design principles. Joshua specializes in .Net and Java Enterprise technologies, Web Services, Agile Methodologies, Open Source, and Test-Driven Development. He is familiar with a variety of platforms (Windows, Mac OS X, Linux, Unix), databases (PostrgreSQL, MySQL, MSSQL, Oracle), J2EE Application Servers, Software Development Methodologies and Tools. Joshua is also experienced in security vulnerability assessment for platforms and applications. Joshua is a Certified Information System Security Professional (CISSP) and holds GIAC Security Essentials (GSEC), Certified Incident Handler (GCIH), Certified Intrusion Analyst (GCIA), and Web Application Penetration Tester (GWAPT) certifications, as well as a Master's in Computer Science from the University of New Orleans. He is currently a Senior Developer at BlackBag Technologies.

 

Lee Christensen 

 

Lee Christensen (@tifkin_) is a red teamer, defensive analyst, and tool developer. He is the author of UnmanagedPowerShell, which has been integrated into the Metasploit and Empire projects, and is the primary author for KeeThief.

 

Michael Gough - hMalware Archaeologist - Malware Archaeology

 

Michael is a Malware Archaeologist, Blue Team defender, Incident Responder and logoholic.  Michael developed the “Malware Management Framework” and several Windows logging cheat sheets to help the security industry understand Windows logging, where to start and what to look for.  Michael is co-developer of LOG-MD, a free tool that audits the settings, harvests and reports on malicious Windows log data and malicious system artifacts.  Michael also ran BSides Texas for five years for the Austin, San Antonio, Dallas and Houston cons.  Michael is also blogs on HackerHurricane.com on various InfoSec topics.

 

Sarah Edwards - Mac Nerd - Parsons Corp / SANS

 

Sarah is an senior digital forensic analyst who has worked with various federal law enforcement agencies. She has performed a variety of investigations including computer intrusions, criminal, counter‐intelligence, counter-narcotic, and counter‐terrorism. Sarah's research and analytical interests include Mac forensics, mobile device forensics, digital profiling and malware reverse engineering. Sarah has presented at many industry conferences including; Shmoocon, CEIC/EnFuse, Bsides*, Defcon and the SANS DFIR Summit. She has a Bachelor of Science in Information Technology from Rochester Institute of Technology and a Masters in Information Assurance from Capitol College. Sarah is the author of the SANS Mac Forensic Analysis Course - FOR518.

 

Sarah Miller -Threat Intel Analyst - Carbon Black

 

Sarah Miller has worked for Carbon Black as both a member of their Security Operations team and a member of their Threat Research team. Prior to her infosec career, she worked a variety of jobs that took her to exciting places such as Kazakhstan, Turkey, and Harvard Square.

 

Stephen A. Villere - Digital Forensics Unit Supervisor

 

Stephen A. Villere has been in the Law Enforcement field since 2002. He is currently the Digital Forensics Unit Supervisor for the Jefferson Parish Sheriff’s Office Crime Laboratory Digital Forensics Unit. Mr. Villere is a member of the International Association of Computer Investigative Specialists (IACIS) and a Certified Computer Forensic Examiner (CFCE). During the beginning of his law enforcement career he was a Crime Scene Technician with the New Orleans Police Department Crime Laboratory. In 2003, because of his existing knowledge and enthusiasm for computers and electronics, he was recruited to develop a Computer Forensics Examination Section. Within a year he was selected to join the Gulf Coast Computer Forensics Lab (GCCFL), a federally funded task force which brought together academia, local, state and federal levels of individuals for training, equipment, experience and knowledge to be shared throughout the entity, this model was adapted by the current Regional Computer Forensics Labs (RCFL) that exist through the United States. In 2008 Mr. Villere was recruited by Jefferson Parish Sheriff’s Office (JPSO) to develop their Computer Forensics Examination Section. Because of the high success rate and the increased volume within this section, the Digital Forensics Unit was created and was made part of the Crime Laboratory. 

In addition to earning a Bachelor’s of Applied Science Degree in Computer Information Science from Loyola University of New Orleans, he has continued his education and training by attending discipline specific courses throughout his career.  Attending training from National White Collar Crime Center (NW3C), Accessdata, Paraben, Homeland Security, Intelligent Devices, United States Secret Service (USSS) National Computer Forensics Institute (NCFI), Cellebrite, BerlaCorp, Blackfin Security Group, SANS, and BlackBag. Also in 2014 earned his Computer Forensic Analyst Certification (GCFA) offered by the Global Information Assurance Certification (GIAC), the leading provider of Cyber Security Certifications. Also, more recently has been brought on to the BlackBag Training Team as a contract instructor.

 

Thomas Pace - Principal Consultant, Incident Response & Forensics - Cylance

 

Thomas Pace has an extensive background in building incident response programs, policies, procedures and playbooks at multiple top tier organizations. Thomas has 11 years of security experience in various fields including physical security, intelligence gathering and analysis, sensitive site exploitation, incident response, intrusion analysis and endpoint and network forensics.

 

At Cylance Thomas serves as a Principal Consultant where he acts as a technical lead on various projects sold and delivered as well as creating processes and methodologies to better assist Cylance’s client base. Thomas conducts incident readiness assessments, security tool assessments, as well as responding to incidents when needed. Thomas is also currently an Adjunct Professor at Tulane University where he has developed a portion the Homeland Security Studies program curriculum centered around cyber security. Thomas also currently provides guidance and expertise to the New Orleans cloud security community as the Louisiana Cloud Security Alliance Co-Chair.  Thomas possesses a Master’s degree from the University of Pittsburgh in Information Security and also multiple industry certifications such as CISSP, GCIH and GCIA.

 

Will Schroeder

 

Will Schroeder (@harmj0y) is a offensive engineer and red teamer. He is a co-founder of Empire/Empyre, BloodHound, and the Veil-Framework, developed PowerView and PowerUp, is an active developer on the PowerSploit project, and is a Microsoft PowerShell MVP. He has presented at a number of conferences, including DEF CON, DerbyCon, Troopers, BlueHat, a various Security BSides.

 

Planners

 

Organizers:

• Vico Marziale - @vicomarziale
• Andrew Case  - @attrc
• Joe Sylve       - @jtsylve 

 

Volunteers

 

  Please email bsidesnola [@] gmail.com if you would like to volunteer during the event.

 

Tags for flickr, twitter, blog, etc.

Please use the tag #BSidesNOLA for content related to this event