2019 Speaker Lineup

Rocke'in the NetFlow: the TTPs to detection

By: Nathaniel "Q" Quist

Rocke is a Chinese threat actor group that specializes in cryptojacking. They are known for compromising Linux-based systems to mine Monero and for uninstalling a select set of other miner applications that may have been installed on the system previously. What makes Rocke interesting is that they primarily target cloud systems to mine their currency. Rocke is sophisticated enough to evade common detection. Within this talk I will lead you through the identification of Rocke's TTPs and, in a world still trying to fully monitor cloud operations, how we can use a tool as simple as NetFlow to track Rocke operations within an environment.

Pentest Attack Tactics

By: Jordan Drysdale

In 45 minutes, I will cover reconnaissance against a target, password spraying with multiple tools, and account compromise. From there, we'll pivot into an environment, look around the place and steal more domain credentials! All of this with well-documented command usage, tool descriptions, and methodology. That's it, that's all! Oh - we'll do this attack live.

FUD is Dead, Stand Up and Be Heard

By: Alyssa Miller

The fastest way to get executives to ignore your proposal for security remediations or projects is trying to scare them with fear tactics. In this session, we’ll describe a detailed methodology for winning support by identifying opportunities for business growth that are created by our security projects. We will have audience-interactive exercises and share three simple strategies for identifying the types of business benefits that resonate with executives. Attendees will leave this session with a solid understanding of how to approach business leaders and make them offers they can’t refuse.

Hidden Agenda: The darker side of a prominent cryptocurrency mining botnet

By: Greg Foss

Carbon Black's Threat Analysis Unit (TAU) uncovered various new and previously unknown components of a prominent cryptocurrency mining campaign. The botnet overseeing the operation leverages unique attack patterns that are designed to bypass application whitelisting, provide remote access, collect and exfiltrate sensitive information, and sell access to hundreds of thousands of compromised hosts. We'll dive deep into this campaign and present findings which: 1) demonstrate the weaponization of commodity threats, 2) highlight the potential hidden impacts of commodity malware, 3) show how attribution models can be misleading in an active threat economy, and 4) uncover a significant link between C2s which reveals the details of a massive multi-botnet spreading campaign.

Cloud Wars: Episode V - The Cryptojacker Strikes Back

By: James Condon

It is a period of civil war. Cryptojacking has ousted ransomware as the malware of choice for cybercriminals. To be successful, an attacker must compromise a device and remain persistent long enough to gain a profit. To stay persistent, the attacker must remain stealthy enough to evade detection by the owners. Cryptojacking has become so popular that attackers must battle other attackers for control of the hosts they compromise. In fact, we have observed multiple attackers gaining and losing control of host resources repeatedly in the course of a couple of hours. In this talk, attacker methods of offense and defense are revealed. We discuss typical infection vectors, methods of persistence, and methods of targeting attacker objectives.

IPv6 host discovery for attackers and defenders

By: KB

The IPv6 address space is too large to scan reliably with traditional techniques. This will cover some new techniques and less used tools for managing discovery of IPv6 hosts in a usable way. A demo of some of these techniques is incorporated into the presentation.

Memory Analysis is the Ground Truth (OR HiddenWasp/Linux malware)

By: Itai Tevet

Fileless malware is a type of evasive, in-memory threat that appears only inside a computer’s memory. The malware cannot be seen and it will usually vanish once the machine is turned off or the system is rebooted. According to the Ponemon Institute’s 2018 State of Endpoint Security Risk report, fileless malware attacks are 10 times more likely to succeed than file-based attacks, and nearly 40 percent of cyber attacks targeting organizations in 2019 will be fileless. This session will discuss the current challenges involved in performing a memory analysis, and how applying a genetic approach can help security teams automate the memory analysis process in order to detect advanced in-memory threats such as malicious code injections, packed malware and fileless malware.

Blue Team Automation

By: Cuong Dinh

Today, with headcount and budget shortages, an increasing and overwhelming volume of security alerts, and security teams facing alert fatigue, more organizations are turning to Security Orchestration, Automation and Response (SOAR) platforms to assist them with noise reduction and process streamlining. Most of the time we're busy putting out fires, and during one of those moments we wish some of these repetitive tasks could be automated. What if one of the recommendations/lessons learned from the last incident could be "automate 'that' task"? We would be amazed at how many things in security can be automated, either by leveraging existing tools and APIs, using free open source tools, or, if you want to be fancy, acquiring a more formal SOAR solution. Although automation can be cool, there are also pain points and best practices around selecting tools and implementation, what to automate first, what not to automate, etc.

Mentoring and Coaching: Using each other to grow our security careers

By: Daniel Ayala

The best way to grow within a career is to talk to others who have gone there before you, and those who have outside perspectives. We can all benefit from hearing perspectives to contemplate dilemmas, challenges and quandaries, and to share successes. This session will be a panel of three to four people at various stages in their careers discussing how they have been mentors and coaches as well as protégés/mentees, and benefitted from the experience. Panelists will also share key factors for being a successful mentor and protégé, and how to get started.

© 2019 Security BSides Denver, Inc.  A Nonprofit 501(c)(3) Educational Organization