2022 Talks

#SBOM is here: making progress (not excuses)

I Am The Cavalry

Allan Friedman, Adam Kojak, Katie Bratman, Chris Gates

A Tale of Two Malware Families - Overcoming Anti-Forensics and Foiling Botnets in the Cloud

Breaking Ground

With a sustained migration to the cloud and widening attack surface, organisations are more susceptible than ever to attacks that are increasing in both severity and sophistication. Despite this, defenders haven’t adapted at the same pace. Recent cloud-focused malware campaigns targeting East-Asian Cloud Service Providers (CSPs) have shown adversary groups possess an increased awareness of incident response techniques and cloud security mechanisms, which are being leveraged in attacks. In this session, Matt Muir, Threat Intelligence Engineer at Cado Security, will provide an overview of two distinct malware campaigns where the threat actors’ knowledge of these mechanisms becomes evident in the TTPs employed. Matt will guide the audience through notable examples of anti-forensics and system-weakening techniques, many of which have never been discussed before, used in real-world attacks on cloud infrastructure. How this exposes the level of sophistication of the attackers will also be discussed. The session will include a deep dive into the evolution of two cloud-focused malware campaigns, where Matt will highlight specific methods used by attackers in these campaigns to evade detection and foil attribution, and how these can be identified by defenders.

Matt Muir

Adding DAST to CI/CD, Without Losing Any Friends WORKSHOP

Training Ground

Everyone wants to put tests into the release pipeline, but no one wants to wait hours for them to finish. In this workshop we will discuss multiple options for adding dynamic application security testing (DAST) to your CI/CD, in ways that won’t compromise speed or results, such as limiting scope, using HAR files, using test subsets, etc. Then we will do it! Learn to set up a CI/CD in GitHub using Actions, create a Bright Sec DAST account, and scan to find many, many vulnerabilities.

Requirements: Users will need a laptop with wifi and admin access to install a repeater tool on their laptops in order to participate. They will also create a GitHub and Bright Sec account, which are both free. They can run the repeater using Windows, npm or Docker for the workshop.

Tanya Janca, Akira Brand

All Things FIDO (Panel + Q&A)


Tim Cappalli, Andrew Shikiar, Christiaan J Brand, Per Thorsheim

Ask a Fed


Q&A with an FBI Agent. This track was previously hosted by Russ Handorf. The purpose of this track is to provide conference attendees with the opportunity to ask an FBI agent questions to explain the mission of the FBI and to promote future collaboration between law enforcement and the cyber community.

Andrew Buel

Ask the EFF


“Ask the EFF” will be a panel presentation and question-and-answer session with the Electronic Frontier Foundation, featuring Kurt Opsahl, Deputy Executive Director and General Counsel; Andrés Arrieta, Director of Consumer Privacy Engineering; Bill Budington, Senior Staff Technologist; Eva Galperin, Director of Cybersecurity; and Mukund Rathi, Stanton Legal Fellow.

Half the session will be given over to question-and-answer, so it’s your chance to ask EFF questions about the law and technology issues that are important to you.

Kurt Opsahl, Andrés Arrieta, Hannah Zhao, Bill Budington, Mukund Rathi

Attack Flow: From Data Points to Data Paths

Ground Truth

The answer to your security problems is locked in data stored in red team reports, text files, threat feeds, and infrastructure APIs with no way for you to bring them together. This talk introduces Attack Flow: a data structure to rationalize security data in paths rather than points. Any time you have actions, assets, and time, you can use Attack Flow to capture the 3C’s: Causality, Complexity, and Context. Whether you work security engineering, DFIR, red team, or strategic planning, come learn how Attack Flow improves finding, sharing, and taking action on your security data. Sure, not all security problems can be solved through better data science and better visuals. But it is a start.

Gabriel Bassett

Back to Basics: Using Descriptive Statistics to Study the Shape of the Internet

Ground Truth

AI and machine learning have been widely applied to various problems in the security domain, becoming increasingly popular over the last few years. While less touted on marketing pages or covered in the media, traditional statistical and exploratory analysis techniques are also valuable tools for any researcher–there is often much to be learned from applying descriptive statistics to security-related data.

This talk will explore applications of descriptive statistical techniques to Censys’ Internet-wide scan data to better understand the shape of the Internet. We’ll compare distributions of various services like HTTP, SSH, and FTP across different ports; examine database exposures and SSH cipher usage; and review trends around popular cloud providers like Amazon, Google, and Microsoft. We’ll also explore seemingly non-existent versions of software, along with other anomalies found in the long tails of these distributions.

Finally, we’ll cover how these techniques can lead to more interesting research questions and inform future analyses. No previous machine learning or statistical analysis knowledge is necessary; this talk will be introductory in nature.

Emily Austin

Beyond logs and time series: observability for security & privacy

Breaking Ground

In recent years, the concept of “observability” has rapidly gained in popularity in the SRE world. By rethinking how signals are gathered and analyzed, this has helped organizations solve reliability and performance problems that traditional logging, monitoring, and alerting did not. This isn’t just for SREs, though: in this talk Amanda will discuss how the same principles can be applied to security signals, along with some guidelines on how to do this kind of rethinking.

Amanda Walker

Building Security Automation Using Jupyter Notebooks

Training Ground

Security Orchestration, Automation, and Response (SOAR) is sweeping SOCs and helping reduce workload and increase accuracy. In a world that’s ever more API driven, being able to create your own automation workflows is a competitive advantage for companies and a career advantage for staff.

This session will show how an interactive computational platform called Jupyter Notebooks can be used to prototype security orchestration (or even build production quality automation). We’ll get hands-on with data enrichment APIs to show just how quickly and easily tools can be built.

A web browser and keyboard are required for the interactive parts. Basic knowledge of Python is useful but not strictly required.

Joe Schottman

Busting Biases in Infosec

Common Ground

Biases are vulnerabilities in our brains. Our minds serve as pattern seeking biomachines telling us what to focus on and how to make decisions with the sensory inputs we receive. This talk will explore various biases an InfoSec practitioner might come up against in metrics, hiring, promoting, and incident response. The audience will receive mental tools to identify and address biases as they encounter them and to improve their decision making.

Jack Hatwick

CICD security: A new eldorado (talk)

Ground Floor

CI/CD pipelines are increasingly becoming part of the standard infrastructure within dev teams and with the rise of solutions such as Infrastructure as Code, the sensitivity level of such pipelines is escalating. In case of compromise, it is not just the applications that are at risk but the underlying systems themselves and sometimes the whole information systems. Attackers are beginning to exploit those weaknesses both for supply chain attacks and to escalate their privileges within the victim IS.

Remi Escourrou, Xavier Gerondeau, Gauthier Sebaux

CICD security: A new eldorado (training)

Training Ground

CI/CD pipelines are increasingly becoming part of the standard infrastructure within dev teams and with the rise of solutions such as Infrastructure as Code, the sensitivity level of such pipelines is escalating. In case of compromise, it is not just the applications that are at risk but the underlying systems themselves and sometimes the whole information systems. Attackers are beginning to exploit those weaknesses both for supply chain attacks and to escalate their privileges within the victim IS.

In this fully hands-on workshop, we’ll guide you through multiple vulnerabilities that we witnessed during numerous penetration tests. You’ll learn how to:

  • Get a foothold within a CI/CD pipeline
  • Find interesting secrets and other information within code repositories
  • Pivot and exploit weak configuration on the orchestrator
  • Compromise building nodes in order to add backdoors to artifacts
  • Pivot on cloud infrastructure
  • Escape Kubernetes thanks to common misconfiguration
  • Perform a privilege escalation in AWS

Hands-on exercises will be performed on our lab environment with a wide variety of tools. For each attack, we will also focus on prevention, mitigation techniques and potential ways to detect exploitation.

Remi Escourrou, Xavier Gerondeau, Gauthier Sebaux

Can a password management service safely learn about users’ passwords?


Abstract will be written later, but the talk is an early exploration of whether differential privacy and other tools can enable a password management service to safely learn aggregate data such as average password strength. The talk does not give an answer. But it lists challenges and some potential approaches.

Jeffrey P Goldberg

Clean Forensics: Analyzing network traffic of vacuum bots

Ground Floor

Have you ever wondered how vacuum bots work under the hood? How safe is your home’s floor plan that these bots automatically scan? This talk will walk you through a step by step procedure on how you can perform network forensics all from the comfort of your own home. For a particular set of bots, we uncovered and reported issues like plaintext transmission of passwords and a way to manipulate their cleaning schedules. The audience walks away with not only the awareness of security and privacy issues with vacuum bots but also a method to research on their own.

Karan Dwivedi

Climbing the Production Mountain: Practical CI/CD Attacks Using CI/CD Goat

Ground Floor

To date, well-known attack scenarios like moving laterally in the domain or network to obtain privileged accounts, abusing misconfigurations in production systems, compromising engineers’ workstations, or exploiting vulnerabilities to breach the perimeter of a cloud data center, are the consensus for attacking organizations’ environments. The methodologies are well-known both for the hackers and the defenders, making it harder for hackers to succeed - while staying undetected.

We all keep hearing about the rise of attacks targeting CI/CD environments - the systems that are linked together, and are responsible to ship code and artifacts from developers to production. But how many of us got to see actual attacks being planned and executed, step by step?

Come to this talk to learn about attack vectors that will lead you to production through CI/CD. With nothing but read permissions to a source code repository, you might be just one pull request away from production access. This talk will showcase real-world flows and demos - based on the recent CI/CD Goat open source project.

Omer Gil, Asaf Greenholts

Code Dependency: Chinese APTs in Software Supply Chain Attacks

Ground Floor

In their current drive for innovation and cloud migration, organizations increasingly rely on software development and all its dependencies: third-party code, open source libraries and shared repositories. Recent attacks have shown how easy it is to create confusion and send malicious code undetected through automated channels to waiting recipients. State-sponsored threat actors have engaged in software supply chain attacks for longer than most people realize, as governments seek out access to information and potential control. SolarWinds delivered a hard truth to defenders: everyone is vulnerable when trust can be abused. While Russian APTs have garnered much attention, Chinese APTs have been the force behind more attacks than people may realize, targeting the technology sector for economic espionage and intellectual property theft.  As we innovate our enterprises line by line, adversaries are finding their strength in our weaknesses and vulnerability in our dependencies. Are we ready for what else comes down the CI/CD pipeline?

Cheryl Biswas

Comparing Centrally and Locally Verified Memorized Secrets


Secrets memorized by the user (passwords, passphrases, PINs, etc.) can be verified centrally or used locally to unlock a multi-factor authenticator. Centrally verified and locally used memorized secrets have very different vulnerabilities, and therefore should have different complexity and storage requirements. This talk will attempt to clarify some of the terminology in this area and to present candidate requirements for both classes of memorized secrets.

Jim Fenton

Breaking Ground

A seasoned infrastructure professional and a web developer walk into a red team engagement. The point-of-contact says “Hey, we have an extremely mature security model, and we inspect all the traffic.” So what does our red team do? They write a tool to exfiltrate data, encoded, obfuscated, and hidden in plain sight in HTTP traffic. And when you write a tool that exfils data via cookies, what do you call it? We called it Cookie Monster, and this session is all about it, how it’s built and functions, its usage of other auth methods for hiding payloads, its relatively young command and control functionality, and what the development roadmap looks like for the future.

Eric Kuehn, Mic Whitehorn-Gillam

Cracking passwords for good, bad & commercial purposes: second thoughts on password cracking


Who am I to speak? I’ve been cracking passwords for more than two decades, privately for hobby & research, and as part of my job. Heck, I’ve always said that what you learn at PasswordsCon should only be used for good. But what is “good”, and is there a chance others might not like what we do when cracking passwords from public or private leaks, customers or our own employer?

Per Thorsheim

Day One Feedback Loop: What did we hear?

I Am The Cavalry

Detecting Log4J on a global scale using collaborative security

Breaking Ground

Utilizing collaborative security to collect data on attacks we were able to detect Log4J in a quite unusual but effective manner. We’ll show you how CrowdSec enables the entire infosec community to stand together by detecting attempts to exploit a critical 0day, reporting them centrally thereby enabling anyone to protect themselves shortly after the vulnerability was made public. The unusual part is that this is done using FOSS software and by analyzing logs of real production systems but in a way that doesn’t compromise the anonymity of anyone (except the attacker, of course) and doing so with a reliable result where poisoning and false positives are almost impossible. Too good to be true? Come by and judge for yourself!

Klaus Agnoletti

Everything I know about prototype pollutions: how to react when confronted to a brand new vulnerability

Breaking Ground

In 2018, I received a report about an attack vector I never heard of. It was the first report about prototype pollution. Since then, this vulnerability has been used to publish more than 177 CVEs. But back then, I was in the dark. I did not know what would be the real impacts of this attack vector. I could not find any literature on similar cases and to add up to that, we were used to receiving dozens of reports that did not make sense. I was potentially opening the door to a train of vulnerabilities impacting one of the biggest programming ecosystems in the world. Four years later, we have gone a long way. I want to tell you everything I know about prototype pollutions and how to prevent them in the code or at runtime!

Vladimir De Turckheim

Failing Upwards: How to Rise in Cybersecurity by finding (and exploiting) your weaknesses

Hire Ground

One day as a sysadmin I was asked to just deal with the WAF, and now I’m a CSO, 18,000 miles, 5 countries and 6 years later. How did this happen?!

Full disclosure: I’m a mediocre sysadmin, an okay engineer, an acceptable architect, and a reasonably good infosec officer. What links them, and my rise through the corporate layers, is that at one point or another my hard work hit a wall and they said “you know what? You’ve done well but how about you head upward while the more apt people finish what you started?”

So here I am, rising far too quickly, doing just enough to keep the Imposter Syndrome at bay, and somehow succeeding at (cybersec) business without really trying. Come find out how!

Wes G Sheppard

Find your north star

Hire Ground

This talk will cover what kinds of job categories match your skills and temperament. Then how to think about a way to map out your career. Finally we will cover how to build out the skill set to get the job you want and to include how to actually get the job. I have a lot of scar tissue on both the hiring and looking side that I want to share so you can avoid getting your own.

Steve Winterfeld

Follow the Rabbit


What happens when you’re a malware author and have bad OPSEC? You get exposed, that’s what. This talk will show you what information can be gathered from malware analysis all the way to attribution. Follow the rabbit with me and discover the power of threat intelligence and really bad OPSEC.

It’s Malware

Fragilience - The quantum state of survivable resilience in a world of fragile indifference

Breaking Ground

We’ve arrived at the latest iteration of a buzzword’s return as a term of art that is fashionable in IT pop-culture the way that bell bottoms ultimately come back into style every ten years or so.

Whether you enjoy words like: survivable, robust, or the most popular refrain of all: resilience, the technical, business, operational and cyber elements that contribute to an entity’s ability to continue to function — and perhaps even benefit — from stressors have taken center stage with stakeholders and regulators alike.

There is a lot at stake in correctly defining both the meaning and outcomes of work like resilience, and depending upon one’s perspective, many get it wrong, not because their definition is flawed, but because they cave to the human condition of trying to over-simplify incredibly complex meaning with soundbites that can be productized, marketed and TAM’d to a magic quadrant or a chasm to cross. See also: Zero Trust.

I give you the result: Fragilience.

Chris Hoff

From Vulnerability to CTF

Ground Floor

What happens when you find vulnerabilities by day, and write capture the flag challenges by night? Answer: teachable moments! At their core, most long-lived vulnerabilities have a little kernel of something at their core that makes them interesting: are they hard to find? Hard to exploit? Part of a multi-part attack? In a place nobody thought to look? Too obvious? Distilling what makes a vulnerability cool, then making that into a CTF challenge, is an unusual skillset that qualifies one for a distinguished career in “edutainment”.

In this presentation we’ll do a deep-dive into some interesting vulnerabilities and what makes them unique, then talk about the CTF challenges where the vulnerabilities lived on in eternal undeath.

Ron Bowes

GPT-3 and me: How supercomputer-scale neural network models apply to defensive cybersecurity problems

Ground Truth

A key lesson of recent deep learning successes is that as we scale neural networks, they get better, and sometimes in game-changing ways. In this talk, I’ll demonstrate and explain how supercomputer-scale neural networks open new vistas for security, qualitatively changing the horizons for machine learning security applications in surprising and powerful ways. Specifically, I’ll demonstrate two applications of large neural networks to security problems that wouldn’t have been tractable with smaller models: generating custom, human-readable explanations of difficult-to-parse attacker behavior and detecting malicious behaviors even when we have very few examples of the kind of behaviors we’re looking for. I’ll describe each example application in transparent and reproducible detail, and then show you how you can use this work, or do your own large neural network experimentation, using publicly available models like OpenAI’s GPT-3 series of models.

Joshua D Saxe, Younghoo Lee

Hacking Remote Interviewing: Lessons Learned

Hire Ground

Finding a remote Infosec position can be daunting but there are some factors completely within your control to tilt the odds in your favor - in an ethical manner. Learn how to maximize your interview and minimize any distractions that may arise as you work your way through the process to achieve that desired phrase: ‘continue with the next steps.’

Will Baggett III

Honey, I’m Home! (Customizing honeypots for fun and !profit)

Common Ground

Honeypots AND live demos all in one place? Yes, why YES I tell you! Oh sure, honeypots aren’t new, but how they are used is what makes this talk different. Presented for your viewing pleasure: How to customize honeypot configurations and how they are used to detect attacks against your environment.

Kat Fitzgerald

How to Succeed as a Freelance Pentester

Proving Ground

Have you ever thought about what it would take to work as a freelance penetration tester? How do you ensure that you’re not putting your financial life at risk? How do you approach all the legal aspects that come along with penetration testing? How do you actually find work? Join Mike as he discusses the lessons he’s learned and the steps he’s taken to succeed as a freelance penetration tester.

Michael Lisi

How to Win Over Executives and Hack the Board

Common Ground

Stop me if you’ve heard these before (or maybe you’ve said them yourself), “Management just doesn’t listen”, “The executives don’t care”, “The board just doesn’t understand”. These exasperations can be very common for hackers. We know bad things are but we just can’t seem to get the support of our organizational leadership to fix them. Even when CISOs or high-level security leaders break through and get time with the board, it’s not uncommon to see them with their heads down looking at their phones. Well, this session is your master class in turning that around and making these conversations work for you.

Come learn from a hacker turned security executive about how to leverage hacking techniques to influence business leaders. Learn to effectively plan and deliver a message, recover engagement from an audience that’s tuned out, and overcome some of the skepticism and animosity that can derail your efforts with tactics you already know. You’ll see real-world examples from presentations that succeeded as well as from those that failed. Whether you’re in an individual technical role or in the executive suite, this is a chance to up your game and start gaining the support you need.

Alyssa Miller

I got an alert, now what?

Ground Floor

New alert hits, is this a threat that could take down your infrastructure? You’ve got to be quick or it could be your company’s name in the news. Let’s slow this down and take the pressure off. “How do you assess a new alert and determine if it is a threat? Is the first thing to just go to VirusTotal, check hashes, google stuff, and see what information there is?”

Let’s walk through assessing a new alert, how to investigate if something is an active threat, and what questions we should ask to make an educated decision about if something is a threat.

Kellon Benson

I know…But I Have a System


Cecilie Wian

I’m a Little Bit (FedRAMP) Country, I’m a Little Bit SOC2 ‘n Roll

Common Ground

Since its introduction in 2011, the Federal Risk and Authorization Management Program (FedRAMP) has been required for all companies providing cloud-based services to the Federal government. FedRAMP was developed in order to address the lack of a standardized method for evaluating and monitoring the risk and security of providers of cloud-based services to Federal agencies. Meanwhile, System and Organization Controls (SOC) 2 assessment is often used by companies to demonstrate a secure baseline of operations as well as an enterprise sales tool to other businesses.

So if you have a SOC2 and want to start providing services to federal agencies, how do you leverage your existing program to achieve success in FedRAMP certification? In this session, participants will be provided with an introduction to FedRAMP and other Federal information security frameworks - both in terms of the general requirements for compliance and successful authorization, and in terms of identifying organizations that are best suited to pursue Federal contracts. Strategies to transform your SOC2 compliance program into one that complies with the FedRAMP baselines will be discussed, and participants will be provided with best practices for maintaining SOC 2 and FedRAMP programs in parallel.

Shea Nangle, Wendy Knox Everette

IATC Workshop Part 1: Next Phase of IATC Mission

I Am The Cavalry

IATC Workshop Part 2: Next Phase of IATC Mission

I Am The Cavalry

ICS Security Assessments 101 or How da Fox I Test Dis?

I Am The Cavalry

We have seen many ICS attacks both in the news and in several talks at security conferences. They show how ICS protocols are insecure by default and how we can mess with control components so easily. However, from a consulting point of view, are we really asking our ICS clients to let us mess with their critical infrastructure just to show what we already know?

In this talk, I’ll show how we can scope and address an ICS security engagement aligned with the industry’s needs. I’ll talk about real-world planning, attack surface identification, exploitation, and reporting from the understanding of what is giving value to our ICS clients. To keep things spicy, I’ll also include short demos to better show what we can do for each assessment type and yea some exploitation as well.

Yael Basurto

Injectyll-HIDe: Hardware Implants at Scale

Breaking Ground

Enterprises today are shifting away from dedicated workstations, and moving to flexible workspaces with shared hardware peripherals. This creates the ideal landscape for hardware implant attacks; however, implants have not kept up with this shift. While closed source, for-profit solutions exist and have seen some recent advances in innovation, they lack the customization to adapt to large targeted deployments. Open-source projects exist but focus more on individual workstations (dumb keyboards/terminals) relying on corporate networks for remote control. Our solution is an open source, hardware implant which adopts IoT technologies, using non-standard channels to create a remotely managed mesh network of hardware implants. Attendees will learn how to create a new breed of open-source hardware implants. Topics covered in this talk include the scaling of implants for enterprise takeover, creating and utilizing a custom C2 server, a reverse shell that survives screen lock, and more. They will also leave with a new platform from which to innovate custom implants. Live demos will be used to show these new tactics against real world infrastructure. This talk builds off of previous implant talks but will show how to use new techniques and technologies to move the innovation of hardware implants forward evolutionarily.

Jonathan Fischer, Jeremy Miller

‘It was a million to one shot, Doc. Million to one’ – Lessons learned while modeling rare catastrophic cyber loss events

Ground Truth

For many years, the InfoSec community has been skeptical about the feasibility of estimating cyber risk, especially risk of rare catastrophic events. RMS has just completed Version 6 of our Cyber Solutions Risk model for the insurance industry, and in this talk we share our lessons learned, including – How to make the most of available empirical data; Scoping out the space of possibilities; Modeling mechanisms is key; When and how to “guesstimate”; Getting the level of detail right; Managing model complexity; Pitfalls to be avoided; and Building trust in the model and its output. We will close with some thoughts on where quant. risk modeling is going and how it might be more widely used.

Russell Thomas, Christopher Vos

Lessons Learned from the CISA COVID Task Force & Healthcare Attacks

I Am The Cavalry

The session will explore Lessons Learned from the Pandemic, and the work of the CISA COVID-19 Task Force. It will specifically focus on the work done by the Task Force’s Strategy Cell and Risk Analysis Cell focused on COVID-19’s impact on the Provide Medical Care National Critical Function. A highlight of the task force’s work was the CISA Insight analysis and publication on “Provide Medical Care is in Critical Condition: Analysis and Stakeholder Decision Support to Minimize Further Harm”. As the COVID-19 pandemic continued to evolve, with increased and protracted strains on the nation’s critical infrastructure and related National Critical Functions such as Provide Medical Care, CISA undertook a renewed push for cyber preparedness and resilience, as well as decision support for stakeholders within critical infrastructure sectors.

Kendra L Martin, Michelle Holko

Long Overdue: Making InfoSec Better Through Library Science

Ground Truth

Libraries and archives are thought to have existed back to the year 3000 B.C. In the years since then, the collection and organization of information has been refined and mastered. In the relatively new Information Security discipline, we experience fatigue from all the data, news, and alerts we receive in a steady, powerful stream. That’s not even accounting for the fatigue from the human factor which is at the core of Information Security. This talk will show you how to refine how you approach InfoSec by learning from examples refined by Library Science. Get tips on information organization and management, guidance for people skills, and thinking of your network as a library to help make security an ingrained part of your enterprise. Linton Weeks said, “In the nonstop tsunami of global information, librarians provide us with floaties and teach us to swim.” The presenter has a Master of Library and Information Science degree and worked as a librarian for 20 years. Check out this session and use book smarts to make you more cyber smart.

Tracy Z Maleeff

Look! The scammer is coming! The peculiarities of Brazilian frauds, hackers creativity, and their resilience

Ground Floor

What comes to your mind when you think about Brazil? Probably Carnival, caipirinha, summer…. However, has it ever crossed your mind that Brazil is one of the leading countries in the global ranking of online fraud?

Brazil was an early adopter of online banking technology in the beginning of the 1990’s. The Brazilian financial system is quite advanced with high security standards and controls. Transferring money between Brazilian and foreign banking accounts, for example, is not free of bureaucracy at all!

In order to cheat people, fraudsters use different tactics such as social engineering, phishing, and fake invoices, aiming at credit card skimming, cloning scams and Pix - instant and free electronic payment.

These Brazilian scams have been gradually expanding into other countries in Latin America, and have already reached some European countries. Now, the Brazilian way of fraud wants to take over the world with its MacGyverism.

In this talk, we will detail the eccentricities of the Brazilian threat landscape, how fraudsters operate, their creativity, and show why they are not so easily intimidated. In addition, we will discuss the artifacts used, how Brazilian hackers subvert bank protections, and its uniqueness in these types of fraud.

Cybelle Oliveira

M33t the Press: CyberSafety Got Real… Now What?

I Am The Cavalry

So much “cyber” news has been measured in dollars & data… and many of the concern areas of the Cavalry origins 9 years ago had “not happened yet”. That’s all changed. Now that harms are affecting food/shelter/safety, how is coverage changing? How should it? And how can the public safety “voices of reason” best evolve to ensure the stories that need telling are told well to drive impact?

Lily H Newman, Joe Uchill, Suzanne Smalley

Malware Analysis - Red Team Edition

Ground Floor

In this talk and technical deep-dive analysis, we will present the importance of malware analysis in red teams, how it can be used, why, and how APT groups learn from each other’s malware, followed by practical use-cases. The goal of this talk is to understand the importance, benefits and power of using malware analysis and developing your own malware, followed by practical examples live on stage.

Uriel Kosayev

Management Hacking 101: Leading High Performance Teams

Hire Ground

Have you been recently promoted (willingly or unwillingly) into a leadership role within your organization? Are you someone that has been a technical “individual contributor” and now you’ve made a career change into management? If so, this talk is for you!

Tom Eston, AVP of Consulting at Bishop Fox, will share his 17-year career journey from IT professional to penetration tester, making the leap into management, and now as an executive overseeing multiple teams. Throughout his career he’s learned many lessons on how to be a better manager and leader. In this talk he’ll share his real-world experiences to help you be a great manager and leader. Topics include:

• What makes a great team
• How to hire great people
• Understanding emotional intelligence
• What motivates team members
• Goal setting and evaluating performance
• The importance of communication, feedback, and coaching

After this talk you will be able to immediately apply these concepts to yourself and the teams you manage.

Tom Eston

Model Robustness Isn’t Security

Ground Truth

There are a lot of ML security companies selling tools to make your model robust, or audits to verify that your model is robust. Some of these claims are mathematically impossible, unless they have solved open problems that have plagued ML from its inception. Also, in a real deployment scenario it does not help secure the overall system. In this talk we will go over why robustness is mathematically an almost impossible problem, how several robustness solutions claim to work and how they fail,

Sven Cattell

Oauth third party not departing

Proving Ground

This talk is about persistent infections with OAuth third-party apps connected to business SaaS platforms. We will unveil the technique we developed to keep a watchdog app persistent so that it restores an app after attempts to disable it, and we will go over the latest techniques to keep persistent and to bypass MFA on Office 365 and Google Workspace even after a malicious app is disabled.

In this talk, we will go over the new risks introduced by OAuth integrations into business SaaS and how to use them to keep persistence in users who took your bait and installed an app or sent you their auth flow grant and now you are connected to their cloud account.

Gadi Z Naveh, Alon Rosenblum

PG Forensics. (No, the other Forensics.)

Proving Ground

Parsing Differential Problem

Ground Floor

As microservices have become a prevailing trend in the current software engineering landscape, it is of increased importance to consider security risks arising from interactions between components within a system.

I have chosen to focus on the specifics of how vulnerabilities surface due to the differences in how HTTP requests are parsed across various services. Such inconsistencies would result in inconsistent states, which could snowball into critical security bugs.

In this talk, we will delve into the mechanisms involved in the parsing differential problem, and seek to remedy it using methods inspired by real life examples from existing works by researchers.

Cher Boon Sim

Passkeys: Where we started and where we’re going


You’ve most likely heard of FIDO and WebAuthn, but have you heard of passkeys? Passkeys aim to solve some of the key usability issues holding back FIDO adoption and pave the way to true, passwordless authentication. We’ll start by discussing some FIDO basics and then move on to best practices when implementing passkey-based authentication in your app or website.

Christiaan J Brand

Password surveys are shit!


Asking “How many passwords do you have” is not the same as asking “how many accounts do you have”, which again is not the same as “how many accounts do you have, both active and inactive?”. And when you ask if they counted their PINs into those figures, the answer is no, because to most a password and a PIN are two very different things!

Per Thorsheim

Penetration Testing Experience and How to Get It

Hire Ground

There are many resources to learn how to become a pentester but the lack of experience can be an obstacle when getting that dream role in pentesting. The Pentester Blueprint coauthor Phillip will share ways to get experience and demonstrate the experience and skills that are helpful in getting started in a pentesting career.

Phillip Wylie

Protecting Against Breached Credentials in Identity Workflows


Breached credentials are the root of many of the most common identity-based attacks. This talk gives an overview of beloved attacks built on a foundation of leaked passwords, like credential stuffing, presents insights from real-world consumer identity and access management (CIAM) log data, and proposes mitigation techniques that defenders can employ in their identity workflows.

Mathew Woodyard

Proving Ground Prep/Signups

Proving Ground

Mouse, Falcon Darkstar

Prowler Open Source Cloud Security: A Deep Dive Workshop

Training Ground

Whether you are a long time Prowler user or if you are just getting started, this workshop will give you the tools to get AWS security up and running and under control at your organization.

Prowler, the beloved AWS security open source tool, has some new features and important changes coming in v3.0. This includes a new check architecture, Python support, and a load of new checks for compliance and AWS services.

We will cover how to get started and how to take advantage of all the new features in Prowler v3.0.

Toni De la Fuente, Sergio Garcia

Putting Driver Signature Enforcement Tampering to Rest?!

Breaking Ground

Code Integrity is a threat protection feature first introduced by Microsoft over 15 years ago. On x64-based versions of Windows, kernel drivers must be digitally signed and checked each time they are loaded into memory. This is also referred to as Driver Signature Enforcement (DSE).

Threat actors usually tamper with DSE at runtime to disable it and run their rootkits. In response, Microsoft introduced different measures to prevent that. One of those is leveraging Kernel Data Protection (KDP), a new platform security technology for preventing data-oriented attacks.

In this talk, we’ll present two novel techniques we found to bypass KDP-protected DSE, one of which is feasible in real-world scenarios, and run them on live machines. We will also show how it’s possible to create an effective mitigation to cope with the issue until HVCI becomes prevalent and really eliminates this attack surface.

Omri Misgav

Ransomware Emulation Done Right

Breaking Ground

Ransomware is one of the most prevalent cyber security threats. Information security teams need to understand the variety of ransomware out in the wild to act on it successfully in case they are affected. Ransomware emulation allows you to understand this malicious behavior, and when an adversary emulation is done right, it provides a safe way for an enterprise to enhance its defenses and capture the necessary behaviors to effectively test detection rules and security tools/products.

Shreyas Rami, Shaun Jones

Repurposing Vulnerability Tickets to Predict Severity Levels: An Introduction to Natural Language Processing and Classification Algorithms

Ground Truth

The process of manually determining severity levels for detected vulnerabilities is susceptible to inaccuracy and inconsistency. The main reason is that individuals and teams approach this decision with varying backgrounds and perspectives. Similarly, depending on the complexity of the vulnerability and/or experience level of the team member, manual fulfillment can also contribute to fluctuating completion times, ultimately impacting operational progress. Eventually, an org can accumulate a repository of vulnerability tickets with little to no discernible justification process for the prioritization of detected vulns.

The purpose of this talk is to introduce natural language processing (NLP) and classification algorithms by emulating prior work that successfully improved this process flaw. By applying existing methods to a sample of vulnerabilities pulled from a public data source, the value of repurposing text within vulnerability tickets to predict severity levels will be effectively shared. The result of this work is a tool that can be used by multiple teams and individuals where a word is entered and the severity level is predicted.

Brittany Bahk

Reverse engineering a DOS PC FMV Game from 1994

Proving Ground

An interesting look at how things don’t always go to plan during the development of a video game, using a copy of the final game itself and digital archeology methods to uncover its history. We take a look at an outdated and forgotten PC CDROM game which at the time seemed to push the edge of what PCs were capable of, and get to find out what tools the developers had at the time to make it happen.

Andrew Lewton

Rivers on Fire; Shaping the next phase of the mission

I Am The Cavalry

For 9 years, we’ve been an empathetic, helping hand, and catalyst for cybersafety - wherever bits & bytes meet flesh and blood. “Stuff” is on fire - across critical infrastructure… The water we drink, the food we put on our table, the oil & gas that fuels our cars and our homes, the schools our kids attend, the municipalities who run our towns and our cities… and even the timely access to healthcare during a global pandemic - with losses to human life.

We’ll review several of the “rivers on fire” that have tipped consciousness, explore how things are changing, and pose difficult questions to this community… It’s time to evolve our mission for this next phase…

Joshua Corman, Beau Woods

Russian Malware in the Ukraine War

Common Ground

Ukraine has been hit with wave upon wave of malware by Russia. During the build up to the war and every day since. During my time in Kiev, evacuating and working on efforts to evacuate over 1000 people with humanitarian orgs. Targets have ranged from the Ukraine government to everyday citizens and refugees. With grave human effects. From banking, foreign exchange, ATMs, water infrastructure attacks, Ukrainian border patrol, orphan database, surveillanceware against refugees and humanitarian organizations. A constant flow of digital harassment and pain. Including the first known instance of a digital Geneva Convention violation I witnessed and brought to international media attention. A journey into the worst side of cyberwar from a defender that fled Ukraine.

Chris Kubecka

SBOM challenges and how to fix them!

Common Ground

Today’s modern software services are built on top of open source libraries, and this makes consumers susceptible to the open source vulnerabilities. This includes risks due to known CVEs and malicious source codes, operational risk due to dead dependencies and out of date software and legal risks due to licensing discrepancies.

Software Bill of Material (SBOM), as a concept, offers an inventory of details of all components that constitute software services. SBOM is the first step to manage vulnerabilities of 3rd party dependencies.

The challenge is that producing an accurate SBOM (low false positives and false negatives) is not easy, and using noisy SBOMs can be misleading and quite wasteful! In this talk, we walk you through the existing tooling landscape for SBOM generation, enumerate the challenges we faced employing these tools to generate SBOMs from our source codes, and share critical advice on how to generate the “correct” SBOM. We will also enumerate the open SBOM challenges we have identified for the security community to address.

Hossein Siadati, Trupti Shiralkar

STUFF is on Fire - a Panel

I Am The Cavalry

This session will discuss observations and concerns from subject matter experts across several different disciplines of critical infrastructure to show that not everybody has ‘gotten the memo’ about the need to incorporate security practices into the operations that provide for really important elements of contemporary life. The goal for the session is not to simply make people feel terrible about the current state of affairs, but to identify some security elements that if added to operations could meaningfully improve their ability to continue to operate in the current contested environment.

David Batz

Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once and For All

Breaking Ground

Hundreds of thousands of human hours are invested every year finding common security vulnerabilities with relatively simple fixes. These vulnerabilities aren’t sexy, cool, or new, we’ve known about them for years, but they’re everywhere!

The scale of GitHub & tools like CodeQL (GitHub’s code query language) enable scans for vulnerabilities across hundreds of thousands of OSS projects, but the challenge is how to scale triaging, reporting, and fixing. Automating the creation of thousands of bug reports isn’t useful, & would be a significant burden on volunteer maintainers of OSS projects. Ideally the maintainers would be provided with not only information about the vulnerability, but also a fix in the form of an easily actionable pull request.

When facing a problem of this scale, what is the most efficient way to leverage researcher knowledge to fix the most vulnerabilities across OSS? This talk will cover a highly scalable solution - automated bulk pull request generation. We’ll discuss the practical applications of this technique on real world OSS projects. We’ll also cover technologies like CodeQL & OpenRewrite (a style-preserving refactoring tool created at Netflix & now developed by Moderne). Let’s not just talk about vulnerabilities, let’s actually fix them at scale.

Jonathan Leitschuh, Patrick Way

Secrets of the Second Factor: Threat Hunting with Multi Factor Authentication


This isn’t the typical talk convincing you to setup 2 Factor Authentication (2FA), as if you haven’t already had it on your video game account years before your bank even considered it. There’s more to Multi Factor Authentication (MFA) than protecting an account from a bad, reused, or dumped password. Let’s go discover all the dirty little secrets in $company using the MFA logs!

Break the barrier of complacency that comes with MFA, Zero Trust, and ! Explore all the obvious security violations of risky login habits. I’ll step through why you should be logging every authentication attempt and read the logs to discover all the hidden secrets that could have been unnoticed for years. Bad actors and policy violations slip by other data sources and behavior analytic tools but become clear when you know how to hunt the secrets of the second factor.

Susan Paskey

Secure IT Operations, or, How to Shoehorn Security into a Small/Medium Business

Common Ground

What should be considered when starting up a security program at a small to medium sized business, especially one that has not had a formal security program before? I will walk you through my personal experience and insight of over a decade of security building for small organizations. We’ll cover what went right and what went spectacularly wrong. Most importantly, we’ll talk about the advantages that small organizations have when it comes to starting a security program and how to leverage them.

Carl Hertz

Security AI in the real world: Lessons learned from building practical machine learning systems deployed to hundreds of thousands of networks

Ground Truth

Machine learning has become indispensable in modern cybersecurity, but knowledge of how to build security machine learning systems that go beyond proof-of-concept is not widely available. In this talk, I’ll break the ice on discussing best practices for bringing machine learning into the domain of actual security practice, discussing how to research, develop, build, deploy, and operate security machine learning systems effectively in real-world environments. Based on seven years of experience deploying machine learning systems to hundreds of thousands of organizations, the talk will start with a discussion of what capabilities machine learning affords and where machine learning can help within cybersecurity ecosystems. I’ll then discuss a representative set of real-world machine learning operationalization case studies, including alert prioritization, mobile malware detection, malicious web content detection, and phishing detection. In each example, I will go beyond simple proofs of concept to describe a fully fleshed out and deployable system in which machine learning co-exists within a larger ecosystem of allowlists, blocklists, and signatures. Finally, I’ll give pointers to how you can learn more, and references to papers my colleagues and I have authored describing the machine learning models covered in the talk.

Joshua D Saxe

Security Data Science Meet-Up

Ground Truth

‘See you later, allocator!’: Updating Volatility’s analysis of modern Linux memory allocators

Breaking Ground

Memory forensics, which is the recreation of system state through the analysis of physical memory (RAM), is a key technique for responding to modern security incidents. Given the frequent use of memory-only frameworks and payloads by attackers, memory analysis is often the only technique that incident response handlers can rely on to perform complete investigations. In this talk, research will be presented that introduces newly developed techniques for deep examination of Linux memory samples. This includes new research performed against the kernel memory allocator, known as SLUB, as well as the development of new Volatility capabilities that leverage the research to uncover new artifacts. With these new capabilities, investigators can uncover a wide variety of system information that will greatly increase insight into examined systems. This includes direct recovery of processes and network activity hidden by malware, file system interactions by attackers, and historical information not available to live forensics tools. Attendees of this presentation will be shown examples of how to use Volatility to recover these artifacts, and the code developed during this research process will be contributed to the open source Volatility project. This will allow attendees to immediately use the presented capabilities during their daily investigations.

Daniel A Donze

So Who’s Line Is It Anyway? (A Recruiter Panel)

Hire Ground

Conversations with recruiters are always challenging. What do you say? What do they say? Who goes first? Who should follow up? This panel is made up of two amazing recruiters who are long time volunteers in the community who know how to coach hackers in their job search but also how to navigate the hiring process. Come to listen to a frank discussion about recruiting and job search. More importantly, come to ask questions!

Kirsten Renner, Kris Rides

So You Wanta Build a C2?

Breaking Ground

There seems to be a handful of different C2 solutions to use out there, but have you ever thought of building one? From scratch? iDigitalFlame takes us on a journey through the process he faced building his C2 framework XMT, with accompanying solution ThunderStorm. He’ll cover the intricacies of building your own networking protocol, defense evasion and cool new techniques he discovered.

This talk will cover some interesting Golang programming practices, optimizations and hacks to the Golang runtime and cover the ongoing development process including test cases that were run during a couple of ProsVJoes CTF games in 2020 and 2021.

In addition to a demo of it in action, iDigitalFlame will provide color commentary on some fun bugs, programming troubles and silly Windows API issues that almost drove him mad.


Solid Tradecraft for Cryptomarket Drug Trafficking

Proving Ground

A review of common DEA and Law Enforcement attacks against cryptomarket narcotic vendors. The talk will discuss forensics minimization procedures to deanonymize criminal operators including fingerprint, DNA, hair, and saliva recovery. Good mailing OPSEC is discussed and contrasted with replacing the mail system with one-time dead drops for mid-level trafficking. Minimizing risk during a controlled delivery and the factors unique to using mail drops are considered. Narcotics manufacturing OPSEC, organizational compartmentalization, and frequent teardown reorganizations are discussed. Finally, OPSEC failures of high profile cryptomarket traffickers such as DPR/Ulbricht and Le Roux are compared and contrasted with those of Guzman, a more “traditional” transnational narcotics trafficker. Cryptomarket operators using the OPSEC and COMSEC procedures discussed will be substantially more difficult for state-level actors to deanonymize.

Lawrence Fox

Speeding Up AWS IAM Least Privileges with Cloudsplaining, Elastic Stack & AWS Access Analyzer

Training Ground

There are two main problems in the cloud security world: IAM Permissions & Control Plane Misconfigurations.

In the current cloud security world, access keys are the new perimeter, and permissions associated with those keys are the limits for this perimeter. So most of the time, the initial vectors to get into a company’s cloud environments are leaked keys. There are a couple of ways to have access to a key.

So based on the fact that an access key is a new perimeter, IAM with Least Privilege becomes a mandatory part of the security posture in an AWS account. It will mitigate problems when an access key is leaked, stolen, or otherwise accessed by an unauthorized party. To help in this process of least privilege, the Salesforce Cloud Team developed a tool to identify those violations called Cloudsplaining.

In this training, we will demonstrate the pipeline we created: extracting and analyzing permissions with Cloudsplaining, ingesting and enriching with Elastic Stack, and finally using Access Analyzer Policy Suggestion (based on principal actions logged at CloudTrail) to generate a better policy to mitigate overly permissive policy problems.

Rodrigo Montoro

Target Rich Cyber Poor

I Am The Cavalry

Don Benack, Tom Millar

That Escalated Quickly: A System for Alert Prioritization

Ground Truth

At any moment, tens of thousands of analysts within security operations centers (SOCs) inspect security alerts to detect evidence of compromise, but the knowledge they gain in the process is often lost, siloed, or inefficiently preserved. In our talk, we’ll present a machine learning prototype that leverages this forgotten knowledge, helping analysts triage malicious alerts in a feedback loop. The system learns to predict which alerts analysts will escalate, presents these alerts to analysts, and improves as analysts make decisions about these alerts. Our system is trained on real activity from hundreds of SOC analysts analyzing threats over thousands of customer environments, and it demonstrates a dramatic reduction in alert volume with minimal loss in detection rate, freeing up analysts to dive into alerts that truly matter.

In our presentation, we describe this system in transparent detail, discussing the complexity of raw data, the limitations of current approaches, and how our system can integrate into existing infrastructure, even in the presence of unstructured data and a shifting landscape of security sensors. We’ll also show our system’s performance in the practical defense of a diverse population of organizations and go over in-the-trenches case studies illustrating our system’s strengths and weaknesses.

Ben U Gelman

The Exclave Experience: Relocating To ‘Almost Canada’


One day, I was working remotely from my small house in a neighborhood I didn’t like, looking through my window at cars crawling by through heavy traffic on the freeway, and I realized that my life didn’t have to be this way. I’d been putting up with a city I didn’t want to be in for far too long. My job is fully remote. Absolutely nothing was keeping me within commute distance of an office. I could live anywhere in the country that I wanted.

A lot of people have realized the same thing, but most people are moving to up-and-coming, trendy places. I chose the opposite, and moved to a place that is not only one of the most isolated places in the country, but is best known as a rumored Witness Protection Program hideaway. It has been a wild adventure, but it’s also one that I’m surprised more people haven’t taken. In this talk, I’ll explain how I decided to move to one of only a handful of US exclaves, surrounded on three sides by water and on the north by Canada, and why this could be the start of something big.

Robert “TProphet” Walker

The Hip Hacker’s Guide to Policy.

I Am The Cavalry

Executive Orders, new laws, and sanctions, oh my! With widespread disruption caused by ransomware attacks and major vulnerabilities, cybersecurity is a continuing priority for policymakers and government leaders alike. This will impact the lives and careers of all BSides attendees, and policymakers can benefit from your expertise to ensure they focus on the right things and avoid unintended harms.

Don’t Panic! This informal session will guide you through the noteworthy sights, happenings, and potential pitfalls of Policyland, and we’ll talk about how you can choose your own adventure to get more involved.

Leonard Bailey, Jack Cable, Jen Ellis

The Northern Virginia Shuffle: Lateral Movement and other Creative Steps Attackers Take in AWS Cloud Environments and how to detect them.

Breaking Ground

Attackers do not always land close to their objectives (data to steal). Consequently, they often need to move laterally to accomplish their goals. That is also the case in cloud environments, where most organizations are increasingly storing their most valuable data. So as a defender, understanding the possibilities of lateral movements in the cloud is a must.

Because the control plane APIs are exposed and well documented, attackers can move between networks and AWS accounts by assuming roles, pivoting, and escalating privileges. It is also possible for attackers to move relatively easily from the data plane to the control plane and vice-versa.

In this talk, we are going to explore how attackers can leverage AWS Control and Data Planes to move laterally and achieve their objectives. We will explore some scenarios that we discovered with our clients and how we approached the problem. We will also share a tool we created to help us visualize and understand those paths.

Felipe A Pr0teus

The One With The Foreign Wordlist


Many of us crack passwords daily as part of our work, hobbies and research. We have a vast array of word-lists and sources for cracking passwords, however things start to go wrong when working with foreign languages. If your success-rate at cracking foreign passwords and passwords with non-Latin characters is not doing well, then this talk is for you. We’ll help you build efficient, successful wordlists to use in other languages and character-sets, as well as how to use them with cracking tools like Hashcat.

Dimitri Fousekis, Ethan Crane

The Technical Trap

Common Ground

Have you had this conversation when discussing a potential candidate? “That person is great, but they are not technical enough.” Have you heard this in talent reviews? Perhaps even had it said to you in your review … “Great year, but to advance, you really need to be more technical.”

What does it mean to be technical anyway? More importantly, what does it mean in information security? Bias in understanding of what technical means can be used to minimize people. Furthermore, unclear expectations, biases, and generalizations hold back careers and feed unhealthy work environments.

Combining decades of industry experience and survey data, we will spark discussion with participants about the multiple definitions of the word “technical” in information security. We will engage in conversations on the problem space including previously collected survey data, discuss the impact of these biases and generalizations, and consider actionable feedback to help both managers and individual contributors avoid the technical trap. The audience will walk out of this conversation with an understanding of biases when it comes to defining the word technical, the impact of biases in the greater security industry, and ways to navigate when finding themselves in the technical trap no matter their role.

Josh Michaels, Lea Snyder

Tomb Raider - Automating Data Recovery and Digital Forensics

Ground Floor

Data Recovery and Digital Forensics can be an extremely time consuming process, leading to expensive and extremely limited options for those looking to get their data back off a broken drive, or investigate data on another’s drive. The two fields have a lot of common ground, with many of the same time-consuming and boring steps, even for experienced professionals. We demonstrate and disclose Tomb Raider, a tool developed from this need for a faster and more automated way, while poring over dozens of dumpster-dived hard drives in search of treasures and curiosities.

Blue Hephaestus

Trust Me, I’m a Robot: Can we trust RPA with our most guarded secrets?

Common Ground

Robotic Process Automation (RPA) is one of the hottest technologies in the industry today, rapidly gaining traction as larger enterprises look to speed up their business processes by automating mundane and repetitive office tasks. This trend has significantly grown during COVID-19. Any RPA solution, most of which are Windows applications, running in an enterprise would have to use a large pool of credentials to do its job. From usernames and passwords of unattended robots to read/write access to enterprise backbone applications, such as: financial, HR, IT, Sales and Marketing and more. This talk is about our research on an automation platform from one of the largest RPA vendors in the market. We will analyze the RPA platform while discussing some of the vulnerabilities we found and offer mitigations.

Nimrod Stoler, Nethanel Coppenhagen

Understanding, Abusing and Monitoring AWS AppStream 2.0

Common Ground

Amazon Web Services (AWS) is a complex ecosystem with hundreds of different services. In the case of a security breach or compromised credentials, attackers look for ways to abuse the customer’s configuration of services with their compromised credentials, as the credentials are often granted more IAM permissions than is usually needed. Most research to date has focused on the core AWS services, such as , S3, EC2, IAM, CodeBuild, Lambda, KMS, etc. In our research, we present our analysis on a previously overlooked attack surface that is ripe for abuse in the wrong hands - an AWS Service called Amazon AppStream 2.0.

In this talk, you’ll learn about how AppStream works, how misconfigurations and excessive IAM permissions can be abused to compromise your AWS environment and allow attackers to control your entire AWS account. We’ll cover tactics such as persistence, lateral movement, exfiltration, social engineering, and privilege escalation. We will also cover the key indicators of compromise for security incidents in AppStream and how to prevent these abuse cases, showing how excessive privileges without great monitoring could become a nightmare in your Cloud Security posture, making it possible for attackers to control your AWS account.

Rodrigo Montoro

Watching the Watchers: Exploiting Vulnerable Monitoring Solutions

Breaking Ground

Security teams cannot be the weak link. You are trusted to protect networks and systems, and expected to not be part of the security problem. Yet we continually see examples of security decisions and solutions causing breaches. In this talk, we discuss several threat models that must be considered when instrumenting defenses and provide real-world exploitation examples we have seen in the wild. It’s not all about popping shells – we also provide feasible mitigation examples to help defenders reduce the impact of future breaches caused by their security solutions.

Rock Stevens, Matt Hand

We’re not from the government, but we’re here to help them help you

I Am The Cavalry

We have learned many things from the last few years, but one thing is for sure - Help is probably not on the way; it’s more likely lost in the supply chain. Connections are tenuous, long range support can be impossible in a crisis, and defenders are easily overwhelmed. When the victim is a local government or non-profit, people suffer.

But local and regional governments and NPOs are strained for resources - who wants to float a bond issue to remediate vulnerabilities and hire trained SOC staff, or maybe start one in the first place? Do we really want to answer that question? Regardless of the ultimate answer, volunteers can step into the breach (pun intended) and help their neighbors.

For the past 6 years, Michigan has developed a program to leverage the skills of volunteer infosec professionals to assist local and regional governments in the event of cyber disruptions. We’ve passed (and amended!) legislation, and the program is getting national attention after being featured at the National Governors Association meeting in June. Other states are pursuing similar efforts.

Internationally, the CyberPeace Institute, an NGO based in Geneva, has been matching volunteers from the private sector with local and regional NGOs working on the frontlines. The program has already served NGOs active in more than 120 countries, leading to hundreds of hours of targeted help in different time zones and languages.

Come hear why volunteers join such programmes and how you can be part of the movement!

Ray Davidson, Adrien Ogee

Weaponizing Your Fitness Tracker Against You: Health, Fitness, & Location Tracking in a Post-Roe World

Common Ground

Many women wear fitness trackers, use period tracking software, and geotag photos on their phone without thinking about the data ever being used against them. But in a world where states are now exploring private citizen bounties against women suspected of receiving abortions, could the digital trails you create be used against you? Privacy leaks through fitness tech are nothing new - see the secret military bases exposed by Strava a few years ago. But now the confluence of health trackers which record a woman’s body temperature (Oura rings), their locations (maybe you logged a walk in a new city with Apple Fitness), and even period tracking applications can be used to implicate women, even if they just missed periods due to stress, took a work trip to a city, or any other benign reason. What legal and technical protections are in place to shield women from a techno-dystopia in a post-Roe world?

Wendy Knox Everette

Weeding Out Living-off-the-land Attacks at Scale

Ground Truth

LOLBins (living off the land binaries) are executable files that are already present in the user environment. They are generally not considered malicious but can be misused by an attacker for malicious purposes. In recent years, attacks using LOLBins have been increasing in prevalence, and detecting them is a hard problem for several reasons. The use of legitimate executables makes it more likely that they fly under the radar of anti-malware systems. Often, the only artifact that can be used to detect such attacks is the command line that is executed. This makes it a needle-in-a-giant-haystack problem, since there are millions of command lines executed on a customer’s network every single day. Add to this the possibility of obfuscation and execution of downloaded files, and the problem becomes extremely complex. In this talk, we introduce a machine-learning based system that we developed at Sophos AI to reliably detect command lines used in LOLBin attacks. We talk about the challenges we faced in collecting the right data, establishing ground truth, sampling strategies to mitigate the scale and get around the long-tail problem, and evaluating performance. We then conclude with a list of lessons learned during this multi-year research effort.

Adarsh D Kyadige, Konstantin Berlin

When DevSecOps Fails

Ground Floor

DevSecOps has become the ultimate marketing buzzword, and is often suggested as a silver bullet to solve all software security issues. But what happens when things go wrong? This talk will cover what to do if you run into any of the most common pitfalls: false positives, slow tooling, lack of other SDLC security activities, unfixed bugs and lack of training & knowledge.

Tanya Janca

Whose encryption key is this? It’s a secret to everybody.

Common Ground

Imagine the critical moment where you need logs written to an S3 bucket, but you find they are encrypted with a key unknown to your organization. Is there an AWS account you own that you are not aware of? Were you hacked and are now a victim of ransomware? Are you misunderstanding some functionality of your cloud provider? Join us on our journey to answer these questions…

Utilizing providers such as Amazon Web Services, Google Cloud Platform, and Microsoft Azure carries a level of shared responsibility. In this talk, we share a cautionary tale of how that shared responsibility can fail in a way you may never have expected, and how following best practices can lead you to a worse place than you were before. We’ll discuss how using an AWS-managed service in a common configuration can result in your log data being silently encrypted with a “rogue” encryption key, rendering your data completely inaccessible and outside of your control.

This talk will center around what we found, how we found it, implications, and our recommended remediation responses surrounding the issue. We will also provide scenarios blue teamers will want to investigate in their own environments.

David Levitsky, Matthew J Lorimor

Why kidz couldn’t care less about your password advice.


For kids & teens to use social media and play games, they often have to authenticate using a password. They face the same cyber security threats as the grownups, from a younger age. Their parents are often their first role models when it comes to knowing about these threats and how to protect themselves. Parents and children report that they talk together about online safety. That is great news, but when did we ever listen to our parents? Did we use our dog’s name as our password? Did we share our password and PIN code with our best friend? Did we drink that damned tequila shot when we were told we would get sick? Yes we did. Mia Landsem will talk about the issues that these young children face: being hacked on their favorite game, their best friend who logged into their Instagram account and started to write nasty stuff to other children, the nude photos that were saved on their Snapchat that suddenly ended up in a hacker’s hands, followed by a message that if they do not send more photos, the nude photos will be posted on their story for all their friends to see. Mia will talk about HOW we should educate the young ones, and how to make them care about security, passwords and password managers. Why kidz couldn’t care less about your password advice? Come find out!

Mia Landsem

Your Passwords Should Be Shorter


If you’re reading this, I bet you use a password manager - and your autogenerated passwords are incomprehensible. How long do you make them - 30 characters? 40 characters? Keyboard specials are a given - do you throw in those extended ASCII characters you used to draw things on BBSs forever ago? Congratulations, you played yourself.

This talk will help you understand why making it difficult to get your new phone on your network isn’t actually that useful, and give you the optimal password length as a bonus.

Jeremy Brown

Zero Days should not be a fire drill

Ground Floor

When you hear on the way to work that there is a new Log4j, SolarWinds or WannaCry attack / vulnerability sweeping the internet, it should not be a crisis. We will talk about lessons learned and mitigation strategies that are effective until you can patch or reconfigure your network. Join Tony and Steve, who have built programs and supported customers going through this. They will share best practices and methodologies leveraged to make this a process so the event doesn’t destroy your entire team’s life.

Steve Winterfeld, Tony Lauro

bscrypt - A Cache Hard Password Hash


This talk will cover the different types of key stretching algorithms (“password hashing”), the differences between memory hard and cache hard algorithms, and how to design and spot problems in key stretching algorithms. It will also cover the design of a cache hard algorithm, specifically how bscrypt works and why it’s the current best cache hard algorithm.

Steve Thomas