BSides Cleveland 2016

You’ve done the patch work, you have good perimeter defenses, and even application whitelisting, however, an attacker has found themselves on an end-user machine. For most networks, once an attacker has gained access the game is usually over quickly for the blue team. In this session, I will discuss several techniques used by attackers to find additional credentials and laterally move about and how to prevent them. Implementing these changes will slow down escalation and lateral movement and credential theft to provide an opportunity for detection and subsequent response.

"In an effort of general threat intelligence I sought to understand what understanding of other criminals could be applied to cyber criminals. What I found was startlingly useless. The difference between our adversaries and traditional criminals is not simply modernity. The dynamics and incentives underlying these advanced actors is fundamentally different from traditional thieves or even organized crime. The closest comparison I have found is the pirates of the late 1600s.

Pirate companies share a similar distinction - roaming the seas instead of cyberspace and sailing through significant gaps in international law. They organized together but did so by inventing democratic organization more advanced than the world had seen before. These pirate companies, forced to innovate or die, turned into some of the most progressive companies the world had ever seen. There is a lot of learn from this stunning level of innovation. Drawing from history we can also examine which strategies were successful in stopping pirates - and which failed"

At CircleCityCon 2015 in the presentation “Turn Your Head and Cough”, Nathaniel "Dr. Whom" Husted compared security architecture assessments to being a physician. The similarities run deep. Doctors struggle with patient compliance, complex and unclear problems, time and resource pressures, and succeed only when others carry out their recommendations. Doctors struggle all the time. In this session, we explore the field of patient engagement and discuss how doctors are trained to drive patient behavior. We will cover the metrics and reporting used to determine patient engagement. And at each step along the way, lessons will be shared for applying these ideas to information security. So the next time you present an IT compliance report, the next time you share your findings from a penetration test, or the next time you tell developers their code is weak, you’ll be ready to drive behavior and get results by playing doctor.

This talk will center on a project that has been active since July 2015, which involves attempting to understand internal North Korean conditions through the use of nmap and masscan, and the scanning of the entire North Korean IP range. In the process of undertaking this project not only was some interesting information gathered about North Korean internal political practices, postures and responses to crisis, but also a significant amount was learned about port scanning hostile and well defended networks, as well as learning a little bit about code on the side. In this presentation the lessons learned and the challenges encountered will be reviewed within the wider discussion of the importance of the use of technical tools to understand the world outside of the technical realm.

This talk will present and outline various techniques for the manipulation of processes at runtime in the Windows environment. Attendees will leave with a better understanding of how the Windows API functions are leveraged by attackers to extract the contents of memory, inject shellcode into other processes and how functions can be hooked and rerouted to execute malicious code. The different techniques used to manipulate processes will be discussed with provided examples. Penetration testers and defensive security people alike will benefit from learning just how tools such as meterpreter are able to inject themselves into and manipulate processes.

I will examine how the techniques of con artists and magicians are relevant to physical penetration testing, social engineering and infiltration. Focus is on some classic cons and basics of stage magic deception.

Attack patterns are something that when it occurs is extrinsic (not natural) behavior in a computer ecosystem. Understanding what attack patterns look like and building an understanding of how to detect them with what you already have is possible. Most preventative technology tries in some extent to detect extrinsic behavior in an environment but falls short because of the continual changes in attack patterns and commoditized detection. This talk dives into looking at what you already have in your infrastructure that you can use for intrinsic (natural) detection capabilities that doesn't rely on a specific signature, but more so on how attackers go after an organization. As an industry, we need to be detecting the extrinsic occurrences in our networks which exhibit abnormal behavior. During this presentation, we'll be covering a large percentage of techniques used by attackers, and how to detect them with what you currently have in place at your organization today.