Talks

-- Understanding Container Security: Isolation at Layers - Yong Tang 
Abstract
In recent years, container platforms such as Docker and Kubernetes have had a big impact on DevOps and on the way applications are deployed. The security of the container platforms themselves is imperative for the safety of the applications running on them.

This talk covers the fundamental components of Docker and Linux containers, and how each contributes to isolating applications at different layers. Concepts such as namespaces, cgroups, capabilities and seccomp will be discussed in detail, along with measures to secure applications deployed in containers.
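As an added example for the capability and seccomp layers mentioned above (not code from the talk), the following script reads the isolation state the kernel reports for a process in /proc/<pid>/status: the effective and bounding capability masks, the seccomp mode and the no_new_privs bit, and flags what a container hardening review would call out. The two status snippets are constructed; the first carries the CapEff mask Docker applies by default, the second the mask a fully privileged container gets. The list of "dangerous" capabilities is this example's own choice.

```python
"""
Inspect the isolation actually applied to a process: effective capabilities,
seccomp mode, no_new_privs and (live only) namespace identities.

Added example; not code from the talk. The status snippets are constructed.
"""
import os

# Capability bit numbers from linux/capability.h (list index == CAP_* value).
CAP_NAMES = [
    "CHOWN", "DAC_OVERRIDE", "DAC_READ_SEARCH", "FOWNER", "FSETID", "KILL",
    "SETGID", "SETUID", "SETPCAP", "LINUX_IMMUTABLE", "NET_BIND_SERVICE",
    "NET_BROADCAST", "NET_ADMIN", "NET_RAW", "IPC_LOCK", "IPC_OWNER",
    "SYS_MODULE", "SYS_RAWIO", "SYS_CHROOT", "SYS_PTRACE", "SYS_PACCT",
    "SYS_ADMIN", "SYS_BOOT", "SYS_NICE", "SYS_RESOURCE", "SYS_TIME",
    "SYS_TTY_CONFIG", "MKNOD", "LEASE", "AUDIT_WRITE", "AUDIT_CONTROL",
    "SETFCAP", "MAC_OVERRIDE", "MAC_ADMIN", "SYSLOG", "WAKE_ALARM",
    "BLOCK_SUSPEND", "AUDIT_READ", "PERFMON", "BPF", "CHECKPOINT_RESTORE",
]

# This example's choice of capabilities that amount to host compromise inside a container.
DANGEROUS = {"SYS_ADMIN", "SYS_PTRACE", "SYS_MODULE", "SYS_RAWIO", "NET_ADMIN",
             "DAC_READ_SEARCH", "SYS_BOOT", "BPF"}

# Constructed /proc/self/status excerpts: Docker's default capability set, and --privileged.
DOCKER_DEFAULT = """\
Name:\tsh
Uid:\t0\t0\t0\t0
CapInh:\t0000000000000000
CapPrm:\t00000000a80425fb
CapEff:\t00000000a80425fb
CapBnd:\t00000000a80425fb
CapAmb:\t0000000000000000
NoNewPrivs:\t0
Seccomp:\t2
"""
PRIVILEGED = """\
Name:\tsh
CapEff:\t000001ffffffffff
CapBnd:\t000001ffffffffff
NoNewPrivs:\t0
Seccomp:\t0
"""


def decode_caps(hex_mask: str) -> list:
    """Turn a CapEff/CapBnd hex mask into a sorted list of capability names."""
    mask = int(hex_mask, 16)
    return sorted(name for bit, name in enumerate(CAP_NAMES) if mask >> bit & 1)


def parse_status(status_text: str) -> dict:
    """Extract the isolation-relevant fields from /proc/<pid>/status text."""
    fields = {}
    for line in status_text.splitlines():
        key, _, value = line.partition(":")
        fields[key.strip()] = value.strip()
    return {
        "caps": decode_caps(fields.get("CapEff", "0")),
        "bounding": decode_caps(fields.get("CapBnd", "0")),
        "seccomp": int(fields.get("Seccomp", "0")),   # 0 disabled, 1 strict, 2 filter
        "no_new_privs": fields.get("NoNewPrivs", "0") == "1",
    }


def findings(state: dict) -> list:
    """Settings a container hardening review would flag, in a stable order."""
    out = [f"effective CAP_{cap}" for cap in sorted(DANGEROUS & set(state["caps"]))]
    if state["seccomp"] != 2:
        out.append("no seccomp filter")
    if not state["no_new_privs"]:
        out.append("no_new_privs unset")
    return out


def live_state() -> dict:
    """Read the real values for the current process (Linux only)."""
    with open("/proc/self/status") as fh:
        state = parse_status(fh.read())
    ns_dir = "/proc/self/ns"
    # Identical ns links between two processes mean they share that namespace.
    state["namespaces"] = {n: os.readlink(os.path.join(ns_dir, n))
                           for n in sorted(os.listdir(ns_dir))}
    return state


if __name__ == "__main__":
    for label, text in (("docker default", DOCKER_DEFAULT), ("privileged", PRIVILEGED)):
        state = parse_status(text)
        print(label, state["caps"], findings(state))
    if os.path.exists("/proc/self/status"):
        print("this process:", live_state())
```

Run it inside a container (`docker run --rm -v $PWD:/x python:3 python /x/isolation.py`, path assumed) and compare against the same run with `--cap-drop ALL`, `--security-opt no-new-privileges` or `--privileged` to see each flag move.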

Bio
Yong Tang is the Director of Engineering at MobileIron. He contributes to various container and machine learning projects in the open source community, and is currently a committer on Docker, CoreDNS, SwarmKit and TensorFlow. Most recently his focus has been on data processing with machine learning frameworks. He has also given talks at KubeCon about service discovery for multi-cloud Kubernetes deployments. Yong Tang received his PhD in Computer Science, specializing in network security, from the University of Florida.

-- From Cognitive Bias to Mass Manipulation: A Botmaster's guide to Active Measures - Evan Wagner
Abstract
Social media, crowd-sourced content sites and translation services have removed all barriers to communication. Because of this, bots have exploited and driven hyper-partisanship to new levels. These acts appear to be the work of trolls for the lulz and of manipulators with an agenda. No matter your political disposition, position in society or social cause, they are targeting you, steadily manipulating sentiment with manufactured social engagement, astroturfed popularity and blatant distractors. We will go over how these bot armies are structured, created and tailored to amplify the social reaction to their messages. Designed to exploit vulnerabilities in human psychology, they persuade the masses into action and into becoming unwitting contributors who bolster these effects.
Bio
Evan has 19 years of IT experience. He began with his first hosting and development company in 1999. Since then he has worked in a variety of roles, from Software Engineer, DBA and System Administrator III to Security Admin and Sr. Incident Responder, at organizations including UCA.edu, Interop, Akamai, Seminole Gaming/Hard Rock and Fortune 1. He moved into security full time in 2013 while working at Prolexic on DDoS mitigation, where he was exposed to CTF tournaments, which have been a passion ever since. Evan is also involved in the community and has presented at Hacker Halted, ISSA, OWASP, HackMiami and meetup groups.

-- Operationalizing Threat Intelligence via Automation - Christian Nicholson
Abstract
This talk will discuss some of the basic principles of threat intelligence, and touch on how you can get started with a threat intel program of your own. We will then dive into the main focus of the talk: operationalizing the data via automation and a centralized platform of your choosing. The talk will make use of some free and commercial tools, and offer alternative options in the commercial and open source space that achieve the same goal. We will talk about the pros and cons of a few architecture variations and, most importantly, how to use this solution to maximize the return on investment in the threat intel program and minimize the analyst hours needed to gather the data required to close an incident.

Bio
Christian Nicholson (GuardianCosmos) - GSEC, GMOB, GWAPT, GCIH, GPEN, RF Certified Analyst; Lead Cyber Consultant and Partner @ Indelible
Christian is a security leader with a strong technical background spanning multiple disciplines. He has spent the last 12 years in industry as a consultant specializing in Purple Teaming, Security Architecture and Program Development, and Threat Intelligence. His previous work includes being one of the leads and core developers of KPMG's Threat Intelligence and Penetration Testing service lines, and serving as a Foundstone consultant in charge of building out Security Operations Centers for Fortune 5 companies, among other clients. Christian is also a resident SANS SME and Instructor, and holds five GIAC certifications across a number of disciplines.


-- Left of Boom - Ted Corbeill
Abstract
The term “Left of Boom” was made popular in 2007 in reference to the U.S. military combating improvised explosive devices (IEDs) used by insurgents in Afghanistan and Iraq. The U.S. military spent billions of dollars developing technology and tactics to prevent and detect IEDs before detonation, with the goal of disrupting the bomb chain. This is an analog to cybersecurity, where we strive to increase the incident prevention capabilities of our security tools and, where we can’t prevent attacks, augment prevention with incident detection and response tools.

This presentation will demonstrate automated methods for getting ahead of these problems. It will identify approaches you can apply to improve the effectiveness of your security tools, security teams and processes. Following this presentation, you’ll be able to develop your own strategy to get “left of boom.”

Bio
Ted Corbeill is the Senior Manager, Enablement Programs at Verodin. He is a retired Marine Corps Intelligence Officer who is adapting military best practices to improve cybersecurity effectiveness. Additionally, he is leveraging his military experience to build and lead innovative enablement programs that drive revenue growth through data-driven insights, business innovation and collaboration. Prior to joining Verodin, Ted built enablement programs for DXC Technology and Hewlett Packard Enterprise.

-- Extending Archive-Based Path Traversal Attacks - Dan Crowley
Abstract
Not long ago, a series of basic attacks against archive utilities (branded as "Zip Slip") proved fruitful, much to the world's surprise. However, the research was limited: only the most basic attack case was tested, and other related attack vectors were left unexplored. We extend the research to include these cases and see what happens.
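As an added example (not the speaker's code), the script below builds a malicious zip in memory that carries the basic Zip Slip entry plus three related vectors: an absolute path, backslash separators (a traversal only on extractors that treat `\` as a separator), and a `..` buried after a harmless-looking prefix. `naive_target` shows how an extractor that simply joins the entry name onto the destination resolves those names; `safe_target` and `safe_extract` reject them, and `run_demo` also probes the symlink variant, where an earlier archive member plants a symlink so that a later, clean-looking name resolves outside the destination (here simulated by creating the symlink directly, since `zipfile` does not write symlinks). The destination paths are assumptions.

```python
"""
Archive path traversal ("Zip Slip") harness: a malicious zip, the vulnerable
name resolution most extractors use, and a hardened resolver.

Added example; not code from the talk. The zip is constructed in memory.
"""
import io
import ntpath
import os
import tempfile
import zipfile


def build_malicious_zip() -> bytes:
    """One benign entry plus four traversal variants beyond the basic case."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docs/readme.txt", "harmless")
        zf.writestr("../../evil.txt", "pwned")               # classic Zip Slip
        zf.writestr("/tmp/abs.txt", "pwned")                 # absolute path: join() discards dest
        zf.writestr("docs\\..\\..\\win.txt", "pwned")        # backslashes: traversal on Windows extractors
        zf.writestr("docs/sub/../../../deep.txt", "pwned")   # '..' hidden after a valid prefix
    return buf.getvalue()


def naive_target(dest: str, name: str) -> str:
    """The vulnerable pattern: trust the entry name and join it onto dest."""
    return os.path.normpath(os.path.join(dest, name))


def safe_target(dest: str, name: str) -> str:
    """Resolve an entry name strictly under dest, or raise ValueError."""
    norm = name.replace("\\", "/")             # treat '\' as a separator, as Windows does
    if "\x00" in norm:
        raise ValueError("NUL byte in entry name")
    if norm.startswith("/") or ntpath.splitdrive(norm)[0]:
        raise ValueError("absolute path or drive letter")
    parts = [p for p in norm.split("/") if p not in ("", ".")]
    if not parts:
        raise ValueError("empty entry name")
    if ".." in parts:                          # reject any '..', even one that nets out inside dest
        raise ValueError("parent-directory component")
    dest_real = os.path.realpath(dest)
    target = os.path.join(dest_real, *parts)
    # A symlink planted by an earlier entry (the tar variant) makes the parent
    # resolve outside dest even though this entry's name looks clean.
    parent_real = os.path.realpath(os.path.dirname(target))
    if os.path.commonpath([dest_real, parent_real]) != dest_real:
        raise ValueError("parent directory resolves outside destination")
    return target


def safe_extract(data: bytes, dest: str):
    """Extract only entries that pass safe_target; return (written, rejected)."""
    written, rejected = [], []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            try:
                target = safe_target(dest, info.filename)
            except ValueError as err:
                rejected.append((info.filename, str(err)))
                continue
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as fh:
                fh.write(zf.read(info))
            written.append(target)
    return written, rejected


def run_demo() -> dict:
    """Extract the malicious zip into a temp dir and probe the symlink vector."""
    data = build_malicious_zip()
    with tempfile.TemporaryDirectory() as dest:
        dest_real = os.path.realpath(dest)
        written, rejected = safe_extract(data, dest)
        # Simulate a symlink left behind by an earlier member, pointing above dest.
        os.symlink(os.path.dirname(dest_real), os.path.join(dest_real, "link"))
        try:
            safe_target(dest, "link/evil.txt")
            symlink_blocked = False
        except ValueError:
            symlink_blocked = True
    return {
        "written": [os.path.relpath(p, dest_real) for p in written],
        "rejected": sorted(name for name, _ in rejected),
        "symlink_blocked": symlink_blocked,
    }


if __name__ == "__main__":
    print(naive_target("/srv/app/uploads", "../../evil.txt"))   # resolves to /srv/evil.txt
    print(naive_target("/srv/app/uploads", "/tmp/abs.txt"))     # dest is discarded entirely
    print(run_demo())
```

Note that Python's own `ZipFile.extractall` strips `..` and leading separators, so the naive resolver here mirrors the hand-rolled extraction loops (common in Java and Go code) that the original Zip Slip findings were about.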

Bio
Daniel Crowley is the head of research and a penetration tester for X-Force Red. Daniel denies all allegations regarding unicorn smuggling and questions your character for even suggesting it. Daniel is the primary author of both the Magical Code Injection Rainbow, a configurable vulnerability testbed, and FeatherDuster, an automated cryptanalysis tool. Daniel enjoys climbing large rocks and is TIME magazine's 2006 person of the year. Daniel has been working in the information security industry since 2004 and is a frequent speaker at conferences including Black Hat, DEF CON, Shmoocon, and SOURCE. Daniel does his own charcuterie and brews his own beer. Daniel's work has been included in books and college courses. Daniel also holds the noble title of Baron in the micronation of Sealand.

   
-- BAPT (Blockchain Advanced Persistent Threat): How to PWN smart contracts and make $4 million in a few weeks - Victor Fang, Ph.D.
Abstract
AnChain.ai recently discovered the first BAPT hacker group in history. According to AnChain.ai's AI-powered Situational Awareness Platform (SAP), these sophisticated, coordinated hackers have been targeting vulnerable DApp smart contracts such as Fomo3D and LastWinner, and as of August 2018 they have stolen 12,948 Ether (worth roughly $4 million). Partnering with SECBIT Lab and Graphistry, AnChain.ai was able to track down the BAPT group's tactics by combining behavior-based machine learning, knowledge graphs, bytecode reverse engineering and visual graph investigation.
You will learn more about our quest : “APT is the worst nightmare in Cyber Security. How about Blockchain APT? Does BAPT even exist in Blockchain era? What does that mean to all of us?” 

Bio
Dr. Victor Fang is the Founder and CEO of the VC-backed blockchain startup AnChain.ai.
Before AnChain.ai, he headed the AI initiatives at FireEye Mandiant, responsible for the company's AI product strategy and roadmap.
Under his leadership, ML models were successfully introduced into millions of endpoints and various services, improving on-execution dynamic detection and efficiency. He also initiated FireEye's AutoML platform, which has delivered hundreds of ML models to network and email security products. He was recognized as the face of FireEye AI.
Dr. Fang holds more than 15 US patents and has published more than 20 research papers on AI, big data, fraud and threat detection. He is a contributor to “MIT Technology Review 2017”.
Prior to FireEye, Dr. Fang had 10+ years of ML practice and 5 years of enterprise data science leadership experience at VC-backed startups and Fortune 500 companies.
He won first prize at the 2017 FireEye Global Hackathon.

-- “Everyone is an investor: A VC’s perspective on how to invest your time with security startups” - Will Lin
Bio
Will is a Principal and a Founding Investor at ForgePoint Capital. He has been an avid technology enthusiast for decades: building his first computer in elementary school and starting online businesses while completing his bachelor’s degree from the University of California, Berkeley. He has worked with and helped invest more than $100 million across 15+ cybersecurity companies to date. As a Founding Investor at ForgePoint, Will is involved with 4iQ, Appthority, Attivo Networks, Bayshore Networks, ID Experts, IronNet Cybersecurity, LoginRadius, ReversingLabs and Uptycs. He is a board member/observer at 4iQ, Attivo Networks, Bayshore Networks, LoginRadius and Uptycs.

-- The Crux of the Cloud Apps Threat Landscape? - Aditya K Sood
Abstract
Cloud storage usage is increasing rapidly. Attackers are using cloud applications as launchpads for triggering cyber attacks on the Internet. It has become indispensable for enterprises to keep track of the cloud applications active in their networks in order to detect malicious activity. At the same time, threats from malicious insiders, external attackers and careless users are increasing and putting organizations at risk.

Bio
Dr. Sood works as a Director of Cloud Security at Symantec. His research interests include cloud security, malware automation and analysis, application security, secure software design and cybersecurity. He has authored several papers for various magazines and journals, including IEEE, Elsevier, CrossTalk, Usenix and others. His work has been featured in several media outlets, including the Associated Press, Fox News, The Register, The Guardian, Business Insider, Kaspersky Threatpost, CBC and others. He is an active speaker at industry conferences and has presented at BlackHat, DEFCON, HITB, RSA, Virus Bulletin, OWASP and others. Dr. Sood obtained his Ph.D. in Computer Science from Michigan State University. He is also the author of the book "Targeted Cyber Attacks", published by Syngress.

-- Using Deep Learning to uncover darkweb malicious actors and their close circle - Rod Soto and Joseph Zadeh
Abstract
This presentation shows how data-driven techniques can be used to gain visibility into, and establish relationships between, the users and participants of DarkWeb forums. These relationships can provide clues that uncover and reveal the tracks of malicious actors. Data such as chat room transcripts and forum posts can be used to build a graph of relationships.
This provides a context in which machine learning algorithms can be used to unmask relationships and profile users of these dark forums. Some of the methods used include graph algorithms such as Google's PageRank. Once these users are profiled it is possible to predict behaviors, gaining further understanding of the actors who use these forums to obfuscate and evade attribution.
Bio
Rod Soto has over 15 years of experience in information technology and security. He is currently a Director of Security Research at JASK. He has spoken at ISSA, ISC2, OWASP, DEFCON, Hackmiami and Bsides, and has been featured in Rolling Stone Magazine, Pentest Magazine, Univision and CNN. Rod Soto was the winner of the 2012 BlackHat Las Vegas CTF competition and is the founder and lead developer of the Kommand && KonTroll competitive hacking tournament series.

Joseph Zadeh studied mathematics in college and received a BS from the University of California, Riverside and an MS and PhD from Purdue University. While in college, he worked in a Network Operations Center focused on security and network performance baselines, and during that time he spoke at the DEFCON and Torcon security conferences. Most recently he joined JASK as Director of Data Science. Previously, Joseph was part of Splunk UBA and of the data science consulting team at Greenplum/Pivotal focused on cybersecurity analytics, and was also part of Kaiser Permanente's first cybersecurity R&D team.

-- Vulnerability Modeling with Binary Ninja - Josh Watson
Abstract
Plenty of static analyzers can perform vulnerability discovery on source code, but what if you only have the binary? Dynamic tools can analyze binaries, but there are times when you can’t execute the code, a targeted area is difficult to reach, you just want initial targets for your bug hunting, and other situations where static tools would better suit your needs. How can we perform automated static analysis to check a binary for vulnerabilities in an architecture-agnostic manner? The short answer: combine Binary Ninja’s MLIL and SSA forms with a theorem prover like Z3. Together, these tools make it easy to build a mathematical model of incorrect behavior that can turn binaries, alchemy-like, into vulnerabilities.
In this talk, I present a case study for Heartbleed. First, I briefly highlight previous work for detecting the bug at the source level. Then, step by step, I walk through developing an architecture-agnostic Binary Ninja plugin that automatically identifies the bug class in OpenSSL. This walkthrough explains how to combine Binary Ninja’s powerful intermediate languages and SSA form with the Z3 theorem prover to build a mathematical model of the vulnerability. Finally, I discuss the results of running the plugin on both vulnerable and patched versions of OpenSSL, compiled for multiple architectures. After this talk, attendees will have the tools necessary to build their own static analysis plugins for vulnerability discovery with Binary Ninja.
Bio
Josh Watson is a Senior Security Engineer at Trail of Bits and an active member of the Binary Ninja community. He has published numerous articles about reverse engineering with the Binary Ninja APIs and released several open source plugins and tools. Due to his intimate knowledge of its features and API, he is often confused for a Binary Ninja developer.

-- Automatically tuning a ModSec WAF - Jose Enrique Hernandez
Abstract
One of the most common challenges for an organization rolling out a web application firewall is the tuning process, especially when it has to be done at scale across hundreds or thousands of different web services. In this talk we will quickly review the structure of ModSecurity rules, discuss the techniques you can use to automatically generate a recommended base rule-set profile, and show how to make that profile specific to each web service's traffic. We will also share best practices for building a comprehensive rule set that covers not only generic web attacks such as SQLi and XSS but also targeted platform exploits.
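As an added example of the "make the profile specific to each service's traffic" step (not the speaker's tooling), the script below parses ModSecurity 2.x error-log lines, counts which CRS rule fired on which request argument for each URI, and emits CRS-style runtime exclusions (`ctl:ruleRemoveTargetById`) for the combinations seen often enough. The log lines are constructed; the log is assumed to contain only vetted, known-good traffic (so every match is a candidate false positive), and the two-hit threshold and the 10001+ rule-id range are assumptions.

```python
"""
Derive ModSecurity/CRS false-positive exclusions from error-log lines.

Added example; not the talk's tooling. Assumes the ModSecurity 2.x Apache
error-log format and a log that holds only known-good baseline traffic.
"""
import re
from collections import Counter, defaultdict

# Constructed sample lines in the ModSecurity 2.x error-log format.
SAMPLE_LOG = """\
[Tue Oct 09 10:00:01.000000 2018] [:error] [pid 2311] [client 10.0.0.5] ModSecurity: Warning. detected XSS using libinjection. [file "/etc/modsecurity/crs/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "37"] [id "941100"] [msg "XSS Attack Detected via libinjection"] [data "Matched Data: XSS data found within ARGS:body: <b>hello</b>"] [severity "CRITICAL"] [hostname "blog.example.test"] [uri "/post/comment"] [unique_id "W7wAAAAAAAAAAAA"]
[Tue Oct 09 10:00:02.000000 2018] [:error] [pid 2311] [client 10.0.0.6] ModSecurity: Warning. detected XSS using libinjection. [file "/etc/modsecurity/crs/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "37"] [id "941100"] [msg "XSS Attack Detected via libinjection"] [data "Matched Data: XSS data found within ARGS:body: <i>thanks</i>"] [severity "CRITICAL"] [hostname "blog.example.test"] [uri "/post/comment"] [unique_id "W7wAAAAAAAAAAAB"]
[Tue Oct 09 10:00:03.000000 2018] [:error] [pid 2312] [client 10.0.0.7] ModSecurity: Warning. detected XSS using libinjection. [file "/etc/modsecurity/crs/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "37"] [id "941100"] [msg "XSS Attack Detected via libinjection"] [data "Matched Data: XSS data found within ARGS:body: <a href=x>link</a>"] [severity "CRITICAL"] [hostname "blog.example.test"] [uri "/post/comment"] [unique_id "W7wAAAAAAAAAAAC"]
[Tue Oct 09 10:00:04.000000 2018] [:error] [pid 2312] [client 10.0.0.5] ModSecurity: Warning. detected XSS using libinjection. [file "/etc/modsecurity/crs/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "37"] [id "941100"] [msg "XSS Attack Detected via libinjection"] [data "Matched Data: XSS data found within ARGS:title: <b>Title</b>"] [severity "CRITICAL"] [hostname "blog.example.test"] [uri "/post/comment"] [unique_id "W7wAAAAAAAAAAAD"]
[Tue Oct 09 10:00:05.000000 2018] [:error] [pid 2313] [client 10.0.0.8] ModSecurity: Warning. detected XSS using libinjection. [file "/etc/modsecurity/crs/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "37"] [id "941100"] [msg "XSS Attack Detected via libinjection"] [data "Matched Data: XSS data found within ARGS:title: <em>News</em>"] [severity "CRITICAL"] [hostname "blog.example.test"] [uri "/post/comment"] [unique_id "W7wAAAAAAAAAAAE"]
[Tue Oct 09 10:00:06.000000 2018] [:error] [pid 2313] [client 10.0.0.9] ModSecurity: Warning. detected SQLi using libinjection with fingerprint 'n&1'. [file "/etc/modsecurity/crs/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "45"] [id "942100"] [msg "SQL Injection Attack Detected via libinjection"] [data "Matched Data: n&1 found within ARGS:q: tom&jerry 1"] [severity "CRITICAL"] [hostname "blog.example.test"] [uri "/api/search"] [unique_id "W7wAAAAAAAAAAAF"]
[Tue Oct 09 10:00:09.000000 2018] [core:notice] [pid 2300] AH00094: Command line: '/usr/sbin/apache2'
"""

FIELD_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')     # [key "value"] pairs
TARGET_RE = re.compile(r'found within ([A-Z_]+:[^\s:]+):')  # the variable named in [data "..."]


def parse_line(line: str):
    """Return {id, uri, msg, target} for a ModSecurity event line, else None."""
    if "ModSecurity:" not in line:
        return None
    fields = dict(FIELD_RE.findall(line))
    if "id" not in fields or "uri" not in fields:
        return None
    m = TARGET_RE.search(fields.get("data", ""))
    return {"id": fields["id"], "uri": fields["uri"],
            "msg": fields.get("msg", ""), "target": m.group(1) if m else None}


def candidate_exclusions(lines, min_hits: int = 2) -> dict:
    """Map (uri, rule id) -> set of targets that fired at least min_hits times on baseline traffic."""
    hits = Counter()
    for line in lines:
        ev = parse_line(line)
        if ev and ev["target"]:
            hits[(ev["uri"], ev["id"], ev["target"])] += 1
    cands = defaultdict(set)
    for (uri, rid, target), n in hits.items():
        if n >= min_hits:
            cands[(uri, rid)].add(target)
    return dict(cands)


def render_rules(cands: dict, start_id: int = 10001) -> list:
    """Emit CRS runtime exclusions for REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf."""
    rules = []
    for rule_id, ((uri, rid), targets) in enumerate(sorted(cands.items()), start=start_id):
        ctls = ",".join(f"ctl:ruleRemoveTargetById={rid};{t}" for t in sorted(targets))
        rules.append(f'SecRule REQUEST_URI "@beginsWith {uri}" '
                     f'"id:{rule_id},phase:1,pass,nolog,{ctls}"')
    return rules


if __name__ == "__main__":
    for rule in render_rules(candidate_exclusions(SAMPLE_LOG.splitlines())):
        print(rule)
```

The output removes only the offending argument from the offending rule on that one path, which keeps 941100 active for every other parameter and URI; excluding the whole rule or the whole URI is the shortcut that turns a tuned WAF into a decorative one. The /api/search hit stays in place because it was seen once, below the threshold.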
Bio
Jose Enrique Hernandez is currently the SOC Manager at Fastly. He started his professional career at Prolexic Technologies (now Akamai) in DDoS, fighting attacks from Anonymous and LulzSec against Fortune 100 companies. As an engineering co-founder of Zenedge (acquired by Oracle), he helped build technologies to fight bots and web application attacks. While working at Splunk as a Security Architect, he built and released an auto-mitigation framework that has been used to automatically fight attacks in large organizations. In the past, he has helped build security operations centers as well as run a public threat intelligence service. www.josehelps.com

-- Cybersecurity for SmartCities - Lan Jenson
Abstract
As the FBI and the Wall Street Journal have reported, smaller businesses, nonprofits and American towns have increasingly fallen victim to cybercriminal attacks. They have suffered financial losses in the millions and service interruptions lasting days to weeks. They have a healthy fear, yet are unable to protect themselves due to budget and expertise shortages. These challenges are tackled head-on under NIST and the Department of Homeland Security's joint GCTC Smart Secure Cities and Communities Challenge (SC3). A team of experts from government, nonprofits and for-profit businesses have formed an Advisory Committee and an Action Cluster to help municipalities and communities to:

* get free / low-cost cyber-risk assessment methodology and technology
* get free / low-cost technologies to defend against the most common vulnerabilities (email-validating DMARC and a privacy-preserving, secure DNS solution)
* get experts to implement solutions pro bono or at cost through the nonprofit's matching platform

Are you passionate about hacking the hackers and want to help Smart Cities, schools, nonprofits and smaller businesses avoid being low-hanging fruit for cybercriminals?
Bio
Lan Jenson is the CEO of Adaptable Security Corp (ADA for short), a nonprofit matching cybersecurity and privacy experts to the needs of smaller businesses, governments and people. ADA accomplishes its goals in partnership with government agencies such as NIST and DHS, the City of San Jose, and professional and civic organizations such as ISC2, ISSA, ISACA, People Centered Internet, Global Cyber Alliance (GCA) and SBDC Silicon Valley.

Lan Jenson has extensive policy experience in the government, nonprofit and private sectors. Lan currently serves as Co-Chair of the Cybersecurity and Privacy Advisory Committee for the NIST/DHS Smart Secure Cities and Communities Challenge. Lan is also a board member of the ISC2 Silicon Valley Chapter. A certified information security professional (CISSP) since 2009, Ms. Jenson has led many risk management, policy and compliance initiatives. Her analysis enabled the Secret Service to arrest hackers. Lan Jenson advanced to leadership roles at Fortune 500 companies including FM Global, Charles Schwab and Cisco Systems.

-- Beyond Cryptography Theater - Sam Bowne
Abstract
Many products scramble data in minor ways, to make it look encrypted, but don't actually protect secrets from serious attackers.  Examples are shown of security theater in Windows, Android apps, Web browsers, and Web apps, with good examples of proper encryption in similar use cases.  Developers need to do better, and managers need to expect more, and both of those improvements are achievable with just a little more education.
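As an added example for the point above (not the speaker's material), the script below implements the kind of "scrambling" the abstract refers to, a repeating-key XOR with a key hard-coded in the product (assumed here as the scheme; it is the most common one), and the check a reviewer runs against it: with one chunk of predictable plaintext, such as the fixed header of a config file, the keystream falls out, its period gives the key length, and the recovered key decrypts every file the product ever wrote. The key, config file and known prefix are constructed. The last function is the property real encryption has and scrambling lacks: encrypting the same plaintext twice must not produce the same output.

```python
"""
Why "scrambling" is not encryption: fixed-key XOR as shipped in many products,
and the known-plaintext attack that recovers the key from a single file.

Added example; not code from the talk. Key, config and prefix are constructed.
"""
import itertools

KEY = b"s3cret!"                                        # constructed hard-coded product key
CONFIG = b'{"version": 1, "user": "alice", "token": "hunter2"}'
KNOWN_PREFIX = b'{"version": 1, "user": "'             # format bytes an attacker can predict


def xor_scramble(data: bytes, key: bytes) -> bytes:
    """The 'encryption' under test: repeating-key XOR. Applying it twice decrypts."""
    if not key:
        raise ValueError("empty key")
    return bytes(b ^ k for b, k in zip(data, itertools.cycle(key)))


def keystream_period(stream: bytes) -> int:
    """Smallest p with stream[i] == stream[i+p] for all i, i.e. the XOR key length."""
    for p in range(1, len(stream) // 2 + 1):
        if all(stream[i] == stream[i + p] for i in range(len(stream) - p)):
            return p
    raise ValueError("no period visible: need known plaintext at least twice the key length")


def recover_key(ciphertext: bytes, known_prefix: bytes) -> bytes:
    """Known-plaintext attack: C xor P is the keystream; one period of it is the key."""
    stream = bytes(c ^ p for c, p in zip(ciphertext, known_prefix))
    return stream[:keystream_period(stream)]


def is_deterministic(scramble, sample: bytes, key: bytes) -> bool:
    """Real encryption uses a fresh IV/nonce, so equal plaintexts must not give equal ciphertexts."""
    return scramble(sample, key) == scramble(sample, key)


def demo() -> dict:
    """Recover the key from one scrambled config and decrypt it without KEY."""
    ciphertext = xor_scramble(CONFIG, KEY)
    key = recover_key(ciphertext, KNOWN_PREFIX)
    return {
        "recovered_key": key,
        "plaintext": xor_scramble(ciphertext, key),
        "deterministic": is_deterministic(xor_scramble, CONFIG, KEY),
    }


if __name__ == "__main__":
    print(demo())
```

The same two probes, "does a known prefix reveal a repeating keystream" and "do equal inputs give equal outputs", are cheap to run against any product's storage format before believing its "encrypted at rest" claim.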
Bio
Sam Bowne has been teaching computer networking and security classes at City College San Francisco since 2000. He has given talks and hands-on trainings at DEFCON, HOPE, B-Sides SF, B-Sides LV, BayThreat, LayerOne, Toorcon, and many other schools and conferences.

-- Chafer: An Evolving Targeted Attack Group - Sylvester Segura
Abstract
This talk will share details of a targeted espionage attack campaign that has been impacting a small number of targets for a considerable amount of time. It will detail the tools and infrastructure used, the attackers' motivations and possible attribution. The talk will also discuss how the attackers' tools and techniques have evolved over time. Research published at https://www.symantec.com/blogs/threat-intelligence/chafer-latest-attacks-reveal-heightened-ambitions
Bio
A relative newcomer to information security, Sylvester is a threat intelligence analyst at Symantec. He spends his time tracking baddies.

-- From Introvert to SE: The Journey - Ryan Macdougall
Abstract
In 20 years I learned how to step outside my introverted personality to explore the world in a more successful way, but not without bumps and bruises which taught me valuable lessons. My journey from a deep introvert to a professional social engineer has so many lessons for those who think they cannot do it. What can you do if you are an introvert and want to become a professional social engineer? What benefits can you reap? What challenges will you have to overcome? Is there a way to get where I am and not take 20 years?
Bio
Ryan MacDougall is a Senior Social Engineer Pentester for Social-Engineer LLC, who has over 20 years’ experience in the information technology world and 5 years in the security space specifically. Naturally a deep introvert, he has achieved goals and experienced life that early on did not seem possible or even imaginable. With the help of professionals and experts in the field of psychology, he amassed techniques to navigate the social world to achieve goals he wanted and some he never knew he wanted.

-- Breaking IoT Security: A Practical Guide to Pentesting IoT devices - Aditya Gupta
Abstract
Getting started in IoT security can be challenging, given that IoT involves a number of different components including firmware, hardware, software (web, mobile and thick clients), network and radio. This talk will help shorten the learning curve by providing a step-by-step approach to getting started in IoT pentesting and exploitation. We will talk about everything from firmware RE and exploitation, to BLE/ZigBee sniffing, to attacking the associated mobile apps to take control of the IoT device. All topics will be covered with real-world case studies or live demos.
The goal of this talk is not to make you an IoT pentesting ninja in an hour, but rather to show you the tools and tactics used by IoT security practitioners and how you can get started by tinkering with the IoT devices around you, while providing you with an exact roadmap for gaining real-world IoT pentesting skills.
Bio
Aditya Gupta is the Chief Hacker at Attify, a Bay Area based security firm specializing in IoT security and exploitation training. At Attify, his day-to-day work includes performing research into IoT device exploitation and writing proofs of concept. He is also the author of IoT Pentesting Cookbook (Nov '17, PacktPub) and IoT Hackers Handbook (Jan '19, Apress). He has been a frequent speaker and trainer at security conferences including BlackHat, DefCon, OWASP AppSec, ToorCon, phDays and C0C0n, among many others.

-- Evolving security operations to the year 2020 - Tim O’Brien 
Abstract
The security operations aspect of your Information Security risk management program is where the “rubber meets the road” — the tools and people you have to implement the process and procedures you put together to find the badness and put out the fires. How has the concept of security operations evolved, and where are we headed?
There is plenty of buzzword bingo: UBA, UEBA, machine learning and artificial intelligence, network abnormality detection, the marketing conversations of evolving to that SOC of 2020 — what do all these really mean to you and your operations and which can be useful in your efforts to find the badness?
Bio
Tim O’Brien is a 19-year information security professional and a subject matter expert in risk and incident management, intrusion and data analysis and secure architecture design. Having progressed through the ranks to hiring manager and director level, he has experienced the pain from both sides of the hiring process and desires to improve the situation for the InfoSec/hacker community.

-- Countering Identity Creep in a Hybrid-Cloud World - Ben Johnson
Abstract
Cloud computing has exploded the attack surface area. As employees are granted more access and more privileges, identity creep is real. And even with the migration to the cloud, organizations are still usually on the hook for the IAM responsibilities and maintenance. The concept of “Triple A” – Authentication, Authorization, and Accounting – has defined security for some time. But recently the industry has been heavily focused on authentication, placing a small amount of attention on authorization, and virtually ignoring accounting. In this presentation, we’ll explore how shifting our focus towards authorization and accounting can help us improve our grasp on identity in the modern hybrid-cloud world. 
Bio
Ben Johnson is CTO and co-founder of Obsidian Security. Prior to founding Obsidian, he co-founded Carbon Black and most recently served as the company's Chief Security Strategist. As the company's original CTO, he led efforts to create the capabilities that helped define the next-generation endpoint security space. Prior to Carbon Black, Ben was an NSA computer scientist and later worked as a cyber engineer in an advanced intrusion operations division for the intelligence community. Johnson has extensive experience building complex systems for environments where speed and reliability are paramount. His background also includes a great deal of technical "agility", from working on advanced operational teams supporting US national security missions, to advising cybersecurity start-ups and the Department of Justice, to writing complex calculation engines for the financial sector.

-- Endpoint Vs Cloud: Evaluating cyber threats in two parallel worlds! - Abhinav Singh 
Abstract
This talk presents a comparative study of security countermeasures for endpoints and for the cloud. It begins by laying out the similarities between the two and how the existing security tools and practices of the endpoint world can be applied at the cloud level as well. The goal is not to reinvent the wheel, but to understand how existing resources can best be utilized in a cloud environment. The talk compares various aspects of pentesting, system forensics and network forensics in an endpoint environment with their counterparts in cloud infrastructure. We then discuss some novel ways to build defense mechanisms for cloud infrastructure. There are several fundamental differences between cloud and endpoint infrastructure that require a fresh understanding in order to build an effective detection strategy. In the last part of the talk we take a closer look at some of the security tools the popular IaaS providers offer; these can serve equally well as a strong first line of defense for a cloud environment.
Bio
Abhinav Singh is an information security researcher at Netskope, Inc. He is the author of Metasploit Penetration Testing Cookbook (first, second and third editions) and Instant Wireshark Starter, published by Packt. He is an active contributor to the security community in the form of paper publications, articles and blogs. His work has been quoted in several security and privacy magazines and digital portals. He is a frequent speaker at eminent international conferences such as Black Hat and RSA. His areas of expertise include malware research, reverse engineering, enterprise security, forensics and cloud security.

-- osquery workshop - Milan Shah
Abstract
osquery is a powerful cross-platform, open-source endpoint agent that was released by Facebook in 2014. It has been growing rapidly in the past year, becoming one of the top security projects on GitHub, with major internet companies beyond Facebook adopting it as their endpoint tool of choice. This workshop, offered by a seasoned engineer who has been working closely with osquery since mid-2016, will provide information for security practitioners who:

- Want to stay abreast of the cutting edge of EDR or IR endpoint technology

- Want the ability to freely customize the questions they are asking of their endpoints over time

- Want the ability to collect and analyze data passively like they would with a SIEM yet have active investigation capabilities for the endpoint without having to deploy a separate tool.

This session will be a presentation-style hands-on workshop in which the presenter walks you through exercises including installing and configuring osquery on Linux, running osquery in interactive mode, basic osqueryi shell commands, using various facets of SQL to write queries for osquery, configuring osqueryi to listen for events and querying the event tables, and some examples of how osquery can be used to investigate a host. If time allows, we will conclude with a final exercise that puts all the lessons learnt into practice by investigating a host that was compromised as part of a pen test.
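As an added example of what the configuration and investigation exercises above produce (not the workshop's own material), here is an osquery config file that enables the Linux event publishers and schedules a small set of host-investigation queries: listening processes with their binaries, processes whose executable has been deleted from disk, uid-0 accounts, crontab entries, process events matching common reverse-shell patterns, and file changes under /etc. The table and column names are osquery's; the paths, intervals and the heuristics in the WHERE clauses are assumptions to adapt to your fleet.

```json
{
  "options": {
    "config_plugin": "filesystem",
    "logger_plugin": "filesystem",
    "logger_path": "/var/log/osquery",
    "disable_events": "false",
    "enable_file_events": "true",
    "audit_allow_config": "true",
    "schedule_splay_percent": "10"
  },
  "schedule": {
    "listening_processes": {
      "query": "SELECT p.pid, p.name, p.path, p.cmdline, l.port, l.address FROM listening_ports l JOIN processes p USING (pid) WHERE l.port != 0;",
      "interval": 300
    },
    "deleted_binaries": {
      "query": "SELECT pid, name, path, cmdline, uid FROM processes WHERE on_disk = 0;",
      "interval": 300
    },
    "uid0_accounts": {
      "query": "SELECT username, shell, directory FROM users WHERE uid = 0;",
      "interval": 3600
    },
    "crontab_entries": {
      "query": "SELECT event, minute, hour, command, path FROM crontab;",
      "interval": 3600
    },
    "suspicious_process_events": {
      "query": "SELECT time, pid, parent, path, cmdline, uid FROM process_events WHERE cmdline LIKE '%/dev/tcp/%' OR cmdline LIKE '%bash -i%' OR path LIKE '%/nc';",
      "interval": 60
    },
    "etc_file_changes": {
      "query": "SELECT target_path, action, time, sha256 FROM file_events WHERE category = 'etc';",
      "interval": 60
    }
  },
  "file_paths": {
    "etc": ["/etc/%%"]
  }
}
```

osqueryd runs the schedule and writes results to logger_path; for the interactive exercises, `osqueryi --config_path=<this file> --disable_events=false` picks up the options and file_paths so the process_events and file_events tables fill while you query them, and any single query can be run ad hoc with `osqueryi --json "SELECT ..."`. The event tables only contain what happened after the publisher started, so enable events before, not after, the activity you want to see.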
Bio
Milan Shah is a serial entrepreneur with a track record of building and leading cutting-edge cybersecurity technology companies. Prior to co-founding Uptycs, Milan was SVP of Products and Engineering at Core Security, where he formulated a vision for a new class of automated pen testing solutions. Milan has also served as VP of Engineering at CA Technologies and at IMlogic, which was successfully acquired by Symantec.
The first part of his career was spent as a member of the early Windows NT development team, and he was a key architect of Microsoft Exchange. Milan holds a Master's degree in EECS from MIT and a Bachelor's in EECS from the University of Illinois, Urbana.