2022 Agenda
9AM
The Cyber Entrepreneur
Terry Bradley
The cybersecurity industry is full of technical experts with amazing cyber skills. However, the skills that are needed to start and grow a successful cybersecurity company are not typically understood by "techies." Terry Bradley, Founder and President of Mile High Cyber, will discuss the key success factors that are needed but often overlooked when hackers start cybersecurity businesses.
10AM
The FBI Citizen's Academy: Outreach Experience
Beck Norris
I will walk participants through what it's like to apply for and then be selected to participate in the FBI Citizen's Academy, from my vantage as a participant and a graduate of the Class of 2022. I'll then outline the FBI's involvement with: FATS (firearms training, both virtual and field-based), InfraGard, our regional forensics computer crime lab, human trafficking, drug cases, murder, kidnapping, international and domestic terrorism, hate crimes, bomb threats, gangs, public corruption, white collar crimes, weapons of mass destruction, radicalization, counterterrorism and counterintelligence. I'll conclude with a Q&A session. I'm hopeful that this will dispel some myths about the FBI, about who they are and what they do, and provide an additional outreach point of contact for anyone who would wish to get involved.
11AM
FAIR STRIDE - Building Business Relevant Threat Models for AppSec
Arthur Loris
Have you ever wondered what the ROI is on a security control? Or whether you should spend time fixing 2 highs or 47 mediums? FAIR STRIDE is a method for creating application threat models that can answer these questions. We will explore expressing the outputs of a STRIDE threat model in projected dollars lost instead of a set of high, medium, and low severity threats. We will discuss how to use the output of such a model to inform strategic planning, justify investment in security controls, and define a roadmap towards scalable risk reduction for a product.
Historically, there has been a disconnect between what security engineers see as risks or threats and how these risks are perceived by senior leaders. Mikko Hyppönen pointed this out concisely during his keynote at RMISC 2019 by stating: “In security, when we do our jobs right, nothing happens”. In reality, this is not the case, but we have to observe the situation through a lens that can bring a security program’s value to light. In the scope of application security, the disconnect happens when security engineers express the impact of vulnerabilities on systems and applications, rather than their impact on the business itself.
On one hand we enable the business to sell products that are trustworthy, usually by fulfilling compliance frameworks like SOC2 or ISO 27001. On the other hand, when security teams do their jobs right they prevent monetary losses from being inflicted on the company. To drive strategic planning and growth, the impact needs to be measured in a language that senior leaders and executives care about: dollars. A list of high, medium and low severity bugs is not sufficient for this purpose. These losses can be measured in the form of bounties or ransoms paid, sales opportunities lost, litigation, incident response processes, PR campaigns, customer churn, etc.
12PM
LUNCH
1PM
11 Foot Ladder - Modern In-Depth Defense Evasion
Landon Rice
Show me a 10-foot wall and I’ll show you an 11-foot ladder. Build a 50-foot wall and I’ll build a 51-foot ladder. In the modern era, defenses are getting stronger, so attacking a target is getting more and more complex. This will be a highly technical talk and will focus on bypassing common defenses that are present in secure ecosystems. Antivirus products, Windows monitoring, application controls, as well as network-level systems such as firewalls or IDSes are always there to get in your way as a penetration tester or a red teamer. Surprisingly, with the right skill set and knowledge, most of these are trivial to bypass, and we’ll explore some of the best ways to go about building ladders over these defenses.
In this session, we’ll explore concepts such as Userland Unhooking, Process Injection, Fileless Attacks, Using LOLBASes, Suspending sysmon, Hash Collision Attacks, Bypassing PPL, PowerShell Downgrade Attacks, as well as the importance of using encryption and compression in all stages of an attack to avoid any chance of detection.
2PM
Yolo'ing in System32: Stomping LOLBins to Keep Business Bussin (Sort of)
Michael Karbarz & Taylor Chapman
Banning critical LOLBins is always a terrible idea, except when it's not.
Time is of the essence. You're playing whack-a-mole with host isolation, disabling credentials, network blocks, and identifying missed activity.
In this talk, we’ll discuss a radical approach to gaining response time by limiting adversary activities during a ransomware event, Cobalt Strike spread, or other attack types.
3PM
The Conti Group
Kevin Stear
This discussion will dive deep into the criminal underground to examine Conti (and affiliate) operations from start to finish. We will begin with the history and origin of the group, discuss the evolving TTPs and victimology, and provide insight into the fragmentation and break-up of the group (in early 2022).
4PM
Down in a Hole: Experiences in OT Security for Colorado Water Districts
Tyler Bell
Colorado has more than 293 special districts dedicated to managing water and sanitation. The life-safety impact these districts have on residents, businesses, and critical services such as hospitals is one reason why the Cybersecurity and Infrastructure Security Agency lists water and wastewater systems as critical infrastructure. While there are plenty of regulations these districts must follow to provide clean drinking water, each district is left to determine appropriate controls for the operational technology that supports the delivery of clean water. This increases the level of risk to the control systems we depend on every day.
We’ve recently gotten a taste of what can happen if control systems related to water, pipelines, and other critical infrastructure are breached, with the Oldsmar, Florida water treatment plant attack and Colonial Pipeline ransomware attack as prime examples. The threat of nation-state attacks is also on the rise. So what can our local districts do to help mitigate some of this risk? What can we do as Colorado residents to protect our water systems?
In this session, I’ll share what I’ve seen while assessing the cybersecurity of operational technology in these types of environments, from climbing down manholes to touring water treatment plants. I’ll provide insight into common vulnerabilities and issues faced by our districts, and guidance to help prioritize cybersecurity and risk management when time and resources are limited.
5PM
ICS Security Introduction and Demystification
Mingda Li
The talk will focus on the ICS (Industrial Control System) and SCADA (supervisory control and data acquisition) field and demystify public misconceptions about the complexity of ICS/SCADA cybersecurity. There will be case studies of major ICS incidents, compromises, and ransomware attacks, as well as some insights from a red teamer working in the field.