Dave Marcus is a 25-year veteran and survivor of The Cyber Wars. Starting from IT administration and then into pre-1998 red teaming to getting bruised and battered in the cyber trenches of antivirus to the highs of becoming a Principal Engineer at both Intel and McAfee. The cyber scars are real. Dave Marcus currently serves as Senior Director of Intelligence and Analysis at LookingGlass (LGC). He has co-created methodologies and analytical processes to effectively research and target threat actors internationally, built and delivered thousands of weekly, monthly, and yearly Intelligence Summaries based upon unique customer intelligence requirements and has had the pleasure of presenting at more conferences than he probably deserved. A great team leader and people builder, he helps drive LGC’s intelligence, attack surface methodologies and technical direction. In his spare time, he is an avid powerlifter and family man.

---

Track 1 – NüWorld0rder

During the lockdown, many hackers were left to their own (and other’s) devices. This extra time, and a stable internet connection, lead some to the mass purchasing of inexpensive IoT devices and routers. One of these devices, a travel router by Trendnet, proved to be especially vulnerable. Through multiple chaining vulnerabilities, the system was compromised past repair.

This presentation explores the process, methodology, and tools used throughout the investigation and development of the full exploit. Designed to be friendly to both newcomers, and veterans, we’ll explore the technical and nontechnical sides of vulnerability hunting. While much of our work exists within the virtual realm, it's important to never forget the human side behind our endeavors.

Attendees will have the opportunity to relive the full hunting process from start to finish, including all the ups and downs of hacking and reporting. By retracing our steps through the hunt process, we can learn how to better focus our work, leading to more successful hunts.

Biography:
Austin Turecek is an application penetration tester with an interest in IoT, embedded systems, and open source technology. In the past Austin has worked within incident response, purple teaming, and system administration. Prior to beginning his work as an application penetration tester, Austin worked as a malware analyst studying and tracking cyber criminals, and their tools, throughout the deep and dark web.

The combined experiences of system administration, malware analysis, and penetration testing have all contributed to his independent work bug hunting.

---

Track 1 – NüWorld0rder

When adopting serverless technology, we eliminate the need to develop a server to manage our application and by doing so, we also pass some of the security threats to the infrastructure provider. However, serverless functions, even without provisioning or managing servers, still execute code. If this code is written in an insecure manner, it can still be vulnerable to traditional application-level attacks and could lead to a cloud disaster.

In this talk, we will discuss common risks and challenges in serverless environments. I will introduce techniques used by attackers to exploit Serverless apps in unconventional ways. I will also demonstrate exploits of recently discovered CVE, targeting cloud functions.

Bio
With more than 15 years' experience in Application and Serverless Security, Tal recently co-founded CloudEssence, a cloud-native Application Security company that was acquired by Contrast Security in 2020, where he now leads the new innovation center. Previous to CloudEssence, Tal headed the security research at Protego Labs, a Serverless security startup that was acquired by Check Point. Tal is committed to evangelizing serverless and application security to the community, by training hundreds of developers and security teams around the world, serving as an AWS Community builder and teaching at the cybersecurity master's program at Quinnipiac University.

Not only has today’s enterprise perimeter extended beyond the traditional firewall to the cloud, but hackers have also been using Azure to launch attacks and host malware. In this talk, I will cover use-cases for launching your offensive operations from Microsoft Azure for maximum success on your next Red Team or phishing scenario.
Offensive operations may benefit from using Azure. Specifically, Azure Cloud Shell may be used to deploy and manage offensive operations. I will dive into (ab)using Azure Cloud Shell to launch your operation and target enterprises who utilize Microsoft 365 for email, chat, and Active Directory. This talk and demonstration will provide the audience the knowledge to utilize Microsoft Azure Cloud Shell and other Microsoft services as platforms to launch advanced offensive operations.

Bio
Steve (rvrsh3ll) Borosh is a proud U.S. Army Infantry combat veteran and security consultant at Black Hills Information Security. Steve earned a B.S. in Computer and Information Science from ECPI University. Steve has extensive experience as a penetration tester, red team operator, and instructor since 2014. Steve has instructed courses on penetration testing and red teaming for the public, private, and federal law enforcement sectors. Steve also has experience teaching or speaking at conferences such as Blackhat, various BSides events, Gartner, and others. Steve maintains a blog and GitHub repository to share knowledge and open-source offensive tools with the community.

Ransomware groups utilize a wide range of attack techniques to gain elevated access to enable their ransomware to be as effective as possible. It can be perceived that these ransomware groups must utilize the newest, most pristine tooling to achieve their goals, but that isn’t always the case. Of course, there can be some custom tooling, but other times you might see old-school PowerShell one-liners to deploy their code. In this talk, we plan on looking at different groups and instances of ransomware being deployed to study how the operators performed each attack. We’re going to discuss their tactics and tooling used, and we plan on releasing sample tooling, which re-creates some of the tools used by the ransomware groups, along with detections. Attendees will be able to walk away from our talk with a better understanding of how some ransomware groups operate, along with sample tooling to simulate the same actions within their work environment as well as indicators of compromise for some of the techniques covered.

Bio
Christopher Truncer (@ChrisTruncer) is a co-founder and Offensive Security Lead with FortyNorth Security. He is a co-founder and current developer of the Veil-Framework, EyeWitness, WMImplant, EDD, and many other tools. Chris enjoys offensive security work.

Victor Suarez (@Gr1mmie) is an Offensive Security Engineer on FortyNorth Security's offensive security and research team. He is an open source developer whose written tooling encompassing various aspects of a penetration test and red team operation including situational awareness and persistence. Victor is involved not only with offensive operations, but also detection engineering and threat hunting in an effort to better advise defenders.

In 2015, HD Moore published an article disclosing over 5,800 gas station Automated Tank Gauges (ATGs) which were publicly accessible. Besides monitoring for leakage, these systems are also instrumental in gauging fluid levels, tank temperature, and can alert operators when tank volumes are too high or have reached a critical low. ATGs are utilized by nearly every fuelling station in the United States and tens of thousands of systems internationally. For remote monitoring of these fuel systems, operators will commonly configure the ATG serial interface to an internet-facing TCP port. The process for accessing these systems is quite simple: telnet to the port and issue documented TLS-350 or TLS-250 commands to execute everything from setting alarm thresholds to editing sensor configurations and running tank tests. While tools such as Nmap include scripts for enumerating these devices, the functionality is generally limited to In-Tank Inventory Reports and System Status Reports. These scripts are good for reconnaissance, but what if an attacker decided to prevent the use of the fuel tank entirely by changing access settings and simulating false conditions, triggering a manual shutdown? Could an attacker shutting down over 7,000 fueling stations in the United States with little effort leave the nation crippled? I believe the answer is clear.

Bio
Hey, I'm Michael! As a Cyber Network Operator experienced in vulnerability assessments, threat hunting, and incident response, Idevelop scalable intrusion detection capabilities to effectively discover and defeat adversaries in critical infrastructure networks! I'm passionate about transforming threat intelligence into tangible detection solutions. In my free time, you can catch me conducting security research for my blog (https://medium.com/@RoseSecurity), strengthening the cybersecurity posture of organizations through my company (https://rosesecurity.live/), and educating the community on modern threats and adversarial Techniques, Tactics, and Procedures; feel free to check out the work that I do through my GitHub portfolio (https://github.com/RoseSecurity).

If you’ve spent any time browsing blue team blogs or chatting with folks in the SOC, you’ve probably heard the phrase “Detection-as-Code” pop up. These discussions frequently exalt the virtues of Detection-as-Code characterizing it as the ultimate solution for all of the Blue Team’s problems. Usually, whenever something sounds too good to be true, it usually is. In this case, however, the advocates aren’t totally off base. In this talk, we’ll seek to separate truth from fiction and clarify how Detection-as-Code can help their organization.
We’ll start off with defining what Detection-as-Code is for those unfamiliar. After diving into some history of infrastructure, we’ll cover what problems Detection-as-Code solves and what it doesn’t. Finally, we’ll dive into some lessons learned from a team that manages hundreds of rules and petabytes of data using Detection-as-Code. Along the way, we’ll have some demos showcasing some of the power and failings of Detection- as-Code. After it all, you’ll come away with an answer to if Detection-as-Code is right for your team. You should also be equipped with an understanding of dos and don’ts and some guidelines and frameworks for a successful implementation.

Bio Daniel is a recent convert to the blue team after spending the majority of his career breaking systems at Praetorian and the USAF. For the past 2 years at Snowflake, he’s been helping to improve the threat detection program. When he’s not working, you can find him spending time with his wife and cats, enjoying a nice cup of coffee, or exploring Washington DC.

ICS security is a growing and critical field of cybersecurity. With the escalating conflict of Russia and Ukraine, increase in ransomware activity, and critical infrastructure becoming more interconnected, it’s important to have more people in the field. When I transitioned to an OT cybersecurity role, I felt lost by the vast number of concepts one needed to understand. Talking to people that show interest in joining the ICS side of the house, I noticed they asked me a similar set of questions including “where do you start with ICS?”, “what are the differences between ICS and IT security?”, and “what are the components and technologies you encounter on an OT environment?”. As someone who was once in the position of wanting to explore ICS security, I want to offer advice to those wanting to shift their career in this industry or simply are curious about ICS security.
In this presentation, I want to give attendees a “starting point” in their journey to ICS security. I want people to understand the fundamentals of what they should encounter in an OT environment. What is the difference between SCADA and a Distributed Control System? What are controllers used for in an ICS environment? What is the standard architecture you’ll find in an OT environment? Among other questions that I had when I first started learning about ICS security. I intend to pave the road and bridge the knowledge gap for IT cybersecurity professionals so they can have a better insight of what it takes to safeguard and protect critical infrastructure.

Bio
Santiago Gama is an Industrial Hunter at Dragos on the OT Watch team. He has been with Dragos for the past year and before worked in Help Desk, Software development, and System Administration. Santiago is active in the South Florida information security community with SFISSA and HackMiami.

As Machine Learning and AI are becoming more advanced, they are also becoming more prevalent in the field of cybersecurity. This talk will focus on the duality of using Machine Learning and AI in the realm of cybersecurity and hacking. Marcus Carey will highlight the potential for these technologies to be used for good, such as improving threat detection and response, and enhancing the overall security of networks and systems. Jonathan Echavarria will take a contrasting approach, examining the darker side of these technologies and the potential risks they pose to individuals and organizations. He will delve into the techniques used by hackers to leverage Machine Learning and AI to launch sophisticated attacks, such as malware and phishing campaigns. Together, they will present a balanced view of the current state of Machine Learning and AI in cybersecurity and their future possibilities, encouraging attendees to consider both the positive and negative implications of these technologies.
Join us for a thought-provoking and informative discussion on the "blue pill" and "red pill" of Machine Learning and AI in cybersecurity.

Bio
Jonathan is an experienced Enterprise Architect at ReliaQuest, where he aligns business strategy with technological solutions. Prior to this role, he was an offensive security engineer at Facebook, where he conducted various offensive operations. He has also held multiple positions at ReliaQuest, including penetration testing, red teaming, security operations, and malware analysis. Jonathan is a frequent speaker at industry conferences, discussing topics such as cybercrime, state-sponsored operations, and smart home security. Marcus is a cybersecurity practitioner with over 20 years of experience in the field and is a US Navy veteran. He currently serves as an Enterprise Architect at ReliaQuest, performing research and leading the development of a variety of solutions. He has worked with federal agencies like NSA, DC3, DIA, and DARPA and is the co-author of the Tribe of Hackers cybersecurity book series. He also holds a Master of Science in Network Security from Capitol Technology University. His diverse background and extensive experience make him a valuable asset in the field of cybersecurity.

Cybersecurity isn't solved. It's why there are so many products constantly appearing (we may be running out of made-up words for company names). We'll talk about how you can get involved! Whether it's in your enterprise, angel investing, or how to launch your own start-up!

Bio
Founder of SCYTHE, a start-up building a next-generation attack emulation platform, GRIMM, a cybersecurity consultancy, and Co-Founder of the ICS Village, a non-profit for industrial control system security. He is a Senior Fellow at the National Security Institute and an Advisor to the Army Cyber Institute. As a U.S. Army Officer, he served as a Battle Captain and Brigade Engineering Officer in support of Operation Iraqi Freedom. He was recognized as one of the Top 50 in Cyber by Business Insider, Security Executive Finalist of the Year by SC Media, and a Tech Titan in Washington DC.

---

Track 1 – NüWorld0rder

Zhadnost, was discovered when it was conducting DDoS attacks on Ukrainian government and financial websites shortly before and during Russia's invasion of Ukraine. The botnet was later used against Finnish Government websites, on the same date President Zelensky addressed the Finnish parliament, and against the Ukrainian Postal Service, on the day a controversial anti-Russian stamp was to go on sale. The presentation discusses the methodology and tools I used to discover its bots, provides an analysis of its bots and how they were compromised, how its impact can be mitigated, and attribution of the botnet to the Russian GRU. The presentation also compares and contrasts Zhadnost with the activities of another Russia aligned- botnet operator, KillNet, who has targeted dozens of US, European, and NATO websites with DDoS attacks.

Bio
Ryan Slaney While working for CSIS, I spoke at Security BSides in St. John's NL and ISACA's IT Risk Symposium Conference in Halifax about the disruption of a GRU close access cyber team in The Hague. Currently working as Staff Threat Research at Security ScoreCard.

Companies want to be ready for current and future cyber attacks, and a Cyber Threat Intel Program would give them the insight they need to combat these attacks. I will cover the basics of building a Cyber Threat Intel Program from scratch, even if your company has a limited or no budget for tooling. Ill cover essentials such as Threat Intel Platforms, OSINT, Dark Web research, Ransomware analysis, Threat Intel sources, and much more. So when they ask you...do you even Threat Intel bro..you can answer a resounding YES!

Bio
I have taught infosec classes for 15 years and achieved and taught 21 certifications. I have also done web app pentesting for a government facility as well as my current company. I created the AppSec Program there from scratch as well as the Cyber Threat Intel program. I enjoy teaching and have created a lot of cybersecurity content on my website at https://www.sh1katagana1.com. I also play live Trip Hop, Funk and Jazz using live looping. I play concerts both in real life and in the metaverse in Second Life, OpenSim and Neos VR.

Have you ever wanted a simple alert if an unexpected Windows process runs on a host? The open source Canarytokens project allows teams to build simple tripwires to alert on attacker actions. We’ve recently built a new free Canarytoken type that allows you to set up a quick alert when you want to know any time a specific windows file is executed. In nearly every ransomware report, we can see attackers running a series of commands on endpoints. What if you wanted to monitor critical systems and endpoints for sensitive commands? For example, suppose you wanted to see an alert if someone runs wmic.exe or qwinsta.exe or bitsadmin.exe on a device? With this new token, we can create Canarytoken alerts for some of these commands as an early warning tripwire that something is wrong, or someone is running a command that they should not be. Coupled with other telemetry, these Canarytokens may be just the rapid tipoff you need. This talk will explore our research and creation of the new Canarytoken. From windows internals to encoding alerts over a DNS channel, we think these classical offensive techniques can strengthen your defense.

Bio
Casey Smith is a Senior Security Researcher at Thinkst Applied Research. He enjoys continually working to understand and evaluate the limits of defensive systems. He led the development of Atomic Red Team, an open-source testing platform that security teams can use to assess detection coverage. His background includes security analysis, threat research, penetration testing, and incident response. Casey has spoken at several security conferences. DerbyCon, Shmoocon, BlackHat USA, BlueHat, BlueHat IL, and Troopers.

During the investigation into #openssl CVE-2022-3602 Michael Haag and Jose Hernandez from the Splunk Threat Research Team had the question, “who on the internet is registering potentially malicious certificates with punycode in them?” This led them down the path of writing a simple tool named TransPuny to study certificates being registered or changed on the internet with punycode on the SubjectAlternativeName (SAN). This talk will take the attendee on a journey through certificate transparency logs and how they may be used by researchers. In addition, learn how to install and use TransPuny in hopes to identify suspicious intent, and learn about interesting findings and observations found with certificate transparency logs. Spoiler there is A LOT of sketchy activity on the internet happening from sites with punycode in their domain name.

Bio
Jose
Currently, José leads the Threat Research team at Splunk. He started his professional career at Prolexic Technologies (now Akamai), fighting DDoS attacks from “anonymous” and “lulzsec” against Fortune 100 companies. As an engineering co-founder of Zenedge Inc. (acquired by Oracle Inc.), José helped build technologies to fight bots and web-application attacks. Although security information has been the focus of his career, José has found that his true passion is in solving problems and creating solutions.

Haag
Michael Haag is a Senior Threat Researcher at Splunk. Michael has 10 years of experience across the spectrum of cybersecurity. Michaels main focus is the Atomic Red Team project and detection engineering. Michael enjoys threat research but also threat hunting and big data analysis.

Often when red teamers are preparing for initial access, they develop a complex payload and delivery method. Though it was tested in a lab, when launched, something gets caught burning the whole operation. Often the blame falls on the loader when it could be something as simple as the command used to execute. Adjusting just a few things might change the result from a successful callback to total invisibility. Let’s face it detection controls aren’t perfect, and this lack of knowledge often comes from a black box approach.
This talk will show an in-depth walk through of the process to make a sophisticated loader. We will begin by walking through detections, breaking it down into three major categories’ “Delivery”, “Loader”, and “Stage”. This division helps outline the different aspects that can result in the execution being blocked. Understanding the differences in the techniques used in each phase, we will walk through the OPSec considerations that need to be considered as well as what evasion features need to be built into your payload to be successful.

Bio
Matthew Eidelberg is a husband, father, and big security fanatic. Matthew works as an Engineering Fellow leading Optiv’s Red Team & Adversarial Simulation Services team. Matthew has authored several open-source tools including ScareCrow, Freeze, Ivy, Mangle, and published articles focused on EDR evasion and adversarial techniques.

Today CICD platforms are an integral and critical part of the overall software supply chain. To support the business requirements, it processes a lot of sensitive data, compromise of which can have effect on the entire organization. Security IN CICD is a well discussed topic, now security OF CICD deserves the same attention.

One of the challenges with security OF CICD, like most areas of security, is the lack of visibility of what actually makes a CICD ecosystem. Security starts with being aware of what needs to be secure.

In this talk I will be presenting how an organization can approach the visibility and thus security OF CICD ecosystem along with some common attack areas like access controls, credentials hygiene, misconfiguration etc. and their possible solutions.

I will introduce two new open source projects:

1) CICDGuard - a graph based CICD ecosystem visualizer and security analyzer, which

• Represents entire CICD ecosystem in graph form, providing intuitive visibility and solving the awareness problem
• Identifies common security flaws across supported technologies and provides industry best practices and guidelines for identified flaws
• Technologies supported as of now:
• GitHub
• GitHub Action
• Jenkins
• Spinnaker

2) ActionGOAT - a deliberate damn vulnerable GitHub Action for learning purposes

Biography:
Pramod Rana is author of below open source projects:
Omniscient - LetsMapYourNetwork: a graph-based asset management framework
vPrioritizer - Art of Risk Prioritization: a risk prioritization framework
sec-depend-aider - Dependabot pull request monitoring automation platform

He is leading the application security team in Netskope with primary focus on integrating security controls in the development process and providing security-testing-as-a-service to other teams. He loves to understand new security practices and how to practically implement them.

He has presented at BlackHat, Defcon, nullcon and GrayHat before. A security professional by job, a coder by hobby, a runner by passion.

This project stemmed from the RaspberryPi chip shortage, which drove up the cost of RPi Nano W boards making the cost to repair my team's long-range cloners not feasible. In addtion, there were some limitations with existing tooling (Wiegotcha, ESP-RFID-Tool, Tastic RFID Thief, etc.) that I aimed to mitigate. The intent with this project was to accomplish the following:

1. Reduce the amount of wiring/soldering required to go operational.
2. Hotswappable devices for easy servicing.
3. Use modern CoTS equipment that can easily be replaced.
4. The operator can't go into a comms blackhole when connected to the device.
5. Egress for notifications (Email/Text), reducing the need to check for card reads while in the middle of an operation.
6. Simplified WebGUI that only displays Bit Length, Facility Code, and Card Number. Option to download the complete data set(e.g., BL, FC, CC, HEX, BIN).
7. Error handling, so the device doesn't log bad reads, EMI, etc.
8. Easy configuration and reset functionality for team use.

Bio Travis Weathers is a Practice Director on Optiv's Attack & Penetration team based out of Tampa, FL. Since stepping out of the military, Travis has worked within the offensive security space performing advanced adversarial emulation assessments and leading offensive security practitioners.

I want to demonstrate how to exploit a CI/CD system and escalate privileges, as well as how we can defend ourselves and prevent this type of attacks.

Bio >/b>
I am Antonio Juanilla known as Specter, I am an active member and collaborator of the communities in Spain HackMadrid%27 and HackBarcelona%27, member of the CTF flagHunters team, I am DevSecOps, and speaker in the different conferences in LATAM and Spain.

This session will provide you with insights on how to put a security-focused threat model into action for Blockchain Applications. I will share learnings from building an NFT Security initiative and working with creators, developers, and communities as security champions from a seasoned Cybersecurity Professional and Community Builder perspective.

Bio
Kennashka DeSilva is a highly skilled Cybersecurity Consultant at a Big Four Financial Firm with experience ranging in Blockchain Security and Cloud Computing. She has participated as a Main Stage speaker at DEFCON30 in the AppSec Village. Kennashka works in various community initiatives towards tech diversity such as Women For Crypto and serves as an Executive Council Board Member at WICYS Florida.

This presentation will go through the thought process and inspiration for moving into the field, as well as the action plan used to set goals and achieve them. He also plans to go over the resources that he used to go from non-technical to fairly-technical

This presentation is not for the technical wizards or the people who were pwning networks as a teenager. This talk is for the call agent, the fast-food worker, and the truck driver who is looking to find a more fulfilling career. My path to working in cybersecurity is non- traditional, and this presentation is to help other “non-traditional” people find their way into the career they want.After leaving a non-technical business role, Matthew began the process of changing hiscareer into the field of cybersecurity and in less than a year moved into an Offensive Security role.

Bio
Matthew Nickerson is a former Customer Success & Project Manager for a Telecomm company in Florida who recently made a career change into Cyber Security. He is an Offensive Security Consultant at Layer 8 Security in his free time he enjoys golfing (currently on the quest to become a scratch), playing video games, camping (at music festivals and national parks) and spending time with his two dogs.

Are you looking to get a job as a level 1 analyst in a SOC or do you regularly lead month long investigations to counter foreign adversaries access operations? In conducting investigations of all levels of complexity and training over 100 investigators we have found some core skills that helped us solve cases. Identifying what information we can pivot off of is often taught as a very procedural process. We don’t teach how to use tools to enrich information. We teach how to find what information is valuable, and then find how to make a connection. This session is an introduction to this way of investigating that has been used in cases ranging from network intrusion to money laundering. Examples shown will span investigation types from malware to wrongful imprisonment.

bio
Vincent has led security teams for clients globally and is now at an international finance organization where he specializes in incident response, forensics, and insider threat. He is also an instructor at the University of Miami’s Cybersecurity Professional program and has taught at NYU, UCF, and UC Long Beach.

Zeshan Aziz is an independent security researcher with experience in combatting and attributing information operations by nation-states and profit-motivated actors. He is also a Digital Sherlocks scholar at the Atlantic Council. He writes about globally relevant disinfo campaigns, cyber attacks against civil society, and is active in the OSINT community.

Stop Committing Your Secrets - Git Hooks To The Rescue

No one wants their keys, passwords, and other secrets exposed. Ideally, no developer would ever hardcode anything like that into their work. Unfortunately, many repos are just one bad push from the world gaining access to sensitive data and mission-critical systems. In the best-case scenario, you can discover the issue and fix it before something terrible happens; but in the worst case, you don’t find out until it is too late. Just ask folks like Uber or Twitch.

Developers might be familiar with using .env and .gitignore files to help prevent Git from tracking specific files and folders, but did you know that you can leverage git hooks and some open source awesomeness to keep from accidentally committing your secrets in the first place?

Attend this workshop to:

• Learn about the state of secrets sprawl
• Gain a deeper understanding of the .git folder
• Understand git security best practices
• Set up your first git hook
• Get hands-on help setting up a free GitGuardian Internal Monitoring account
• Automate secrets detection before secrets can be pushed to your shared repositories

Bio
Dwayne has been working as a Developer Relations professional since 2015 and has been involved in the wider tech community since 2005. He loves sharing his knowledge by giving talks, and he has done so at over a hundred events worldwide. Dwayne currently lives in Chicago, and outside of tech, he loves karaoke, seeing live music, and doing improv.