Technical Talks for BSides Buffalo 2022

A Theme of Fear: Changing the Paradigm

Dr. Catherine J Ullman

The InfoSec industry was born out of fear. Initially it was fear of virus infections and later, of external attacks. We capitalized on that fear to build more secure environments. But fear is hard to manage: too much fear breeds paralysis, and too little fear breeds complacency. This talk will take a look at the history of fear in InfoSec, explore how its impact has shaped the industry, and show how it is now getting in the way. Fortunately, we can provide the next generation with a new paradigm to effect change. This talk presents some ideas on what the new security paradigm could be, and most importantly, how to enable a security-minded culture without using fear.

Beyond HTTP: A Crash Course in Hacking IoT’s Non-HTTP Attack Surfaces

Jesson Soto Ventura

Hacking smart IoT devices that have a web interface typically depends on the same skill set as web application hacking. Plenty of resources cover web application hacking, and they largely map one-to-one onto such devices. But what about IoT devices that have no web interface at all: how do you hack those, and how do you even get started? In this talk we’ll hack a couple of IoT devices (a smart grill and a light bulb) and, along the way, learn about common non-HTTP attack surfaces and how to leverage them in your future hacks.

Getting started with Security in AWS

Zack Glick

Working in AWS can give you visibility into what is happening in your infrastructure in ways an on-premises environment cannot. This talk will walk through ways to secure both the assets running in your AWS environment and the account itself. It is designed for an audience that is familiar with the basics of AWS and is looking for actionable ways to harden their environment.

Kubernetes Software Supply (Kill) Chains

Mark Manning

Software supply chain attacks are on the rise, with a projected 4X increase in these attacks this year, and most organizations don’t feel they can do anything about it. We’ll first validate that perspective by demoing a Kubernetes cluster being compromised by a supply chain threat, then go into the tools that are emerging to address these threats. We will cover ways to help fix this with the SLSA framework and tools like in-toto, cosign, and others that help build provenance into your build chain. The goal is to replace your broad fears of supply chain attacks with more specific, informed fears, through exploit demos and realistic attack scenarios.

MITRE ATT&CK – Combining APTs, TTPs, & GRC to build realistic security programs

Alex Martirosyan

Are you prepared to face the next big APT? Do you even need to be ready to face the next big APT? This session focuses on building a realistic GRC program. The approach uses intelligence gleaned from real attackers but does not chase down every type of attack. It shows you how to leverage that attacker information without going overboard chasing threats you’re likely never to see. This brings the best ROI for security controls by identifying the threats with the highest likelihood and focusing mitigation efforts on them.

Say Hi to the New Guy: How Diverse Backgrounds Can Mature Your Security Program

Ross Flynn

In a sea of candidates, why should you consider hiring a teacher as a SOC analyst? In what world would you hire a salesperson as a pen tester? As the need for more holistic security professionals grows, the InfoSec field has a unique opportunity to address security concerns by leveraging the unprecedented number of converts from seemingly unrelated fields.

The bad guys will always continue to develop and evolve their techniques, so strategic organizations are finding success by pulling from more diverse backgrounds. Fresh thinking and function-specific experience can help these diverse defenders protect data and the basic human right to security and privacy.

Let’s talk about the influx of new blood, strategic positioning, and how qualified professionals from other industries can leverage their experiences to benefit your security team.

The Art of Analysis: How Analyzing Art Helps Us Be Better Analysts

Jeff Domedion

There are many learning platforms that teach the technical skill sets needed for an investigation. What is usually lacking is the thought process and questions that are necessary to take a real-life investigation to its resolution. By using Amy Herman’s book “Visual Intelligence,” we will see how looking at art can make us stronger analysts, capture the flag players, or just all-around more perceptive of the world around us.

The Threat Hunting Solution You Might Not Have Expected

Lee Archinal

I will be covering a couple of points about Threat Hunting to drive the conversation from one that involves investing in more tools to one that invests in PEOPLE! Points to be covered are:

– IOCs are not threat hunting but are a good check to see if you have been compromised.

– Humans are behind the maliciousness whether it be script, executable, or hands on so our humans should be behind the hunt as well.

– Black box tools may be causing blind spots and could limit the creativity of the hunter.

– Creating meaningful alerts will help limit ‘alert fatigue’.

Threat modeling 101, or “Why you shouldn’t worry about bears on fiji”

Kurt_theTurk

Threat modeling is thrown around regularly in cybersecurity risk circles. There are many academic models for it (OCTAVE, STRIDE, TRIKE, PASTA, etc.), and apart from a general recognition that everyone should be doing it, not many people are talking about practical examples of ACTUALLY doing it. This has led to “threat modeling” becoming just another buzzword in the cybersecurity industry.

Using the MITRE ATT&CK Framework, and a few silly and entertaining examples of the real-life threat modeling we unknowingly do every day, we will go through the process of identifying relevant threats, understanding their tactics, techniques, and procedures (TTPs), identifying their ‘tells’ (data sources), and planning mitigations and countermeasures that are timely and relevant for you and your organization.

Threat Modeling in an Agile Development Environment

Jonathan Coupal

Traditional threat modeling can be an important part of shifting security left, from a QA-driven outcome to a design-driven outcome. Using a data flow diagram works well for waterfall-style product development with a planned architecture, but what happens when you are using an agile development methodology? In that case there is not necessarily a robust planned architecture for the product. There is still a way to leverage threat modeling as a powerful design tool in an agile team: during story refinement, ask the same four questions of each story:

– What are we working on?

– What can go wrong?

– What are we going to do about it?

– Did we do a good enough job?

During story refinement, anyone on the team can contribute. But rather than contributing to the “user” story, we contribute corollary “abuser” or “misuser” stories, describing potential issues with the product function as it is being designed. Each abuser story can then be addressed with one or more potential mitigations. Additionally, tests can be written to determine whether the mitigations were effective, and attached to the story as additional acceptance criteria.

Shifting responsibility for the product’s security left, from the QA team to the product owner and technical leadership, will result in a more secure product. It should also make the development team more productive, with fewer stories rejected because security vulnerabilities (bugs) were introduced into the source code during development.
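As an added illustration of the abuser-story workflow described above (example code written for this page, not material from the talk), here is one user story carried through all four questions. The story, the account directory and the two handlers are constructed for the example: a password-reset form whose "before" design answers differently for known and unknown addresses, the abuser story that exploits that difference, a mitigation, and the mitigation expressed as an executable acceptance test that fails on the original design and passes on the mitigated one.

```python
"""Added example: an "abuser story" captured next to a user story, with its
mitigation written as an executable acceptance criterion.

Assumed (illustrative) user story: "As a user I can request a password-reset
email by entering my address."
Abuser story: "As an attacker I submit addresses to the reset form and use
differences in the response to learn which accounts exist."
"""
from dataclasses import dataclass, field
from typing import Callable, List, Tuple

# Constructed account directory standing in for the real user store.
KNOWN_ACCOUNTS = {"alice@example.com", "bob@example.com"}

# Reset emails "sent" by the mitigated handler (recorded instead of mailed).
SENT: List[str] = []


@dataclass
class AbuserStory:
    description: str   # "What can go wrong?"
    mitigation: str    # "What are we going to do about it?"


@dataclass
class Story:
    title: str         # "What are we working on?"
    abuser_stories: List[AbuserStory] = field(default_factory=list)


def request_reset_leaky(email: str) -> Tuple[int, str]:
    """'Before' design: status and message differ by whether the account
    exists, which is exactly the signal the abuser story relies on."""
    if email in KNOWN_ACCOUNTS:
        return 200, "Reset email sent."
    return 404, "No account with that address."


def _send_reset_email(email: str) -> None:
    SENT.append(email)  # stand-in for the real mail side effect


def request_reset_uniform(email: str) -> Tuple[int, str]:
    """Mitigated design: identical status and body for every address; the
    email is only actually sent when the account exists. (Timing differences
    are a separate abuser story and are not addressed here.)"""
    if email in KNOWN_ACCOUNTS:
        _send_reset_email(email)
    return 200, "If that address is registered, a reset email has been sent."


def enumeration_resistant(handler: Callable[[str], Tuple[int, str]]) -> bool:
    """Acceptance test derived from the abuser story ("Did we do a good
    enough job?"): a known and an unknown address must be indistinguishable
    from the caller's point of view."""
    return handler("alice@example.com") == handler("nobody@example.com")


def build_story() -> Story:
    """The refined story as the team would record it."""
    story = Story("As a user I can request a password-reset email.")
    story.abuser_stories.append(AbuserStory(
        description="As an attacker I probe the reset form to discover "
                    "which addresses have accounts (user enumeration).",
        mitigation="Return the same status and message for every address; "
                   "send mail only for known accounts.",
    ))
    return story


if __name__ == "__main__":
    story = build_story()
    print(story.title)
    for abuser in story.abuser_stories:
        print(" abuser story:", abuser.description)
        print(" mitigation:  ", abuser.mitigation)
    print("leaky design passes test:   ", enumeration_resistant(request_reset_leaky))
    print("mitigated design passes test:", enumeration_resistant(request_reset_uniform))
```

The acceptance test is the part that survives the refinement meeting: it fails against the original handler, passes against the mitigated one, and keeps failing if someone later reintroduces a distinguishing error message.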

Wait, there can’t be only one?

Michael “Shecky” Kavka

We all have our favorite vendors, and we all have vendors we love to hate. Many organizations try to standardize on a specific vendor or technology. What happens if you put all your eggs in one security vendor’s basket? Is it worth doing that? Does not knowing how a vendor’s machine learning makes decisions hurt us or help us? Let us walk through a real-world scenario showing why using multiple vendors and multiple threat feeds could be advantageous. Wait, is that Defense in Depth? Maybe it is, but not in the way you normally think of it.
