HackFest & Ranges Summit - Live Online

Welcome & Opening Remarks

Moses Frost @mosesrenegade, Summit Co-Chair, SANS Institute

Jorge Orchilles @jorgeorchilles, Summit Co-Chair, SANS Institute

Stephen Sims @Steph3nSims, Summit-Co-Chair, SANS Institute

Keynote

Opportunity Amidst Uncertainty: Spinning Up Virtual Cons on a Shoestring

Lesley Carhart @hacks4pancakes, Principal Industrial Incident Responder, Dragos

Budgets have been slashed and travel is restricted or prohibited, but we still want and need both training and connection. Early March saw a flurry of virtual cybersecurity events, which are more important to our community than ever. Lesley will discuss her experience spinning up a 4000-attendee virtual conference in under one week, where the expenses and time-sinks come from and how to mitigate them, and lessons learned.

Let the Games Begin: Overview of Summit Challenges and Jupiter Rockets

Ed Skoudis @edskoudis, SANS Institute Fellow

Stephen Sims @Steph3nSims, Summit-Co-Chair, SANS Institute

This Summit offers a unique array of options for hands-on learning. Ed will outline the different options for playing and competing in challenges, and then you'll get a crack at Jupiter Rockets.

Track 1

Some of Them Want to Use You; Some of Them Want to Get Used By You

Chris Wysopal @weldpond, Founder & CTO, Veracode

Developers love to build their apps with open source libraries, so much so that in recent years, some popular platforms encourage the use of hundreds of libraries per app, each with their own set of dependencies. All of this code ages like milk and often no one is doing a smell check. This make apps built on many platforms such as Java and PHP a target-rich environment that we can attack. Did you know that 27.1% of vulnerable PHP libraries have a PoC exploit available? Veracode State of Software Security: Open Source Edition has a rich set of data that can point us to where we have the highest probability of attack success.

Track 2

Anatomy of a Gopher: Binary Analysis of Go Binaries

Alex Useche, Senior Application Security Consultant, nVisium

Go is everywhere these days (because Go is awesome). It is now common to find Go binaries embedded in IoT, Edge computing devices, and web assembly applications. However, there are some important differences between C and Go binaries that penetration testers should be aware of when conducting binary analysis and reverse engineering of Go applications. In this talk, we will highlight those differences, identify what makes Go binaries unique, and recommend approaches to reverse Go applications with tools like Radare2 and Binary Ninja. The proposed approach will help penetration testers, and anyone interested in reverse engineering Go binaries conduct a faster and more effective analysis of Go application. The goal will be to: - Identify protections added by the Go compiler - Learn how Go compiles loops, goroutines, conditional statements, and other common functions - Learn what makes the analysis of Go binaries different than C binaries - Learn what to look for when obtaining Go binaries during penetration tests - Identify ways in which Go binaries can and should be protected.

Track 1

How You Can Use your Offensive Skills to Help the Air Force

Lillian Warner @blackburn_lilly, Capt, USAF, Security Engineer, Cloud Products, Kessel Run

Have you wished you could use your skills to help the U.S. Air Force, but don’t know how? Do you think you cannot contribute because of your citizenship, your lack of a degree and/or your possible previous recreational drug use? Good news! There are still opportunities available to you!

If you are a pen tester, you can participate in Hack the Pentagon, and Hack the Air Force. If you are a small business owner that has an innovative product, you can apply for Small Business Innovation Research (SBIR) funds, through an upgraded process with AFWerx and get paid to partner with an Air Force unit to see if the product works for them. Academic teams can follow a similar path and use the Small Business Technology Transfer (SBTT) funds to do business with the Air Force. Anyone with great ideas (experts, industry, academics) can solve AFWERX challenges or apply to attend one of AF Cyberworx in-person problem-solving worx. For both opportunities, the AF lays out the challenges they are facing, and ask for help leveraging new technology and best practices to solve those challenges. If you are a U.S. citizen and a developer, you can be hired as a government civilian at one of the AF’s software factories: Kessel Run, Kobayashi Maru, PlatformOne, SkiCamp, Sonikube, or SpaceCamp—scattered all across the United States. I will outline the general requirements and locations for these opportunities so you can get involved!

Track 2

Supercharge Your Red Team with RedELK

Marc Smeets @MarcOverIP, IT Security Specialist, Red Teams, Co-Founder, Outflank

Blue teams and CERTs are increasingly better equipped and better trained. At the same time offensive infrastructures are increasingly diverse in components and growing in size. This makes it a lot harder for red teams to keep oversight but also a lot easier for blue teams to react on the traces that red teams leave behind. However, do blue teams really know what traces _they_ leave behind when doing their investigation and analyses? RedELK was created and open sourced to help red teams with these two goals: 1) make it easy to have operational oversight, 2) abuse blue team OPSEC failures. This talk will teach you how RedELK can help you to supercharge your red team.

Emulating the Adversary in Post-Exploitation

Jake Williams @malwarejake, President & Founder, Rendition Infosec

We all know that non-technical personnel (e.g. managers and executives) struggle to understand the impacts detailed in technical pentest/red team reports. But the same people have no trouble understanding the impact of a data breach. What's the difference? Well, in most red team reports, we focus on system compromise and getting domain admin rather than emulating the adversary and demonstrating what can be done with a compromise. Real attackers aren't interested in complicated exploitation techniques, they just want to get the data that pays the bills. In this talk, we'll discuss how attackers discover relevant data to target so you can more closely emulate your adversary and maximize the value of your next penetration test.

TRACK 1

Automated Detection of Software Vulnerabilities Using Deep-Learning

Nidhi Rastogi, Research Scientist, Rensselaer Polytechnic Institute

The automated detection of software vulnerabilities is an important security research problem. However, existing solutions are subjective to the expertise of humans who manually define features and often miss many vulnerabilities (i.e., incurring high false-negative rate). This presentation showcases the design and implementation of deep learning-based vulnerability detection systems to relieve human experts from the tedious and subjective task of manually defining features as well as to produce more effective vulnerability detection systems. The vulnerabilities that are detected are buffer errors and resource management errors in software. An approach called code gadgets [1] is used, which represents software programs and then transforms them into vectors. A code gadget is the number of lines of code that are semantically related to each other. The approach then demonstrates the identification of vulnerabilities in different software products. The attendees will learn how deep-learning methods are more than just an improvement over the traditional vulnerability detection systems. They will understand the end-to-end implementation and be able to replicate it at their workplace.

TRACK 2

Maldocs: Tips for Red Teamers

Didier Stevens @DidierStevens, Senior Analyst, NVISO BE; Senior Incident Handler, SANS Internet Storm Center

The revival of Office documents leveraging macro code for malicious purposes started in 2014 and is still “going strong”. This is due to malware authors and researchers developing new macro techniques and rediscovering old techniques.
In this talk, Didier Stevens, a pioneer in malicious document analysis, will provide tips to improve existing techniques and present new techniques.
By default, VBA code is stored under 2 forms inside module streams: compiled code and (compressed) source code. A well-known technique, known as VBA stomping, consist of altering or suppressing the VBA source code, while leaving the compiled code intact. It is also possible to do the opposite: suppress or alter the compiled code, while leave the VBA source code intact. Transforming documents this way leads to different types of malicious Office documents with interesting properties and behavior. Some techniques are public (VBA purging), others will be revealed during this talk.

Track 1

Handling Advanced Threats: De-Obfuscation, Emulation and Anti-Forensics

Alexandre Borges, Leading Cyber Security Researcher, Blackstorm Security

The cyber war has changed and advanced adversaries have been using modern advanced malware threats to attack critical infra-structure, financial companies and even performing nation-wide espionage. These sophisticated actors have written malicious codes which deploy several obfuscaton and anti-forensic tricks to make static and dynamic analysis harder than usual. including techniques such as CFG, opaque predicate, call stack manipulation, virtualized instructions and so on. Therefore, understanding all these concepts could be useful during an investigation. No doubt, there're several techniques and frameworks to handle all these tricks such as METASM, MIASM and many emulation approaches to make the analyzed code simpler, sometimes using symbolic analysis or quantitative analysis. Additionally, we have further problems to manage during malware analysis such as anti-disassembling, tricky anti-debugging traps and even new forensics challenges because virtualized environments.
This presentation aims to explain key concepts and show a practical approach on how to manage these reverse engineering techniques and challenges.

Track 2

Hardware Hacking: Intro to Programming Micro Controllers

Mick Douglas @bettersafetynet, Certified Instructor, SANS Institute

Have you ever wondered how the Hak5 Rubber Ducky or Teensy work? Well ,wonder no more! We'll show you how to build your own... or at least better understand and appreciate these powerful platforms. We'll explore the Adafruit Circuit Playground Express and go over some of the neater features it has!

Windows 10 Kernel Mitigations and Exploitation

Jaime Geiger @jgeigerm, GRIMM; Certified Instructor, SANS Institute
Stephen Sims @Steph3nSims, Fellow, SANS Institute

In this talk we will take a quick dive into Windows 10 Kernel internals and Kernel exploit mitigations. Microsoft has done an incredible job reducing the attack surface of the Windows operating system and applying effective mitigations to prevent exploitation, with some of the latest mitigations focusing on control-flow enforcement technology. Exploitation is still possible under the right conditions; however, generalized techniques are mostly mitigated. We will finish the presentation looking at some remaining exploit opportunities.

Day 1 wrap-up

Moses Frost @mosesrenegade, Summit Co-Chair, SANS Institute

Jorge Orchilles @jorgeorchilles, Summit Co-Chair, SANS Institute

Stephen Sims @Steph3nSims, Summit-Co-Chair, SANS Institute

Day 2 Welcome & Overview

Moses Frost @mosesrenegade, Summit Co-Chair, SANS Institute

Jorge Orchilles @jorgeorchilles, Summit Co-Chair, SANS Institute

Stephen Sims @Steph3nSims, Summit-Co-Chair, SANS Institute

Keynote

Using Capture-the-Flag Challenges to Massively Level-Up Your Cybersecurity Career…Plus a Bonus Sneak Peek View of the 2020 Holiday Hack Challenge

Ed Skoudis @edskoudis, SANS Institute Fellow

Capture-the-Flag (CtF) events are a dynamic, fun, and challenging vehicle for developing hands-on skills. Yet, few people take full advantage of all the great career-boosting results they can get from participating in a CtF. In this keynote talk, Ed Skoudis will share specific strategies and tactics for leveraging CtFs to help you systematically take your career to the next level — building your skills, making yourself more valuable to your organization, and landing that job assignment you’ve always longed for. Additionally, Ed will release the H2 Matrix, a new tool to help you identify and maximize all that you can gain from the CtFs that are best for you. Finally, Ed will provide an exclusive, behind-the-scenes sneak peek of the free SANS Holiday Hack Challenge, sharing unique insights and lessons learned this annual event that is the most popular CtF in the world.

Functional Cloud C2

Chris Truncer @christruncer, Co-Founder & Offensive Security Lead, FortyNorth

It’s no surprise that attackers repurpose legitimate cloud services for malicious use, such as command and control. Defenders are also aware of this shift and have spent their time researching this move to build better defenses. As such, attackers are forced to innovate.
Azure Functions is Microsoft’s entry into “server-less code”. Beyond developing code that can run anywhere in the cloud, it provides users with the ability to trigger arbitrary code execution that performs any task you’ve developed, including proxying communications. We’re going to look at how Azure Functions can be leveraged by security professionals, and attackers, for command and control.
This talk will dive into two methods for establishing command and control communications while leveraging the cloud to control compromised systems.

Quickstart Guide to MITRE ATT&CK -The Do’s and Don’ts When Using the Matrix

Adam Mashinchi @adam_mashinchi VP of Product Management, SCYTHE

Given the increasing awareness and use of the MITRE ATT&CK Matrix as a common language between Red Teams, Blue Teams, and executives, a growing number of organizations are utilizing the framework in inappropriate ways. This talk will provide the audience with a very fast yet very practical overview of ATT&CK, as well as how it is being utilized well and not so well in the industry. From periodic tables to minesweeper, and from CALDERA to Atomic Red Team, we will go over a list of the do’s and don’ts to get the most value from the ATT&CK matrix.

Plenary Session

Getting the Most of Out of Free CtFs

Derek Rook @_r00k_, Senior Manager - Offensive Security, Teradata

You’ve probably heard of the DefCon Capture the Flag (CTF) and the annual Holiday Hack Challenge from Counter Hack Challenges. But did you know that there are multiple CTF events happening online almost all the time? This talk will help you figure out where to find them and how to get started. Most importantly, you’ll learn why you should. Derek Rook, who has captured quite a number of flags, will discuss how CTFs have helped him learn and sharpen valuable professional skills, network with industry peers, and make some lifelong friends. Whether you just want to learn or to compete for glory (or both!), Derek will point you towards the right resources.

Where the *$&% is my Identity?

Chris Edmundson, Program Manager, University of Colorado Denver | Anschutz Medical Campus

As Identity and Access Management (IAM) continues to span both on-premise and cloud-based systems; it has become more and more of a necessity to build a hybrid approach of governance with robust IAM in mind. So, we ask where are my organization’s identities stored and how do we protect them? Identity and access management systems represent a treasure trove from many attack vectors; therefore, providing a valuable opportunity for penetration testing to better secure the information technology ecosystem. In this presentation, let us explore the value and principles of IAM, opportunities for evaluating IAM from a penetration testing point of view, and how we can all share the responsibility for protecting our identities.

Pedram Amini @pedramamini, CTO, InQuest
Session details to come

Open Source Election Security – End-to-End Verifiable Voting with Microsoft ElectionGuard

Ethan Chumley, Sr. Security Strategist, Microsoft’s Defending Democracy Program

Microsoft’s Defending Democracy Program released ElectionGuard as an open source SDK that makes voting systems more secure, transparent and accessible. Though not a voting system itself, the ElectionGuard SDK integrates with new and existing technologies to leverage homomorphic encryption to ensure that votes recorded by electronic systems of any type remain encrypted, secure, and secret. Meanwhile, ElectionGuard also allows verifiable and accurate tallying of ballots by any 3rd party watchdog organization without compromising ballot secrecy or security. In this session, we will discuss some background on election security and end-to-end verifiable (E2EV) elections, the fundamentals of ElectionGuard, our associated Bug Bounty and security research program, and why we believe that developing election security technology in the open encourages a more secure and more robust democracy.

Assumed Breach: The Better Pen Test

Tim Medin @timmedin, Principal Consultant, Red Siege; Principal Instructor, SANS Institute

Traditional penetration testing often concedes internal access to the tester, but then the tester does a lot of scanning and poking around. This is not representative of most breaches. Most breaches start with a phish and adversary effectively starts with access as one of your users on one of your systems. Are you prepared to defend? In this talk, Tim Medin will discuss the shortcomings of the traditional penetration test, and talk you through ways to deliver (and receive) a higher value penetration test.

Panel

Practical Cyber Range Tips from Experienced Builders and Users

Moderator: Ed Skoudis @edskoudis, Fellow, SANS Institute
Panelists:
MAJ Joseph Marty, Strategic Planner, USCYBERCOM
David Raymond, Ph.D., Director, Virginia Cyber Range and U.S. Cyber Range; Deputy Director, IT Security Lab, Virginia Tech
Skip Runyan, Tech Advisor, US Air Force
MAJ Joshua Rykowski, Co-Founder & Challenge Developer, RunCode.Ninja

Session description to come

Global Cyber Range Competition Awards

Day 2 Welcome & Overview

Moses Frost @mosesrenegade, Summit Co-Chair, SANS Institute

Jorge Orchilles @jorgeorchilles, Summit Co-Chair, SANS Institute

Stephen Sims @Steph3nSims, Summit Co-Chair, SANS Institute

Keynote

Using Capture-the-Flag Challenges to Massively Level-Up Your Cybersecurity Career…Plus a Bonus Sneak Peek View of the 2020 Holiday Hack Challenge

Ed Skoudis @edskoudis, SANS Institute Fellow

Capture-the-Flag (CtF) events are a dynamic, fun, and challenging vehicle for developing hands-on skills. Yet, few people take full advantage of all the great career-boosting results they can get from participating in a CtF. In this keynote talk, Ed Skoudis will share specific strategies and tactics for leveraging CtFs to help you systematically take your career to the next level — building your skills, making yourself more valuable to your organization, and landing that job assignment you’ve always longed for. Additionally, Ed will release the H2 Matrix, a new tool to help you identify and maximize all that you can gain from the CtFs that are best for you. Finally, Ed will provide an exclusive, behind-the-scenes sneak peek of the free SANS Holiday Hack Challenge, sharing unique insights and lessons learned this annual event that is the most popular CtF in the world.

Panel

Lessons Learned from Kinetic Ranges

Moderator: Ed Skoudis @edskoudis, Fellow, SANS Institute

Panelists:
Tim Conway, Technical Director - ICS and SCADA Programs, SANS Institute
Jeff McJunkin @jeffmcjunkin, Founder, Rogue Valley Information Security
Matthew Toussain @0sm0s1z, Certified Instructor, SANS Institute
James Yacone, Chief of Mission, SANS Institute

Kinetic ranges are built to provide individual, collective and unit level skill development; cyber ranges are no different. The panel will share design considerations for ranges that vary in size and complexity to to train blue, white, and red teams alike.

Building Compelling Cyber Challenges and Range Scenarios

Chris Elgee @chriselgee, Challenge Developer, Counter Hack Challenges
Simon McNamee, Security Researcher, SANS Institute

Cyber challenges and ranges can be an invaluable learning tool. But how do you design challenges and ranges that are compelling, engaging, and just plain fun enough to hold participants' attention? The nuts and bolts are important, but the bells and whistles will draw in participants and keep them engaged. These veteran challenge and range designers will share some of their best tips, ideas, and secrets.

Plenary Session

Getting the Most of Out of Free CtFs

Derek Rook @_r00k_, Senior Manager - Offensive Security, Teradata

You’ve probably heard of the DefCon Capture the Flag (CTF) and the annual Holiday Hack Challenge from Counter Hack Challenges. But did you know that there are multiple CTF events happening online almost all the time? This talk will help you figure out where to find them and how to get started. Most importantly, you’ll learn why you should. Derek Rook, who has captured quite a number of flags, will discuss how CTFs have helped him learn and sharpen valuable professional skills, network with industry peers, and make some lifelong friends. Whether you just want to learn or to compete for glory (or both!), Derek will point you towards the right resources.

Panel

Best Practices for a Persistent Cyber Training Environment (PCTE)

Moderator: James Yacone, Chief of Mission, SANS Institute

Panelists to come

Creating Simulations for Historical Data Collection

Tim Conway, Technical Director - ICS and SCADA Programs, SANS Institute
Phil Hagen @philhagen, Digital Forensic and Incident Response Strategist, Red Canary; Senior Instructor, SANS Institute

Creating realistic forensic data sets is an intensive process. The core goal of a forensic investigation is to uncover the truth based on artifacts in the evidence. Taking shortcuts in creating forensic data sets leaves artifacts that can undercut the value of the training.
For example, if an exploit is loaded to a system in the target environment using the SCP utility and executed by the root user, forensics will show exactly that. If the scenario being taught reflects a network-based attack vector, the artifacts will contradict the scenario.
Similarly, The lack of realistic background texture will make the attacker’s activity stand out clearly, minimizing the training value of the data set. If simulated browser activity only involves the continuous reloading of a single web page or simply lying dormant, malicious traffic will stand out clearly.
For these reasons, the SANS DFIR team use a practice of strategically building an environment and scenario that support specific learning objectives. Then, we populate the environment with realistic background activity that mimics the appropriate level of realism. Finally, while conducting the attack simulation, we meticulously document all of the attacker's actions as they are taken.
While this may sound easy, the result can be a years-long process that must work the first time through while maintaining enough flexibility to accommodate unexpected problems during the attack simulation. In this talk, we’ll cover some of the lessons learned with conducting a dataset generation supporting FOR508 and FOR572, as well as future courses under development. This methodology can also be used by others who need to create realistic forensic data sets for their own testing and training purposes.

Panel

Maximizing the Value of Training in Cyber Ranges

Moderator: Ed Skoudis @edskoudis, Fellow, SANS Institute
Panelists:
David Cowen @HECFBlog, Managing Director, KPMG LLC; Certified Instructor, SANS Institute
Dean De Beer, Co-Founder & CTO, ThreatGRID/Cisco Systems Inc.
Nicholas Wood, Chief Technologist, Booz Allen Hamilton

Cyber ranges offer the opportunity to train like you fight, giving your team hands-on experiences in a simulated environment that's as close to the real thing as you can get without breaking anything. They also represent a considerable investment of development, time, and money. The panelists will tell you why it's worth is and how they've found ways to maximize the return on their investments.

Making the Most of Cyber Ranges

James Lyne @jameslyne, SANS Institute

The depth and breadth of the security profession continues to expand and provide challenges for individuals and teams alike. Cyber ranges vary in shape, size, and learning outcomes. How do you make the most of ranges as a space to sharpen your skills? What is the right type of range for your level of experience or skill? In this talk, James will explore how ranges may evolve to meet our future adversary simulation needs, and how teams can maximize their outcomes from exercises.

Panel

Practical Cyber Range Tips from Experienced Builders and Users

Moderator: Ed Skoudis @edskoudis, Fellow, SANS Institute
Panelists:
MAJ Joseph Marty, Strategic Planner, USCYBERCOM
Skip Runyon, Tech Advisor, US Air Force
MAJ Joshua Rykowski, Co-Founder & Challenge Developer, RunCode.Ninja

Cyber ranges and CtFs can provide tremendous learning value when designed, built, and used right. Alternatively, they can lead to frustration and wasted time if you don’t plan well. This panel of veteran range builders and participants will share some of their best practical tips on how you and your team can get the most out of your range and CtF experiences. We’ll talk about lessons learned, address pitfalls to avoid, and share some great ideas from these panelists who have decades of experience with some of the best ranges and CtF environments in the industry.

Global Cyber Range Competition Awards