Pen Test HackFest & Cyber Ranges Summit
Live Online | June 4-5
Two Summit Tracks
HackFest Track | Cyber Ranges Track
Thursday, June 4th - all times are Mountain Time, UTC-7 | Session
---|---
9:00-9:15 am | Welcome & Opening Remarks. Moses Frost @mosesrenegade, Summit Co-Chair, SANS Institute; Jorge Orchilles @jorgeorchilles, Summit Co-Chair, SANS Institute; Stephen Sims @Steph3nSims, Summit Co-Chair, SANS Institute
9:15-10:10 am | Keynote: Opportunity Amidst Uncertainty: Spinning Up Virtual Cons on a Shoestring. Lesley Carhart @hacks4pancakes, Principal Industrial Incident Responder, Dragos. Budgets have been slashed and travel is restricted or prohibited, but we still want and need both training and connection. Early March saw a flurry of virtual cybersecurity events, which are more important to our community than ever. Lesley will discuss her experience spinning up a 4000-attendee virtual conference in under one week, where the expenses and time-sinks come from and how to mitigate them, and lessons learned.
10:10-10:30 am | Let the Games Begin: Overview of Summit Challenges and Jupiter Rockets. Ed Skoudis @edskoudis, SANS Institute Fellow; Stephen Sims @Steph3nSims, Summit Co-Chair, SANS Institute. This Summit offers a unique array of options for hands-on learning. Ed will outline the different options for playing and competing in challenges, and then you'll get a crack at Jupiter Rockets.
10:30-10:50 am | Break
10:50-11:35 am | Track 1: Some of Them Want to Use You; Some of Them Want to Get Used By You. Chris Wysopal @weldpond, Founder & CTO, Veracode. Track 2: Anatomy of a Gopher: Binary Analysis of Go Binaries. Alex Useche, Senior Application Security Consultant, nVisium. Go is everywhere these days (because Go is awesome). It is now common to find Go binaries embedded in IoT, edge computing devices, and WebAssembly applications. However, there are some important differences between C and Go binaries that penetration testers should be aware of when conducting binary analysis and reverse engineering of Go applications. In this talk, we will highlight those differences, identify what makes Go binaries unique, and recommend approaches to reverse Go applications with tools like Radare2 and Binary Ninja. The proposed approach will help penetration testers, and anyone interested in reverse engineering Go binaries, conduct a faster and more effective analysis of Go applications. The goals are to: identify protections added by the Go compiler; learn how Go compiles loops, goroutines, conditional statements, and other common functions; learn what makes the analysis of Go binaries different from C binaries; learn what to look for when obtaining Go binaries during penetration tests; and identify ways in which Go binaries can and should be protected.
11:35 am-12:15 pm | Track 1: How You Can Use Your Offensive Skills to Help the Air Force. Lillian Warner @blackburn_lilly, Capt, USAF, Security Engineer, Cloud Products, Kessel Run. Have you wished you could use your skills to help the U.S. Air Force, but don’t know how? Do you think you cannot contribute because of your citizenship, your lack of a degree and/or your possible previous recreational drug use? Good news! There are still opportunities available to you! If you are a pen tester, you can participate in Hack the Pentagon and Hack the Air Force. If you are a small business owner with an innovative product, you can apply for Small Business Innovation Research (SBIR) funds through an upgraded process with AFWerx and get paid to partner with an Air Force unit to see if the product works for them. Academic teams can follow a similar path and use the Small Business Technology Transfer (SBTT) funds to do business with the Air Force. Anyone with great ideas (experts, industry, academics) can solve AFWERX challenges or apply to attend one of AF Cyberworx's in-person problem-solving worx. For both opportunities, the AF lays out the challenges they are facing and asks for help leveraging new technology and best practices to solve those challenges. If you are a U.S. citizen and a developer, you can be hired as a government civilian at one of the AF’s software factories: Kessel Run, Kobayashi Maru, PlatformOne, SkiCamp, Sonikube, or SpaceCamp—scattered all across the United States. I will outline the general requirements and locations for these opportunities so you can get involved! Track 2: Supercharge Your Red Team with RedELK. Marc Smeets @MarcOverIP, IT Security Specialist, Red Teams, Co-Founder, Outflank. Blue teams and CERTs are increasingly better equipped and better trained. At the same time, offensive infrastructures are increasingly diverse in components and growing in size. This makes it a lot harder for red teams to keep oversight, but also a lot easier for blue teams to react to the traces that red teams leave behind. However, do blue teams really know what traces _they_ leave behind when doing their investigation and analyses? RedELK was created and open sourced to help red teams with these two goals: 1) make it easy to have operational oversight, 2) abuse blue team OPSEC failures. This talk will teach you how RedELK can help you supercharge your red team.
12:15-1:30 pm | Lunch
1:30-2:15 pm | Emulating the Adversary in Post-Exploitation. Jake Williams @malwarejake, President & Founder, Rendition Infosec. We all know that non-technical personnel (e.g. managers and executives) struggle to understand the impacts detailed in technical pentest/red team reports. But the same people have no trouble understanding the impact of a data breach. What's the difference? Well, in most red team reports, we focus on system compromise and getting domain admin rather than emulating the adversary and demonstrating what can be done with a compromise. Real attackers aren't interested in complicated exploitation techniques; they just want to get the data that pays the bills. In this talk, we'll discuss how attackers discover relevant data to target so you can more closely emulate your adversary and maximize the value of your next penetration test.
2:15-3:00 pm | Track 1: Maldocs: Tips for Red Teamers. Didier Stevens @DidierStevens, Senior Analyst, NVISO BE; Senior Incident Handler, SANS Internet Storm Center. The revival of Office documents leveraging macro code for malicious purposes started in 2014 and is still “going strong”. This is due to malware authors and researchers developing new macro techniques and rediscovering old techniques. Track 2: Automated Detection of Software Vulnerabilities Using Deep Learning. Nidhi Rastogi, Research Scientist, Rensselaer Polytechnic Institute. The automated detection of software vulnerabilities is an important security research problem. However, existing solutions depend on the expertise of humans who manually define features and often miss many vulnerabilities (i.e., incurring a high false-negative rate). This presentation showcases the design and implementation of deep learning-based vulnerability detection systems to relieve human experts from the tedious and subjective task of manually defining features, as well as to produce more effective vulnerability detection systems. The vulnerabilities that are detected are buffer errors and resource management errors in software. An approach called code gadgets [1] is used, which represents software programs and then transforms them into vectors. A code gadget is a number of lines of code that are semantically related to each other. The approach then demonstrates the identification of vulnerabilities in different software products. Attendees will learn how deep-learning methods are more than just an improvement over traditional vulnerability detection systems. They will understand the end-to-end implementation and be able to replicate it at their workplace.
3:00-3:20 pm | Break
3:20-4:05 pm | Track 1: Handling Advanced Threats: De-Obfuscation, Emulation and Anti-Forensics. Alexandre Borges, Leading Cyber Security Researcher, Blackstorm Security. The cyber war has changed, and advanced adversaries have been using modern advanced malware threats to attack critical infrastructure and financial companies, and even to perform nation-wide espionage. These sophisticated actors have written malicious code which deploys several obfuscation and anti-forensic tricks to make static and dynamic analysis harder than usual, including techniques such as CFG, opaque predicates, call stack manipulation, virtualized instructions and so on. Therefore, understanding all these concepts could be useful during an investigation. No doubt, there are several techniques and frameworks to handle all these tricks, such as METASM, MIASM and many emulation approaches, to make the analyzed code simpler, sometimes using symbolic analysis or quantitative analysis. Additionally, we have further problems to manage during malware analysis, such as anti-disassembling, tricky anti-debugging traps and even new forensics challenges because of virtualized environments. Track 2: Hardware Hacking: Intro to Programming Micro Controllers. Mick Douglas @bettersafetynet, Certified Instructor, SANS Institute. Have you ever wondered how the Hak5 Rubber Ducky or Teensy work? Well, wonder no more! We'll show you how to build your own... or at least better understand and appreciate these powerful platforms. We'll explore the Adafruit Circuit Playground Express and go over some of the neater features it has!
4:05-4:50 pm | Windows 10 Kernel Mitigations and Exploitation. Jaime Geiger @jgeigerm, GRIMM; Certified Instructor, SANS Institute. In this talk we will take a quick dive into Windows 10 kernel internals and kernel exploit mitigations. Microsoft has done an incredible job reducing the attack surface of the Windows operating system and applying effective mitigations to prevent exploitation, with some of the latest mitigations focusing on control-flow enforcement technology. Exploitation is still possible under the right conditions; however, generalized techniques are mostly mitigated. We will finish the presentation looking at some remaining exploit opportunities.
4:50-5:00 pm | Day 1 Wrap-up. Moses Frost @mosesrenegade, Summit Co-Chair, SANS Institute; Jorge Orchilles @jorgeorchilles, Summit Co-Chair, SANS Institute; Stephen Sims @Steph3nSims, Summit Co-Chair, SANS Institute
Friday, June 5th - all times are Mountain Time, UTC-7 | Session
---|---
9:00-9:10 am | Day 2 Welcome & Overview
9:10-10:00 am | Keynote: Using Capture-the-Flag Challenges to Massively Level-Up Your Cybersecurity Career…Plus a Bonus Sneak Peek View of the 2020 Holiday Hack Challenge. Ed Skoudis @edskoudis, SANS Institute Fellow. Capture-the-Flag (CtF) events are a dynamic, fun, and challenging vehicle for developing hands-on skills. Yet, few people take full advantage of all the great career-boosting results they can get from participating in a CtF. In this keynote talk, Ed Skoudis will share specific strategies and tactics for leveraging CtFs to help you systematically take your career to the next level — building your skills, making yourself more valuable to your organization, and landing that job assignment you’ve always longed for. Additionally, Ed will release the H2 Matrix, a new tool to help you identify and maximize all that you can gain from the CtFs that are best for you. Finally, Ed will provide an exclusive, behind-the-scenes sneak peek of the free SANS Holiday Hack Challenge, sharing unique insights and lessons learned from this annual event, the most popular CtF in the world.
10:00-10:40 am | Functional Cloud C2. Chris Truncer @christruncer, Co-Founder & Offensive Security Lead, FortyNorth. It’s no surprise that attackers repurpose legitimate cloud services for malicious use, such as command and control. Defenders are also aware of this shift and have spent their time researching this move to build better defenses. As such, attackers are forced to innovate.
10:40-11:00 am | Break
11:00-11:40 am | Quickstart Guide to MITRE ATT&CK: The Do’s and Don’ts When Using the Matrix. Adam Mashinchi @adam_mashinchi, VP of Product Management, SCYTHE. Given the increasing awareness and use of the MITRE ATT&CK Matrix as a common language between Red Teams, Blue Teams, and executives, a growing number of organizations are utilizing the framework in inappropriate ways. This talk will provide the audience with a very fast yet very practical overview of ATT&CK, as well as how it is being utilized well and not so well in the industry. From periodic tables to minesweeper, and from CALDERA to Atomic Red Team, we will go over a list of the do’s and don’ts to get the most value from the ATT&CK matrix.
11:40 am-12:20 pm | Plenary Session: Getting the Most Out of Free CtFs. Derek Rook @_r00k_, Senior Manager - Offensive Security, Teradata. You’ve probably heard of the DefCon Capture the Flag (CTF) and the annual Holiday Hack Challenge from Counter Hack Challenges. But did you know that there are multiple CTF events happening online almost all the time? This talk will help you figure out where to find them and how to get started. Most importantly, you’ll learn why you should. Derek Rook, who has captured quite a number of flags, will discuss how CTFs have helped him learn and sharpen valuable professional skills, network with industry peers, and make some lifelong friends. Whether you just want to learn or to compete for glory (or both!), Derek will point you towards the right resources.
12:20-1:00 pm | Lunch
1:00-1:40 pm | Where the *$&% is my Identity? Chris Edmundson, Program Manager, University of Colorado Denver \| Anschutz Medical Campus. As Identity and Access Management (IAM) continues to span both on-premise and cloud-based systems, it has become more and more of a necessity to build a hybrid approach to governance with robust IAM in mind. So, we ask: where are my organization’s identities stored, and how do we protect them? Identity and access management systems represent a treasure trove for many attack vectors, and therefore a valuable opportunity for penetration testing to better secure the information technology ecosystem. In this presentation, let us explore the value and principles of IAM, opportunities for evaluating IAM from a penetration testing point of view, and how we can all share the responsibility for protecting our identities.
1:40-2:20 pm | Identifying Novel Malware at Scale. Pedram Amini @pedramamini, CTO, InQuest. It's no secret that client-side attacks are a common source of compromise for many organizations. Web browser and e-mail borne malware campaigns target users by way of phishing, social engineering, and exploitation. Office suites from vendors such as Adobe and Microsoft are ubiquitous and provide a rich and ever-changing attack surface. Poor user awareness and clever social engineering tactics frequently result in users consenting to the execution of malicious embedded logic such as macros, JavaScript, ActionScript, and Java applets. In this talk, we'll explore a mechanism for harvesting a variety of these malware lures for the purposes of dissection and detection. We'll explore mechanisms for clustering and identifying "interesting" samples. Specifically, we're on the hunt for malware lures that can provide a heads up to defenders on upcoming campaigns, as adversaries frequently test their lures against AV consensus. Multiple real-world examples are provided, proving that an astute researcher can harvest zero-day exploits from the public domain.
2:20-2:40 pm | Break
2:40-3:20 pm | Open Source Election Security – End-to-End Verifiable Voting with Microsoft ElectionGuard. Ethan Chumley, Sr. Security Strategist, Microsoft’s Defending Democracy Program. Microsoft’s Defending Democracy Program released ElectionGuard as an open source SDK that makes voting systems more secure, transparent and accessible. Though not a voting system itself, the ElectionGuard SDK integrates with new and existing technologies to leverage homomorphic encryption to ensure that votes recorded by electronic systems of any type remain encrypted, secure, and secret. Meanwhile, ElectionGuard also allows verifiable and accurate tallying of ballots by any 3rd party watchdog organization without compromising ballot secrecy or security. In this session, we will discuss some background on election security and end-to-end verifiable (E2EV) elections, the fundamentals of ElectionGuard, our associated Bug Bounty and security research program, and why we believe that developing election security technology in the open encourages a more secure and more robust democracy.
3:20-4:00 pm | Assumed Breach: The Better Pen Test. Tim Medin @timmedin, Principal Consultant, Red Siege; Principal Instructor, SANS Institute. Traditional penetration testing often concedes internal access to the tester, but then the tester does a lot of scanning and poking around. This is not representative of most breaches. Most breaches start with a phish, and the adversary effectively starts with access as one of your users on one of your systems. Are you prepared to defend? In this talk, Tim Medin will discuss the shortcomings of the traditional penetration test, and talk you through ways to deliver (and receive) a higher value penetration test.
4:00-4:40 pm | Panel: Practical Cyber Range Tips from Experienced Builders and Users. Cyber ranges and CtFs can provide tremendous learning value when designed, built, and used right. Alternatively, they can lead to frustration and wasted time if you don’t plan well. This panel of veteran range builders and participants will share some of their best practical tips on how you and your team can get the most out of your range and CtF experiences. We’ll talk about lessons learned, address pitfalls to avoid, and share some great ideas from these panelists who have decades of experience with some of the best ranges and CtF environments in the industry.
4:45-5:15 pm | Closing Remarks & Global Cyber Range Competition Awards
Cyber Ranges Track
Friday, June 5 – all times are Mountain Time, UTC-7 | Session
---|---
9:00-9:10 am | Day 2 Welcome & Overview
9:10-10:00 am | Keynote: Using Capture-the-Flag Challenges to Massively Level-Up Your Cybersecurity Career…Plus a Bonus Sneak Peek View of the 2020 Holiday Hack Challenge. Ed Skoudis @edskoudis, SANS Institute Fellow. Capture-the-Flag (CtF) events are a dynamic, fun, and challenging vehicle for developing hands-on skills. Yet, few people take full advantage of all the great career-boosting results they can get from participating in a CtF. In this keynote talk, Ed Skoudis will share specific strategies and tactics for leveraging CtFs to help you systematically take your career to the next level — building your skills, making yourself more valuable to your organization, and landing that job assignment you’ve always longed for. Additionally, Ed will release the H2 Matrix, a new tool to help you identify and maximize all that you can gain from the CtFs that are best for you. Finally, Ed will provide an exclusive, behind-the-scenes sneak peek of the free SANS Holiday Hack Challenge, sharing unique insights and lessons learned from this annual event, the most popular CtF in the world.
10:00-10:40 am | Panel: Lessons Learned from Kinetic Ranges. Moderator: Ed Skoudis @edskoudis, Fellow, SANS Institute. Panelists: Kinetic ranges are built to provide individual, collective and unit level skill development; cyber ranges are no different. The panel will share design considerations for ranges that vary in size and complexity to train blue, white, and red teams alike.
10:40-11:00 am | Break
11:00-11:40 am | Building Compelling Cyber Challenges and Range Scenarios. Chris Elgee @chriselgee, Challenge Developer, Counter Hack Challenges. Cyber challenges and ranges can be an invaluable learning tool. But how do you design challenges and ranges that are compelling, engaging, and just plain fun enough to hold participants' attention? The nuts and bolts are important, but the bells and whistles will draw in participants and keep them engaged. These veteran challenge and range designers will share some of their best tips, ideas, and secrets.
11:40 am-12:20 pm | Plenary Session: Getting the Most Out of Free CtFs. You’ve probably heard of the DefCon Capture the Flag (CTF) and the annual Holiday Hack Challenge from Counter Hack Challenges. But did you know that there are multiple CTF events happening online almost all the time? This talk will help you figure out where to find them and how to get started. Most importantly, you’ll learn why you should. Derek Rook, who has captured quite a number of flags, will discuss how CTFs have helped him learn and sharpen valuable professional skills, network with industry peers, and make some lifelong friends. Whether you just want to learn or to compete for glory (or both!), Derek will point you towards the right resources.
12:20-1:00 pm | Lunch
1:00-1:40 pm | Panel: Best Practices for a Persistent Cyber Training Environment (PCTE). Moderator: James Yacone, Chief of Mission, SANS Institute. The Persistent Cyber Training Environment (PCTE) addresses a critical and urgent need to provide a persistent and realistic training environment to Joint Cyber Mission Forces (CMF). To address this, PCTE is leveraging rapid acquisition and prototyping efforts to develop capability efficiently and quickly. PCTE is a cloud-based training platform supporting individual sustainment training and team certification, and provides the foundation for collective training exercises (i.e. Cyber Flag, Cyber Guard). PCTE leverages existing connectivity and is a cloud-based environment to facilitate the sharing of resources (such as scenarios and content), and to provide additional cyber "maneuver space" (such as emulated Red, Blue, Gray, and Industrial Control System (ICS) environments). PCTE enables realistic training with variable conditions to increase readiness and lethality of our Cyberspace Forces, while simplifying and automating the training management process. Program Characteristics:
1:40-2:20 pm | Creating Simulations for Historical Data Collection. Tim Conway, Technical Director - ICS and SCADA Programs, SANS Institute. Creating realistic forensic data sets is an intensive process. The core goal of a forensic investigation is to uncover the truth based on artifacts in the evidence. Taking shortcuts in creating forensic data sets leaves artifacts that can undercut the value of the training.
2:20-2:40 pm | Break
2:40-3:20 pm | Panel: Maximizing the Value of Training in Cyber Ranges. Moderator: Ed Skoudis @edskoudis, Fellow, SANS Institute. Cyber ranges offer the opportunity to train like you fight, giving your team hands-on experiences in a simulated environment that's as close to the real thing as you can get without breaking anything. They also represent a considerable investment of development, time, and money. The panelists will tell you why it's worth it and how they've found ways to maximize the return on their investments.
3:20-4:00 pm | Making the Most of Cyber Ranges. James Lyne @jameslyne, SANS Institute. The depth and breadth of the security profession continues to expand and provide challenges for individuals and teams alike. Cyber ranges vary in shape, size, and learning outcomes. How do you make the most of ranges as a space to sharpen your skills? What is the right type of range for your level of experience or skill? In this talk, James will explore how ranges may evolve to meet our future adversary simulation needs, and how teams can maximize their outcomes from exercises.
4:00-4:40 pm | Panel: Practical Cyber Range Tips from Experienced Builders and Users. Cyber ranges and CtFs can provide tremendous learning value when designed, built, and used right. Alternatively, they can lead to frustration and wasted time if you don’t plan well. This panel of veteran range builders and participants will share some of their best practical tips on how you and your team can get the most out of your range and CtF experiences. We’ll talk about lessons learned, address pitfalls to avoid, and share some great ideas from these panelists who have decades of experience with some of the best ranges and CtF environments in the industry.
4:45-5:15 pm | Closing Remarks & Global Cyber Range Competition Awards